Sandbox archive processing
A description of sandbox archive processing.
When a file in the sandbox is an archive, the archive is unpacked and each extracted file is checked for malware against the Yara rules and Structured Threat Information Expression (STIX) indicators. The process is repeated recursively for each extracted file, so that malware inside nested archives is also detected. The 'archive' configuration commands listed below control how this unpacking and checking is performed. Because unpacking and checking can consume significant resources, tuning these parameters matters when the sandbox holds a large number of potentially large files.
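The following is an added, stand-alone Python example of the recursive unpack-and-check loop described above. It is not Fortinet code and does not reproduce the 'archive' configuration commands; instead it shows the three resource limits a practitioner would expect such settings to control (nesting depth, number of extracted files, and total decompressed bytes) and what the check reports when each limit is hit. The plain byte-pattern match is a stand-in for the Yara/STIX check, the EICAR test string is the constructed sample indicator, and the names `Limits`, `Report`, `max_depth`, `max_files` and `max_total_bytes` are this example's own, not CLI parameters.

```python
"""Recursive archive unpack-and-check with resource limits (added example, not FortiOS code)."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample indicator: the EICAR test string stands in for the Yara/STIX
# matching the page describes. It is harmless and recognised by most AV engines.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
INDICATORS: Dict[str, bytes] = {"eicar-test-file": EICAR}


@dataclass
class Limits:
    """Hypothetical tuning knobs (names are this example's own, not CLI parameters)."""
    max_depth: int = 3                        # nested archive levels to open
    max_files: int = 100                      # extracted files to check in total
    max_total_bytes: int = 10 * 1024 * 1024   # decompressed bytes across all levels


@dataclass
class Report:
    scanned: List[str] = field(default_factory=list)              # paths checked
    hits: List[Tuple[str, str]] = field(default_factory=list)     # (path, indicator)
    skipped: List[Tuple[str, str]] = field(default_factory=list)  # (path, reason)
    total_bytes: int = 0


def match_indicators(data: bytes) -> List[str]:
    """Plain byte-pattern match; a real deployment would run Yara/STIX here."""
    return [name for name, pattern in INDICATORS.items() if pattern in data]


def scan_bytes(path: str, data: bytes, depth: int, limits: Limits, report: Report) -> None:
    """Check one file, then recurse into it if it is a ZIP archive."""
    if len(report.scanned) >= limits.max_files:
        report.skipped.append((path, "max_files"))
        return
    report.total_bytes += len(data)
    if report.total_bytes > limits.max_total_bytes:
        report.skipped.append((path, "max_total_bytes"))
        return
    report.scanned.append(path)
    for name in match_indicators(data):
        report.hits.append((path, name))

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= limits.max_depth:
        # Deep nesting is a cheap way to burn CPU: stop here, but record it.
        report.skipped.append((path, "max_depth"))
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            child = f"{path}/{info.filename}"
            # The declared size can lie (zip bomb), so this is only a cheap first
            # gate; the real byte count is checked again after decompression above.
            if report.total_bytes + info.file_size > limits.max_total_bytes:
                report.skipped.append((child, "max_total_bytes"))
                continue
            scan_bytes(child, zf.read(info), depth + 1, limits, report)


def scan_archive(data: bytes, limits: Optional[Limits] = None, name: str = "sample.zip") -> Report:
    report = Report()
    scan_bytes(name, data, 0, limits or Limits(), report)
    return report


def build_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, content in entries.items():
            zf.writestr(filename, content)
    return buf.getvalue()


def sample_archive() -> bytes:
    """Constructed input: sample.zip -> middle.zip -> inner.zip -> eicar.com."""
    inner = build_zip({"eicar.com": EICAR, "notes.txt": b"benign text"})
    middle = build_zip({"inner.zip": inner})
    return build_zip({"readme.txt": b"hello", "middle.zip": middle})


if __name__ == "__main__":
    r = scan_archive(sample_archive())
    print("checked:", len(r.scanned), "hits:", r.hits, "skipped:", r.skipped)
    r = scan_archive(sample_archive(), Limits(max_depth=2))
    print("with max_depth=2, skipped:", r.skipped)
```

With the default limits all six files are checked and the EICAR hit is reported three levels down; with `max_depth=2` the innermost archive is checked as a blob but never opened, so the hit is missed and the skip is recorded, which is the trade-off the depth setting makes. Every skip is logged with its reason so that a tightened limit shows up in the report rather than silently dropping files.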