Another evasion method relies on environmental checks, Lastline points out.
- Malware authors can add novel, zero-day "environmental checks" related to the operating system and "manipulate the return value" as an evasive maneuver that forces vendors to "patch" their sandbox to catch it, according to Lastline.
Lastline seeks to address these sandbox-evasion tricks in its Previct appliance, but Kruegel acknowledges "there is no 100% security."
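The check-and-patch cycle described above, as an added example written for this edit (not code from the article, from Lastline or from any real sample): a handful of environmental checks a sample might run, the vendor's counter-move of rewriting the return values of the checks it knows about, and a "novel" check that the spoofing does not yet cover. The artifact lists, thresholds, plausible-workstation values and the constructed SANDBOX_FACTS measurements are all assumptions chosen to show the pattern.

```python
"""Environmental sandbox checks and the vendor's spoofing counter-move.

Added example, not taken from the article, from Lastline or from any real
sample. The artifact lists, thresholds and the constructed SANDBOX_FACTS are
assumptions chosen to show the pattern.
"""
import getpass
import os
import shutil
import time
import uuid

# MAC OUIs of VMware and VirtualBox virtual NICs (assumed list).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27")
# Account names typical of analysis images (assumed list).
SUSPICIOUS_USERS = {"sandbox", "malware", "virus", "maltest", "test"}
# Guest-tools binaries whose presence betrays a hypervisor (assumed paths).
GUEST_TOOL_PATHS = ("/usr/bin/vmtoolsd", "/usr/bin/VBoxClient",
                    "C:\\Windows\\System32\\drivers\\VBoxGuest.sys")


def _uptime_seconds():
    try:
        with open("/proc/uptime") as fh:
            return float(fh.read().split()[0])
    except OSError:
        return time.monotonic()  # CLOCK_MONOTONIC approximates time since boot


def _sleep_skew(requested=0.05):
    """Positive skew means sleep returned early: the sandbox fast-forwarded it."""
    start = time.time()
    time.sleep(requested)
    return requested - (time.time() - start)


def collect_facts():
    """Gather the signals a sample would inspect on the machine it runs on."""
    try:
        user = getpass.getuser().lower()
    except Exception:  # no passwd entry in a stripped-down container
        user = "unknown"
    node = uuid.getnode()
    return {
        "cpu_count": os.cpu_count() or 1,
        "uptime_s": _uptime_seconds(),
        "username": user,
        "mac": ":".join(f"{(node >> (40 - 8 * i)) & 0xFF:02x}" for i in range(6)),
        "guest_tools": [p for p in GUEST_TOOL_PATHS if os.path.exists(p)],
        "sleep_skew_s": _sleep_skew(),
        "disk_gb": shutil.disk_usage(os.path.abspath(os.sep)).total // 2**30,
    }


# (name, fact key, predicate). A sandbox operator can only neutralise a check
# after learning it exists; a new one is the "zero-day" check the article describes.
CHECKS = [
    ("few_cpus", "cpu_count", lambda v: v < 2),
    ("fresh_boot", "uptime_s", lambda v: v < 10 * 60),
    ("analysis_user", "username", lambda v: v in SUSPICIOUS_USERS),
    ("vm_nic", "mac", lambda v: v.startswith(VM_MAC_PREFIXES)),
    ("guest_tools", "guest_tools", lambda v: bool(v)),
    ("sleep_skipped", "sleep_skew_s", lambda v: v > 0.02),
]
NOVEL_CHECK = ("tiny_disk", "disk_gb", lambda v: v < 60)  # not yet known to the vendor

# Values a real workstation would plausibly return (assumed).
PLAUSIBLE = {"cpu_count": 4, "uptime_s": 3 * 24 * 3600, "username": "jsmith",
             "mac": "3c:22:fb:10:20:30", "guest_tools": [], "sleep_skew_s": 0.0,
             "disk_gb": 500}


def triggered_checks(facts, checks):
    """Names of the checks that fire; a sample typically stays dormant on any hit."""
    return [name for name, key, pred in checks if pred(facts[key])]


def spoof(facts, known_checks):
    """The vendor's 'patch': rewrite the return value of every check it knows
    about. Facts that no known check reads are left alone, which is why a
    novel check still sees the real sandbox."""
    patched = dict(facts)
    for _, key, _ in known_checks:
        patched[key] = PLAUSIBLE[key]
    return patched


# Constructed measurements from a hypothetical analysis VM (not real data).
SANDBOX_FACTS = {"cpu_count": 1, "uptime_s": 90, "username": "sandbox",
                 "mac": "00:0c:29:ab:cd:ef", "guest_tools": ["/usr/bin/vmtoolsd"],
                 "sleep_skew_s": 0.049, "disk_gb": 40}


def arms_race():
    """One round of the cycle: detect, vendor patches, author adds a new check."""
    hits_before = triggered_checks(SANDBOX_FACTS, CHECKS)
    patched = spoof(SANDBOX_FACTS, CHECKS)   # vendor spoofs the known checks
    hits_after = triggered_checks(patched, CHECKS)
    evolved = CHECKS + [NOVEL_CHECK]         # author ships a check nobody has seen
    hits_novel = triggered_checks(patched, evolved)
    return hits_before, hits_after, hits_novel


if __name__ == "__main__":
    print("constructed sandbox:", arms_race())
    print("this host:", triggered_checks(collect_facts(), CHECKS + [NOVEL_CHECK]))
```

Running the script on a real workstation should print an empty list for "this host"; a hit there is a useful hint of what your own analysis VM gives away. The spoof function is deliberately blind to anything outside its known-check list, which is the whole point of Lastline's observation: each new check the author adds costs the vendor another patch.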
Some information-security managers say they appreciate sandboxing as a defensive technology but have no illusions that it will detect and stop every piece of malware.
"Sandboxing will get some of it," says Brad Stroeh, senior network security engineer at First Financial Bank, a Sourcefire customer, in discussing a wide variety of security approaches and the credence he places in them. Subjecting suspected malware to a sandbox test where possible is worthwhile as one part of the overall defensive process, but since malware can bypass sandbox checks, other malware-detection methods must be used as well.