Endpoint Detection

Download

Select one of the following links to download Joe Sandbox Detect (the current version number is shown alongside the links):

Introduction

Joe Security offers a slim endpoint client called Joe Sandbox Detect with the following two functionalities:

  • Validation of EDR / XDR alerts: Joe Sandbox Detect automatically analyzes files quarantined by the Endpoint Protection product and provides deep malware analysis on top of EDR / XDR alerts.

  • User-spotted Phishing and Malware Reporting: Joe Sandbox Detect enables any user to easily analyze e-mails with Joe Sandbox and sends a deep malware analysis report to the security team.

Both functionalities can be used together or on their own.

Endpoint Detection Quarantine Analysis

Joe Sandbox Detect automatically monitors your Endpoint Detection quarantine for new files. New files are automatically sent to Joe Sandbox (Cloud or on-premise) and analyzed. On completion, the security team is notified and can validate the verdict.

_images/quarantine.png

The following Endpoint Detection products are supported:

  • Avast

  • AVG

  • Avira

  • Crowdstrike

  • ESET

  • FortiClient

  • GData

  • Kaspersky

  • MalwareBytes

  • McAfee

  • SentinelOne

  • Sophos

  • Trendmicro

  • Windows Defender

Monitoring is fully automated; no user intervention is required.

For Windows Defender, please also check out the Joe Sandbox Microsoft Defender Connector, which directly enriches Defender alerts.

Submission of interesting Files

Users can easily submit an e-Mail or file for analysis. Simply select the appropriate e-Mail / file and drag it to the analysis area.

_images/manual.png

Once the analysis is complete, both the security team and the user are alerted:

_images/result.png

Joe Sandbox Detect classifies the submission into clean, suspicious and malicious:

_images/verdict.png

Note

The suspicious verdict can also carry the attribute expert knowledge needed. In that case Joe Sandbox is not certain about the detection, and an experienced malware analyst should review the analysis report.

If a user clicks on Open Analysis Report, Joe Sandbox Detect downloads and shows the PDF analysis report.

Note

Joe Sandbox Detect connects directly to your Joe Sandbox (Cloud or on-premise). Hence the security team can access all analyses via the Joe Sandbox web interface, and can also download all IOCs, detailed analysis reports, etc.

Create custom Alerts

Alerts are e-mail messages about a malicious or suspicious detection which Joe Sandbox sends to the security team. To create an alert, log in to the Joe Sandbox web interface. Then click on your account and then Filters/Alerts - Alerts. Next click Create New and fill in the fields according to the screenshot below:

_images/alert.png

The XPath filter /analysis/signaturedetections/strategy[@name='empiric']/detection[text()='MAL'] triggers on all malicious detections; /analysis/signaturedetections/strategy[@name='empiric']/detection[text()='SUS'] triggers on all suspicious analyses. You can extend the filter to only trigger on Microsoft Office documents or PDFs. To do so, please have a look at the Filter Guide, which you find under Filters. Once the alert is saved, Joe Sandbox sends e-mail alerts to all e-mail addresses specified.
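To see how the two alert filters above decide whether an alert is sent, the following added example (not part of Joe Security's documentation or product) evaluates them against constructed report fragments. The sample XML models only the elements the filters touch and is not a copy of the real Joe Sandbox report schema. Python's ElementTree cannot evaluate absolute paths or the text() function, so the example translates the documented XPath into the equivalent ElementTree form; the filter strings themselves are exactly those given above.

```python
import xml.etree.ElementTree as ET

ROOT_TAG = "analysis"

# The two alert filters from the documentation, with straight quotes.
MAL_FILTER = "/analysis/signaturedetections/strategy[@name='empiric']/detection[text()='MAL']"
SUS_FILTER = "/analysis/signaturedetections/strategy[@name='empiric']/detection[text()='SUS']"

# Constructed sample reports. They model only the elements the two filters
# touch and are not copies of the real Joe Sandbox report schema.
MALICIOUS_REPORT = """<analysis>
  <signaturedetections>
    <strategy name="empiric"><detection>MAL</detection></strategy>
  </signaturedetections>
</analysis>"""

# Suspicious under the empiric strategy; a second, hypothetical strategy says
# MAL, which the [@name='empiric'] predicate must ignore.
SUSPICIOUS_REPORT = """<analysis>
  <signaturedetections>
    <strategy name="empiric"><detection>SUS</detection></strategy>
    <strategy name="other"><detection>MAL</detection></strategy>
  </signaturedetections>
</analysis>"""

CLEAN_REPORT = """<analysis>
  <signaturedetections>
    <strategy name="empiric"><detection>CLEAN</detection></strategy>
  </signaturedetections>
</analysis>"""


def to_etree_path(xpath: str) -> str:
    """Translate an absolute report XPath into the subset ElementTree evaluates.

    ElementTree rejects absolute paths and does not know the text() function,
    so "/analysis/..." becomes "./..." relative to the root element and
    "[text()='X']" becomes "[.='X']" (an element whose text equals X).
    """
    prefix = f"/{ROOT_TAG}/"
    if not xpath.startswith(prefix):
        raise ValueError(f"filter must start with {prefix!r}: {xpath}")
    return "./" + xpath[len(prefix):].replace("text()=", ".=")


def filter_matches(report_xml: str, xpath: str) -> bool:
    """True if the filter selects at least one node in the report."""
    root = ET.fromstring(report_xml)
    if root.tag != ROOT_TAG:
        return False  # not an analysis document; the absolute path cannot match
    return len(root.findall(to_etree_path(xpath))) > 0


def alert_verdict(report_xml: str) -> str:
    """Return which alert filter would fire for this report: "MAL", "SUS" or "none"."""
    if filter_matches(report_xml, MAL_FILTER):
        return "MAL"
    if filter_matches(report_xml, SUS_FILTER):
        return "SUS"
    return "none"


if __name__ == "__main__":
    for label, report in [("malicious", MALICIOUS_REPORT),
                          ("suspicious", SUSPICIOUS_REPORT),
                          ("clean", CLEAN_REPORT)]:
        print(f"{label:10s} -> alert filter: {alert_verdict(report)}")
```

The suspicious sample deliberately carries a MAL verdict under a different strategy name to show that the [@name='empiric'] predicate, not just the detection text, decides whether the malicious alert fires.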

Data encryption

Joe Sandbox Detect offers the option to permanently encrypt all analysis data. See the option "ENCRYPTCONFIDENTIALDATA" in the Installation section below.

Data encryption means that:

  • All the analysis data is encrypted on the server at the end of an analysis.

  • The encryption key is stored exclusively on the endpoint, i.e. nobody except the user can decrypt these files.

  • If a user downloads a report in Joe Sandbox Detect, the report is decrypted on the fly, so the password does not have to be entered explicitly.

  • Joe Sandbox uses AES-256 encryption with a random 256-bit password for each analysis. There is an option to use a pre-defined password across all endpoints (see DEFAULTENCRYPTIONKEY in the Installation section).

  • Please note that meta information (i.e. sample hash, filename, detection status) is not encrypted.

  • Files from the Endpoint Security quarantine are not encrypted.

View Analysis

Right-click the Joe Sandbox Detect tray icon in your task bar, then select Show Analysis:

_images/menu.png

The Analysis Overview will open. You can download the report from there, and also copy the password to the clipboard to be able to decrypt further data (if encryption is used).

_images/viewanalysis.png

Update Joe Sandbox Detect

Right-click the Joe Sandbox Detect tray icon in your task bar, then select About:

_images/about.png

If an update is available, click on the link provided.

Security disclaimer

Warning

Joe Sandbox Detect detects malicious e-mails, attachments and files, but does not delete or remove them. You are responsible for deleting and removing malicious files and e-mails. Also be aware that Joe Sandbox is not perfect: an e-mail, attachment or file detected as clean is no guarantee that it is not malicious!

Installation

Download and install the Joe Sandbox Detect installer provided by Joe Security. During installation the installer will ask you for the API key, which you find in Web App - User Settings. The installer accepts the following parameters:

Parameter                         Format                                      Mandatory  Default            Description
/q                                -                                           no         -                  Enable silent install, without any GUI.
API_KEY                           string                                      yes        -                  API key generated via Web App - User Settings.
ACCEPT_EULA                       integer, yes=1                              yes        0                  EULA available in the Web App - Analyze.
JBX_SYSTEM                        string                                      no         W10x64_office      Default analysis system; the list of systems can be found in Web App - Analyze - Analysis System.
JBX_URL                           string                                      no         Joe Sandbox Cloud  URL to the Joe Sandbox web interface; defaults to Joe Sandbox Cloud.
ENCRYPTCONFIDENTIALDATA           boolean                                     no         false              All analysis data is encrypted immediately after an analysis. Meta information is kept. Quarantine uploads are not encrypted.
DEFAULTENCRYPTIONKEY              string                                      no         -                  If ENCRYPTCONFIDENTIALDATA is true, this key encrypts all analyses; if not set, a new random password is generated for each submission.
NOTIFICATIONWINDOWREPORTDOWNLOAD  string, "html", "lighthtml" or "executive"  no         executive          The report type the user can download in the notification window.
ANALYSISOVERVIEWREPORTDOWNLOAD    string, "html", "lighthtml" or "executive"  no         executive          The report type the user can download in the analysis overview.
ENABLEQUARANTINEUPLOADS           boolean                                     no         true               Enables quarantine upload.
DISABLEMANUALUPLOAD               boolean                                     no         false              Disables manual upload.
REBOOT                            string "Force"                              no         -                  If set, the computer is rebooted immediately after installation to launch the app as the local user.

Example:

msiexec /q /i "Joe Sandbox Detect Installer.msi" API_KEY=12a4... ACCEPT_EULA=1 JBX_SYSTEM=w7x64 REBOOT=Force

Error Analysis

Joe Sandbox Detect writes its log files to C:\ProgramData\Joe Sandbox Detect. In case of an error or application crash, please send all logs from C:\ProgramData\Joe Sandbox Detect to Joe Security.