Tuesday, August 20, 2019

Joe Sandbox Detect - the Cloud backed Endpoint Sensor




Today, we are proud to show-case Joe Sandbox Detect. In a nutshell, Joe Sandbox Detect is a configurable endpoint sensor with Joe Sandbox Cloud as its backend. What is an endpoint sensor and why does my organization need it? This blog post addresses those questions.


Endpoint Overloading


Detecting malware on endpoints is a hard job. Endpoint security vendors have to make sure not to consume too many resources, not to interrupt end-users, do not weaken the security and not do conflict with other endpoint security tools. This, of course, limits the effectiveness of malware detection. 






Holy Cloud


The best solution to escape those limitations is to move the malware detection to the Cloud. As a result, the agent is light-weight, with very little resource consumption, high security, and compatibility. The malware detection in the Cloud has access to massive computing resources and will not slow down the endpoint. This design increases the effectiveness of malware detection massively.

Joe Sandbox Detect is a slim endpoint sensor which utilizes Joe Sandbox Cloud for malware detection. Joe Sandbox is the industries deepest malware analysis engine. It uses a combination of static and dynamic malware analysis (sandboxing) to detect even the most sophisticated malware.







Malware Entry Points


Deep malware analysis is great but it also takes time to analyze a file in depth. Thus, it is not possible to analyze any files on an endpoint. To address this challenge Joe Sandbox Detect includes configurable filters. By default, those filters select only files which might contain code and are created by applications which are known for malware entry points (e-mail clients, web browsers, etc).





Filters can be set during installation via command-line arguments.


Notifications and Alerts


Let us assume a user has opened a potential malicious Microsoft Word document via Thunderbird or Outlook:






Joe Sandbox Detect is monitoring e-mail clients for the creation of Microsoft Office documents. Therefore Ferreria's Quote.doc is uploaded for deep inspection to Joe Sandbox Cloud. Joe Sandbox Cloud analyzes the file and once completed will first alert the security team. Joe Sandbox Cloud includes configurable filters for alerts. For instance, the security team can enable that only for malicious detections an alert is sent or only for certain file types:







The security team can also access the analysis data including IOCs and see from which endpoint and application the file origins:













IOCs can be used to block malware on endpoints and search other endpoints for existing infections. Detailed behavior information enables to understand if the threat has spyware, spreading or ransomware functionality. 

After alerting the security team the end-user is also notified. This notification is configurable and can also be disabled. End-users can also open the management report which contains only high-level information:







Privacy - Encrypted Analysis


Because Joe Sandbox Detect might also analyze documents which contain confidential information privacy is extremely important. We recently outlined in a blog post what privacy features Joe Sandbox Cloud implements. Encrypted Analysis is one of these features which also Joe Sandbox Detect uses. Whenever Joe Sandbox Detect uploads a file and the analysis is completed Joe Sandbox Cloud encrypts all data including the file, IOCs, reports, etc. with a random password. Encrypted analyses are indicated with the small lock icon:





The password for encryption is only kept on the end-point. Therefore, Joe Security cannot access the analysis data anymore. Security teams can decide to use a unique password for encryption for all their endpoints during the installation of Joe Sandbox Detect. End-users can also copy the password and share it with the security team on purpose:





Encrypted analyses provide the strongest privacy and are a unique feature of Joe Sandbox Cloud. You don't trust cloud services at all? Joe Security also offers on-premise products which work with Joe Sandbox Detect as good as with Joe Sandbox Cloud.


Manual Submissions


Automated analysis is great but there is also the use case where an end-user detects a malicious e-mail and is not opening the attachments and he still wants to check if he is right. To address this Joe Sandbox Detect includes an optional small bar which shows up on the Desktop. End-users can drag and drop e-mails to this bar for analysis by Joe Sandbox Detect:





This also works for files on USB sticks. The same alerts and notifications are sent as if it were an automated analysis. Analyses are also encrypted. 

Enhancing your Endpoint Security


Joe Sandbox Detect is a unique endpoint sensor with the following feature set:


  • Leverages Joe Sandbox Cloud for in-depth malware analysis
  • Configurable filters to define what is analyzed and what not
  • Extensive alerting for SOCs
  • Complete privacy due to encrypted analyses
  • Extremely low resource consumption
  • Compatible with any other endpoint security solution
  • Convenient manual submissions
  • Parameterized MSI installer for easy deployment

Want to try Joe Sandbox Detect and test its malware detection capabilities? Contact us today for a trial or an in-depth technical demo!