Understanding SandCastle: Trend Micro's Advanced Sandbox Engine
SandCastle is Trend Micro's sandbox engine designed to analyze files. Files sent to SandCastle are run in a virtual environment, where SandCastle collects all of their behaviors and documents them in our report. Additionally, we rate each file to determine whether it is malicious or not. The process of analyzing a file includes both static and dynamic analysis.
In the static analysis phase, SandCastle retrieves strings and macros and even extracts URLs from QR codes without executing the file. In the dynamic analysis phase, we run the file directly on our system to observe its behavior, gather all of the resulting information, and include it in the report. After that, SandCastle rates the file based on the combined results and sends the findings to the frontend service.
Understanding the QR Code Scan Function in SandCastle
In today's world, malicious links may be hidden in QR codes. SandCastle extracts the URLs from QR codes and sends them to the next stage for analysis. The QR Code Scan function is responsible for extracting URLs for SandCastle and is executed during our static analysis phase.
SandCastle Sample Analysis Process
Supported File Types for QR Code Scan in SandCastle
If SandCastle encounters any of the following file types, it will activate its QR Code Scan function:
- Word
- PowerPoint
- HTML
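To make the static-analysis step concrete, here is an added example (not SandCastle's own code or Trend Micro's implementation) of how a scanner can locate QR-code candidates in the three supported container types and pull URLs out of whatever the decoder returns. It assumes Word and PowerPoint files are OOXML zip archives with images under `word/media/` and `ppt/media/`, and treats HTML `<img>` tags with base64 `data:` URIs as inline candidates. The QR decoder itself is a pluggable callable (a real deployment would wire in a library such as OpenCV's `QRCodeDetector`); the `stub_decoder` and the in-memory sample document below are constructed for the demonstration.

```python
import base64
import io
import re
import zipfile
from html.parser import HTMLParser
from typing import Callable, List, Tuple

# Media locations inside OOXML archives (assumption: .docx and .pptx layouts).
OOXML_MEDIA_PREFIXES = ("word/media/", "ppt/media/")
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
# Only http(s) URLs are pulled from decoded payloads; other schemes are ignored here.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Type of the pluggable decoder: image bytes -> list of decoded QR payload strings.
QrDecoder = Callable[[bytes], List[str]]


def extract_ooxml_images(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (archive path, bytes) for every image embedded in a .docx/.pptx."""
    images = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.startswith(OOXML_MEDIA_PREFIXES) and name.lower().endswith(IMAGE_EXTENSIONS):
                    images.append((name, zf.read(info)))
    except zipfile.BadZipFile:
        # A malformed or non-zip "document" yields no candidates rather than an exception.
        return []
    return images


class _ImgCollector(HTMLParser):
    """Collects inline (data: URI) images from <img> tags; external srcs are listed, not fetched."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Tuple[str, bytes]] = []
        self.external: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        src = dict(attrs).get("src") or ""
        if src.startswith("data:"):
            header, _, payload = src.partition(",")
            if ";base64" in header:
                try:
                    blob = base64.b64decode(payload, validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    return
                self.images.append((f"data-uri#{len(self.images)}", blob))
        elif src:
            self.external.append(src)  # static analysis never fetches these itself


def extract_html_images(data: bytes) -> Tuple[List[Tuple[str, bytes]], List[str]]:
    parser = _ImgCollector()
    parser.feed(data.decode("utf-8", errors="replace"))
    return parser.images, parser.external


def scan_for_qr_urls(filename: str, data: bytes, decode_qr: QrDecoder) -> List[str]:
    """Activate the QR scan only for supported types; return de-duplicated URLs found in QR payloads."""
    lower = filename.lower()
    if lower.endswith((".docx", ".pptx")):
        images = extract_ooxml_images(data)
    elif lower.endswith((".html", ".htm")):
        images, _external = extract_html_images(data)
    else:
        return []  # unsupported type: the QR scan stage stays inactive
    found: List[str] = []
    for _name, blob in images:
        for payload in decode_qr(blob):
            for url in URL_RE.findall(payload):
                if url not in found:
                    found.append(url)
    return found


# --- Constructed sample inputs and a stub decoder for demonstration only ---
FAKE_IMAGE = b"fakepng"  # stands in for real PNG bytes carrying a QR code


def stub_decoder(blob: bytes) -> List[str]:
    """Hypothetical decoder: recognises only the constructed sample image."""
    return ["Scan to download: https://example.test/landing"] if blob == FAKE_IMAGE else []


def build_sample_docx() -> bytes:
    """Minimal OOXML-shaped zip with one embedded image (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/media/image1.png", FAKE_IMAGE)
    return buf.getvalue()


def build_sample_html() -> bytes:
    b64 = base64.b64encode(FAKE_IMAGE).decode()
    return f'<html><body><img src="data:image/png;base64,{b64}"><img src="https://cdn.example.test/logo.png"></body></html>'.encode()


if __name__ == "__main__":
    print(scan_for_qr_urls("invoice.docx", build_sample_docx(), stub_decoder))
    print(scan_for_qr_urls("page.html", build_sample_html(), stub_decoder))
    print(scan_for_qr_urls("notes.pdf", b"%PDF-1.7", stub_decoder))
```

Extracted URLs are returned for the next analysis stage rather than fetched, which keeps the static phase free of network side effects; a malformed archive or an undecodable data URI simply produces no candidates.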