1
00:00:01,710 --> 00:00:07,380
Sandboxing is used to separate applications from secure resources.

2
00:00:07,380 --> 00:00:14,490
The idea is to let an application run in a secluded zone that cannot reach other systems.

3
00:00:14,490 --> 00:00:22,770
It can be implemented as a means to test new software or even to study the behavior of a malicious program.

4
00:00:22,770 --> 00:00:29,550
A lot of security products actually use sandboxing to identify if a program is a threat strictly based

5
00:00:29,550 --> 00:00:33,060
on behavioral indicators.

6
00:00:33,060 --> 00:00:38,710
So if I have a program running in a sandbox environment that is constantly scanning networks and running

7
00:00:38,730 --> 00:00:44,150
oddly, then it is likely that the program is malicious and should not be allowed on the network.

8
00:00:45,310 --> 00:00:51,820
Let's take a look at how Cisco AMP uses a sandbox environment to analyze files.

9
00:00:51,820 --> 00:00:59,290
Here I am in the Cisco AMP for Endpoints portal. One of my favorite features of the portal is the file

10
00:00:59,320 --> 00:01:06,480
analysis page. On this page you can actually upload files that you're unsure of.

11
00:01:06,480 --> 00:01:16,620
And Cisco will run the file within a sandbox environment, and you can even watch a video of what happened

12
00:01:16,620 --> 00:01:20,740
when the file launched on a PC in the sandbox environment.

13
00:01:21,000 --> 00:01:27,620
So I do have a file that is suspicious to me, and before I run it in a production environment,

14
00:01:27,660 --> 00:01:34,020
I'm going to submit it to the file analysis page here, and we're going to see if the sandbox environment

15
00:01:34,470 --> 00:01:36,680
determines if this file is good or bad.

16
00:01:38,500 --> 00:01:45,250
I upload my file, and then once it finishes running the file in the sandbox environment, we'll look at

17
00:01:45,250 --> 00:01:48,340
the report for the file to see if it's malicious or not.

18
00:01:48,880 --> 00:01:56,170
OK, so it looks like the sandbox environment finished analyzing this file we uploaded. It is red, which

19
00:01:56,170 --> 00:02:01,190
tells me that it has been identified as being a malicious file.

20
00:02:01,190 --> 00:02:02,640
I'll click on the report here.

21
00:02:07,550 --> 00:02:15,230
And we get a nice report on the behavioral indicators that were found when this file was run in a safe

22
00:02:15,830 --> 00:02:23,420
sandbox environment, and it looks like this definitely is a malicious file.

23
00:02:23,420 --> 00:02:26,870
That shows that it's been flagged as a known Trojan.

24
00:02:26,990 --> 00:02:33,440
So fortunately, by utilizing a sandbox environment, I was able to determine that the file was malicious

25
00:02:33,800 --> 00:02:39,020
before it was launched on my network.

26
00:02:39,120 --> 00:02:47,190
In addition to network sandboxing, there's also what's called system-based sandboxing. Some system-based

27
00:02:47,400 --> 00:02:56,720
sandboxing implementations are available, like Google Chromium and HTML5. These methods of sandboxing

28
00:02:56,730 --> 00:03:04,890
introduce an entire layer of security around web browsers to protect connections to websites. Each time

29
00:03:04,890 --> 00:03:11,040
a new web browser tab is opened, a new process is created in its own sandbox.

30
00:03:12,400 --> 00:03:18,130
So even if you were to accidentally go to a malware site, the malicious data would be contained within

31
00:03:18,130 --> 00:03:24,420
the source browser tab and would not have access to other web pages or the local system.