Kaspersky Anti Targeted Attack Platform


Managing the Sandbox component through the web interface

The Sandbox web interface is located on the server hosting the Sandbox component.

The Sandbox web interface is protected against CSRF attacks and operates only if the browser of the web interface user sends the Referer header with each HTTP POST request. Make sure that the browser you use to work with the Sandbox web interface does not strip or modify the Referer header of HTTP POST requests. If the connection to the web interface goes through your organization's proxy server, check the proxy server settings and make sure that it does not strip or modify the Referer header of HTTP POST requests.
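The following is an added illustration (not Kaspersky's code) of the Referer-based POST check described above, showing why a header stripped by a browser setting or a proxy makes the interface stop working. The address 10.0.0.5 and the comparison of hosts only are assumptions.

```python
"""Referer-based CSRF check for HTTP POST requests, modelled on the behaviour
described above for the Sandbox web interface (added example, not Kaspersky code).

Assumptions not stated on the page: the check compares the host in the Referer
header with the host the request was addressed to, and only POST requests are
subject to it.
"""
from urllib.parse import urlsplit


def referer_allows_post(method, headers, request_host):
    """Return (allowed, reason) for one request.

    headers: mapping of header names (any letter case) to values.
    request_host: the host[:port] the request was sent to (its Host header).
    """
    if method.upper() != "POST":
        return True, "not a POST: Referer check does not apply"
    # Header names are case-insensitive; a proxy may rewrite their case.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not referer:
        # The page's stated behaviour: a POST without Referer is not served.
        # A header stripped by a browser privacy setting or a proxy policy
        # therefore looks exactly like a blocked cross-site request.
        return False, "POST without Referer (stripped by browser or proxy?)"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "Referer is not an absolute http(s) URL"
    # Referrer-Policy 'origin' or 'strict-origin' reduces the header to
    # scheme://host/, which is still enough because only the host is compared.
    if parts.netloc.lower() != request_host.lower():
        return False, "Referer host %s is not %s" % (parts.netloc, request_host)
    return True, "same-host Referer"


# Constructed sample requests to a Sandbox server reached at 10.0.0.5
# (placeholder address, not from the page).
SAMPLE_REQUESTS = [
    ("POST", {"Host": "10.0.0.5", "Referer": "https://10.0.0.5/authorization"}),
    ("POST", {"Host": "10.0.0.5", "Referer": "https://10.0.0.5/"}),  # origin-only policy
    ("POST", {"Host": "10.0.0.5"}),                                  # header stripped
    ("POST", {"Host": "10.0.0.5", "referer": "https://other.example/form"}),
    ("GET", {"Host": "10.0.0.5"}),
]


def evaluate(samples=SAMPLE_REQUESTS):
    """Run the check over the samples; returns a list of (method, allowed, reason)."""
    return [(m, *referer_allows_post(m, h, h["Host"])) for m, h in samples]


if __name__ == "__main__":
    for method, allowed, reason in evaluate():
        print("%-4s %-5s %s" % (method, "allow" if allowed else "deny", reason))
```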

To begin working with the Sandbox web interface, proceed as follows:

  1. In a browser on any computer on which access to the server with the Sandbox component is allowed, enter the IP address of the server with the Sandbox component.

    This opens the Sandbox component administrator credentials input window.

  2. Enter the Sandbox component administrator user name and password that you specified when installing the Sandbox component.

You can now start working in the Sandbox web interface.

If you use more than one server with the Sandbox component, configure the settings of each Sandbox component from that server's own Sandbox web interface.

In this Help section

Updating the Sandbox component databases

Configuring connection between the Sandbox and Central Node components

Configuring the Sandbox component network interfaces

Updating the Sandbox system

Setting the Sandbox system date and time

Installing and configuring images of operating systems and software required for the operation of the Sandbox component

Downloading the Sandbox system log to the hard drive

Exporting Sandbox settings

Importing Sandbox settings

Restarting the Sandbox server

Powering off the Sandbox server

Changing the Sandbox administrator account password


Updating the Sandbox component databases

The Sandbox component databases are files with records that make it possible to detect malicious code and signs of suspicious behavior in scanned objects.

Virus analysts at Kaspersky detect hundreds of new threats daily, create records to identify them, and include them in database update packages (update packages). An update package consists of one or more files containing records that identify the threats detected since the previous update package was released. We recommend that you receive update packages regularly.

During the license validity period, you can obtain update packages automatically once every hour or update the databases manually.

In this section

Updating databases manually

Selecting a database update source

Enabling and disabling a proxy server for database update

Configuring proxy server connection settings for database update


Updating databases manually

To start a database update manually:

  1. Select the Database Update section in the Sandbox web interface window.

    The Last update settings group shows the time and status of the last Sandbox database update.

  2. Click Start.


Selecting a database update source

To select a database update source:

  1. Select the Database Update section in the Sandbox web interface window.
  2. In the Update source settings group, select a source from which you want to receive update packages:
    • Kaspersky update server.

      The program connects to the Kaspersky update server over HTTP and downloads up-to-date databases.

    • Kaspersky update server (secure connection).

      The program connects to the Kaspersky update server over HTTPS and downloads up-to-date databases. Using HTTPS for database updates is recommended.

    • Custom server.

      The program connects to your FTP or HTTP server or to the folder with program databases on your computer to download up-to-date databases.

  3. If you selected Custom server, in the field under the name of the setting, enter the full path to the folder that contains the program database update package.
  4. Click Apply in the lower part of the window.


Enabling and disabling a proxy server for database update

To enable or disable a proxy server for updating the Sandbox component databases:

  1. Select the Database Update section in the Sandbox web interface window.
  2. In the workspace, do one of the following:
    • Enable the switch next to the Proxy server settings group name if you want to use the proxy server for the Sandbox component database update.
    • Disable the switch next to the Proxy server settings group name if you do not want to use the proxy server for the Sandbox component database update.


Configuring proxy server connection settings for database update

To configure the proxy server connection for updating Sandbox component databases:

  1. Select the Database Update section in the Sandbox web interface window.
  2. Enable the switch next to the Proxy server settings group name.
  3. In the Address field, enter the proxy server address.
  4. In the Port field, enter the proxy server port number.
  5. In the User name field, enter the proxy server user name.
  6. In the Password field, enter the password to obtain connection to the proxy server.
  7. Do one of the following:
    • Select the Bypass proxy server for local addresses check box if you do not want to use the proxy server for local addresses within your organization's network.
    • Clear the Bypass proxy server for local addresses check box if you want to use the proxy server for all addresses, whether or not they belong to your organization's network.
  8. Click Apply in the lower part of the window.


Processing connection requests from the Central Node servers in the Sandbox web interface

In the Sandbox web interface, you can accept or reject a connection request from a Central Node server, or revoke a previously accepted request.

To accept, reject, or revoke a connection request from Central Node servers:

  1. Select the Authorization section in the window of the Sandbox web interface.

    The Central Node connection requests section will show a list of connection requests from the Central Node components.

    Each connection request contains the following information:

    • IP—IP address of the Central Node server.
    • Certificate fingerprint—Thumbprint of the Central Node TLS certificate used to establish an encrypted connection between servers.
    • State—Status of the connection request.

      May have the values Pending or Accepted.

  2. Make sure that the certificate thumbprint shown in the connection request matches the certificate thumbprint configured on the Central Node server. Accept a request only after this check; it is what ties the request to the server you expect rather than to any host that reached the Sandbox.

    You can check the Central Node certificate thumbprint from the Central Node server administrator menu in the Manage Server Certificate section.

  3. Click one of the following buttons in the line containing the connection request from the Central Node component:
    • Accept if you want to accept the connection request.
    • Reject if you want to reject the connection request.
    • Revoke if you want to revoke a previously accepted connection request.
  4. Click Apply in the lower part of the window.
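An added example (not Kaspersky's code) of checking a displayed thumbprint against the Central Node certificate file obtained out of band, before clicking Accept. The digest algorithm (SHA-256 or SHA-1 over the DER certificate) and the display format are assumptions; the certificate bytes below are a constructed placeholder.

```python
"""Verifying the Central Node certificate thumbprint out of band before
accepting a connection request (added example, not Kaspersky code).

Assumptions not stated on the page: the thumbprint is a hex digest of the
DER-encoded certificate (SHA-256 or SHA-1), and the display format (colons,
spaces, letter case) may differ between the two places you read it from.
"""
import base64
import hashlib
import hmac
import re

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(data: bytes) -> bytes:
    """Return DER bytes from either a PEM-armoured file or raw DER input."""
    match = _PEM.search(data.decode("ascii", "ignore"))
    if match:
        return base64.b64decode("".join(match.group(1).split()))
    return data


def thumbprint(der: bytes, algorithm: str = "sha256") -> str:
    """Lowercase hex digest of the DER certificate, no separators."""
    return hashlib.new(algorithm, der).hexdigest()


def normalise(displayed: str) -> str:
    """'AB:CD:..', 'ab cd ..' and 'abcd..' all become 'abcd..'."""
    return re.sub(r"[^0-9a-f]", "", displayed.lower())


def thumbprint_matches(displayed: str, cert_file: bytes) -> bool:
    """Compare a displayed thumbprint with one computed from the certificate file.

    The digest algorithm is inferred from the displayed length (40 hex chars
    for SHA-1, 64 for SHA-256); any other length is rejected rather than guessed.
    """
    shown = normalise(displayed)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(shown))
    if algorithm is None:
        return False
    return hmac.compare_digest(shown, thumbprint(certificate_der(cert_file), algorithm))


# Constructed stand-in for a certificate file; a real check reads the Central
# Node certificate file obtained from the Central Node administrator.
FAKE_DER = b"placeholder, not a real X.509 certificate: " + bytes(range(32))
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    shown = ":".join(thumbprint(FAKE_DER)[i:i + 2] for i in range(0, 64, 2)).upper()
    print("displayed:", shown)
    print("matches PEM file:", thumbprint_matches(shown, FAKE_PEM))
```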


Configuring DNS settings

To configure DNS:

  1. Select the Network Interfaces section in the window of the Sandbox web interface.
  2. In the Host name field, enter the name of the server on which you are installing the Sandbox component in FQDN format (for example, sandbox).
  3. To the right of the DNS servers parameter name, click the Add button.

    This will add an empty field for the DNS server IP address input.

  4. Enter the IP address of the primary DNS server in IPv4 format.
  5. Click the OK button to the right of the entry field.

    The DNS server will be added.

  6. If you want to add an additional DNS server, repeat steps 2-5.
  7. If you want to remove a previously added DNS server, click the delete button to the right of the line containing the DNS server IP address.

    You can only remove additional DNS servers; the primary DNS server cannot be removed. If you added two or more DNS servers, you can remove any of them, and the remaining DNS server is used as the primary server.


Configuring settings of the management network interface

The management network interface provides access to the server with the Sandbox component over the SSH protocol; the Sandbox component also receives objects from the Central Node component through this interface.

You can configure a management network interface during installation of the Sandbox component.

You can also configure a management network interface from the Sandbox web interface.

To configure a management network interface from the Sandbox web interface:

  1. Select the Network Interfaces section in the window of the Sandbox web interface.
  2. In the Management interface settings group, from the Interface drop-down list, select the network interface that you want to use as the management interface.
  3. In the IP field, enter the IP address that you want to assign to this network interface if no IP address is assigned.
  4. In the Mask field, enter the network mask in which you want to use this network interface.
  5. Click Apply in the lower part of the window.

Configuring settings of a network interface used for Internet access of processed objects

Objects processed by the Sandbox component may attempt activities on the Internet via the network interface used for Internet access of processed objects. The Sandbox component can analyze the behavior of these objects.

If you block Internet access, the Sandbox component cannot analyze the behavior of objects on the Internet, and will therefore only analyze the behavior of objects without Internet access.

The network interface used for Internet access of processed objects must be isolated from the local network of your organization.

If the security policy of your organization denies access to the Internet from computers of local network users, and you have configured the Sandbox network interface for Internet access of processed objects, there is a risk of the following scenario:

An attacker could attach a malicious program to an arbitrary file and initiate a Sandbox scan of that file from a local network user's computer. While the Sandbox component scans the file, the file could be transferred outside the local network through the network interface used for Internet access of processed objects.

Leaving the Sandbox network interface for Internet access of processed objects unconfigured eliminates the risk of such data transfer but reduces the quality of alerts.

To configure the network interface used for Internet access of processed objects:

  1. Select the Network Interfaces section in the window of the Sandbox web interface.
  2. In the Internet interface settings group from the Interface list, select a network interface that you want to use for Internet access of processed objects.

    The management network interface that you configured previously cannot be selected from this list of network interfaces.

  3. In the IP field, enter the IP address that you want to assign to this network interface.
  4. In the Mask field, enter the network mask in which you want to use this network interface.
  5. In the Default gateway field, enter the gateway address of the network in which you want to use this network interface.
  6. Click Apply in the lower part of the window.

Adding, changing and removing static network routes

You can configure static network routes during installation of the Sandbox component.

You can also add, remove or change static network routes from the Sandbox web interface.

To add a static network route:

  1. Select the Network Interfaces section in the window of the Sandbox web interface.
  2. In the Static Routes settings group, click the Add button.

    A line with empty fields will be added in the list of static network routes.

  3. In the IP field, enter the IP address of the server for which you want to configure a static network route.
  4. In the Mask field, enter the subnet mask.
  5. In the Gateway field, enter the IP address of the gateway.
  6. From the Interface list, select a network interface for which you want to add a static network route.
  7. Click the OK button to the right of the line.
  8. Click Apply in the lower part of the window.

To remove a static network route, proceed as follows:

  1. Select the Network Interfaces section in the window of the Sandbox web interface.
  2. In the Static Routes settings group, in the line containing the static network route that you want to remove, click the delete button.
  3. Click Apply in the lower part of the window.

To modify a static network route:

  1. Select the Network Interfaces section in the window of the Sandbox web interface.
  2. In the Static Routes settings group, in the line containing the static network route that you want to change, click the edit button.

    The static network route line will become editable. You can change one or more parameters of a static network route.

  3. In the IP field, change the IP address of the server for which you want to configure a static network route.
  4. In the Mask field, change the subnet mask.
  5. In the Gateway field, change the IP address of the gateway.
  6. From the Interface list, select the network interface for which you are editing the network route.
  7. Click the OK button to the right of the line.
  8. Click Apply in the lower part of the window.
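An added example (not Kaspersky's code) that checks the isolation requirement stated earlier for the interface used for Internet access of processed objects against the management interface and the static routes configured above, using the same fields (IP, Mask, Gateway, Interface) the web interface exposes. The internal prefix list, interface names and addresses are constructed assumptions.

```python
"""Checking that the Sandbox interface for Internet access of processed objects
is isolated from the local network, using the same fields the Network
Interfaces section exposes (added example, not Kaspersky code; the page gives
the requirement, not this check).

Assumptions: the administrator supplies the organisation's internal prefixes;
all addresses and interface names below are constructed.
"""
import ipaddress


def _net(ip, mask):
    """Interface address plus dotted mask -> the subnet it belongs to."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def isolation_findings(mgmt, internet, routes, internal_prefixes):
    """Return a list of findings; an empty list means nothing contradicts isolation.

    mgmt / internet: dicts with keys interface, ip, mask (internet also gateway),
    routes: list of dicts with keys ip, mask, gateway, interface,
    internal_prefixes: CIDR strings describing the organisation's local network.
    """
    findings = []
    internal = [ipaddress.IPv4Network(p) for p in internal_prefixes]
    mgmt_net = _net(mgmt["ip"], mgmt["mask"])
    inet_net = _net(internet["ip"], internet["mask"])

    if mgmt["interface"] == internet["interface"]:
        findings.append("management and Internet access use the same interface")
    if mgmt_net.overlaps(inet_net):
        findings.append(f"Internet subnet {inet_net} overlaps management subnet {mgmt_net}")
    for prefix in internal:
        if prefix.overlaps(inet_net):
            findings.append(f"Internet subnet {inet_net} is inside internal prefix {prefix}")
    gateway = ipaddress.IPv4Address(internet["gateway"])
    if any(gateway in prefix for prefix in internal):
        findings.append(f"Internet default gateway {gateway} is an internal address")
    # A static route over the Internet interface towards an internal prefix
    # would let processed objects reach the local network from that interface.
    for route in routes:
        dest = _net(route["ip"], route["mask"])
        if route["interface"] == internet["interface"] and any(
                dest.overlaps(prefix) for prefix in internal):
            findings.append(
                f"static route {dest} via {route['gateway']} uses the Internet interface")
    return findings


# Constructed settings (placeholder addresses, not from the page).
INTERNAL = ["10.0.0.0/8"]
MGMT = {"interface": "eth0", "ip": "10.20.30.40", "mask": "255.255.255.0"}
INTERNET_OK = {"interface": "eth1", "ip": "198.51.100.10",
               "mask": "255.255.255.0", "gateway": "198.51.100.1"}
INTERNET_BAD = {"interface": "eth1", "ip": "10.20.31.5",
                "mask": "255.255.255.0", "gateway": "10.20.31.1"}
ROUTES_BAD = [{"ip": "10.50.0.0", "mask": "255.255.0.0",
               "gateway": "198.51.100.1", "interface": "eth1"}]

if __name__ == "__main__":
    for label, inet, routes in (("ok", INTERNET_OK, []), ("bad", INTERNET_BAD, ROUTES_BAD)):
        print(label, isolation_findings(MGMT, inet, routes, INTERNAL) or ["isolated"])
```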

Updating the Sandbox system

Kaspersky can issue update packages for Kaspersky Anti Targeted Attack Platform and for individual program components. For example, urgent update packages can be issued to eliminate vulnerabilities and errors, and scheduled updates can add new features or improve existing features of the program and its components.

After Sandbox updates have been issued, you can install them through the Sandbox web interface.

Prior to installing updates through the Sandbox web interface, you need to download an update package in TGZ format and the instructions for installing this update from the Kaspersky website to your computer.

To update the Sandbox system using the web interface:

  1. Select the System Upgrade section in the window of the Sandbox web interface.

    The current version of the Sandbox component is displayed to the right of the Current version setting label.

  2. Click the Browse button to the right of the Upgrade package field.

    This opens the file selection window.

  3. Select an update file to download and click the Open button.

    This closes the file selection window.

You can keep track of the Sandbox system update progress in the Upgrade log window of the System Upgrade section of the Sandbox web interface.

The update package will be installed automatically. The update process can take a while. The Sandbox server will restart. The Sandbox component will be unavailable during the system update.


Setting the Sandbox system date and time

To set the date and time on the server hosting the Sandbox component:

  1. In the Sandbox web interface window, select Date and Time.
  2. In the Country drop-down list, select the relevant country.
  3. In the Time zone drop-down list, select the relevant time zone.
  4. If you prefer to synchronize the time with the NTP server, select Synchronization with NTP servers.
  5. If you prefer to set the date and time manually, do not enable the switch to the right of the Synchronization with NTP servers parameter name and proceed as follows:
    1. In the Date field, enter the current date or click the calendar button and select a date in the calendar.
    2. In the Time field, enter the current time.
  6. Click Apply in the lower part of the window.


Installing and configuring images of operating systems and software required for the operation of the Sandbox component

The distribution kit includes ISO images of the following operating systems: Windows XP SP3, Windows 7 64-bit, Windows 10 64-bit, CentOS 7.8, and Astra Linux 1.7, as well as the software required for the operation of the Sandbox component. You do not have to activate these operating systems and programs; the images already include a license key.

The Sandbox component starts objects in these operating systems and analyzes the behavior of these objects in order to detect malicious activity and signs of targeted attacks and intrusions into the corporate IT infrastructure.

In case of problems with activation of operating systems or software, the web interface of the Sandbox component displays an error message. If this happens, please contact Kaspersky Technical Support.

In this section

Downloading ISO images of operating systems and software required for the operation of the Sandbox component

Creating virtual machines with images of operating systems and software required for the operation of the Sandbox component

Installing virtual machines with images of operating systems and software required for the operation of the Sandbox component

Deleting all pending virtual machines

Setting the maximum number of simultaneously running virtual machines


Downloading ISO images of operating systems and software required for the operation of the Sandbox component

To download an ISO image of an operating system and software required for the operation of the Sandbox component, do the following for each ISO image:

  1. Select the Virtual Machines section in the window of the Sandbox web interface.
  2. In the Virtual Machine images settings group, click the Upload button.

    This opens the file selection window.

  3. Select an ISO file that you want to download and click the Open button.

    This closes the file selection window.

The Virtual Machine images list shows the downloaded image of the operating system and software required for operation of the Sandbox component.

Proceed with downloading images of operating systems and software required for the operation of the Sandbox component for each ISO image.


Creating virtual machines with images of operating systems and software required for the operation of the Sandbox component

To create a virtual machine with an image of an operating system and software required for the operation of the Sandbox component, do the following for each virtual machine:

  1. Select the Virtual Machines section in the window of the Sandbox web interface.
  2. In the Virtual Machine images list, in the line containing the name of the image of the operating system and software required for the operation of the Sandbox component, click Create VM.

    When installing virtual machines with the Windows XP SP3, Windows 7, Windows 10 and Astra Linux 1.7 operating systems, the EULA window opens, which contains the contents of the following license agreements:

    • For Windows XP SP3, Windows 7, and Windows 10 operating systems:
      • MICROSOFT WINDOWS 7 PROFESSIONAL SERVICE PACK 1.
      • MICROSOFT WINDOWS XP PROFESSIONAL EDITION SERVICE PACK 3.
      • MICROSOFT OFFICE 2010 DESKTOP APPLICATION SOFTWARE.
      • MICROSOFT OFFICE 2007 DESKTOP APPLICATION SOFTWARE.
      • MICROSOFT OFFICE 2003 DESKTOP APPLICATION SOFTWARE.
      • ADOBE Personal Computer Software License Agreement.
      • MICROSOFT VISUAL C++ 2005 RUNTIME LIBRARIES.
      • MICROSOFT VISUAL C++ 2008 RUNTIME LIBRARIES (X86, IA64 AND X64), SERVICE PACK 1.
      • MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES.
      • MICROSOFT VISUAL C++ 2012 RUNTIME LIBRARIES.
      • MICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013.
      • MICROSOFT VISUAL STUDIO 2017 TOOLS, ADD-ONs and C++ REDISTRIBUTABLE.
    • For the Astra Linux 1.7 operating system:
      • THE END USER LICENSE AGREEMENT FOR ASTRA LINUX SOFTWARE is included in Kaspersky Anti Targeted Attack Platform.

    When installing a virtual machine that runs the CentOS 7.8 operating system, the EULA window does not appear because you do not need to accept the terms of the end user license agreement to use this operating system.

  3. Read the End User License Agreements and click the Accept button in the right lower corner of the EULA window.

    This opens the Unpack window. The archive containing an image of the operating system and software required for the operation of the Sandbox component is unpacked.

  4. The Not installed Virtual Machines list in the Virtual Machines window shows the virtual machine, which is ready for activation of the operating system and software and for installation.

Proceed with creating virtual machines with images of operating systems and software required for the operation of the Sandbox component for each virtual machine.


Installing virtual machines with images of operating systems and software required for the operation of the Sandbox component

To install all ready-to-install virtual machines with images of operating systems and software required by the Sandbox component:

  1. Select the Virtual Machines section in the window of the Sandbox web interface.
  2. In the left lower corner of the Not installed Virtual Machines list, click the Install ready VMs button.

    Virtual machines whose names in the Not installed Virtual Machines list are marked with the Ready to install status are installed and shown in the list at the top of the Virtual Machines window.


Deleting all pending virtual machines

To delete all pending virtual machines:

  1. Select the Virtual Machines section in the window of the Sandbox web interface.
  2. In the left lower corner of the Not installed Virtual Machines list, click the Delete all pending VMs button.

    Pending virtual machines with operating systems and programs required for operation of the Sandbox component are deleted.


Setting the maximum number of simultaneously running virtual machines

Set a limit on the number of simultaneously running virtual machines with operating systems in which the Sandbox component will process objects.

The number of simultaneously running virtual machines cannot exceed 200.

Calculate the number of simultaneously running virtual machines with images of operating systems as follows: multiply the number of logical cores by 1.5.

To set the maximum number of simultaneously running virtual machines:

  1. Select the Virtual Machines section in the window of the Sandbox web interface.
  2. In the Guest Virtual Machines settings group in the Maximum simultaneous VMs field, enter the number of simultaneously running virtual machines.

    You can enter a number ranging from 1 to 200.

  3. Click Save.

Downloading the Sandbox system log to the hard drive

Log data in the Sandbox system is stored in open, non-encrypted form. The data is stored for the last 7 days.

To download the Sandbox system log to the hard drive:

  1. In the Sandbox web interface window, select the Administration section.
  2. In the System Log settings group, click the Download button.
  3. The Sandbox system log is downloaded to your computer's hard drive into the folder set as the file download folder in the settings of the browser that you use for working with the program.


Exporting Sandbox settings

To export the settings of a Sandbox system:

  1. In the Sandbox web interface window, select the Administration section.
  2. In the Settings settings group, click the Export button.

    This opens the Warning window containing a warning on specifics of exporting the system parameters.

    The Sandbox system parameters depend on the hardware and software parameters of the server on which the Sandbox component is installed. The exported Sandbox system parameters are intended to be imported to the same server or to another server with a strictly identical configuration. Any attempt to restore the configuration of the Sandbox system with parameter values saved from a different Sandbox system may disrupt the Sandbox system.

  3. Click Save.

A tar.gz file is downloaded to your computer's hard drive into the folder set as the file download folder in the settings of the browser that you use for working with the program. The file contains all the Sandbox system current parameters.

Archives with backup copies of the system parameters can contain confidential information, such as passwords and private keys. The Kaspersky Anti Targeted Attack Platform administrator must independently ensure the security of this data.


Importing Sandbox settings

To import Sandbox settings:

  1. In the Sandbox web interface window, select the Administration section.
  2. In the Settings settings group, click the Import button.

    This opens the Warning window containing a warning on the specifics of importing the system parameters.

    The Sandbox component parameters depend on the hardware and software parameters of the server on which the Sandbox is installed. The exported Sandbox parameters are intended to be imported to the same server or to another server with a strictly identical configuration. Any attempt to restore the configuration of one Sandbox system with parameter settings saved from another Sandbox system may disrupt the system.

  3. Click Restore.

    This opens the file selection window.

  4. Select a tar.gz file with the Sandbox parameters that you want to download and click the Open button.

    This closes the file selection window.

    If the Sandbox parameters have been successfully imported, the Sandbox server will restart. A few minutes later, you need to refresh the browser window and log in again.

Archives with backup copies of the system configuration can contain confidential information, such as passwords and private keys. The Kaspersky Anti Targeted Attack Platform administrator must independently ensure the secure storage of this data.


Changing the Sandbox administrator account password

To change the Sandbox administrator account password:

  1. In the Sandbox web interface window, select the Administration section.
  2. The Change password settings group shows the Sandbox administrator account name that you set during installation of the Sandbox component and the fields for changing the password.
  3. In the Current password field, enter the current password for the Sandbox administrator account.
  4. In the New password field, enter a new password for the Sandbox administrator account.
  5. In the Confirm password field, enter the new password for the Sandbox administrator account again.
  6. Click Change password.

    The Sandbox administrator account password will be changed.
