Avast Business Endpoint Protection:  A Closer Look at CyberCapture and Sandbox

Greg Mosher 18 Jan 2018

All three solutions offer advanced threat detection technologies for businesses




As small and medium-sized (SMB) businesses continue to be primary targets for cybercrime, IT teams need powerful, affordable and easy-to-use security software.  All three of our Avast Business endpoint protection solutions – Antivirus, Antivirus Pro and Antivirus Pro Plus – deliver the technology and security expertise of the Avast-AVG combination. With SMB security needs and budgets in mind, each solution provides a robust defense.  Even our basic solution, Avast Business Antivirus, has advanced security features and technologies that include File, Web, Email and Behavior Security Shields, Firewall, Anti-spam, Smartscan, Sandbox and CyberCapture.

Let’s take a closer look at two of these technologies, CyberCapture and Sandbox, and explain how they help identify, isolate and detect threats and why this matters for businesses.

The power behind CyberCapture

In developing our proprietary cloud-based CyberCapture technology, we focused on shortening the time between malware discovery and the deployment of a detection.  The average lifespan of today’s malware is just a few hours and cybercriminals focus on quick, fast campaigns to hit a high volume of victims in the shortest time frame. Malware criminals are also using server polymorphism, where one malware attack instance targets a single user before the code morphs and attacks the next user.   Our proprietary, cloud-based CyberCapture technology addresses all of this, identifying, isolating and quickly determining whether unknown files are potentially harmful and then analyzing these in real-time in the cloud.

As the last guard in our chain of security shields and threat detection engines, CyberCapture works by seizing, or ‘capturing,’ any low prevalent or low reputation files – files that have not been seen by users – for deeper analysis in a safe cloud environment. CyberCapture is unique due to the variety, type and volume of new malware it can continually identify.  For example, CyberCapture gains an advantage through the vast size and global reach of our Avast user base and threat detection network -- more than 400 million business, consumer and mobile device endpoints continually provide insights that power our threat detection and enable technologies like CyberCapture to continually and proactively identify new malware before it becomes common.

Cybercapture works its magic on malware that is using encryption to hide its payload. For example, if you download an executable file from the internet and according to our threat database, it has never been seen before by any of our users, it will be put into an isolated environment where it can be observed and behavioral data will be collected. To analyze the file, we clear away the malware creator’s false code and misdirection so we can observe the binary level commands inside malware and understand the instructions hidden there. Based on this data, CyberCapture can decide that more analysis is required. In that case, the file is further analyzed by our machine learning and behavior analysis systems.  Once that analysis is completed, the user is notified and the file is either released back and can be run, or if it is identified as malicious, it is quarantined so it can no longer execute on a user’s system.  

CyberCapture continually gathers intelligence on new viruses, analyzing over 10,000 new files each day to protect businesses and their end users against the latest threats. Since its release in June 2016 for our consumer AV products, CyberCapture has analyzed 18.8 million files.  An estimated 24.8% of these files -- 4.7 million -- have been identified as malware. Decisions are made for more than half of the files within 5 minutes or less.

For SMBs and the IT teams that support these businesses, CyberCapture is a front line defense against threats like ransomware. For example, we used CyberCapture for early identification of Locky ransomware in 2016. Locky is a malware delivered by email with an attached Microsoft Word attachment that contains malicious macros.  Malware in this form, for example, contained in an unknown installer and packaged as a well known application, will continue to keep SMBs challenged. With CyberCapture, these types of threats are caught early and automatically.

Sandbox & CyberCapture

Compared to CyberCapture’s automated inspection process, our Sandbox feature can be used for any situation where the user, or IT team, wants to run a given file or application safely in a virtual space isolated from a user’s PC, to observe any potential unwanted or harmful actions the untrusted file or application may perform.  This can be done with just a click and can be run as long as needed.  Any changes made by the executable are not saved and discarded once the Sandbox is closed, eliminating risks like corrupted software or stolen data.   

Our Sandbox feature not only lets a user safely run a program that they are unsure about, but the nature of the Sandbox itself allows us to see what the program is doing. By collecting what the Sandbox 'sees' and feeding that to CyberCapture, it allows us to better determine malicious behavior and non-malicious behavior and at the same time, continually make our endpoint protection solutions smarter.

Simplifying security protection

CyberCapture and Sandbox are examples of ways we are reducing the complexity of protecting small businesses through advanced threat detection, smart features that enhance online security for businesses and their employees, and simplified service options that help SMBs or their IT partners more easily secure IT environments.

You can find more information about our Avast Business endpoint protection solutions here or download free trials for our Antivirus, Antivirus Pro or Antivirus Pro Plus solutions.

--> -->