Prevasio Sandbox intercepts and inspects all network traffic generated by containers, including HTTPS traffic.
SSL/TLS inspection is enabled with Prevasio's MITM proxy certificate being dynamically injected into the virtual file system of the analysed container images.
Currently, Prevasio Sandbox provides HTTPS interception for the 10 most common Linux distributions.
Prevasio Sandbox scans container images for the presence of any vulnerable packages and libraries.
Any x32/x64 ELF executable files created both during the container image build phase and at runtime are scanned with Prevasio's Machine Learning (ML) model.
The ML model used by Prevasio relies on an ELF file's static characteristics, its entropy, and the sequence of its disassembled code.
As this example shows, the use of ML provides robust detection, even if the malware has been modified.
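To illustrate the kind of static ELF features described above (header characteristics and byte entropy), here is an added example that is not Prevasio's code: it parses an ELF32/ELF64 header from bytes already in memory, computes Shannon entropy, and flags near-random byte distributions with a packing heuristic (the 7.2 threshold is an assumption). The sample ELF64 header is constructed inline and is not a real program.

```python
import math
import struct

# Header layouts for ELF32 and ELF64 (System V ABI); little-endian only here.
_ELF_HDR = {1: ("<16sHHIIIIIHHHHHH", 52), 2: ("<16sHHIQQQIHHHHHH", 64)}
_E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
_E_MACHINE = {3: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def elf_static_features(data: bytes) -> dict:
    """Extract header-level static features from an ELF image held in memory."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]                                 # 1 = ELF32, 2 = ELF64
    if ei_class not in _ELF_HDR or data[5] != 1:       # EI_DATA 1 = little-endian
        raise ValueError("unsupported ELF class or byte order")
    fmt, size = _ELF_HDR[ei_class]
    if len(data) < size:
        raise ValueError("truncated ELF header")
    fields = struct.unpack(fmt, data[:size])
    e_type, e_machine, _, e_entry = fields[1:5]        # e_version unused
    e_phnum, e_shnum = fields[10], fields[12]
    entropy = shannon_entropy(data)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "type": _E_TYPE.get(e_type, str(e_type)),
        "machine": _E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
        "entropy": round(entropy, 3),
        # Heuristic feature (assumed threshold): near-random bytes suggest packing/encryption.
        "likely_packed": entropy > 7.2,
    }


def build_sample_elf64(body: bytes) -> bytes:
    """Constructed minimal ELF64 x86-64 EXEC header plus an arbitrary body (not runnable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0x401000,
                      64, 0, 0, 64, 56, 1, 64, 0, 0)
    return hdr + body
```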
Full static visibility of the container's internals is not sufficient to tell whether a container image is indeed safe.
During the last stage of its analysis, Prevasio Sandbox simulates attackers' actions, first trying to fingerprint services running within the analysed container, and then engaging exploits against them.
In addition to that, the pen-test performs a brute-force attack against an identified service (such as SSH, FTP or SQL), in order to find weak credentials that would allow the attackers to log in.
As the pen-test is performed in an isolated environment, it poses no risk to the production environment.
Prevasio collects kernel-level system events within a running container.
These events are then correlated into a hierarchy and displayed visually as a force-directed graph. The graph makes it possible to identify problematic containers at a glance and to quickly establish remote access points.