CrowdStrike Falcon Sandbox FAQ

What is Falcon Sandbox™?

CrowdStrike® Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of the world’s most powerful sandbox solution. This unique combination provides context, enabling analysts to better understand sophisticated malware attacks and tune their defenses. Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs). Falcon Sandbox enables cybersecurity teams of all skill levels to increase their understanding of the threats they face and use that knowledge to defend against future attacks.

What is the hybrid analysis technology and how does it benefit malware analysis?

Hybrid analysis is a file analysis approach that combines runtime data with memory dump analysis to extract all possible execution pathways even for the most evasive malware. The combination of hybrid analysis and extensive pre- and post-execution analysis delivers a unique capability, resulting in the extraction of more IOCs than any other competing sandbox solution. All data extracted from the hybrid analysis engine is processed automatically and integrated into the malware analysis reports.

How is a Falcon Sandbox license different than Hybrid-Analysis.com?

Hybrid-Analysis.com is a free online malware analysis community enabling users to submit files for free in-depth analysis. In addition, users can search thousands of existing malware reports or download samples and IOCs via the website and well-documented REST API.

Hybrid-Analysis is an independent service, powered by Falcon Sandbox and is a great way to evaluate the Falcon Sandbox technology. Hybrid Analysis provides a subset of Falcon Sandbox capabilities. The following chart highlights a few of the differences:

Feature | Hybrid-Analysis.com | Falcon Sandbox Private Cloud | Falcon Sandbox On-Prem
Windows 7 (32/64)
Windows 10
Ubuntu 16 (64)
Ubuntu 16 (16/64) and RedHat
Custom “Golden” Images
Max file submissions per month | Up to 30 as Guest | Up to 25,000 | Unlimited
Analyze Files/Archives
Analyze URLs
Submission without reCAPTCHA
Re-analyze extracted files
Custom Action Scripts
Binary Samples/PCAPs
Per-process memory dumps
Risk view summary and verdict
View all malicious/suspicious indicators (IOAs)
View all network IDS rule triggers (requires license)
Full privacy for your reports
CrowdStrike Intel integration (attribution, IOCs, IDS, YARA) (requires license)
Falcon MalQuery integration
REST API for file submissions and search
Support for SOAR tools (e.g. Phantom, Demisto)
SIEM integration (CEF, syslog)
Passive email/NFS scanning with Falcon Bridge
Unlimited detonation environments
Write custom IOAs
Add custom YARA rules

Are files submitted to Falcon Sandbox private?

Yes, files submitted to Falcon Sandbox are private. When you license Falcon Sandbox, CrowdStrike creates a dedicated private cloud instance reserved just for your organization. All submitted files and associated reports are stored and maintained in this separate environment. If you have privacy policies that restrict sending malware files to the cloud, please consider the Falcon Sandbox On-Prem version.

Why is a “kernel mode monitor” important when analyzing malware?

Authors of modern malware are aware of sandbox technology and have instrumented their malware to either stop or hide malicious activity when it detects an external process monitoring the file. Traditional first-generation sandbox monitors run at the application layer (user mode) to intercept system library calls, and such hooks are easily detected. Falcon Sandbox implements monitoring at the operating system level (kernel mode), leaving the target process untouched and making the monitor very difficult to detect. The Falcon Sandbox kernel mode monitor has proven to be robust and extremely effective against “in the wild” and most current malware samples. CrowdStrike’s world-class anti-sandbox and anti-VM detection technology (illustrated by benchmark tools such as Pafish or VMDE) enables analysis of most evasive malware. CrowdStrike is constantly updating Falcon Sandbox to stay ahead of new evasion techniques and verifies its performance with in-house benchmark tools and with the public community offering Hybrid-Analysis.com, which is field-tested every day.

How does Falcon Sandbox scale?

Falcon Sandbox Private Cloud scales automatically. You can easily process up to 25,000 files per month with the appropriate license. This level of scalability is provided without any infrastructure costs to you.

Falcon Sandbox On-Prem customers can scale to over 25,000 files per month with the appropriate license. It is possible to create distributed large-scale systems using the load-balancing broker Falcon Sandbox Bridge and enable processing of an unlimited number of files. Please contact FalconSandbox@crowdstrike.com for guidance on deployment options.

What is Falcon Sandbox On-Prem?

Falcon Sandbox On-Prem is designed for organizations that require customized control of how malware is detonated; have stringent privacy requirements that restrict files from leaving the organization; or require massive scalability that exceeds 25,000 files analyzed per month.

Falcon Sandbox On-Prem includes the features of Falcon Sandbox Private Cloud, plus:

  • Enables custom or “golden” guest virtual machine images (VirtualBox hypervisors are supported).
  • Analyzes files in an unlimited number of virtual environments in parallel, to provide true targeted attack detection
  • Ability to tune Falcon Sandbox to your specific requirements. Falcon Sandbox On-Prem has hundreds of configuration options including custom “action scripts” (to simulate human activity during detonation), custom behavior indicators, and you can manipulate the malware verdict for custom risk scoring
  • Ability to run completely disconnected from the network (air gapped), while simulating network connectivity (using FakeNet-NG, INetSim)
  • Enables a variety of integrations, such as sending analysis results to SIEMs using CEF syslog
  • Ability to add your own custom YARA rules, hash/certificate whitelists and more

CrowdStrike provides all the software used by Falcon Sandbox On-Prem as part of an automated installation process. CrowdStrike notifies all customers when a new release is available with links to both the documentation as well as the release package. Upgrading the system is automated, easy and fast.

What is the difference between Falcon Sandbox Private Cloud and Falcon Sandbox On-Prem?

Falcon Sandbox Private Cloud is the preferred deployment option for most Falcon Sandbox users. The cloud delivery provides instant time-to-value and no infrastructure investment and is a compelling cost-effective deployment option.

The Falcon Sandbox On-Prem option is designed for organizations that demand customized control of how malware is detonated, have stringent privacy requirements that restrict malware from leaving the organization or require massive scalability exceeding 25,000 files analyzed per month.

The following chart offers a summary of features for the two deployment options:

Feature | Falcon Sandbox Private Cloud | Falcon Sandbox On-Prem
Total files analyzed per month | Up to 25,000 files | Unlimited license available
Guest operating system support | Windows 7, 10 (32/64), Ubuntu Linux (64), Android (static analysis) | Adds custom virtual machine images, Ubuntu Linux (32-bit)
Privacy | All files/reports are private | Adds ability to deploy disconnected from the network (air gapped)
Downloads / file formats | Binary samples, PCAPs, MAEC, STIX, MISP, OpenIOC, PDF, XML, JSON, HTML | Adds CEF format
Customization | Configure malware detonation (duration, date & time), select existing action scripts and choose from existing execution environments | Adds the ability to run malware samples on custom images, create user-defined action scripts and add fine-grained configuration options
Reporting | Full analysis reports, including recursive file analysis | Recursive file analysis (coming soon)
CrowdStrike Intelligence integration | Yes | Requires license
MalQuery integration | Yes | Requires license

What is Falcon Sandbox Bridge?

For Falcon Sandbox On-Prem customers: Falcon Sandbox Bridge enables the creation of a distributed Falcon Sandbox system that can process hundreds of thousands of files per day. This scale is accomplished by adding physical servers to your existing Falcon Sandbox On-Prem system, with a load-balancing controller that distributes incoming files to one or more designated application servers managed by Falcon Sandbox Bridge.

For all Falcon Sandbox customers: Falcon Sandbox Bridge can collect files from various sources (e.g. e-mail inboxes, network drives, etc.) and forward them to Falcon Sandbox Private Cloud or Falcon Sandbox On-Prem. The file collection process is implemented by polling the file source at a user-defined frequency. Once analysis is complete and the result for a file is retrieved, an automated email notification is sent if the result meets a user-defined threat level.

What files can Falcon Sandbox analyze?

The Falcon Sandbox supports PE files (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (.wsf), JavaScript (.js), Visual Basic (.vbs, .vbe), Shockwave Flash (.swf), Perl (.pl), PowerShell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg) and Python (.py) scripts, Linux ELF executables, MIME RFC 822 (.eml) and Outlook .msg files.

You can upload archives with or without a password: ace, arj, 7z, bzip2, gzip2, iso, rar, rev, tar, wim, xz and zip. If you use a password, it must be the conventional “infected” password.

What report formats do you support?

Report formats include XML, MAEC (4.1), OpenIOC (1.1), MISP XML and JSON. Reports are also provided as a single HTML or PDF file.

Can I control how a file is analyzed?

Falcon Sandbox Private Cloud enables users to take control by providing the ability to configure settings that determine how malware is detonated. These options include setting the date/time, environment variables, command line options, providing passwords for PDF/Office prompts and more. In addition, you can select from many “action scripts” that mimic user behavior (such as mouse clicks and movement, keyboard entry, etc.) during detonation to help expose malware attempting to hide from sandbox technology.

If you need additional flexibility, Falcon Sandbox On-Prem provides additional capabilities and is designed for organizations that demand customized control of how malware is detonated.

What are Falcon Sandbox behavioral Indicators?

Behavioral indicators, similar to indicators of attack (IOAs), define high-risk activity or a series of activities taken in sequence that can be considered potentially malicious. Examples include adding an entry to an autostart registry key, changing a firewall setting, writing a known ransomware file to disk or sending data on unusual ports. Behavioral indicators provide a more complete view into the potential risk of the file and are used to identify previously unknown threats. Falcon Sandbox includes more than 700 generic behavioral indicators, which are constantly being updated and expanded.
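To make the idea of a behavioral indicator concrete, here is a small rule engine added as an illustration; it is not Falcon Sandbox code and says nothing about how Falcon Sandbox's own 700+ indicators are implemented. It runs a few rules of the kinds named above (autostart registry write, firewall change, ransomware-style file drop, traffic on an unusual port) plus one rule over a sequence of events (a file the sample wrote is later executed) across a constructed stream of detonation events, then merges the hits into a verdict. The event record shape, rule names, severities, port list and sample events are all assumptions made for the example.

```python
"""Toy behavioral-indicator engine (illustration only, not Falcon Sandbox code)."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Event:
    """One monitored action from a detonation (assumed shape, not a real sandbox log format)."""
    pid: int
    op: str      # "reg_set", "file_write", "proc_exec", "net_connect", "cmd"
    target: str  # registry path, file path, command line, or "ip:port"


# Constructed sample event stream for one detonation; not telemetry from real malware.
SAMPLE_EVENTS = [
    Event(1204, "file_write", r"C:\Users\victim\AppData\Local\Temp\upd.exe"),
    Event(1204, "proc_exec", r"C:\Users\victim\AppData\Local\Temp\upd.exe"),
    Event(1332, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(1332, "cmd", "netsh advfirewall set allprofiles state off"),
    Event(1332, "file_write", r"C:\Users\victim\Documents\README_DECRYPT.txt"),
    Event(1332, "net_connect", "203.0.113.10:6667"),
    Event(1332, "net_connect", "203.0.113.10:443"),
]

# Toy heuristics; a production rule set would be far more specific.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
FIREWALL_RE = re.compile(r"netsh\s+(advfirewall|firewall)\b", re.I)
RANSOM_NOTE_RE = re.compile(r"(README|HOW_TO|DECRYPT|RESTORE)[^\\]*\.(txt|html|hta)$", re.I)
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995, 8080}  # assumed "expected" ports


@dataclass
class Indicator:
    name: str
    severity: str  # "suspicious" or "malicious"
    evidence: list = field(default_factory=list)


def single_event_rules(ev):
    """Rules that fire on a single event."""
    if ev.op == "reg_set" and AUTOSTART_RE.search(ev.target):
        yield Indicator("Writes to autostart registry key", "suspicious", [ev.target])
    if ev.op == "cmd" and FIREWALL_RE.search(ev.target):
        yield Indicator("Modifies firewall configuration", "malicious", [ev.target])
    if ev.op == "file_write" and RANSOM_NOTE_RE.search(ev.target):
        yield Indicator("Drops ransomware-style note", "malicious", [ev.target])
    if ev.op == "net_connect":
        port = int(ev.target.rsplit(":", 1)[1])
        if port not in COMMON_PORTS:
            yield Indicator("Connects on unusual port", "suspicious", [ev.target])


def sequence_rules(events):
    """Rule over the ordered stream: a file written earlier is executed later."""
    written = set()
    for ev in events:
        if ev.op == "file_write":
            written.add(ev.target.lower())
        elif ev.op == "proc_exec" and ev.target.lower() in written:
            yield Indicator("Executes a file it dropped", "malicious", [ev.target])


def evaluate(events):
    """Run all rules, merge hits with the same name, and derive an overall verdict."""
    found = {}
    hits = list(sequence_rules(events)) + [i for ev in events for i in single_event_rules(ev)]
    for ind in hits:
        if ind.name in found:
            found[ind.name].evidence.extend(ind.evidence)
        else:
            found[ind.name] = ind
    severities = [i.severity for i in found.values()]
    if "malicious" in severities:
        verdict = "malicious"
    elif severities:
        verdict = "suspicious"
    else:
        verdict = "no specific threat"
    return list(found.values()), verdict


if __name__ == "__main__":
    indicators, verdict = evaluate(SAMPLE_EVENTS)
    for ind in indicators:
        print(f"[{ind.severity}] {ind.name}: {ind.evidence}")
    print("verdict:", verdict)
```

The point of the sequence rule is that neither event on its own is interesting (programs write files and start processes all the time); it is the ordering that carries the signal, which is what the page means by "a series of activities taken in sequence".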

What detonation operating systems do you support?

We support Windows Desktop XP, Vista, 7, 8, 10 (32 and 64 bit) and Ubuntu/RHEL Linux (32 and 64 bit). We also support static file analysis for Android APK files. Custom virtual machine images (using VMware and VirtualBox) are supported with Falcon Sandbox On-Prem.

What type of information is available in a Falcon Sandbox analysis report?

Falcon Sandbox reports include an incident response summary, links to related sandbox analysis reports, many IOCs, actor attribution, recursive file analysis, file details, screenshots of the detonation, runtime process tree, network traffic analysis, extracted strings and IP/URL reputation lookups. In addition, reports are enriched with information from AlienVault OTX, VirusTotal and Falcon Intelligence, providing threat actor attribution, related samples and more. You can also review CrowdStrike’s Falcon Sandbox reports for examples.

Can I threat hunt and search through the results of previously analyzed malware?

Yes, Falcon Sandbox provides a variety of search options, including the ability to combine search terms. You can search for a virus family name, threat actor, specific file type, hash, #tag and whether a specific behavioral indicator was triggered. You can even find reports that contacted a specific IP address, country, domain, URL and much more.

What integrations are provided with Falcon Sandbox?

Falcon Sandbox offers a wide range of integrations including:

  • VirusTotal and OPSWAT Metadefender
  • AlienVault OTX
  • SIEM systems using CEF format
  • NSRL (Whitelisting)
  • Thug honeyclient (e.g. URL exploit analysis)
  • Suricata (network threat detection)
  • TOR (to avoid external IP fingerprinting)
  • Orchestration platforms (e.g. Demisto, Phantom)
  • FAME (malware analysis framework)
  • Cortex (manages observables at scale)

The full-featured Falcon Sandbox REST API is also available.
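The SIEM integration listed above uses CEF (Common Event Format), the pipe-delimited header plus key=value extension syntax that ArcSight-style SIEMs ingest over syslog. The following example, added here and not Falcon Sandbox's own code, formats a sandbox verdict as a CEF line with the escaping the format requires and parses it back, so that a file name containing a backslash, a pipe or an equals sign survives the round trip. The vendor/product/signature strings, the mapping of verdict fields onto CEF extension keys (fileHash, fname, cs1, cn1, msg, request, rt are standard CEF keys, but their use here is my choice) and the sample report are all assumptions.

```python
"""Emit and parse CEF lines for a sandbox verdict (illustration only, not Falcon Sandbox code)."""
import datetime
import re

CEF_VERSION = "0"
SEVERITY = {"no specific threat": 1, "suspicious": 5, "malicious": 9}  # assumed 0-10 mapping

# Constructed sample report; the hash is a placeholder, not a real sample.
SAMPLE_REPORT = {
    "sha256": "deadbeef" * 8,
    "submit_name": r"docs\invoice|final=2.exe",  # deliberately contains \ | =
    "verdict": "malicious",
    "threat_score": 95,
    "indicators": ["Writes to autostart registry key", "Drops ransomware-style note"],
    "report_url": "https://sandbox.example/reports/placeholder",
}
SAMPLE_TIME = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def _esc_header(value):
    """Header fields: backslash and pipe are escaped with a backslash."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """Extension values: backslash and '=' are escaped; CR/LF are encoded as \\r and \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def report_to_cef(report, when=None):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...'."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    header = [
        "ExampleVendor", "ExampleSandbox", "1.0",                 # assumed vendor/product/version
        "sandbox-verdict",                                         # assumed signature id
        f"Sandbox verdict: {report['verdict']} ({report['submit_name']})",
        SEVERITY[report["verdict"]],
    ]
    ext = {
        "rt": int(when.timestamp() * 1000),  # receipt time, ms since epoch
        "fileHash": report["sha256"],
        "fname": report["submit_name"],
        "cs1Label": "verdict", "cs1": report["verdict"],
        "cn1Label": "threatScore", "cn1": report["threat_score"],
        "msg": "; ".join(report["indicators"]),
        "request": report["report_url"],
    }
    head = "|".join([f"CEF:{CEF_VERSION}"] + [_esc_header(v) for v in header])
    return head + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict, undoing escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: take the next one literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":                           # unescaped pipe ends a header field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    ext_raw = line[i:]
    # Extension keys are word tokens immediately followed by '=' at the start or after a space;
    # escaped '\=' inside values never matches because a backslash is not a word character.
    keys = list(re.finditer(r"(?:^|(?<= ))(\w+)=", ext_raw))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_raw)
        raw = ext_raw[m.end():end].rstrip(" ")
        ext[m.group(1)] = re.sub(
            r"\\(.)", lambda mm: {"n": "\n", "r": "\r"}.get(mm.group(1), mm.group(1)), raw)
    return fields, ext


if __name__ == "__main__":
    line = report_to_cef(SAMPLE_REPORT, SAMPLE_TIME)
    print(line)
    print(parse_cef(line))
```

Escaping is where home-grown CEF emitters usually go wrong: a pipe in a header field shifts every later field by one, and an unescaped `=` in a file name makes the receiving SIEM split the value into a bogus key. Parsing the line back and comparing with the input, as the test does, catches both.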

What is recursive analysis and why is it important?

Recursive analysis is a unique capability that determines whether the analyzed file is related to a larger campaign, malware family or threat actor. Falcon Sandbox will automatically search the industry’s largest malware search engine to find related samples and within seconds expand the analysis to include all files. This is important because it provides analysts with a deeper understanding of the attack and a larger set of IOCs that can be used to better protect the organization.

Is Falcon Sandbox localized to any languages?

Yes: English, German, Spanish, French, Italian, Dutch, Polish, Portuguese, Chinese, Turkish, Russian, Vietnamese, Korean, Thai, Indonesian, Malaysian, Arabic

How is Falcon Sandbox priced?

Falcon Sandbox is licensed on a subscription basis, based upon the number of files analyzed by Falcon Sandbox per month. Flexible subscription options are available for both Falcon Sandbox Private Cloud and the On-Prem Edition.

For more information, please contact us.