Endpoint Detection

Joe Sandbox Mail Discontinued

Joe Sandbox Mail 1.9 has been discontinued and is replaced by Joe Sandbox Detect. Joe Sandbox Detect covers the same functionalities as Joe Sandbox Mail plus some great additional features.

Joe Sandbox Detect in a Nutshell

Joe Security offers an endpoint protection product called Joe Sandbox Detect. Joe Sandbox Detect is a powerful endpoint detection tool with three main functions:

  • Automatic analysis of suspicious files with Joe Sandbox Cloud or Joe Sandbox On-Premise
  • Manual analysis of suspicious e-Mails, attachments and files with Joe Sandbox Cloud and Joe Sandbox On-Premise
  • Alerting the security team (SOC, CERT, CIRT) as well as the user about malicious detections

Automatic Analysis of suspicious Files

Joe Sandbox Detect monitors the following browsers and e-Mail applications:

  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Outlook
  • Mozilla Thunderbird

If one of those applications creates a suspicious file, e.g. through an exploit or user interaction, Joe Sandbox Detect uploads the file to Joe Sandbox Cloud or Joe Sandbox On-Premise:

_images/auto.png

The following files are considered suspicious:

  • exe, dll, sys, doc, docx, docm, dot, dotm, rtf, xls, xlsx, xlsm, xltx, xlt, xltm, ppt, pptx, mht, hta, cmd, scf, lnk, pot, potx, pptm, bat, pif, sct, com, cpl, js, jse, vbs, vbe, jar, rar, zip, iso, 7z, bzip, bzip2, tar, gzip, lzh, chm, msi and sfx

Joe Sandbox analyzes the file and informs the security team (CERT, CIRT, SOC, etc.) as well as the user.

Manual Analysis of interesting Files

In addition, users can manually check an e-Mail or file for malware. To do this, select the appropriate e-Mail / file and drag it to the analysis area.

_images/manual.png

Since the analysis is very comprehensive, it can take up to 6 minutes. Once the analysis is complete the security team as well as the user are alerted:

_images/result.png

Joe Sandbox Detect classifies your submission into clean, suspicious and malicious:

_images/verdict.png

Note

The suspicious verdict can also carry the attribute "expert knowledge needed". In that case Joe Sandbox is not sure about the detection, and an experienced malware analyst should review the analysis report.

If the user clicks on Open Analysis Report, Joe Sandbox Detect downloads and shows the PDF analysis report.

Note

Joe Sandbox Detect connects directly to your Joe Sandbox Cloud or Joe Sandbox On-Premise web user account. Therefore you can access all analyses via the Joe Sandbox web interface, and you can also download all IOCs, detailed analysis reports, etc.

Create custom Alerts

Alerts are e-Mail messages about a malicious or suspicious detection which Joe Sandbox sends to the security team. To create an alert, log in to the Joe Sandbox web interface, click on your account and then on Alerts. Next click Create New and fill in the fields according to the screenshot below:

_images/alert.png

The XPATH filter /analysis/signaturedetections/strategy[@name='empiric']/detection[text()='MAL'] triggers on all malicious detections, and /analysis/signaturedetections/strategy[@name='empiric']/detection[text()='SUS'] on all suspicious analyses. You can extend the filter to trigger only on Microsoft Office documents or PDFs; to do so, have a look at the Filter Guide, which you find under account - Filters. Once saved, Joe Sandbox sends e-Mail alerts to all e-Mail addresses specified.
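As an added illustration (not part of this documentation and not Joe Security's code), the following Python script evaluates the two alert filters quoted above against constructed analysis XML. The real Joe Sandbox report XML is not reproduced on this page, so the samples contain only the elements the filters address, and the evaluator supports just the location-step and predicate forms those filters use ([@attr='value'] and [text()='value']); the Joe Sandbox web interface evaluates the real filters with a full XPath engine. The point of the script is to let you check, before saving an alert, which verdicts a given filter string would fire on.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample reports (not real Joe Sandbox output): only the elements
# that the alert filters on this page address are present.
SAMPLE_REPORTS = {
    "malicious.xml": """<analysis>
  <signaturedetections>
    <strategy name="empiric"><detection>MAL</detection></strategy>
    <strategy name="other"><detection>CLEAN</detection></strategy>
  </signaturedetections>
</analysis>""",
    "suspicious.xml": """<analysis>
  <signaturedetections>
    <strategy name="empiric"><detection>SUS</detection></strategy>
  </signaturedetections>
</analysis>""",
    "clean.xml": """<analysis>
  <signaturedetections>
    <strategy name="empiric"><detection>CLEAN</detection></strategy>
  </signaturedetections>
</analysis>""",
}

# The two filters quoted in the text above (straight single quotes are required).
MAL_FILTER = "/analysis/signaturedetections/strategy[@name='empiric']/detection[text()='MAL']"
SUS_FILTER = "/analysis/signaturedetections/strategy[@name='empiric']/detection[text()='SUS']"

# One location step: an element name followed by zero or more predicates of the
# forms [@attr='value'] or [text()='value']. Anything else (e.g. curly quotes
# pasted from a document, or [1]) is rejected rather than silently ignored.
STEP_RE = re.compile(r"^([A-Za-z_][\w.-]*)((?:\[(?:@[\w.-]+|text\(\))='[^']*'\])*)$")
PRED_RE = re.compile(r"\[(?:@([\w.-]+)|text\(\))='([^']*)'\]")


def parse_filter(xpath):
    """Split an absolute path into [(element_name, [(attr_or_empty, value), ...]), ...]."""
    if not xpath.startswith("/"):
        raise ValueError("only absolute filters starting with '/' are supported")
    steps = []
    for raw in xpath[1:].split("/"):
        m = STEP_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported location step: {raw!r}")
        steps.append((m.group(1), PRED_RE.findall(m.group(2))))
    return steps


def node_matches(elem, conds):
    """Check every predicate: attribute equality, or element text equality for text()."""
    for attr, value in conds:
        if attr:
            if elem.get(attr) != value:
                return False
        elif (elem.text or "").strip() != value:
            return False
    return True


def evaluate(xml_text, xpath):
    """Return the elements the filter selects; an empty list means the alert would not fire."""
    steps = parse_filter(xpath)
    root = ET.fromstring(xml_text)
    name, conds = steps[0]
    current = [root] if root.tag == name and node_matches(root, conds) else []
    for name, conds in steps[1:]:
        # findall(name) returns direct children only, matching a single '/' step
        current = [c for e in current for c in e.findall(name) if node_matches(c, conds)]
    return current


def reports_triggering(xpath, reports=SAMPLE_REPORTS):
    """Names of the sample reports for which an alert with this filter would fire."""
    return sorted(name for name, xml in reports.items() if evaluate(xml, xpath))


if __name__ == "__main__":
    for label, flt in (("MAL", MAL_FILTER), ("SUS", SUS_FILTER)):
        print(f"{label} filter fires for: {reports_triggering(flt)}")
```

Running the script shows the MAL filter firing only on the malicious sample and the SUS filter only on the suspicious one; a filter copied with typographic quotes (’) instead of straight quotes raises a ValueError, which is the same mistake that silently matches nothing when pasted into the web interface.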

Data encryption

Joe Sandbox Detect offers the option to encrypt all the analysis data permanently. See the option “ENCRYPTCONFIDENTIALDATA” in the Installation section below.

Data encryption means that:

  • All the analysis data is encrypted on our server at the end of an analysis.
  • The encryption key is exclusively stored on the endpoint, i.e. nobody else can decrypt these files except for the endpoint user. Even Joe Security staff cannot decrypt the files!
  • If you download a report in Joe Sandbox Detect, it is decrypted on the fly, so the password does not have to be entered explicitly.
  • We use AES-256 encryption with a random 256-bit password for each analysis. You can pre-define a password for each endpoint which is used to encrypt all analyses instead, so that your SOC has the possibility to decrypt the analyses as well.
  • Please note that meta information (i.e. sample hash, filename, detection status) is not encrypted.

View Analysis

Right-click the Joe Sandbox Detect tray icon in your task bar, then select Show Analysis:

_images/menu.png

The Analysis Overview will open. You can download the report from there, and also copy the password to the clipboard to be able to decrypt further data (if encryption is used).

_images/viewanalysis.png

Update Joe Sandbox Detect

Right-click the Joe Sandbox Detect tray icon in your task bar, then select About:

_images/about.png

If there is an update available click on the link provided.

Security disclaimer

Warning

Joe Sandbox Detect detects malicious e-mails, attachments and files, but it does not delete or remove them. You are responsible for deleting and removing malicious files and e-mails. Also be aware that Joe Sandbox is not perfect: an e-mail, attachment or file detected as clean does not guarantee that it is not malicious!

Download

You can download Joe Sandbox Detect here:

Installation

Download and install the Joe Sandbox Detect installer provided by Joe Security. During installation, the installer asks you for the API key, which you find in Joe Sandbox - User Settings - API Key. The installer accepts the following properties:

  • /q (enable silent install, without any GUI)
  • API_KEY=12a4… (mandatory; must be a valid API Key)
  • ACCEPT_EULA=1 (mandatory)
  • SUPPORT_EMAIL=support@yourcompany.com
  • JBX_SYSTEM=w7x64 (optional; this system will be used for all of your analyses; defaults to w10x64_office)
  • JBX_URL=https://my-joesandbox-instance.org (optional; do not set for Joe Sandbox Cloud)
  • REBOOT=Force (optional; if set, the computer is rebooted immediately after installation in order to launch the app as the local user)
  • SHOWMALICIOUSDETECTIONSFORAUTOUPLOADS (optional; if set to false, no notifications for malicious files are shown to the user; defaults to true)
  • ENCRYPTCONFIDENTIALDATA (optional; if set to true, all confidential data (i.e. sample, raw analysis data and reports) is encrypted immediately after an analysis is finished. However, meta information (i.e. sample hash, filename, detection status) is kept; defaults to false)
  • DEFAULTENCRYPTIONKEY (optional; if ENCRYPTCONFIDENTIALDATA is true, this key will be used to encrypt all analyses; if not set, a new random password is generated for each submission)
  • PROCESSESMONITORED (optional; defaults to chrome.exe, firefox.exe etc. as specified above)
  • FILEEXTENSIONSTOMONITOR (optional; if an empty string is passed (“”), no files are monitored at all; defaults to the extensions specified above)
  • FILESTOIGNORE (optional; regular expression for paths to ignore; Detect applies a sensible selection of paths by default)
  • MAXFILESIZETOANALYZE (optional; defaults to 10 MB)
  • NOTIFICATIONWINDOWREPORTDOWNLOAD (optional; can be html, lighthtml, executive, pdf; defaults to executive)
  • ANALYSISOVERVIEWREPORTDOWNLOAD (optional; can be html, lighthtml, executive, pdf; defaults to executive)

Example:

msiexec /q /i "Joe Sandbox Detect Installer.msi" API_KEY=12a4... ACCEPT_EULA=1 JBX_SYSTEM=w7x64 REBOOT=Force
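To let an administrator check a FILESTOIGNORE expression and an extension list before rolling the installer out, here is an added Python model (not Joe Security's code and not the agent's actual decision logic) of how the three documented properties FILEEXTENSIONSTOMONITOR, FILESTOIGNORE and MAXFILESIZETOANALYZE interact: a file created by a monitored process is uploaded only if its extension is in the list, its path does not match the ignore expression, and it is not larger than the size limit. The product's built-in default ignore patterns are not published on this page, so the ignore expression in the demo is a constructed placeholder, and the regular-expression dialect the agent uses is not stated here either; the demo sticks to simple anchors and literals that behave the same in Python and .NET.

```python
import re

# Defaults as documented above. The agent's own built-in FILESTOIGNORE patterns
# are not published on this page; the ignore expression used in demo() below is
# a constructed placeholder, not the real default.
DEFAULT_EXTENSIONS = (
    "exe dll sys doc docx docm dot dotm rtf xls xlsx xlsm xltx xlt xltm ppt pptx mht hta "
    "cmd scf lnk pot potx pptm bat pif sct com cpl js jse vbs vbe jar rar zip iso 7z bzip "
    "bzip2 tar gzip lzh chm msi sfx"
).split()
DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024  # MAXFILESIZETOANALYZE default: 10 MB


class MonitorPolicy:
    """Illustrative model of FILEEXTENSIONSTOMONITOR / FILESTOIGNORE / MAXFILESIZETOANALYZE.

    extensions: None keeps the documented defaults; "" (empty string) disables
    monitoring entirely, as the installer documentation states; otherwise a
    comma-separated list such as "exe,dll,js".
    """

    def __init__(self, extensions=None, ignore_regex=None, max_size=DEFAULT_MAX_FILE_SIZE):
        if extensions is None:
            names = DEFAULT_EXTENSIONS
        else:
            names = [e for e in extensions.split(",") if e.strip()]
        self.extensions = {e.strip().lower().lstrip(".") for e in names}
        # Windows paths are case-insensitive, so the ignore expression is compiled that way.
        self.ignore = re.compile(ignore_regex, re.IGNORECASE) if ignore_regex else None
        self.max_size = max_size

    def decide(self, path, size):
        """Return (upload?, reason) for a file a monitored process just created."""
        if not self.extensions:
            return False, "monitoring disabled (FILEEXTENSIONSTOMONITOR is empty)"
        filename = path.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext not in self.extensions:
            return False, f"extension '{ext}' not monitored"
        if self.ignore and self.ignore.search(path):
            return False, "path matches FILESTOIGNORE"
        if size > self.max_size:
            return False, f"{size} bytes exceeds MAXFILESIZETOANALYZE"
        return True, "upload for analysis"


def demo():
    """Run a few constructed paths through a policy that ignores a trusted software share."""
    # Constructed ignore expression: anything under \\fileserver\software is skipped.
    policy = MonitorPolicy(ignore_regex=r"^\\\\fileserver\\software\\")
    cases = [
        (r"C:\Users\alice\Downloads\invoice.docm", 120_000),
        (r"C:\Users\alice\Downloads\photo.png", 300_000),
        (r"\\fileserver\software\tool.exe", 2_000_000),
        (r"C:\Users\alice\Downloads\archive.zip", 50 * 1024 * 1024),
    ]
    return {path: policy.decide(path, size) for path, size in cases}


if __name__ == "__main__":
    for path, (upload, reason) in demo().items():
        print(f"{'UPLOAD ' if upload else 'skip   '} {path}: {reason}")
```

The size check deliberately comes after the ignore check, so a large file on the trusted share is reported as ignored by path rather than by size; if you model a different order, make sure the reason strings still tell the operator which property caused a skip, because that is what they will tune.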

Error Analysis

Joe Sandbox Detect stores log files in C:\ProgramData\Joe Sandbox Detect. In case of an error or application crash, please send all logs from C:\ProgramData\Joe Sandbox Detect to Joe Security's Support.