How to analyze malware | Cloud SECaaS platform AIONCLOUD


Let's say you are a security solution. A web server has hired you, and your job is to filter the traffic that tries to reach it. Obviously you need to block malware as well. But how do you do it? How do you tell good from bad?

There are many ways to analyze a file for malware, but they fall into two broad categories: static analysis and dynamic analysis.

Static analysis examines the file itself without executing it, and infers from its contents what the program would do if it ran. For example, when you encounter an .exe or .dll file you do not run it; you inspect its headers, the functions it imports, the strings embedded in it and similar features, and from those you predict what would happen if it were executed. Because nothing actually runs, the result is a prediction rather than an observation, and it can be wrong or incomplete: a packed or obfuscated sample, for instance, reveals very little until it unpacks itself in memory. This is the limitation of static analysis. It is a preliminary step that guides your detailed investigation, not a substitute for it.

Dynamic analysis, by contrast, analyzes the file by executing it. Of course you cannot execute it on the web server itself; you do not know what it will do! This is where a sandbox comes in. A sandbox is an isolated environment that resembles the real server but is instrumented for analysis. Executing the suspicious file in the sandbox shows what would happen on the real server, with the system's state recorded throughout the run: which processes the file starts, which files it writes, which network connections it opens.

Combining both methods helps you determine whether a file is malware and what it can do. There are further ways to inspect suspicious traffic, and new technologies for extracting malware from it continue to be developed.
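To make the static half concrete, here is a small Python triage script written for this post as an added example; it is not AIONCLOUD's code and not part of the original article. It parses the DOS and COFF headers of a Windows executable, pulls out printable strings, looks for the API names that are typically chained together for process injection, and measures byte entropy as a packing indicator. The input is a constructed PE-like byte string assembled inline for the example, not a real sample, and the API list, the entropy threshold and the verdict wording are illustrative choices of this example rather than anything the article prescribes.

```python
import hashlib
import math
import re
import struct


def build_sample() -> bytes:
    """Constructed sample: a minimal PE-like byte string for this example.
    It is NOT a real executable and cannot run; it only carries the headers
    and strings that the static checks below inspect."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE header at 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,       # Machine: x86-64
        3,            # NumberOfSections
        1700000000,   # TimeDateStamp (build time claimed by the linker)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        240,          # SizeOfOptionalHeader
        0x0022,       # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    body = (
        b"\x00" * 16
        + b"KERNEL32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
        + b"CreateRemoteThread\x00http://example.invalid/stage2.bin\x00"
        + b"\x90\x90\x90\xcc"
    )
    return bytes(dos) + b"PE\x00\x00" + coff + body


MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}

# Windows APIs commonly chained for process injection (illustrative list).
# Seeing them as plain strings is an indicator, not proof: debuggers use them too.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtUnmapViewOfSection", "SetWindowsHookExA", "SetWindowsHookExW"}


def parse_pe_header(data: bytes):
    """Return the COFF header fields, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return None
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsec,
        "timestamp": ts,
        "is_dll": bool(chars & 0x2000),   # IMAGE_FILE_DLL
    }


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes, the cheapest static signal."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Values near 8 suggest packing or encryption, which hides
    strings and imports from static analysis until the sample unpacks itself."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_triage(data: bytes) -> dict:
    """Everything here is a prediction made without running the file."""
    header = parse_pe_header(data)
    strings = extract_strings(data)
    apis = sorted(s for s in strings if s in INJECTION_APIS)
    urls = [s for s in strings if s.startswith(("http://", "https://"))]
    entropy = shannon_entropy(data)
    if header is None:
        verdict = "not a PE file"
    elif len(apis) >= 3:
        verdict = "suspicious: injection API chain present"
    elif entropy > 7.0:           # illustrative threshold
        verdict = "opaque: likely packed, needs dynamic analysis"
    else:
        verdict = "no static indicators, confirm dynamically"
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "header": header,
        "injection_apis": apis,
        "urls": urls,
        "entropy": round(entropy, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(static_triage(build_sample()), indent=2))
```

Every field the script reports is inferred from bytes on disk, which is exactly the limitation described above: a packer that encrypts the real payload leaves high entropy and almost no strings, so the only honest verdict in that case is to hand the file to the sandbox and watch what it actually does.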
