Calculations for the Sandbox component

The hardware requirements for a server with the Sandbox component depend on the type and volume of processed traffic and on the permissible object scan time.

By default, the permissible object scan time is 1 hour. To reduce this time, you need a more powerful server or more servers with the Sandbox component.

It is recommended to calculate the configuration of the Sandbox component as follows:

1. Install the Central Node and Sensor components on one server and the Sandbox component on a different server for pilot operation of the application.

   To receive sufficient statistical data, the application must process traffic of the organization for a week.

2. Run the data recording script by executing the following commands:

   sudo kata-run.sh kata-collect --output-dir path-to-folder

   --output-dir <path to directory>

   When the script finishes running, the collect.tar.gz archive will be moved to the specified directory.

3. Forward this archive to Kaspersky Lab staff for analysis.

   If multiple virtual machines are started simultaneously, the speed of processing objects from the queue is increased.

The Sandbox component is not supported on AMD processors.

Hardware requirements for the server hosting the Sandbox component

The calculation of the number of servers with the Sandbox component when using preset images of operating systems is shown in the table below.

Hardware requirements for the Sandbox component when using preset images of operating systems

Maximum number of email messages per second	Maximum volume of traffic from SPAN ports (Mbps)	Maximum number of computers with the Endpoint Agent component	Number of physical servers with the Sandbox component
			When using all images	When using only two images of Linux
1	200	1000	1	1
2	500	3000	1	1
1	1000	5000	1	1
5	2000	5000	1	1
20	4000	10,000	2	1
20	7000	15,000	4	2
20	10,000	15,000	5	2

If you want to install the Sandbox component on a virtual server, you need 3 to 4 times more virtual servers to get the same performance you would get from a physical server.

Additional capacity may be required when using custom images for servers with the Sandbox component. To calculate the number of physical Sandbox servers required when using custom operating system images, you can use the following formula:

<number of files that need to be processed per hour in accordance with to user-defined Sandbox rules> * <number of custom operating system images> / 1000

To calculate the number of virtual Sandbox servers required when using custom operating system images, you can use the following formula:

<number of files that need to be processed per hour in accordance with to user-defined Sandbox rules> * <number of custom operating system images> / 280

The estimation of the number of Sandbox servers is listed for servers with the following configuration:

• When installing the Sandbox component on a physical server:
  • 2 CPUs: Intel® Xeon® 8 Core™ (HT) at 2.6 GHz or higher.
  • 80 GB of RAM
  • 2 HDDs, 300 GB each, combined into a RAID 1 array.
• When installing the Sandbox component on a VMware ESXi virtual machine:
  • Intel Xeon 15 Core (HT) CPU at 2.1 GHz or higher.
  • 32 GB of RAM
  • 300 GB HDD

    On the virtual machine:

    1. Nested virtualization enabled.
    2. Latency Sensitivity option set to High.
    3. Entire RAM is reserved.
    4. Entire CPU frequency is reserved.

  When installing the Sandbox component on a VMware ESXi virtual machine, you must set the limit for simultaneously running virtual machines to 12.

See also Calculations for the Sensor component Calculations for the Central Node component Calculations for the Central Node component deployed on the KVM virtualization platform

Page top