For organizations that want to characterize and study the evolution of malware, Norman, the Norwegian anti-virus, anti-spyware and firewall company, offers the Norman Sandbox, a virtual environment in which viruses and other malware can reveal their actions without putting live systems and data at risk. The same technology also serves organizations that need to catch malware before it becomes widespread, that is, before anyone has the cure figured out. That is the zero-hour requirement.
The core idea of the Sandbox is that it judges a sample by its behavior rather than by matching file signatures. It does this by running the sample inside an emulated or virtual replica of the host system. The malware is fooled into treating the virtual environment as a real one, so its file, registry and network activity is carried out against the replica and recorded, while the real host remains untouched. The approach relies on the emulation being convincing: a sample that recognizes it is being analyzed can simply behave benignly, so a sandbox verdict is best treated as one signal alongside other controls.
Arvid Gomez, the company's VP of OEM and Technology Sales, based in San Ramon, CA, said that the sandbox provides protection against dynamic-signature viruses and zero-hour malware before AV publishers can model the signature. This zero-hour characterization is a strong complement to remediation and signature-based solutions, covering users for the short but highly vulnerable window between release of the malware and publication of its signature.
A behavior model is a very powerful idea, since most damage occurs as a result of unintended or unapproved system actions rather than from the mere presence of a particular file. It also depends less on pushing global signature updates to every PC client to account for the latest malware.
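To make the contrast between the two paragraphs above concrete, here is a small added example (not Norman's code; the trace format, rule names and sample traces are constructed for illustration). A hash-based signature check catches only the exact bytes it has seen before, so a trivially repacked variant slips through until a new signature ships. A behavior check instead reads the actions recorded during an emulated run, so the same variant is flagged by what it does: dropping an executable into a user-writable directory, registering it under a Run key, executing it and connecting out. A legitimate installer trace that touches Program Files produces no findings.

```python
"""Signature matching vs. behavior rules over a recorded execution trace.

Added illustrative code, not Norman Sandbox code. The Event format, the
rules and both sample traces are constructed assumptions for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Event:
    """One action observed while the sample ran inside the emulated host."""
    action: str   # "file_write", "reg_set", "proc_create" or "net_connect"
    target: str   # file path, registry key, command line or host:port


# Constructed trace of a dropper: writes a payload under AppData, persists it
# via the per-user Run key, launches it, and the payload beacons out.
DROPPER_TRACE = [
    Event("file_write", r"C:\Users\victim\AppData\Roaming\svch0st.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
    Event("proc_create", r"C:\Users\victim\AppData\Roaming\svch0st.exe"),
    Event("net_connect", "203.0.113.7:8080"),
]

# Constructed trace of a benign installer: same kinds of actions, but into
# Program Files and a vendor key, with no network activity.
INSTALLER_TRACE = [
    Event("file_write", r"C:\Program Files\Acme\acme.exe"),
    Event("reg_set", r"HKLM\Software\Acme\Version"),
    Event("proc_create", r"C:\Program Files\Acme\acme.exe"),
]

# Constructed "signature database": SHA-256 of one known dropper build.
ORIGINAL_DROPPER = b"original dropper bytes"
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_DROPPER).hexdigest()}


def signature_verdict(sample: bytes) -> bool:
    """Classic signature match: True only if this exact file is already known."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def behavior_verdict(trace: Iterable[Event]) -> List[str]:
    """Return the names of behavior rules the trace triggers (empty = clean).

    Rules look at combinations of actions, so a repacked or obfuscated file
    that performs the same actions is still caught.
    """
    events = list(trace)
    findings: List[str] = []

    dropped: Set[str] = {
        e.target.lower() for e in events
        if e.action == "file_write" and e.target.lower().endswith(".exe")
    }
    user_dirs = ("\\appdata\\", "\\temp\\")
    user_drop = {p for p in dropped if any(d in p for d in user_dirs)}
    if user_drop:
        findings.append("drops executable into user-writable directory")

    run_keys = [
        e for e in events
        if e.action == "reg_set" and "\\currentversion\\run" in e.target.lower()
    ]
    if run_keys and dropped:
        findings.append("persists dropped executable via Run key")

    executed = {e.target.lower() for e in events if e.action == "proc_create"}
    if executed & user_drop:
        findings.append("executes its own dropped payload")

    if user_drop and any(e.action == "net_connect" for e in events):
        findings.append("dropped payload beacons to the network")

    return findings


def classify(sample: bytes, trace: Iterable[Event]) -> str:
    """Combine both checks: signatures for speed, behavior for the zero-hour gap."""
    if signature_verdict(sample):
        return "known-bad"
    if behavior_verdict(trace):
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    repacked = ORIGINAL_DROPPER + b"\x00"   # one byte of padding defeats the hash
    print("original  :", classify(ORIGINAL_DROPPER, DROPPER_TRACE))
    print("repacked  :", classify(repacked, DROPPER_TRACE))
    print("installer :", classify(b"acme setup bytes", INSTALLER_TRACE))
    for rule in behavior_verdict(DROPPER_TRACE):
        print("  -", rule)
```

The repacked variant is the zero-hour case the article describes: the signature check misses it, but the behavior rules, fed by the trace the emulated run produces, still return a verdict before any signature exists.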
Norman trades publicly on the Oslo Stock Exchange, has 200 employees and reported $60 million in 2007 revenues. Gomez's role, from his office in San Ramon, is to OEM this and other Norman security capabilities into solutions sold by other vendors.