CMA supports Windows, macOS, Linux, Android, and common document formats (Office, PDF, archives). It also includes specific IoT/ICS protocol analysis, which is uncommon among generalist sandboxes, making it viable for industrial control SOCs.

2. Detection Capabilities (The Core Function)

Behavioral Analysis Quality

Symantec uses a combination of dynamic analysis (process tree, registry, network connections) and kernel-level monitoring. It effectively captures typical malware behaviors: process hollowing, reflective DLL injection, and persistence mechanisms.
Resistance to sandbox-aware malware is Symantec's most significant shortfall. Compared to purpose-built sandboxes, CMA historically struggles with advanced environment-aware malware: samples that check for mouse movement, CPU temperature, uptime, or specific VM artifacts (e.g., MAC OUI prefixes common to VMware/Hyper-V). While Symantec has added sleep-editing and time-bomb detection, independent tests (e.g., SE Labs, MRG Effitas) frequently show that 10-15% of evasive malware can remain undetonated in CMA, where competitors like FireEye (now Trellix) or CrowdStrike catch nearly all.
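A practical mitigation for the undetonated 10-15% is to triage the behaviour trace itself: even when a sample refuses to run its payload, the environment probes it performs (cursor polling, uptime reads, hypervisor registry keys, MAC OUI lookups, long sleeps) are visible in the API log and can be scored so an analyst knows to re-run the sample with a different profile. The following is an added example, not Symantec or CMA code; the JSON-lines trace format, the indicator weights and the sample trace are all constructed for illustration, while the API names and the VMware/VirtualBox/Hyper-V OUI prefixes are real.

```python
"""Score a sandbox behaviour trace for environment-probing (evasion) indicators.

Added example; not Symantec/CMA code. The trace format is a constructed,
hypothetical JSON-lines export: one event per line with "pid", "api" and
"args". Real sandbox exports differ; only the scoring logic matters."""
import json
from collections import defaultdict

# Constructed sample trace (hypothetical format): a process that probes for
# user activity, uptime and VM artifacts, sleeps for ten minutes, then exits
# without any file, registry-write or network activity. This is the
# "undetonated" pattern the review describes.
SAMPLE_TRACE = r"""
{"pid": 1204, "api": "GetCursorPos", "args": {}}
{"pid": 1204, "api": "Sleep", "args": {"ms": 500}}
{"pid": 1204, "api": "GetCursorPos", "args": {}}
{"pid": 1204, "api": "GetTickCount64", "args": {}}
{"pid": 1204, "api": "RegOpenKeyExW", "args": {"key": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"}}
{"pid": 1204, "api": "GetAdaptersAddresses", "args": {"mac": "00:0C:29:4A:1B:22"}}
{"pid": 1204, "api": "Sleep", "args": {"ms": 600000}}
{"pid": 1204, "api": "ExitProcess", "args": {"code": 0}}
""".strip()

# Indicator catalogue: API name -> (category, weight). Weights are
# illustrative assumptions for this example, not vendor scoring.
API_INDICATORS = {
    "GetCursorPos": ("user_activity_probe", 1),
    "GetLastInputInfo": ("user_activity_probe", 2),
    "GetTickCount": ("uptime_probe", 1),
    "GetTickCount64": ("uptime_probe", 1),
    "GetAdaptersAddresses": ("hardware_probe", 1),
    "RegOpenKeyExW": ("registry_probe", 0),   # weight decided by the key below
}
# Registry path fragments that indicate a hypervisor check when read.
VM_REGISTRY_MARKERS = ("vmware", "virtualbox", "vbox", "hyper-v")
# OUI prefixes (first three octets) assigned to common hypervisor vendors.
VM_MAC_OUI = {"00:0C:29", "00:50:56", "00:05:69", "08:00:27", "00:15:5D"}
LONG_SLEEP_MS = 5 * 60 * 1000   # a single sleep this long is a likely time bomb
# APIs that show the sample actually did something beyond probing.
REAL_ACTIVITY_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "connect",
                      "InternetOpenUrlW", "RegSetValueExW"}


def parse_trace(text):
    """Yield trace events; skip malformed lines rather than abort triage."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def score_evasion(trace_text):
    """Summarise evasion indicators in a trace.

    Returns {'score': total weight, 'categories': {category: hits},
    'undetonated': True when the sample only probed/slept and never touched
    files, processes, the network or persistence keys}."""
    categories = defaultdict(int)
    score = 0
    saw_real_activity = False
    for ev in parse_trace(trace_text):
        api, args = ev.get("api", ""), ev.get("args", {})
        if api in REAL_ACTIVITY_APIS:
            saw_real_activity = True
        if api == "Sleep" and args.get("ms", 0) >= LONG_SLEEP_MS:
            categories["long_sleep"] += 1
            score += 2
            continue
        if api not in API_INDICATORS:
            continue
        category, weight = API_INDICATORS[api]
        if api == "RegOpenKeyExW":
            key = args.get("key", "").lower()
            if not any(marker in key for marker in VM_REGISTRY_MARKERS):
                continue                      # ordinary registry read, ignore
            category, weight = "vm_artifact_probe", 3
        if api == "GetAdaptersAddresses":
            if args.get("mac", "").upper()[:8] in VM_MAC_OUI:
                category, weight = "vm_artifact_probe", 2
        categories[category] += 1
        score += weight
    return {"score": score, "categories": dict(categories),
            "undetonated": score > 0 and not saw_real_activity}


if __name__ == "__main__":
    print(json.dumps(score_evasion(SAMPLE_TRACE), indent=2))
```

In a SOC pipeline the `undetonated` flag is the useful output: a trace that scores high and never performs real activity should be queued for a second detonation (longer timeout, bare-metal or user-simulation profile) rather than closed as benign.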
Symantec's sandbox does not perform deep memory introspection (e.g., scanning for unlinked or injected code after execution). It relies primarily on execution traces. This makes it weaker against fileless malware or scripts that live exclusively in memory.

3. SOC Operational Experience

User Interface & Workflow

The CMA console is functional but dated. It presents a process tree, network flows, and extracted IOCs (hashes, domains, IPs). However, it lacks the intuitive, timeline-based visualizations of modern competitors. Analysts often report difficulty quickly identifying the moment of malicious intent within a long execution log.
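To make concrete what the memory-introspection gap above costs, here is the comparison a post-execution memory scan performs: executable regions are checked against the loader's module list, and anything executable that no file-backed module accounts for (a PE header the loader does not list, or private RWX memory with no file behind it) is flagged. This is an added example, not Symantec or CMA code; the `Region` structure, the process snapshot and the module list are constructed for illustration, standing in for what a debugger or memory-forensics tool would capture.

```python
"""Flag executable memory that no loaded, file-backed module accounts for.

Added example; not Symantec/CMA code. The snapshot below is constructed and
hypothetical: a list of memory regions for one process plus the loader's
module list (base address -> name). Only the comparison logic is shown."""
from dataclasses import dataclass


@dataclass
class Region:
    base: int
    size: int
    protect: str   # e.g. "RX", "RWX", "RW", "R"
    kind: str      # "image" (file-backed PE), "mapped" (file mapping), "private"
    head: bytes    # first bytes of the region, as captured in the snapshot


# Constructed snapshot: two legitimate images, a heap, an RWX private region
# holding raw code, and a private region holding a PE image that the loader
# list does not know about (reflectively loaded / unlinked module).
REGIONS = [
    Region(0x00400000, 0x20000, "RX", "image", b"MZ\x90\x00"),
    Region(0x7FF80000, 0x80000, "RX", "image", b"MZ\x90\x00"),
    Region(0x00A00000, 0x10000, "RW", "private", b"\x00\x00\x00\x00"),
    Region(0x01F00000, 0x1000, "RWX", "private", b"\x90\x90\xcc\xcc"),
    Region(0x02400000, 0x30000, "RX", "private", b"MZ\x90\x00"),
]
MODULES = {0x00400000: "sample.exe", 0x7FF80000: "kernel32.dll"}


def find_injected_code(regions, modules):
    """Return [(base_hex, reason)] for executable memory that is not inside a
    loaded, file-backed module."""
    findings = []
    for r in regions:
        if "X" not in r.protect:
            continue                          # only executable memory matters here
        if r.kind == "image" and r.base in modules:
            continue                          # code inside a known module: expected
        if r.head.startswith(b"MZ"):
            # A PE header in executable memory the loader does not list:
            # reflective DLL loading or a manually mapped image.
            findings.append((hex(r.base), "unlinked_pe"))
        elif r.kind == "private":
            # Executable private memory with no file behind it: the residue of
            # shellcode or process hollowing; writable+executable is worse.
            reason = "private_rwx" if "W" in r.protect else "private_exec"
            findings.append((hex(r.base), reason))
        else:
            # Executable file mapping or image with no loader entry.
            findings.append((hex(r.base), "mapped_exec_unknown"))
    return findings


if __name__ == "__main__":
    for base, reason in find_injected_code(REGIONS, MODULES):
        print(f"{base}: {reason}")
```

Because the scan runs after execution, it catches the fileless and in-memory cases the review names regardless of whether the execution trace recorded the injection call; pairing each finding with the process that owns the region gives the analyst the "moment of malicious intent" the console otherwise buries in the log.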