Sandbox Detonation

What Is Sandbox Detonation?

Sandbox detonation is a cybersecurity technique in which a suspicious file, URL, or executable is deliberately run ("detonated") inside a safe, isolated virtual environment, called a sandbox, so that security software can observe its behavior without risking harm to real systems.

This approach is widely used in email security gateways, endpoint protection platforms, and enterprise threat intelligence systems.

How this affects ISL Online applications


Commonly observed sandbox environment symptoms

We have identified several symptoms that are common when ISL Online applications are run inside sandbox environments:

- Connection established to unknown computer
- The computer name of the connected computer is something simple like "JOHN-PC"
- ISL AlwaysOn computers do not stay online for long: since sandbox environments are shut down or wiped regularly, these computers remain offline in the list of computers
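As an added illustration (this is not ISL Online's code, and the record format is constructed for the example rather than taken from any ISL Online export), the following Python script applies the symptoms above to a list of computer records so an administrator can separate likely sandbox artifacts from real computers. The `known` flag is assumed to come from an operator-maintained inventory; the name pattern and the 15-minute threshold are assumptions chosen for the example.

```python
"""Triage computer records for the sandbox-detonation symptoms described above.

Added example. The ComputerRecord layout, the generic-name pattern and the time
thresholds are constructed assumptions, not an ISL Online data format or API.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Names that look like a stock sandbox image rather than a user's machine
# (constructed pattern covering "JOHN-PC"-style names).
GENERIC_NAME = re.compile(
    r"^(?:JOHN|ADMIN|USER|TEST|SANDBOX|PC|WIN\d*)(?:-(?:PC|USER|\d+))?$", re.I
)

# A computer seen for less than this, and gone for more than a day, is suspect.
SHORT_SESSION = timedelta(minutes=15)
GONE_FOR = timedelta(days=1)


@dataclass
class ComputerRecord:
    name: str            # computer name shown in the list of computers
    first_seen: datetime  # when the computer first appeared
    last_seen: datetime   # last time it was online
    online_now: bool      # currently online?
    known: bool           # True if an operator recognises this computer (assumed inventory)


def sandbox_symptoms(rec, now):
    """Return the symptoms a record exhibits; an empty list means it looks legitimate."""
    symptoms = []
    if not rec.known:
        symptoms.append("connection from unknown computer")
    if GENERIC_NAME.match(rec.name):
        symptoms.append(f"generic computer name '{rec.name}'")
    online_for = rec.last_seen - rec.first_seen
    if (not rec.online_now and online_for < SHORT_SESSION
            and now - rec.last_seen > GONE_FOR):
        minutes = int(online_for.total_seconds() // 60)
        symptoms.append(f"online only {minutes} min, then permanently offline")
    return symptoms


def triage(records, now, threshold=2):
    """Split records into (suspect, legitimate).

    A single symptom is weak evidence on its own (real users do pick odd
    names), so a record is marked suspect only when it shows at least
    `threshold` symptoms.
    """
    suspect, legitimate = [], []
    for rec in records:
        found = sandbox_symptoms(rec, now)
        target = suspect if len(found) >= threshold else legitimate
        target.append((rec.name, found))
    return suspect, legitimate


# Constructed sample data: two sandbox-looking entries and two real computers.
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE = [
    ComputerRecord("JOHN-PC", datetime(2024, 6, 3, 14, 2), datetime(2024, 6, 3, 14, 9), False, False),
    ComputerRecord("DESKTOP-4F2K", datetime(2024, 6, 8, 10, 0), datetime(2024, 6, 8, 10, 3), False, False),
    ComputerRecord("ACC-LAPTOP-MARIA", datetime(2024, 1, 15, 8, 0), datetime(2024, 6, 10, 8, 55), True, True),
    ComputerRecord("WH-SCANNER-02", datetime(2024, 5, 1, 7, 0), datetime(2024, 6, 9, 17, 30), False, True),
]

if __name__ == "__main__":
    suspect, legitimate = triage(SAMPLE, NOW)
    for name, found in suspect:
        print(f"SUSPECT  {name}: {'; '.join(found)}")
    for name, found in legitimate:
        print(f"OK       {name}")
```

Running the script marks JOHN-PC and DESKTOP-4F2K as suspect (unknown, short-lived, and in the first case generically named) while the two inventoried computers pass. Entries flagged this way are candidates for review, not proof of a sandbox; the value is in keeping a short list to check against the security tools in use.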


We have also observed several cases where the sandbox environment computers were controlled (e.g. by AI) to click on buttons within the executed applications. Therefore, despite ISL Light Client having built-in protection against sandbox detonations (the session is not initiated upon startup, but requires the end user to click the join button manually), sandbox environments often simulate these clicks and can get around this protection.

How to avoid sandbox detonations with ISL Online products

There are several ways to prevent ISL Online applications from being affected by sandbox detonations.

1) Add exclusions for ISL Online products in the security software that uses sandbox detonation.
2) Instruct users to download the ISL Light Client application through our downloads page and have them enter the session code manually upon startup.
3) Avoid using ISL AlwaysOn with silent installation parameters in environments where sandbox detonation cannot be disabled.

Common Sandbox Detonation Tools

Several well-known tools perform sandbox detonation:

  • Sophos Security
  • VirusTotal
  • CrowdStrike Falcon
  • Palo Alto WildFire
  • Cisco Threat Grid
  • Microsoft (Windows, Defender, Azure)
