by PeekPoke 3548 days ago
Most sandbox solutions do their detection inside the VM and so can be beaten by these techniques. Good sandboxes do their detection lower in the stack, typically in the CPU using full system emulation. I use Lastline to protect my networks and it does it this way.

Lastline doesn't only do CPU emulation. I don't know if it's still the case, but their "OSX emulation" was a bunch of iMac minis in a rack not that long ago ;) There are also quite a few ways of detecting Lastline's sandboxing, and there is malware that does this in the wild.

Yes, my understanding is they don't emulate OSX as such; they run code on the Mac Minis. More to do with Apple's licensing model requiring hardware for each OSX license than anything else. I'd be interested to know what malware avoids Lastline. I wasn't aware of any, and they scored 100% with no false positives in this year's NSS Labs test, which impressed me.
> I'd be interested to know what malware avoids Lastline

The one you don't hear about unless it ends up as front page news ;)

NSS is hardly a benchmark for directed threats.