You can buy such sandbox systems from different vendors (e.g. Check Point, 
Cisco and some more; prices from 30.000 EUR to 500.000 EUR). Or you 
can build your own sandbox system (like me), based on heavily customized 
open source software.

Goals:

- 100% built on open source (except professional virus scanners for Brain-IRMA)
- able to run in every cloud or your own cloud (DMZ)
- requires zero customer system maintenance
- easy and functional web interface for the quarantine (virus / banned) 
with ASSP GUI integration (show log, show mail), the sandbox analyzer, 
system monitoring
- integration into ASSP (special actions and header mods to prevent 
unneeded and expensive sandbox actions)
- variable mail delivery and admin/user notifications
- full VirusTotal integration (full attachment scan)
- preconfigured honeypot analysis Windows VMs are integrated; any 
customized builds can be integrated

Disadvantages: 

   - password-protected attachments and attachments with an unknown type 
are always banned and have to be manually released after a manual check 
(like in every sandbox)
   - professional virus scanners for Brain-IRMA and VirusTotal may produce extra 
costs

Two of these systems have currently been running for nearly a year. A 
small one on VMware ESXi 6.7 and one on Proxmox VE for ~800 office users.

I plan to offer this as a cloud service within this year.

Thomas



From:    "K Post" <nntp.p...@gmail.com>
To:      "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date:    10.03.2020 17:16
Subject: Re: [Assp-user] PDF Scanning



This is incredible!  Can you give some detail on what the system is that 
does this analysis, scoring, etc.?  Then, once confirmed okay, how does the 
user get the attachment that's been cleared?  This would be a HUGE 
benefit to my user base.  There are tons of PDFs that I'm releasing on a 
daily basis.
Thanks

On Tue, Mar 10, 2020 at 10:36 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
Sorry - you wanted to know how we deal with such attachments. 

For me, ASSP_AFC marks them for a sandbox system for analysis and lets 
them all pass. The sandbox system extracts all attachments into their atomic 
parts, lets some Windows VMs open every single part or attachment and 
analyses every VM's memory for malicious code and actions. 
The sandbox system has ~600 blocking rules and several thousand scoring 
rules. If an attachment is classified as bad, the mail is moved to a 
quarantine for manual investigation. 

Thomas





From:    "Robert K Coffman Jr. -Info From Data Corp." <bcoff...@infofromdata.com> 
To:      assp-user@lists.sourceforge.net 
Date:    10.03.2020 12:23 
Subject: Re: [Assp-user] PDF Scanning 



They all have this in common:

 'prohibited JavaScript in PDF file' - SHA256: 
D6CB05FFD99283A4C5C6BEAF37D0274B985E1D47DD3B12F08B348F42CC1A60CA

However the checksums vary unfortunately.

Thanks!

- Bob
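As an added illustration that is not part of this thread and not ASSP's or ASSP_AFC's own code: a small Python triage script that performs, for one PDF attachment, the kind of static pre-check the thread talks about, with one hard blocking rule (any JavaScript marker, mirroring the 'prohibited JavaScript in PDF file' reason above) and a handful of weighted scoring rules that decide whether an attachment is worth detonating in a VM. It computes the SHA256 in the upper-case form the maillog shows, decodes `#hh` escapes in PDF names (so `/Java#53cript` is recognised as `/JavaScript`) and inflates FlateDecode streams so that markers hidden in compressed object streams are seen. The marker list, weights and threshold are assumed values chosen for the example, not ASSP's rules, and the three sample PDFs are constructed inline.

```python
import hashlib
import re
import zlib

# PDF name tokens: "/" followed by regular characters. "#hh" escapes are legal
# in names, so /Java#53cript is the same name as /JavaScript and must be decoded.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
# Stream bodies; the lookbehind keeps "endstream" from being taken as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)

# Hard block: any JavaScript marker (mirrors the thread's block reason).
BLOCK_NAMES = {b"JavaScript", b"JS"}
# Weighted markers. Weights and the threshold below are assumed example values,
# not ASSP's or ASSP_AFC's own rules.
SCORE_NAMES = {
    b"OpenAction": 20,    # action run when the document is opened
    b"AA": 20,            # additional (automatic) actions
    b"Launch": 50,        # launches an external program
    b"EmbeddedFile": 15,  # another file carried inside the PDF
    b"RichMedia": 15,     # Flash/media annotations
    b"URI": 5,            # external link
}
SANDBOX_THRESHOLD = 40


def sha256_hex(data: bytes) -> str:
    """Hash in the upper-case form the maillog shows."""
    return hashlib.sha256(data).hexdigest().upper()


def decode_name(raw: bytes) -> bytes:
    """Resolve #hh escapes inside a PDF name token."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def visible_content(data: bytes, inflate: bool = True) -> bytes:
    """Raw bytes plus the inflated body of every FlateDecode stream that
    decompresses cleanly, so names inside compressed object streams are seen.
    Only Flate is handled; other filters and encrypted PDFs are out of scope."""
    parts = [data]
    if inflate:
        for m in STREAM_RE.finditer(data):
            try:
                # decompressobj ignores bytes after the end of the zlib stream
                # (the newline before "endstream"), unlike zlib.decompress.
                parts.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                pass  # not Flate-compressed, or damaged: nothing to inflate
    return b"\n".join(parts)


def pdf_names(data: bytes, inflate: bool = True) -> set:
    """All (escape-decoded) name tokens visible in the attachment."""
    return {decode_name(m.group(1))
            for m in NAME_RE.finditer(visible_content(data, inflate))}


def triage_pdf(data: bytes, inflate: bool = True) -> dict:
    """Static pre-check of one attachment: hash, markers seen, score, verdict."""
    names = pdf_names(data, inflate)
    blocked = sorted(n.decode() for n in names & BLOCK_NAMES)
    scored = {n.decode(): w for n, w in SCORE_NAMES.items() if n in names}
    score = sum(scored.values())
    if blocked:
        verdict = "ban"        # hard rule, goes straight to quarantine
    elif score >= SANDBOX_THRESHOLD:
        verdict = "sandbox"    # worth detonating in a VM before delivery
    else:
        verdict = "pass"
    return {"sha256": sha256_hex(data), "blocked": blocked,
            "scored": scored, "score": score, "verdict": verdict}


# --- constructed sample PDFs (minimal, not meant to open in a viewer) --------
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# JavaScript run at open time, with the action name hidden behind a #hh escape.
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""


def make_flate_pdf(hidden: bytes) -> bytes:
    """Wrap `hidden` in a FlateDecode stream so a raw byte scan cannot see it."""
    body = zlib.compress(hidden)
    return (b"%PDF-1.5\n1 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer << >>\n%%EOF")


# No JavaScript, but open-time actions and a /Launch inside a compressed stream.
FLATE_PDF = make_flate_pdf(
    b"<< /OpenAction 3 0 R /AA << /O 4 0 R >> /Launch 5 0 R >>")


if __name__ == "__main__":
    for label, pdf in (("plain", PLAIN_PDF), ("javascript", JS_PDF),
                       ("flate-hidden", FLATE_PDF)):
        print(label, triage_pdf(pdf))
```

The point of returning the marker names next to the hash is the one Bob's observation raises: when the checksums of the blocked files vary, a per-hash release list never matches the next PDF, whereas a record of which marker triggered the block gives the admin something to base a release or a rule change on. Calling `triage_pdf(FLATE_PDF, inflate=False)` shows the caveat from the other side: without inflating the stream the compressed attachment scores zero and passes, which is why a static pre-check alone is weaker than opening the file in a VM.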

On 3/10/2020 2:29 AM, Thomas Eckardt wrote:
> It would be nice to know why these PDFs are blocked - the reason is 
> shown in the maillog.txt.
> 
> Thomas
> 
> 
> 
> 
> 
> From: "Robert K Coffman Jr. -Info From Data Corp." 
> <bcoff...@infofromdata.com>
> To: assp-user@lists.sourceforge.net
> Date: 09.03.2020 17:53
> Subject: [Assp-user] PDF Scanning
> ------------------------------------------------------------------------
> 
> 
> 
> We are getting a large number of false positives on PDFs received.
> 
> What are other people doing with these?
> 
> Thanks!
> 
> - Bob
> 
> 
> 
> _______________________________________________
> Assp-user mailing list
> Assp-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-user
> 
> 
> 
> 
> 
> 
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, 
> legally privileged and protected in law and are intended solely for the 
> use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no 
> known virus in this email!
> *******************************************************
> 
> 
> 
> 















