CrowdStrike Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of the world’s most powerful sandbox solution. This unique combination provides context, enabling analysts to better understand sophisticated malware attacks and tune their defenses. Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs). Falcon Sandbox enables cybersecurity teams of all skill levels to increase their understanding of the threats they face and use that knowledge to defend against future attacks.
CrowdStrike Falcon Sandbox FAQ
Hybrid analysis is a file analysis approach that combines runtime data with memory dump analysis to extract all possible execution pathways even for the most evasive malware. The combination of hybrid analysis and extensive pre- and post-execution analysis delivers a unique capability, resulting in the extraction of more IOCs than any other competing sandbox solution. All data extracted from the hybrid analysis engine is processed automatically and integrated into the malware analysis reports.
Hybrid-Analysis.com is a free online malware analysis community enabling users to submit files for free in-depth analysis. In addition, users can search thousands of existing malware reports or download samples and IOCs via the website and well-documented REST API.
Hybrid-Analysis.com is an independent service powered by Falcon Sandbox and is a good way to evaluate the Falcon Sandbox technology. It provides a subset of Falcon Sandbox capabilities. The following chart highlights a few of the differences:
| Feature | Hybrid-Analysis.com | Falcon Sandbox | Falcon Sandbox On-Prem |
|---|---|---|---|
| DETONATION ENVIRONMENTS | | | |
| Windows 7 (32/64) | ✓ | ✓ | ✓ |
| Windows 10 | ✓ | ✓ | |
| Ubuntu 16 (64) | ✓ | ✓ | ✓ |
| Ubuntu 16 (32/64) and RedHat | | | ✓ |
| Custom “Golden” Images | | | ✓ |
| FILE SUBMISSIONS | | | |
| Max file submissions per month | Up to 30 as Guest | Up to 25,000 | Unlimited |
| Analyze Files/Archives | ✓ | ✓ | ✓ |
| Analyze URLs | ✓ | ✓ | ✓ |
| Submission without reCAPTCHA | | ✓ | ✓ |
| Re-analyze extracted files | | ✓ | ✓ |
| Custom Action Scripts | | | ✓ |
| DOWNLOADS | | | |
| Binary Samples/PCAPs | ✓ | ✓ | ✓ |
| MAEC, STIX, MISP, OpenIOC | ✓ | ✓ | ✓ |
| PDF, JSON, HTML | | ✓ | ✓ |
| Per Process Memory Dumps | | | ✓ |
| REPORT FEATURES | | | |
| Risk view summary and verdict | ✓ | ✓ | ✓ |
| View all malicious/suspicious indicators (IOCs) | | ✓ | ✓ |
| View all network IDS rule triggers | | ✓ | Requires license |
| Full privacy for your reports | | ✓ | ✓ |
| INTEGRATION | | | |
| CrowdStrike Intel integration (attribution, IOCs, IDS, YARA) | | ✓ | Requires license |
| Falcon MalQuery Integration | ✓ | ✓ | ✓ |
| REST API for file submissions and search | ✓ | ✓ | ✓ |
| Support for SOAR tools (e.g. Phantom, Demisto) | | ✓ | ✓ |
| SIEM integration (CEF, syslog) | | | ✓ |
| Passive email/NFS scanning with Falcon Sandbox Bridge | | | ✓ |
| SYSTEM FEATURES | | | |
| Unlimited detonation environments | | | ✓ |
| Write custom behaviors | | | ✓ |
| Add custom YARA rules | | | ✓ |
Yes, files submitted to Falcon Sandbox are private. All submitted files and associated reports are stored and maintained in the highly secure Falcon platform. If you have privacy policies that restrict sending malware files to the cloud, please consider the Falcon Sandbox On-Prem version.
Authors of modern malware are aware of sandbox technology and have instrumented their malware to stop or hide malicious activity when it detects an external process monitoring the file. Traditional, first-generation sandbox monitors run at the application layer (user mode) to intercept system library calls, and such hooks are easily detected. Falcon Sandbox implements monitoring at the operating system level (kernel mode), leaving the target process untouched and making the monitor very difficult to detect. The Falcon Sandbox kernel mode monitor has proven to be robust and extremely effective against “in the wild” and most current malware samples. CrowdStrike’s anti-sandbox and anti-VM detection technology (illustrated by benchmark tools such as Pafish or VMDE) enables analysis of most evasive malware. CrowdStrike constantly updates Falcon Sandbox to stay ahead of new evasion techniques and verifies its performance with in-house benchmark tools and with the public community offering Hybrid-Analysis.com, which is field-tested every day.
Falcon Sandbox scales automatically. You can easily process up to 25,000 files per month with the appropriate license. This level of scalability is provided without any infrastructure costs to you.
Falcon Sandbox On-Prem customers can scale to over 25,000 files per month with the appropriate license. It is possible to build distributed large-scale systems using the load-balancing broker Falcon Sandbox Bridge and enable processing of an unlimited number of files. Please contact FalconSandbox@crowdstrike.com for guidance on deployment options.
Falcon Sandbox On-Prem is designed for organizations that require customized control of how malware is detonated; have stringent privacy requirements that restrict files from leaving the organization; or require massive scalability that exceeds 25,000 files analyzed per month.
Falcon Sandbox On-Prem includes the features of Falcon Sandbox, plus:
- Custom or “golden” guest virtual machine images (VirtualBox hypervisors are supported).
- Analysis of files in an unlimited number of virtual environments in parallel, to provide true targeted attack detection.
- The ability to tune Falcon Sandbox to your specific requirements. Falcon Sandbox On-Prem has hundreds of configuration options, including custom “action scripts” (to simulate human activity during detonation) and custom behavior indicators, and lets you adjust the malware verdict for custom risk scoring.
- The ability to run completely disconnected from the network (air gapped) while simulating network connectivity (using FakeNet-NG or INetSim).
- A variety of integrations, such as sending analysis results to SIEMs using CEF syslog.
- The ability to add your own custom YARA rules, hash/certificate allowlists and more.
CrowdStrike provides all the software used by Falcon Sandbox On-Prem as part of an automated installation process. CrowdStrike notifies all customers when a new release is available with links to both the documentation as well as the release package. Upgrading the system is automated, easy and fast.
Falcon Sandbox (cloud) is the preferred deployment option for most Falcon Sandbox users. Cloud delivery provides instant time-to-value with no infrastructure investment, making it a compelling, cost-effective deployment option.
The Falcon Sandbox On-Prem option is designed for organizations that demand customized control of how malware is detonated, have stringent privacy requirements that restrict malware from leaving the organization or require massive scalability exceeding 25,000 files analyzed per month.
The following chart offers a summary of features for the two deployment options:
| Feature | Falcon Sandbox | Falcon Sandbox On-Prem |
|---|---|---|
| Total Files Analyzed Per Month | Up to 25,000 files | Unlimited license available |
| Guest Operating System Support | Windows 7, 10 (32/64), Ubuntu Linux (64), Android (static analysis) | Adds custom virtual machine images, Ubuntu Linux (32 bit) |
| Privacy | All files/reports are private | Adds ability to deploy disconnected from the network (air gapped) |
| Downloads / File Formats | Binary samples, CSV, JSON, STIX, MAEC, PCAP, PDF, MISP, OpenIOC | Adds CEF format |
| Customization | Configure malware detonation (duration, date and time), command line options, select existing action scripts and choose from existing execution environments | Adds the ability to run malware samples on custom images, create user-defined action scripts and add fine-grained configuration options |
| Reporting | Comprehensive analysis reports, including recursive file analysis | Comprehensive analysis reports |
| CrowdStrike Intelligence Integration | Yes | Requires license |
| MalQuery Integration | Yes | Requires license |
Falcon Sandbox Bridge enables the creation of a distributed Falcon Sandbox On-Prem system that can process hundreds of thousands of files per day. This scale is accomplished by adding physical servers to your existing Falcon Sandbox On-Prem system with a load balancing controller that distributes incoming files to one or more designated application servers managed by Falcon Sandbox Bridge.
Falcon Sandbox Bridge can also collect files from various sources (e.g. e-mail inboxes, network drives, etc.) and forward them to Falcon Sandbox On-Prem. File collection is implemented by polling the file source at a user-defined frequency. Once analysis is complete and the result for a file is retrieved, an automated email notification is sent based on a user-defined threat level.
Falcon Sandbox supports PE files (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office documents (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (.wsf), JavaScript (.js), Visual Basic (.vbs, .vbe), Shockwave Flash (.swf), PowerShell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg), Python (.py) and Perl (.pl) scripts, Linux ELF executables, MIME RFC 822 (.eml) and Outlook .msg files.
You can upload archives with or without a password: ace, arj, 7z, bzip2, gzip, iso, rar, rev, tar, wim, xz and zip. Password-protected archives must use the conventional password “infected”.
Falcon Sandbox gives users control over how malware is detonated through configurable settings. These options include setting the date/time, environment variables and command line options, providing passwords for PDF/Office prompts and more. In addition, you can select from many “action scripts” that mimic user behavior (such as mouse clicks and movement, keyboard entry, etc.) during detonation to help expose malware attempting to hide from sandbox technology.
If you need additional flexibility, Falcon Sandbox On-Prem provides additional capabilities and is designed for organizations that demand customized control of how malware is detonated.
Behavioral indicators, similar to indicators of attack (IOAs), define high-risk activity or a series of activities taken in sequence that can be considered potentially malicious. Examples include adding an entry to an autostart registry key, changing a firewall setting, writing a known ransomware file to disk or sending data on unusual ports. Behavioral indicators provide a more complete view of the potential risk of a file and are used to identify previously unknown threats. Falcon Sandbox includes more than 700 generic behavioral indicators, which are constantly being updated and expanded.
Falcon Sandbox supports Windows Desktop XP, Vista, 7, 8, 10 (32 and 64 bit) and Ubuntu/RHEL Linux (32 and 64 bit). Static file analysis is also supported for Android APK files. Custom virtual machine images (using VMware and VirtualBox) are supported with Falcon Sandbox On-Prem.
Falcon Sandbox reports include an incident response summary, links to related sandbox analysis reports, extracted IOCs, actor attribution, recursive file analysis, file details, screenshots of the detonation, the runtime process tree, network traffic analysis, extracted strings and IP/URL reputation lookups. Reports are also enriched with information from AlienVault OTX, VirusTotal and CrowdStrike Intelligence, providing threat actor attribution, related samples and more. You can review CrowdStrike’s Falcon Sandbox reports for examples.
Yes, Falcon Sandbox provides a variety of search options, including the ability to combine search terms. You can search for a virus family name, threat actor, specific file type, hash, #tag and whether a specific behavioral indicator was triggered. You can even find reports that have contacted a specific IP address, country, domain, URL and much more.
Falcon Sandbox offers a wide range of integrations including:
- VirusTotal and OPSWAT Metadefender
- AlienVault OTX
- SIEM systems using CEF format
- NSRL (allowlisting)
- Thug honeyclient (e.g. URL exploit analysis)
- Suricata (network threat detection)
- Tor (to avoid external IP fingerprinting)
- Orchestration platforms (e.g. Demisto, Phantom)
- FAME (malware analysis framework)
- Cortex (manages observables at scale)
The full-featured Falcon Sandbox REST API is also available.
Recursive analysis is a unique capability that determines whether the analyzed file is related to a larger campaign, malware family or threat actor. Falcon Sandbox automatically searches the industry’s largest malware search engine to find related samples and, within seconds, expands the analysis to include all of those files. This is important because it gives analysts a deeper understanding of the attack and a larger set of IOCs that can be used to better protect the organization.
Falcon Sandbox is licensed on a subscription basis, priced by the number of files analyzed per month. Flexible subscription options are available for both Falcon Sandbox and the On-Prem edition.
For more information, please contact us.