Sandbox technology analyzes and scans objects on dedicated servers that run virtual images of operating systems, in order to detect malicious activity and indicators of targeted attacks on the corporate IT infrastructure.
The Kaspersky Endpoint Security application can interact with Sandbox on the Open Single Management Platform (OSMP) or on the Kaspersky Anti Targeted Attack Platform. Depending on the platform, the interaction of the Kaspersky Endpoint Security application with the Sandbox is handled by the Sandbox server: an OSMP server or a Central Node server.
Integration with Sandbox is provided by the Sandbox component of Kaspersky Endpoint Security.
When integrating with Sandbox, devices running Kaspersky Endpoint Security establish encrypted HTTPS connections with the integration servers. To ensure a secure connection, the following certificates issued by the OSMP server or Central Node server are used:
Server certificate. The connection is encrypted using the server's TLS certificate. Without an additional check, the connection is encrypted but the server's identity is not verified; you can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. To do so, add the server certificate before enabling integration with Sandbox.
Client certificate. This certificate is used for additional connection protection using two-way authentication (the OSMP server or the Central Node server authenticates devices with the Kaspersky Endpoint Security application). The same client certificate can be used by multiple devices. By default, the server does not check client certificates, but two-way authentication can be enabled on the side of OSMP or Kaspersky Anti Targeted Attack Platform. In this case, you need to enable two-way authentication in the settings of the Sandbox component and add the client certificate (cryptocontainer with certificate and private key).
Certificates for securing the connection with the servers that handle the interaction with Sandbox must be provided by the administrator of the OSMP platform or Kaspersky Anti Targeted Attack Platform.
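Before enabling the integration, it is worth confirming that the server certificate handed over by the administrator really is the one the Sandbox server presents, and, where two-way authentication is used, that the client certificate and private key in the cryptocontainer belong together. The following script is an added example written for this page; it is not part of Kaspersky Endpoint Security or its command-line tool, and it uses only the openssl utility. The host name, file names, the expected fingerprint string and the throwaway certificate generated by the self-test are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not Kaspersky code): pre-flight checks on the certificates an
# administrator provides for the Sandbox (OSMP / Central Node) connection.
# All file names, host names and fingerprints here are assumed for the demo.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file, as lowercase hex
# without colons, so it can be compared with a value received out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fetch the leaf certificate that a live TLS endpoint (host:port) presents.
# This needs network access, so the self-test below does not call it.
fetch_server_cert() {
    printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 when the certificate in $1 has the expected fingerprint $2
# (case-insensitive, colons ignored), 1 otherwise.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    got=$(cert_fingerprint "$1")
    [ "$got" = "$want" ]
}

# Return 0 when the client certificate in $1 and the private key in $2 carry
# the same public key, i.e. the pair in the cryptocontainer is consistent.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$from_cert" = "$from_key" ]
}

# Self-test with a constructed, throwaway self-signed certificate: the checks
# must pass for the matching pair and fail for a bogus fingerprint and a
# foreign key.
self_test() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/client.key" -out "$dir/server.pem" -days 1 \
        -subj '/CN=sandbox.example.test' 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$dir/other.key" 2>/dev/null
    fp=$(cert_fingerprint "$dir/server.pem")
    rc=0
    fingerprint_matches "$dir/server.pem" "$fp" || rc=1
    fingerprint_matches "$dir/server.pem" "00:00:00:00" && rc=1
    key_matches_cert "$dir/server.pem" "$dir/client.key" || rc=1
    key_matches_cert "$dir/server.pem" "$dir/other.key" && rc=1
    rm -rf "$dir"
    return $rc
}
```

In practice you would run `fetch_server_cert sandbox-server.example:443 > live.pem` (host name assumed) and then `fingerprint_matches live.pem "<fingerprint from the administrator>"` before adding the server certificate and enabling the integration; a mismatch means you are not talking to the server the administrator issued the certificate for. If the client cryptocontainer is a PKCS#12 file, extract the certificate with `openssl pkcs12 -in client.p12 -nokeys` and the key with `openssl pkcs12 -in client.p12 -nocerts -nodes` before running `key_matches_cert` (the container format is an assumption; the page does not name it).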
If the use of a proxy server is configured in the general settings of the Kaspersky Endpoint Security application, a proxy server is used for the connection to servers that handle the interaction with Sandbox.
Files and directories can be sent to Sandbox for scanning in one of the following modes:
Automatic only. The application sends objects for scanning automatically; objects cannot be sent to Sandbox manually.
Automatic and manual. The application automatically sends objects for scanning, but you can also send an object to Sandbox manually using a command or from the graphical interface.
Sandbox integration is disabled by default. You can enable or disable the Sandbox component and manage the following integration settings using the Web Console or the command line:
Select the mode of sending objects for scanning (manual, automatic only, automatic and manual).
Select actions that the application performs when a threat is detected (if the asynchronous mode of sending objects to the Sandbox is active):
Delete the file with the detected object and quarantine a copy of the file.
Start the critical areas scan task. By default, the application scans process memory, kernel memory, boot sectors, startup objects, and the path to the detected object.
Create an IOC Scan task. The application automatically creates an IOC Scan task; you can configure the task starting mode, the scan scope, and the action to be performed on IOC detection (delete the detected object, start the critical areas scan task).
Configure general Sandbox server connection settings.
Add or remove Sandbox server certificates.
Configure two-way authentication when connecting to Sandbox servers and add client certificates.