What is Falcon Sandbox™?
CrowdStrike® Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of the world’s most powerful sandbox solution. This unique combination provides context, enabling analysts to better understand sophisticated malware attacks and tune their defenses. Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs). Falcon Sandbox enables cybersecurity teams of all skill levels to increase their understanding of the threats they face and use that knowledge to defend against future attacks.
Are files submitted to Falcon Sandbox private?
Yes, files submitted to Falcon Sandbox are private. When you license Falcon Sandbox, CrowdStrike creates a dedicated private cloud instance reserved just for your organization. All submitted files and associated reports are stored and maintained in this separate environment. If you have privacy policies that restrict sending malware files to the cloud, please consider the Falcon Sandbox On-Prem version.
What is the Hybrid Analysis technology and how does it benefit malware analysis?
Hybrid Analysis combines runtime data with memory dump analysis to extract all possible execution pathways even for the most evasive malware. The combination of Hybrid Analysis and Falcon Sandbox’s extensive pre- and post-execution analysis delivers a unique capability, resulting in the extraction of more IOCs than any other competing sandbox solution. All data extracted from the Hybrid Analysis engine is processed automatically and integrated into the Falcon Sandbox reports.
Read more on the Hybrid Analysis technology page.
Why is a “kernel mode monitor” important when analyzing malware?
Authors of modern malware are aware of sandbox technology and have instrumented their malware to either stop or hide malicious activity when it detects an external process monitoring the file. Traditional, first-generation sandbox monitors run at the application layer (user mode) to intercept system library calls, which are easily detected. Falcon Sandbox implements monitoring at the operating system level (kernel mode) leaving the target process untouched, making it very difficult to detect. The Falcon Sandbox kernel mode monitor has proven to be robust and extremely effective against “in the wild” and most current malware samples. CrowdStrike’s world-class anti-sandbox and anti-VM detection technology (illustrated by benchmark tools such as Pafish or VMDE) enables analysis of most evasive malware. CrowdStrike is constantly updating Falcon Sandbox to stay ahead of new evasion techniques and verifies its performance with in-house benchmark tools and the public community offering (Hybrid-Analysis.com) that is field-tested every day.
What is Hybrid-Analysis.com?
Hybrid-Analysis.com is a free online malware analysis community enabling users to submit files for free in-depth analysis. In addition, users can search thousands of existing malware reports or download samples and IOCs, via the website and well-documented REST API.
Hybrid-Analysis is an independent service, powered by Falcon Sandbox and is a great way to evaluate the Falcon Sandbox technology. Hybrid Analysis provides a subset of Falcon Sandbox Private Cloud capabilities. The following chart highlights a few of the differences:
| Feature | Hybrid-Analysis.com | Falcon Sandbox Private Cloud |
|---|---|---|
| Total files analyzed per month | Up to 30 files | Up to 25,000 files |
| Privacy | Reports are shared, files can be marked private | Complete privacy |
| Supported operating systems | Windows 7 (32/64), Ubuntu (64), Android (static analysis) | Plus Windows 10 |
| Submission type | Files, archives only | Plus URL analysis |
| Downloads / formats | Binary samples, PCAPs, MAEC, STIX, MISP, OpenIOC | Plus PDF, XML, JSON, HTML |
| Reporting | View risk, summary and malware verdicts | Full reports, also including all IOCs, all IDS rules, intelligence and more |
| CrowdStrike Falcon Intelligence™ | None | View actor attribution, IOCs, IDS and YARA rules from Falcon Intelligence |
| Recursive analysis | None | Automatically searches and provides analysis reports for all related malware based on actor, campaign or malware family |
How does Falcon Sandbox scale?
Falcon Sandbox Private Cloud scales automatically. You can easily process up to 25,000 files per day with the appropriate license. This level of scalability is provided without any infrastructure costs to you.
Falcon Sandbox On-Prem customers can easily scale to process over 25,000 files per day, depending on your deployment. It is possible to create distributed large-scale systems using the load-balancing broker Falcon Sandbox Bridge and enable processing of hundreds of thousands of files per day. Please contact FalconSandbox@crowdstrike.com for guidance on deployment options.
What is Falcon Sandbox On-Prem?
Falcon Sandbox On-Prem is designed for organizations that require customized control of how malware is detonated; have stringent privacy requirements that restrict files from leaving the organization; or require massive scalability that exceeds 25,000 files analyzed per day.
Falcon Sandbox On-Prem includes the features of Falcon Sandbox Private Cloud, plus:
- Enables custom or “golden” guest virtual machine images (VMware and VirtualBox hypervisors are supported).
- Analyzes files in an unlimited number of virtual environments in parallel, to provide true targeted attack detection.
- Ability to tune Falcon Sandbox to your specific requirements. Falcon Sandbox On-Prem has hundreds of configuration options including custom “action scripts” (to simulate human activity during detonation), custom behavior indicators, and you can manipulate the malware verdict for custom risk scoring
- Ability to run completely disconnected from the network (air gapped), while simulating network connectivity (using FakeNet-NG, INetSim)
- Enables a variety of integrations such as sending feedback analysis results to SIEMs using CEF syslog
- Ability to add your own custom YARA rules, hash/certificate whitelists and more
CrowdStrike provides all the software used by Falcon Sandbox On-Prem as part of an automated installation process. CrowdStrike notifies all customers when a new release is available with links to both the documentation as well as the release package. Upgrading the system is automated, easy and fast.
What is the difference between Falcon Sandbox Private Cloud and Falcon Sandbox On-Prem?
Falcon Sandbox Private Cloud is the preferred deployment option for most Falcon Sandbox users. The cloud delivery provides instant time-to-value and no infrastructure investment and is a compelling cost-effective deployment option.
The Falcon Sandbox On-Prem option is designed for organizations that demand customized control of how malware is detonated, have stringent privacy requirements that restrict malware from leaving the organization or require massive scalability exceeding 25,000 files analyzed per day.
The following chart offers a summary of features for the two deployment options:
| Feature | Falcon Sandbox Private Cloud | Falcon Sandbox On-Prem |
|---|---|---|
| Total files analyzed per month | Up to 25,000 files | Unlimited files |
| Guest operating system support | Windows 7, 10 (32/64), Ubuntu Linux (64), Android (static analysis) | Adds custom virtual machine images, Ubuntu Linux (32 bit) |
| Privacy | All files/reports are private | Adds ability to deploy disconnected from the network (air gapped) |
| Downloads / file formats | Binary samples, PCAPs, MAEC, STIX, MISP, OpenIOC, PDF, XML, JSON, HTML | Adds CEF format |
| Customization | Configure malware detonation (duration, date & time), select existing action scripts and choose from existing execution environments | Adds the ability to run malware samples on custom images, create user-defined action scripts and add fine-grained configuration options |
| Reporting | Full analysis reports, including recursive file analysis | Recursive file analysis (coming soon) |
| CrowdStrike Intelligence integration | Yes | Requires license |
| Recursive analysis | Yes | Coming soon |
What is Falcon Sandbox Bridge?
For Falcon Sandbox On-Prem customers: Falcon Sandbox Bridge enables the creation of a distributed Falcon Sandbox system that can process hundreds of thousands of files per day. This scale is accomplished by adding physical servers to your existing Falcon Sandbox On-Prem system with a load balancing controller that distributes incoming files to one or more designated application servers managed by Falcon Sandbox Bridge.
For all Falcon Sandbox customers: Falcon Sandbox Bridge can collect files from various sources (e.g. e-mail inboxes, network drives, etc.) and forward them to Falcon Sandbox Private Cloud or Falcon Sandbox On-Prem. The file collection process is implemented by polling the file source at a user-defined frequency. Once analysis is complete, and the result for a file is retrieved — based on a user-defined threat level — an automated email notification is sent.
What files can Falcon Sandbox analyze?
You can upload archives with or without a password: ace, arj, 7z, bzip2, gzip2, iso, rar, rev, tar, wim, xz and zip. If the archive is password-protected, it must use the conventional password “infected”.
What report formats do you support?
Report formats include XML, MAEC (4.1), OpenIOC (1.1), MISP XML and JSON. Reports are also provided as a single HTML or PDF file.
Can I control how a file is analyzed?
Falcon Sandbox enables users to take control by providing the ability to configure settings to determine how malware is detonated. These options include setting the date/time, environmental variables, setting command line options, providing passwords for PDF/Office prompts and more. In addition, you can select from many “action scripts” that will mimic user behavior (such as mouse clicks and movement, keyboard entry, etc.) during detonation to help expose malware attempting to hide from sandbox technology.
What are Falcon Sandbox behavioral Indicators?
Behavioral indicators, similar to indicators of attack (IOAs), define high-risk activity, or a series of activities taken in sequence, that can be considered potentially malicious. Examples include adding an entry to an autostart registry key, changing a firewall setting, writing a known ransomware file to disk or sending data on unusual ports. Behavioral indicators provide a more complete view into the potential risk of the file and are used to identify previously unknown threats. Falcon Sandbox includes more than 700 generic behavioral indicators, which are constantly being updated and expanded.
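To make the idea concrete, here is an added illustration (not Falcon Sandbox's own engine or indicator set) of a minimal behavioral-indicator evaluator: a few single-event indicators modelled on the examples above, plus one sequence indicator that fires only when the same process drops a file and later registers it for autostart. The event schema, indicator names, severity weights and verdict thresholds are all hypothetical, and the events are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Event:
    pid: int
    kind: str    # "filewrite", "regset", "process" or "netconnect"
    detail: str  # path, registry value, command line or "ip:port"

AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
COMMON_PORTS = {22, 25, 53, 80, 443}

def is_autostart(e: Event) -> bool:
    return e.kind == "regset" and any(k in e.detail.lower() for k in AUTOSTART_KEYS)
def is_firewall_change(e: Event) -> bool:
    return e.kind == "process" and "netsh" in e.detail.lower() and "firewall" in e.detail.lower()
def is_ransom_artifact(e: Event) -> bool:
    return e.kind == "filewrite" and e.detail.lower().endswith((".locked", "readme_decrypt.txt"))
def is_unusual_port(e: Event) -> bool:
    return e.kind == "netconnect" and int(e.detail.rsplit(":", 1)[1]) not in COMMON_PORTS

# (name, hypothetical severity weight 1..3, single-event predicate)
INDICATORS: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("Writes to an autostart registry key", 2, is_autostart),
    ("Disables Windows Firewall via netsh", 2, is_firewall_change),
    ("Writes a ransomware-style artifact", 3, is_ransom_artifact),
    ("Connects to an unusual port", 1, is_unusual_port),
]

def evaluate(events: List[Event]) -> Tuple[List[str], str]:
    """Return the triggered indicator names and a verdict for one detonation."""
    hits = [(n, s) for n, s, match in INDICATORS if any(match(e) for e in events)]
    # Sequence indicator: the same process drops a file and later registers that
    # path for autostart. The ordered pair is stronger evidence than either step.
    dropped = {}
    for e in events:
        if e.kind == "filewrite":
            dropped.setdefault(e.pid, set()).add(e.detail.lower())
        elif is_autostart(e) and any(p in e.detail.lower() for p in dropped.get(e.pid, ())):
            hits.append(("Drops a file and persists it via autostart", 3))
            break
    score = sum(s for _, s in hits)
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "no specific threat"
    return [n for n, _ in hits], verdict

# Constructed events for one fictitious sample; not taken from a real report.
SAMPLE_EVENTS = [
    Event(1200, "filewrite", r"C:\Users\Public\svc.exe"),
    Event(1200, "regset", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc = C:\Users\Public\svc.exe"),
    Event(1200, "process", "netsh advfirewall set allprofiles state off"),
    Event(1200, "netconnect", "198.51.100.7:4444"),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags four indicators, including the sequence one, and yields the "malicious" verdict; a real engine would additionally weight indicators by how rarely they appear in clean software.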
What detonation operating systems do you support?
We support Windows Desktop XP, Vista, 7, 8, 10 (32 and 64 bit) and Ubuntu/RHEL Linux (32 and 64 bit). We also support static file analysis for Android APK files. Custom virtual machine images (using VMware and VirtualBox) are supported with Falcon Sandbox On-Prem.
What type of information is available in a Falcon Sandbox analysis report?
Falcon Sandbox reports include an incident response summary, links to related sandbox analysis reports, many IOCs, actor attribution, recursive file analysis, file details, screenshots of the detonation, runtime process tree, network traffic analysis, extracted strings and IP/URL reputation lookups. In addition, reports are enriched with information from AlienVault OTX, VirusTotal and Falcon Intelligence, providing threat actor attribution, related samples and more. You can also review CrowdStrike’s Falcon Sandbox reports for examples.
Can I threat hunt and search through the results of previously analyzed malware?
Yes, Falcon Sandbox provides a variety of search options, including the ability to combine search terms. You can search for a virus family name, threat actor, specific file type, hash, #tag and whether a specific behavioral indicator was triggered. You can even find reports that contacted a specific IP address, country, domain, URL and much more.
What integrations are provided with Falcon Sandbox?
Falcon Sandbox offers a wide range of integrations including:
- VirusTotal and OPSWAT Metadefender
- AlienVault OTX
- SIEM systems using CEF format
- NSRL (Whitelisting)
- Thug honeyclient (e.g. URL exploit analysis)
- Suricata (network threat detection)
- TOR (to avoid external IP fingerprinting)
- Orchestration platforms (e.g. Demisto, Phantom)
- FAME (malware analysis framework)
- Cortex (manages observables at scale)
The full-featured Falcon Sandbox REST API is also available.
What is recursive analysis and why is it important?
Recursive analysis is a unique capability that determines whether the analyzed file is related to a larger campaign, malware family or threat actor. Falcon Sandbox will automatically search the industry’s largest malware search engine to find related samples and within seconds expand the analysis to include all files. This is important because it provides analysts with a deeper understanding of the attack and a larger set of IOCs that can be used to better protect the organization.
Is Falcon Sandbox localized to any languages?
Yes: English, German, Spanish, French, Italian, Dutch, Polish, Portuguese, Chinese, Turkish, Russian, Vietnamese, Korean, Thai, Indonesian, Malaysian, Arabic