Firehunter 6000 Sandbox

Advanced persistent threats (APTs) often use social engineering to obtain contact information and send phishing emails to unsuspecting people. They exploit security vulnerabilities in Internet of Things (IoT) devices and hide undetected in high-value business assets to steal or compromise target information. Attacks are commonly seen in compromised infrastructure, such as the finance sector, resource suppliers, and government agencies, affecting people's livelihoods. Before launching attacks, perpetrators are usually well prepared and wait patiently for their opportunity. Once an attack is launched, perpetrators usually combine techniques such as advanced evasion with the exploitation of known vulnerabilities, which renders security devices that rely on detecting attack traffic ineffective.
Huawei FireHunter 6000 series sandbox products (hereinafter referred to as Huawei FireHunter) are a family of APT detection systems. They reassemble network traffic mirrored by switches or traditional security devices and run the files transferred over the network in virtualized environments to detect unknown malicious files. Through reputation scanning, real-time behavior analysis, Big Data-based correlation analysis, and cloud-based technologies, Huawei FireHunter collects and analyzes the static and dynamic behavior of target software programs and, with the help of Huawei's unique behavior model library, provides accurate detection results. Based on these results, Huawei FireHunter detects, blocks, and visualizes suspicious traffic streams, effectively preventing the spread of unknown threats and protecting the core information assets of businesses. Huawei FireHunter is especially useful to finance and government agencies, resource providers, and high-tech enterprises.

FireHunter 6000 Sandbox

Characteristics

Multi-system simulation capabilities, ensuring comprehensive detection of malware and unknown threats

  • Comprehensive traffic detection capabilities: Huawei FireHunter is capable of identifying mainstream file transfer protocols, such as HTTP, SMTP, POP3, IMAP, and FTP, and detecting malicious files transmitted using these protocols.
  • Detection of mainstream file types: Huawei FireHunter is capable of detecting malicious codes contained in files, such as .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .html, .js, .exe, .jpg, .gif, .png, and .zip, created using mainstream applications.
  • Detection of web traffic: Huawei FireHunter supports the detection of zero-day vulnerabilities on web pages, which makes Huawei one of just two vendors in the world to support such a detection function.
  • Simulation of mainstream operating systems and applications: Huawei FireHunter is capable of simulating the behavior of the Windows operating system, Internet Explorer, the Microsoft Office suite, and Kingsoft WPS by default. This can be customized to suit your needs.

Multi-layer in-depth detections and rapid response in seconds, blocking malware and unknown threats

  • Layered defense system: Huawei FireHunter supports reputation matching, heuristic detection, and virtualized execution, ensuring Huawei FireHunter can tackle next-generation threats represented by APT attacks.
  • Industry-leading performance: Huawei FireHunter analyzes 70,000 to 180,000 files per day. Multiple Huawei FireHunters can be deployed as a cluster to scale performance.
  • Near-real-time processing capabilities: Huawei FireHunter provides near-real-time processing capabilities, reducing the response time from weeks to seconds. In addition, Huawei FireHunter can work with the NGFW to provide online defense capabilities.

Sandbox diagram

Multi-dimensional analysis, reducing false positives and improving the detection accuracy

  • Multi-dimensional analysis capabilities: Huawei FireHunter pins down suspicious traffic by performing static analysis (examining code snippets and abnormal API calls), identifies malicious files and operations through instruction stream monitoring, and determines whether traffic is legitimate through intelligent behavior analysis.
  • High detection accuracy and low false positives: Based on multi-dimensional analysis, Huawei FireHunter has a detection accuracy of 99% and reduces false positives using effective measures, such as a whitelist.
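To make the layered pipeline described above concrete, the following is an added example that is not Huawei's code and is not part of the original page. It implements the first two layers a defender would build before virtualized execution: reputation matching by file hash, then static heuristics (content type sniffed from magic bytes versus the claimed extension, double extensions), with bounded unpacking of ZIP archives so that members are inspected with the same pipeline, as the compressed-file inspection features on this page describe. Files that neither layer settles are flagged for the virtualized-execution stage, which is not implemented here. The reputation sets, the recursion limits, and the sample archive are constructed assumptions, not values from the product.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Magic-byte prefixes for the file types the page lists. OLE covers legacy binary
# Office files (.doc/.xls/.ppt); .docx/.xlsx/.pptx are ZIP containers.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpg",
         b"\x89PNG": "png", b"GIF8": "gif", b"\xd0\xcf\x11\xe0": "ole"}
EXT_TO_TYPE = {"exe": "exe", "pdf": "pdf", "zip": "zip", "jpg": "jpg", "png": "png",
               "gif": "gif", "doc": "ole", "xls": "ole", "ppt": "ole",
               "docx": "zip", "xlsx": "zip", "pptx": "zip"}
# Bounds on archive recursion (constructed values) so nested or oversized archives
# cannot exhaust the analyzer.
MAX_DEPTH, MAX_MEMBERS, MAX_MEMBER_BYTES = 3, 100, 5 * 1024 * 1024
# Constructed reputation lists keyed by SHA-256; a deployment would query a feed instead.
KNOWN_GOOD, KNOWN_BAD = set(), set()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Report:
    name: str
    sha256: str
    sniffed: str
    findings: list = field(default_factory=list)
    verdict: str = "unknown"      # clean | malicious | suspicious | unknown
    needs_sandbox: bool = False   # True when virtualized execution should follow
    children: list = field(default_factory=list)

def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, not by its claimed extension."""
    return next((kind for prefix, kind in MAGIC.items() if data.startswith(prefix)), "unknown")

def static_heuristics(name: str, sniffed: str) -> list:
    """Cheap static checks: content contradicting the extension, and double extensions."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    expected = EXT_TO_TYPE.get(ext)
    if sniffed == "exe" and ext != "exe":
        findings.append(f"PE executable without .exe extension ({name})")
    elif expected and sniffed != "unknown" and sniffed != expected:
        findings.append(f"extension .{ext} but content is {sniffed} ({name})")
    if len(parts) > 2 and parts[-2] in EXT_TO_TYPE and ext == "exe":
        findings.append(f"double extension hides an executable ({name})")
    return findings

def analyze(name: str, data: bytes, depth: int = 0) -> Report:
    """Layered triage: reputation, then static heuristics, then bounded ZIP recursion."""
    report = Report(name, sha256_hex(data), sniff_type(data))
    # Layer 1: reputation matching settles known files without further work.
    if report.sha256 in KNOWN_BAD:
        report.verdict = "malicious"
        report.findings.append("hash on deny list")
        return report
    if report.sha256 in KNOWN_GOOD:
        report.verdict = "clean"
        return report
    # Layer 2: static heuristics, then the same pipeline on each archive member.
    report.findings.extend(static_heuristics(name, report.sniffed))
    if report.sniffed == "zip" and depth >= MAX_DEPTH:
        report.findings.append("nesting depth limit reached, archive not unpacked")
    elif report.sniffed == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist()[:MAX_MEMBERS]:
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        report.findings.append(f"{info.filename} exceeds size cap, not unpacked")
                        continue
                    report.children.append(analyze(info.filename, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            report.findings.append("ZIP signature present but archive is corrupt")
    # Roll-up: a malicious member condemns the container; any finding makes it
    # suspicious; whatever reputation did not settle still goes to the sandbox stage.
    if any(c.verdict == "malicious" for c in report.children):
        report.verdict = "malicious"
    elif report.findings or any(c.verdict == "suspicious" for c in report.children):
        report.verdict = "suspicious"
    report.needs_sandbox = report.verdict in ("unknown", "suspicious")
    return report

# Constructed samples: a known-good PDF, and an archive whose "photo.jpg" is a PE stub.
GOOD_PDF = b"%PDF-1.4\n%constructed known-good sample\n"
KNOWN_GOOD.add(sha256_hex(GOOD_PDF))

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 62)   # stub header only, not a real executable
        zf.writestr("readme.pdf", GOOD_PDF)
    return buf.getvalue()
```

Running `analyze("invoice.zip", build_sample_zip())` marks the archive suspicious because its `photo.jpg` member carries a PE header, while `readme.pdf` is settled as clean by the reputation layer and never reaches the heuristics. The recursion and size limits matter in practice: an analyzer that unpacks archives without bounds is itself a resource-exhaustion target.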

Deployment Scenario

Huawei FireHunter can be deployed in the following modes:

Off-line mode: Huawei FireHunter detects malicious files in traffic mirrored to it through a mirror port or an optical splitter. Because only a copy of the network traffic is sent to Huawei FireHunter for analysis, the firewall or IPS device is responsible for blocking the malicious traffic that Huawei FireHunter detects.

MTA in-line mode: Huawei FireHunter is directly connected to the email server. After the email server and Huawei FireHunter are configured to work with each other, Huawei FireHunter detects the email attachments before forwarding the messages to the email server. If an attachment is considered malicious, Huawei FireHunter blocks the email.

Sandbox deployment scenarios

Specification

Supports 32-bit PE File Inspection

Supports 32-bit Windows XP and Windows 7 operating systems.

Supports Compressed PE File Inspection

Supports the decompression of and threat detection in ZIP, RAR, GZ, CAB, and 7Z files.

Supports Compressed Web File Inspection

Supports the decompression of and threat detection in ZIP, RAR, GZ, CAB, and 7Z files.

Supports PDF File Inspection

Supports Adobe Reader 9, X, and XI.

Supports Compressed PDF File Inspection

Supports the decompression of and threat detection in ZIP, RAR, GZ, CAB, and 7Z files.

Supports Traffic Restoration of Layer-2 Protocols

Supports Layer-2 protocols such as ETH, VLAN, PPTP, PPP, and PPPoE in traffic restoration.

Supports Traffic Restoration of Layer-3 and Layer-4 Protocols

Layer-3 and Layer-4 protocols supported by traffic restoration include IPv4, IPv6, GRE, TCP, and UDP.

Supports Traffic Restoration of Application-layer Protocols

Application-layer protocols supported by traffic restoration include HTTP, FTP, SMTP, POP3, IMAP, TFTP, NFS, and Samba.

Model: FireHunter 6000

Hardware Configuration
  • x86 server in a 2U rack
  • Memory of no less than 128 GB
  • Two power modules for redundancy
  • Hard drive with a capacity of no less than 2 TB
  • SSD drive with a capacity of no less than 128 GB

Performance
  • 70,000 files (non-web pages) per day or 36,000 web pages per hour
  • Average detection response time of less than 30 seconds


Huawei Sandbox

Using virus and reputation-based scanning, static analysis, and virtual execution technologies, together with Huawei's unique behavior pattern library, the FireHunter 6000 is capable of detecting unknown malicious files and providing accurate detection reports. It interworks with other security devices to quickly block advanced malicious files, preventing unknown threats from spreading and protecting the core information assets of enterprises. The FireHunter is especially applicable to finance and government agencies, energy providers, and high-tech enterprises.

Competing products include the FireEye NX series, EX series, and ETP; Fortinet FortiSandbox; Cisco AMP; and Palo Alto Networks WildFire cloud-based malware analysis.