Product Overview

Home / Product Overview

SecondWrite adds another dimension to malware analysis by including a component on deep program analysis at run time. This pushes the envelope of malware detection.

As opposed to other solutions where malware is able to hide itself, our patented technology acts as a lie detector that analyzes all the code in the malware by using complete code exploration. Other sandboxes handle evasion after the fact. Our technology is independent of the underlying evasive mechanism and proactively defeats any known or unknown zero-day evasion techniques.

Other solutions achieve only partial visibility into malware by examining its OS-level behavior only. SecondWrite’s solution achieves complete visibility into malware by examining Program-level behavior in addition to OS-level behavior.  This can be used to detect anti-analysis malware. Anti-analysis malware is malware that hides from a variety of detection tools, such as anti-virus (AV), endpoint, debugging, sandbox, and reverse engineering tools. Other tools cannot detect this anti-analysis behavior since it cannot be detected using OS-level monitoring alone. We can detect such behavior by combining OS-level and Program-level behavior. When present, such anti-analysis behavior is a good indicator of malicious intent.

Product Features

Detects Evasive Malware

Zero-day evasions, Targeted attacks, Stalling code, Anti-VM malware, time bombs and others.

Capture Anti-Analysis IOCs

These include internal program structure, anti-debugger, anti-endpoint, anti-binary analyzer, and obfuscation.

Handles all file types

Executables, documents, PDFs, .NET, VB, URLs

Easy-to-use API

Integrates easily with other security solutions.

SecondWrite’s advanced malware sandbox detects and stops all types of malware including advanced evasive malware. Our sandbox is meant for use by at least the following customer segments:

  • Network security companies.
  • Endpoint security companies.
  • Security operations centers (SOCs) at enterprises.
  • Managed security providers running SOCs.
  • Incidence response teams
  • Threat intelligence vendors.

In each of these segments, the customer submits files to our sandbox for evaluation. Our sandbox then returns a report for each file describing its dynamic behavior.


70% more indicators of compromise detected on randomly selected malware data sets than a leading sandbox containing ad-hoc anti-evasive techniques.

Handles all kinds of evasive malware. Other bare-metal or full-system emulation only handle anti-VM malware.

Handles zero-day or previously unknown evasions. Ad-hoc techniques used in other sandboxes are easily circumvented by advanced malware.

Example Comparison

For each malware sample, an excerpt of the report showing indicators of compromise produced by the widely used open-source Cuckoo sandbox is on the left, and the corresponding excerpt of the report produced by the SecondWrite sandbox is on the right. Unlike the Cuckoo report, the SecondWrite report discovers indicators not present in Cuckoo, and classifies those indicators by type.

This comparison is with Rombertik, a highly evasive widespread spyware that steals confidential information from victims and was highly active in 2015. SecondWrite sandbox shows around 2X more IOCs with better classification compared to Cuckoo.

Without SecondWrite

With SecondWrite