High Speed Benign File Filtering
Joe Sandbox Filter enables to improve the overall performance of Joe Sandbox. It is designed to filter benign PE files with high speed and precision.
Dynamic malware analysis is time consuming. As a result powerful and extensive hardware is required to process large file volumes. Joe Sandbox Filter helps to keep hardware costs low by filtering benign samples with performant static heuristics.
Joe Sandbox Filter is a plugin for Joe Sandbox Desktop, Joe Sandbox Complete and Joe Sandbox Light.
Joe Sandbox Filter Explained
Joe Sandbox Filter is directly added as an input processor to Joe Sandbox Desktop, Complete or Light and integrated via the cookbook chaining technology.
In a first step Joe Sandbox Filter performs an extensive static analysis. It includes PE structure, data and code extraction. All information is stored to a report which is available in HTML, XML and JSON format. Signatures are then applied to select and rate benign artifacts.
As result Joe Sandbox Filters determines if a file is benign or not. The detection algorithm has been tuned to detect benign files with a high confident level and with a high filter ratio >50% meaning that half of the benign input files are note analyzed with costly dynamic analysis.
Joe Sandbox Filter has been designed to have low false positive / negative rates as well as a high filter ratio. Extensive tests have shown that the average processing time per file is below 30 seconds.
Learn more about Joe Sandbox Filter
Contact Joe Security to schedule a technical presentation.
Innovative Heuristics
Rather than detecting the malicious behavior of software, Joe Sandbox Filter focuses on the identification of benign artifacts. To do so it uses innovative heuristics such as entry point analysis or packing detection to classify benign codes. Joe Sandbox Filter includes over 30 signatures to detect benign characteristics.
Advanced PE Header Analysis
Joe Sandbox Filter consists of an extensive PE file parser which extracts fields and flags from PE file structures. It executes many additional forensic analyses such as entry point disassembly, XOR and x86 function searches on several file parts.
High Performance and Precision
Joe Sandbox Filter is optimized for large-scale analysis with an average processing time of 30 seconds per sample. The filter is very precise. False negative and positive rates have been optimized to be less than 1%. In several tests Joe Sandbox Filter has selected over 50% of all benign samples successfully.
Designed for Large Scale Analysis
Joe Sandbox Filter has been designed to easily process large volumes of files. It can be easily integrated in Joe Sandbox Desktop, Complete or Light to prevent costly dynamic analysis.
Yara
Joe Sandbox Filter allows to use Yara Rules for advanced malware detection. Joe Sandbox Filter forwards all samples to Yara.
Learn more about Joe Sandbox Filter
Contact Joe Security to schedule a technical presentation.