PT Sandbox gets new proactive threat search capabilities

Positive Technologies has released PT Sandbox 4.0, the newest version of its sandbox for protection against targeted and mass attacks. The updated product features enhanced capabilities for threat hunting with flexible search and customizable filtering options. In addition, PT Sandbox now supports the server operating systems Windows Server 2016 and Windows Server 2019. This lets security analysts run virtual machines with these operating systems in the sandbox and detect attacks aimed at them.

PT Sandbox 4.0 introduces a flexible search mechanism for finding traces of compromise and testing hypotheses proposed during threat hunting. Sandbox users can create complex queries for selecting file analysis tasks. Criteria include file names and formats, network indicators, file hashes, detection names, email sender and recipient addresses, threat classes, and other text substrings. This makes it possible, for example, to identify specific malicious behavior retrospectively and link seemingly disparate incidents into a single attack chain.

"PT Sandbox will deliver threat hunting for companies that currently lack other monitoring tools with threat-hunting functionality, such as traffic analysis systems. Knowing the signs of malware designed to attack a particular industry, type of business, or country, PT Sandbox users can configure a recurring refined search to detect this cyberthreat," comments Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center (PT ESC).

Support for Windows Server 2016 and Windows Server 2019 has been added to enhance the ability to simulate a company’s real-world infrastructure.

"We have expanded the capabilities of our sandbox to replicate not only user workstations in virtual environments, but also servers. This allows PT Sandbox to detect attacks honed for server operating systems," says Olga Tikhonova, PT Sandbox Development Manager.

The new event storage system makes PT Sandbox even more user-friendly. The product interface now displays the execution status of each task in real time and updates the results of static and dynamic file analysis. Even before scanning is complete, the infosec expert can monitor the execution status of tasks and check them against PT ESC rules.