Joe Sandbox Light's architecture is modular. It consists of one central controller unit and multiple servers running Joe Sandbox Light instances equipped with several VMs. The VMs are run either run either by VirtualBox or VMWare. A submission script sends files and URLs via submission interface to the central controller, which then chooses a Joe Sandbox Light instance based on a workload-balancing algorithm. Once analyzed, the analysis results including the detail behavior report are fetched and stored on the central controller. Joe Sandbox Light has been optimized for high-speed analysis and scalability, so the analysis throughput can be extended easily by adding new Joe Sandbox Light instances.
Joe Sandbox Light's dynamic and static analysis engine monitors any activities during the binary program execution. Click to read more about Joe Security's unique Hybrid Code Analysis (HCA) technology.
Joe Sandbox Light is optimized for large-scale analysis and can handle up to 25,000 samples per day on a single Joe Sandbox Light instance. By scaling up the instances, Joe Sandbox Light enables your lab to analyze extensive numbers of samples.
Joe Sandbox Light generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context based search enables to quickly navigate.
Joe Sandbox Light enables analysis of all executable files (including malicious documents) on Windows 7, Windows W7 x64, Windows 10 and Windows 10 x64.
Joe Sandbox Light uses a growing set of over 1451+ generic Behavior Signatures to detect and classify malicious behavior activities such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage and C&C Communication. Behavior Signatures are extendable and customizable and optionally are shared within a community.
In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox Light captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic (incl. decrypted HTTPS), screenshots, shellcode and strings.
Joe Sandbox Light is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate < 2% and false negative rate < 6% for PE files. Besides the detection status (clean, suspicious or malicious) Joe Sandbox Light generates a detailed confidence score - outlining how certain the system is about the detection.
Through predefined and configurable Cookbooks - special scripts submitted as second input - Joe Sandbox Light allows for performing advanced use cases on the analysis machine. Cookbook scripts describe an analysis procedure and allow any possible user behavior to be automated. Browsing a URL with IE, Firefox or Chrome, logging into an email account, or running a file with special arguments are just a few examples of the existing Cookbooks included. To click through any installer Joe Sandbox Light offers an advanced OCR based click engine.
Joe Sandbox Light allows for seamless integration into existing security products. A .NET SDK, serving interfaces for automated file submissions and processors for handling generated analysis data is included. For bulk file submissions, Joe Sandbox Light provides a queuing system with load-balancing and prioritization mechanisms. OEM customer have full control over the solution, its generated data and configuration.
Joe Sandbox Light is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox Light supports multiple analysis machines with different applications/versions installed.
Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge as an supplemental package to Joe Sandbox Light.
Contact Joe Security to schedule a technical presentation, receive a trial account or view a live demo at Joe Security.
Joe Sandbox Light is optimized to analyze large amount of malware in short time. Therefore you can process more samples on the same hardware with Joe Sandbox Light compared to Joe Sandbox Desktop.
Joe Sandbox Light analyzes any files, including EXE, DLL, PIF, CMD, BAT, COM, SCR, CPL, PDF, DOC(X)(M), XLS(X)(M)(B), PPT(X)(M), HWP (Hangul Korean), JTD (Ichitaro Japan), RFT, XPI, CRX (Chrome Plugin), EML (Email), MSG (Email), CHM, JS, VBS, VBE, LNK, JAR (Java), PS1 (Powershell), ZIP, 7Z, RAR, ZLIB, ASP(X). Joe Sandbox Light includes a file type recognition engine which detects over 5000 different files.
Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, memory dumps, strings, PCAP, screenshot, unpacked PE files and openIOC.
Joe Sandbox Light uses a wide range of analysis technologies including dynamic, static as well as hybrid. Due to the use of several analysis techniques Joe Sandbox Light discovers more behavior than other solutions.
Behavior signatures are tiny scripts to rate data Joe Sandbox Light captures from the malware. Joe Sandbox Light extracts system, network, memory, code and browser data. Joe Sandbox Light includes a steady raising number of signatures.
Joe Sandbox Light supports all virtualization products, including VirtualBox and VMware ESX.
Yes, Joe Sandbox Light enalbes to analyze malware on native machines. Therefore you can use directly a PC or laptop from your company as an analysis target.
Windows 7, Windows 7 x64, Windows 8, Windows 10 and Windows 10 x64 with a system language spoken in Europe (German, French, English etc).
Joe Sandbox Light runs on standard hardware with Linux as operating system (e.g. Ubuntu Server). For installation a single server is required.
Yes, Joe Sandbox Light can be run without any connection to the Internet or our Cloud.
We offer perpetual licenses with a site, country or world-wide scope. Services such as support and upgrades are availabe as an annual renewing license.