

Asserting that sandbox security is both inconvenient and unreliable, Check Point Software Technologies Ltd. has come out with a variation that it claims provides vastly improved performance by detecting threats at the CPU level.
The SandBlast platform, which is available both on premises and as a service, identifies malware at the exploit phase, before common evasion techniques can be applied. The service isn’t based on signatures; instead it analyzes the execution stream of the code to look for anomalous behavior. Check Point said the platform currently protects against all known malware-insertion techniques.
The approach is intended to attack the most common types of malware, which typically plant a small program called shellcode that calls a control center over the Internet for instructions on what to do.
Although malware can take many forms, nearly all types use this “return-oriented programming” technique to implant. “There is no way for malware to get into this system without going through these steps,” said Andy Feit, head of threat prevention marketing at Check Point.
Conventional sandboxes isolate files until they’re deemed safe, a process that usually takes a few minutes. However, hackers have figured out ways around that process, such as delaying activation for days, avoiding virtual machines or waiting for a user action such as a keystroke to kick off the call to home.
Check Point says its technology can’t be bypassed by delay loops, virtual machine detection or other techniques that sniff out attempts to block execution. SandBlast works at the operating system level to evaluate content in a broad range of file types, including MS Office, PDF, Flash, executables and archives. “It looks for behavior that would never occur in legitimate software,” Feit said.
One notable feature of SandBlast is its approach to file isolation. While the few minutes that a file is delayed in a sandbox may seem trivial, the impact on productivity across many users and files can be significant.
Check Point uses a procedure it calls “threat extraction” to make files available almost instantly. “If I send you a Word doc or PowerPoint file, we’ll take a clean snapshot without videos, macros or other potentially threatening elements,” he said. “Everything gets turned into a clean, safe, reconstructed version of the document that you can use instantly.” Administrators can define different levels of protection to make some files available without scrubbing, depending upon user needs and profiles.
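Threat extraction as described here amounts to rebuilding a document without its active parts. The following is an added example, not Check Point's code: it strips the VBA project, OLE embeddings and embedded video from a .docx package (an Office Open XML zip) and repairs the content-type and relationship metadata so the reconstructed file stays well-formed; the part names it targets assume the .docx layout, and the sample package is constructed inline.

```python
import io, posixpath, re, zipfile

# Package parts with active or embedded content (assumes .docx part layout).
RISKY = (
    re.compile(r"^word/vba(Project\.bin|Data\.xml)$"),  # VBA macros
    re.compile(r"^word/embeddings/"),                   # OLE / packaged objects
    re.compile(r"^word/media/.*\.(mp4|avi|wmv|swf)$"),  # video and flash
)
OVERRIDE = re.compile(r'<Override[^>]*?PartName="([^"]+)"[^>]*?/>')
REL = re.compile(r'<Relationship[^>]*?Target="([^"]+)"[^>]*?/>')

def clean_parts(src: dict) -> tuple:
    """{name: bytes} -> (parts without risky content, sorted removed names)."""
    removed = {n for n in src if any(p.match(n) for p in RISKY)}
    out = {}
    for name, data in src.items():
        if name in removed:
            continue
        if name == "[Content_Types].xml":
            # Drop content-type overrides for parts that no longer exist.
            data = OVERRIDE.sub(lambda m: "" if m.group(1).lstrip("/") in
                                removed else m.group(0), data.decode()).encode()
        elif name.endswith(".rels"):
            # Targets resolve relative to the directory that owns the .rels.
            base = posixpath.dirname(posixpath.dirname(name))
            def keep(m):
                t = posixpath.normpath(posixpath.join(base, m.group(1)))
                return "" if t.lstrip("/") in removed else m.group(0)
            data = REL.sub(keep, data.decode()).encode()
        out[name] = data
    return out, sorted(removed)

def pack(parts: dict) -> bytes:  # {name: bytes} -> OOXML zip container
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()
def extract_threats(docx_bytes: bytes) -> tuple:  # -> (clean .docx bytes, removed)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        cleaned, removed = clean_parts({n: z.read(n) for n in z.namelist()})
    return pack(cleaned), removed
SAMPLE = {  # constructed minimal macro-enabled package, not a real document
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" ContentType="x"/></Types>',
    "word/_rels/document.xml.rels": b'<Relationships><Relationship Target="vbaProject.bin"/>'
        b'<Relationship Target="embeddings/ole1.bin"/></Relationships>',
    "word/document.xml": b"<w:document>Quarterly report</w:document>",
    "word/vbaProject.bin": b"\x00constructed macro blob",
    "word/embeddings/ole1.bin": b"\x00constructed OLE blob",
}
```

Running `extract_threats(pack(SAMPLE))` returns the rebuilt package plus the two stripped part names; a real deployment would also flatten or remove fields, ActiveX controls and external links, which this sketch leaves in place.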
Asked if malware creators can come up with a new approach to activation that renders products like SandBlast ineffective, Feit said it’s unlikely. “Someone could come up with a brand new anomaly, but it doesn’t happen very often,” he said.
SandBlast is available immediately as a cloud service or on-premises appliance. There are four configurations ranging in capacity from 250,000 to 2 million inspections per month. Appliance prices range from $30,000 to $200,000, and multiple appliances can be managed from a single console.