Malware is analyzed and destroyed in virtual machines

Sep 1, 2015 09:48 GMT  ·  By

Microsoft has started work on a new service called Project Sonar, which would rely on virtual machines to detect, analyze, and destroy malware before it reaches customers.

The company revealed in a job posting on its Careers website that it's looking for a security software engineer who can help improve the service and develop new ways to detect and block malware.

According to the very same job ad, similar malware-blocking features are already being used in the Windows App Store and Exchange Online, but with Project Sonar, Microsoft might be looking into making the service available to more customers in the near future.

“The Sonar team builds and operates a VM based malware detonation platform as a service. Our system spins up 10's of thousands of VMs a day to detect malware and protect customers. We're deployed in places like the Windows App Store and Exchange Online. We are taking the service to the next level to handle more customers and data at scale,” the ad reads.

The idea of analyzing malware in a closed sandbox isn't really new, but for the moment there are still a number of questions as to how exactly Microsoft is planning to handle the collected data. As Microsoft watcher Mary Jo Foley notes, Redmond could allow customers to run Sonar directly and then look into the information their own systems collected, or the company could run Sonar itself and let customers analyze the data.

The detonation chamber

There are still a number of challenges to be addressed, Microsoft reveals, and that's why the Sonar team is expanding with new developers.

“[You need] to figure out how to store and search that data in performant manner, build a web-based Analyst Studio to make that data discoverable and actionable by analysts, build data pipelines to get our most interesting data to other Microsoft security systems in near real time, and also build publicly consumable Web APIs and portals for these services,” the job posting reveals.

Microsoft has already provided hints regarding the way such a “malware detonation” system would work, explaining that it can analyze emails sent to its customers before they reach their inboxes, using multiple filters and antivirus engines coupled with Exchange Online Protection.

The detonation chamber, which is essentially a sandbox in which attachments are analyzed, can decide whether a file is dangerous to customers' computers, and then determine whether or not it can be delivered to the recipient.

Microsoft is yet to publicly acknowledge work on this project, so we've reached out to the company to ask for more information and will update the article should we receive an answer.