Product overview

About the service

ESET Dynamic Threat Defense (Cloud Sandbox) is a paid service provided by ESET. Its purpose is to add a layer of protection specifically designed to mitigate threats that are new in the wild.

How it works

Suspicious samples that are not yet confirmed as malicious and may potentially carry malware are automatically submitted to the ESET cloud. Submitted samples are run in a sandbox and are evaluated by our advanced malware detection engines. Malicious samples or suspicious spam emails are submitted to ESET LiveGrid®. Email attachments are handled separately and are subject to submission to ESET Dynamic Threat Defense. Administrators or users can define the scope of files that are submitted as well as the retention period of the file in the ESET cloud. Documents and PDF files with active content (macros, javascript) are not submitted by default. See the detailed description of How detection layers work.

In the Submitted files section of the remote management console, administrators get a brief report of the observed sample's behavior for each of the submitted files. If a file turns out to be malicious, it is blocked for all users participating in ESET LiveGrid® as a suspicious object. If evaluated as suspicious, it is blocked on all machines within the user’s organization, depending on the sensitivity threshold.

Files can be submitted manually or automatically based on policy configuration. In the ESET PROTECT Web Console user can submit .exe files reported from client machines.

What are the differences between ESET Dynamic Threat Defense, ESET LiveGrid® and ESET Threat Intelligence?


ESET security products and management console

Whenever a sample is uploaded to ESET Dynamic Threat Defense for analysis, that sample's metadata is uploaded to the management console, if the Client can connect to the Server. This provides the console Administrator with a list of samples uploaded to the ESET cloud.

ESET security products and ESET Dynamic Threat Defense

Whenever an activated and configured ESET security product decides a sample needs to be analyzed, it uploads the sample to ESET Dynamic Threat Defense. After ESET Dynamic Threat Defense analyzes the sample, it provides the result to all machines in that company (or MSP customer) and to all companies that have ever submitted that file. The security product takes the appropriate action based on the policy in place. In Endpoint and Server products version 7.2 and later, you can select an action to take on suspicious files downloaded by browsers and email clients.

All transferred packages are signed by ESET to mitigate the risk of attack. When using an HTTP connection in the internal network, the product always checks if the connection is upgraded to HTTPS behind a proxy. If the proxy is not configured correctly, the HTTPS connection is also used in the internal network.

ESET management consoles and  ESET Dynamic Threat Defense

The ESET Dynamic Threat Defense is available in on-premise and cloud-based, management consoles (ESET Security Management Center, ESET PROTECT, ESET PROTECT Cloud). After ESET Dynamic Threat Defense receives a sample from an ESET security product, it automatically informs the management console about the status of analysis. Once the analysis is completed, the result is transferred to the management console.

Roaming Endpoints and ESET Dynamic Threat Defense

A roaming Endpoint is any client with an ESET security product that is operating outside of your company's perimeter and has no connection to ESMC. Usually, it is a computer at home or on a business trip without a VPN. A roaming client takes full advantage of ESET Dynamic Threat Defense. However, it does not notify ESET PROTECT about samples that have been submitted for analysis. When the client returns to your perimeter and connects to ESET PROTECT, the client's metadata is synchronized and the list of submitted files is updated. Other clients on your network can receive updates that result from discovered threats while a client is roaming even before it synchronizes with ESMC.

Global Database

ESET Dynamic Threat Defense uses two Azure data centers (the USA and Europe) to store hashes of the files and the results of their analysis. Data centers provide faster results for already analyzed files. The ESET Headquarters (located in Slovakia) stores all the submitted files and performs the analysis. Each customer's (company's) data is stored separately in one global database. ESET routes user connections to the nearest data center.


We highly recommend that you use a Proxy for caching responses from ESET servers, especially for users with a high number of client machines (hundreds or more), since using a Proxy can save significant network traffic.

You can exclude selected folders and processes to decrease the number of submitted files and improve the overall performance.

ESMC/ESET PROTECT and ESET Dynamic Threat Defense scheme


ESET PROTECT Cloud and ESET Dynamic Threat Defense scheme