Qualys Endpoint Detection and Response

Limited Customer Release Notes

Version 3.7

April 15, 2025 

What is Sandbox Analysis

Sandbox Analysis is a proactive cybersecurity practice designed to prevent threats by detecting them early, analyzing malware behavior in an isolated environment, and providing detailed reporting on the verdict that highlights the risks. This enhances an organization's security posture and helps it protect against cyber-attacks. Most importantly, Sandbox Analysis is conducted in a safe, controlled environment, ensuring the safety of your operations.

Sandbox Analyzer page for analyzing and detecting potential malware threats in uploaded files.

How Sandbox Analysis Works in Qualys EDR

Qualys EDR enhances threat detection by integrating Sandbox Analysis, which provides deep file inspection in a safe, isolated environment, so potentially harmful files can be analyzed without compromising system security. Its main benefits are:

  • Identifies malware, ransomware, and zero-day threats by executing files in an isolated space.
  • Observes how a file behaves in real time, detecting hidden threats that traditional signature-based security might miss.
  • Prevents infections by isolating suspicious files.
  • Provides detailed reports (both interactive and PDF formats) on malicious activity, helping security teams investigate and mitigate threats.

What Roles are Supported in Sandbox Analysis

Sandbox Analysis supports multiple user roles, each with specific permissions to access, manage, and analyze files.

  • Manager Role
  • Analyst Role
  • Reader Role (View-Only)

What are the Required Sandbox Analysis Permissions

Sandbox Analysis is an essential technique in cybersecurity operations that aids in the detection, analysis, and mitigation of cyber threats. Access to it is controlled by the following permissions:

  • Sandbox View - Once the Manager user grants this permission, users will see the Forensics tab in their subscription. In the Forensics tab, users will see the Sandbox Analyzer tab.
  • Sandbox Submit File - Once the Manager user grants this permission, users can submit sample files manually to the sandbox.

How do you Submit a File for Sandbox Analysis?

You can submit a file for Sandbox Analysis or upload a zip file (up to 5 MB) from:

  • the Event Details Summary page of the Hunting tab,
  • or the Sandbox Analyzer page of the Forensics tab,
  • or from the Timeline section of the Incident Details page.

Perform the following steps from the Hunting tab, the Forensics tab, or the Incident Details page to submit files for analysis:

Hunting tab

  1. Hover the mouse over an Object to view the Quick Actions menu.
  2. Click Event Details.
  3. On the Summary page, click Submit File from the Actions drop-down menu.
    Submit file to Sandbox from the Event Details Summary page under the Hunting tab.
  4. On the Confirmation window, click Yes. You will be notified once the request is successfully submitted.

Forensics tab

  1. From the Forensics tab, go to Sandbox Analyzer.
  2. Click Submit Sample.
  3. In the Submit New: Sample window, from the Sample Type option, choose the type as File or URL. For the File type option, the maximum file size is 5 MB.
    Submit file to Sandbox from the Sandbox Analyzer page under the Forensics tab.
  4. Click Submit. You will be notified once the request is successfully submitted.

Incident Details page

  1. Go to the Detections tab and under the Incidents tab, click an incident number or description.
  2. In the Incident Details page, click Timeline.
  3. In the Timeline of Detected Events, click View More for an event.
  4. Click Submit File in the File section.
    Submit file to Sandbox from the Timeline section of the Incident Details page.
  5. Click Yes to confirm your action.

View Analysis Report

After you submit the sample, you can view the analysis report from the Sandbox Analyzer page under the Forensics tab.

  • The Analysis Result column displays the status as Clean if no issues are found in the submitted file.
  • The column displays the status as Malicious if a file is not clean. 

View the analysis report from the Sandbox Analyzer page under the Forensics tab.

Click the tooltip next to Malicious results to view a message indicating that the report has been retrieved from the cache. This means the file or URL was previously analyzed, and its results are being reused instead of undergoing a fresh analysis.

Click the tooltip next to Malicious results to see a message about the cached report.

Use the Force Submit option from the Quick Actions menu to view updated results. The Force Submit option ensures the file or URL is re-analyzed and the updated data is displayed.

Click Force Submit in the Quick Actions menu to see updated results.

Quick Actions in Analysis Result

You can perform the following actions from the Quick Actions menu:

Perform various actions from the Quick Actions menu.

What is a Sandbox Report

A Sandbox Report is a detailed security analysis generated after executing a potentially malicious file or URL in an isolated environment (sandbox). This controlled setup allows security teams to observe the behavior of the sample without risking damage to real systems. Our Sandbox Reports are available in PDF format and an interactive UI, giving you more flexibility in analyzing security threats.

What is the Purpose of a Sandbox Report

Sandbox reports are used for: 

  • Malware Detection: Identifying viruses, ransomware, trojans, and other security threats.
  • Threat Analysis: Analyzing file behavior, including system modifications and network activity.
  • Incident Response: Investigating and addressing security breaches.
  • Forensics: Collecting evidence on attack techniques and Indicators of Compromise (IoCs).

What Does a Sandbox Report Contain?

A sandbox report includes:

Summary

This section provides a high-level summary of the behavior observed during Sandbox Analysis.

  • Summary – A brief overview of the detected malware, MIME and object type, file size, and SHA-256 and MD5 details.
  • Verdict – The overall classification of the file/sample based on its behavior, typically labeled as:
    • Malicious – Confirms the presence of harmful activity.
    • Clean – No detected threats; appears safe.

Gain a high-level summary of the behavior observed during sandbox analysis.

Malicious Behavior

This section provides structured threat insights:

  • Name: The process or application performing the action (e.g., explorer.exe, cmd.exe).
  • Severity: Risk level (Low, Medium, High, Critical) based on potential impact.
  • Indicator: A numerical value indicating the strength of malicious behavior association; higher scores reflect greater risk.

Drill-Down Structure

  • Behavior: Lists different actions or techniques observed.
  • Description: Specific actions taken by the process.
  • Behavior Level: Indicates a score against each detected action or technique.
    The Behavior Level score corresponds to the following severity levels:
     
    0–19 → Safe | 20–49 → Very Low | 50–59 → Low | 60–69 → Medium | 70–89 → High | 90 and above → Very High

Gain insights into the malicious behavior of files and URLs.

Key Benefits of this Section

  • Transparency: View how the Indicator Score is calculated.
  • Drill-Down Analysis: Understand behaviors contributing to risk scores.
  • Prioritization: Higher scores indicate critical threats for investigation.

Other Indicators

This section breaks down the specific indicators that contributed to the report’s verdict.

  • Malicious – Strong evidence of harmful intent (e.g., ransomware behavior).
  • Suspicious – Activity that is unusual but not definitively harmful (e.g., modifying system files, encrypting data).
  • Informative – General observations that do not indicate a threat but may provide useful context (e.g., system calls, software execution paths).

Gain insights about specific indicators that contributed to the report’s verdict.

Analysis

This section covers the different methods used to evaluate the sample.

  • Static Analysis – Examines a file without running it. It checks for suspicious signatures, embedded scripts, known malware patterns, or unusual metadata. 
  • Dynamic Analysis – Runs the file in a controlled sandbox environment to see how it behaves in real-time. This includes monitoring process execution, file changes, registry modifications, and network activity.

Gain insights into the various methods used to evaluate the sample.

Sandbox Environment

This section provides information about the test setup for executing and analyzing the file. These details help security analysts in understanding the conditions under which the analysis was conducted, ensuring accurate interpretation of the results.

Why this Information Matters

  • Ensures transparency – Analysts can verify that the test environment is suitable for the malware being analyzed.
  • Helps detect environment-specific threats – Certain malware only executes under specific conditions, such as targeting outdated versions of Java or Office.
  • Assists in forensic investigations – Understanding the details of the sandbox allows for the reproduction and verification of findings.

Understand the test setup and conditions for executing and analyzing the file.

What Search Tokens are Supported

You can use the following search tokens in the Sandbox Analyzer tab:

sandbox.analysis.result

Use this token to retrieve the result of a Sandbox Analysis. Choose from:

Analysing, Clean, Error_Processing_File, In Queue, In Progress, Malicious, Queued, Submitted_to_Sandbox

Examples

To list samples whose Sandbox Analysis result is Malicious:
sandbox.analysis.result:MALICIOUS

To list samples that are still being analyzed:
sandbox.analysis.result:ANALYSING

sandbox.assetname

Use this token to identify the asset being analyzed in the sandbox environment. The asset could be a file, application, or other item under investigation.

Example

To show all events having this asset name:
sandbox.assetname:Desktopas1

sandbox.user

Use this token to identify the user linked to the Sandbox Analysis. It helps track who initiated the analysis, owns the asset, or monitors operations, ensuring accountability and simplifying reporting in multi-user environments.

Example

To show all events having this username:
sandbox.user:JOHN DOE

sandbox.analysis.remarks  

Use this token to capture remarks or additional details about the Sandbox Analysis. It provides insights not covered in the primary result, including special conditions, limitations, or analyst observations.

Example

To show all events having this remark:
sandbox.analysis.remarks:"Analysis performed with restricted permissions."

sandbox.filepath.sample

Use this token to identify the sample file path for Sandbox Analysis, ensuring accurate tracking and association with the results.

Example

To show all events having this file path:
sandbox.filepath.sample:C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

sandbox.url.sample

Use this token to specify the sample's URL (file, web page, or resource) being analyzed in the sandbox. It helps track the sample's location, ensuring accurate association with the analysis results.

Example

To show all events having this URL:
sandbox.url.sample:"https://example.sharepoint/sites.com"
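As an added example (not Qualys code, and not the Sandbox Analyzer's own query engine), the following Python script models two things described on this page: the Behavior Level bands from the Malicious Behavior section of the report, and the `token:value` search tokens listed above, evaluated against a few constructed result rows. It assumes a simplified syntax: terms are separated by spaces, values that contain spaces are double-quoted, and comparisons are case-insensitive exact matches. The field names are the token names from this page; every row value is a constructed sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Behavior Level bands from the report description: (lower bound, label),
# ordered from highest to lowest so the first band the score reaches wins.
BEHAVIOR_BANDS = [
    (90, "Very High"),
    (70, "High"),
    (60, "Medium"),
    (50, "Low"),
    (20, "Very Low"),
    (0, "Safe"),
]


def behavior_level(score: int) -> str:
    """Map a Behavior Level score to its severity label."""
    if score < 0:
        raise ValueError("Behavior Level score cannot be negative")
    for lower_bound, label in BEHAVIOR_BANDS:
        if score >= lower_bound:
            return label
    raise AssertionError("bands cover every non-negative score")


@dataclass
class SandboxResult:
    """One constructed row of the Sandbox Analyzer table (not Qualys's schema).

    `fields` maps search-token names to the row's values; `behaviors` maps an
    observed action to its Behavior Level score from the report drill-down.
    """
    fields: dict[str, str]
    behaviors: dict[str, int] = field(default_factory=dict)

    def triage(self) -> list[tuple[str, int, str]]:
        """Observed behaviors with their severity label, highest score first."""
        rows = [(name, score, behavior_level(score)) for name, score in self.behaviors.items()]
        return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample rows; the values mirror the token examples on this page.
SAMPLE_RESULTS = [
    SandboxResult(
        fields={
            "sandbox.analysis.result": "Malicious",
            "sandbox.assetname": "Desktopas1",
            "sandbox.user": "JOHN DOE",
            "sandbox.filepath.sample": r"C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData",
            "sandbox.analysis.remarks": "Analysis performed with restricted permissions.",
        },
        behaviors={"Registry modification": 92, "Process execution": 64, "System information query": 15},
    ),
    SandboxResult(
        fields={
            "sandbox.analysis.result": "Clean",
            "sandbox.assetname": "Laptop7",
            "sandbox.user": "JANE ROE",
            "sandbox.url.sample": "https://example.sharepoint/sites.com",
        },
        behaviors={"Network activity": 35},
    ),
    SandboxResult(
        fields={"sandbox.analysis.result": "Analysing", "sandbox.assetname": "Desktopas1", "sandbox.user": "JOHN DOE"},
    ),
]

# One search term: token name, a colon, then either a double-quoted value
# (which may contain spaces) or a bare value running to the next whitespace.
TERM_RE = re.compile(r'(?P<token>[a-z][a-z0-9_.]*):(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))')


def parse_query(query: str) -> list[tuple[str, str]]:
    """Split a query string into (token, value) pairs; all pairs must match a row."""
    terms = []
    for match in TERM_RE.finditer(query):
        value = match.group("quoted")
        if value is None:
            value = match.group("bare")
        terms.append((match.group("token"), value))
    if not terms:
        raise ValueError(f"no token:value terms found in {query!r}")
    return terms


def term_matches(row: SandboxResult, token: str, value: str) -> bool:
    """Case-insensitive exact match (assumption: MALICIOUS in a query matches a row
    displayed as Malicious); a row that lacks the field never matches."""
    actual = row.fields.get(token)
    return actual is not None and actual.casefold() == value.casefold()


def search(rows: list[SandboxResult], query: str) -> list[SandboxResult]:
    """Return the rows for which every term in `query` matches."""
    terms = parse_query(query)
    return [row for row in rows if all(term_matches(row, t, v) for t, v in terms)]


if __name__ == "__main__":
    for row in search(SAMPLE_RESULTS, "sandbox.analysis.result:MALICIOUS"):
        print(row.fields["sandbox.assetname"], row.triage())
```

Unquoted values stop at the first space, so a query such as `sandbox.user:JOHN DOE` must be written as `sandbox.user:"JOHN DOE"` under this simplified syntax; the triage output lets an analyst see at a glance which observed action pushed a sample into the High or Very High band.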

How do you Exclude Assets or Tags from Sandbox Analysis? 

The Asset Exclusion option allows you to exclude assets or tags from Sandbox Analysis. 

Restrict Assets Using Asset Tags

Perform the following steps from the Asset Configuration tab under Configuration to restrict assets using asset tags or their child tags:

  1. Go to Asset Exclusion and click the add icon to add asset tags.
    The following screenshot is an example that highlights the Asset Exclusion and the Add icon:
  2. In the Select Tags window, select the tags and click Save.
    The selected asset tags are added, and assets carrying those tags are excluded from Sandbox Analysis.
  3. (Optional) Select either of the options Exclude Child Tags or Exclude Assets. These options also exclude the assets belonging to the child tags of the selected tags from sandbox submission.
    The following screenshot is an example of the asset tags selected to restrict assets:

Exclude by Asset Name

Perform the following steps from the Asset Configuration tab under Configuration to restrict assets by asset name:

  1. Go to Asset Exclusion and click the add icon to add assets.
    The following screenshot is an example that highlights the Asset Exclusion and the Add icon:
  2. In the Select Assets window, select the assets and click Save. The selected assets are added and excluded from Sandbox Analysis.
    The following screenshot is an example of the assets selected to restrict assets: