Yes, images that are being analyzed have access to the Internet for the duration of the DTA analysis. This is done in order to provide the image with as close as possible normal operation conditions, ensuring DTA can accurately detect malicious behaviors.
Two examples:
- A container image infected with code designed to avoid detection by traditional vulnerability scanning tools might be downloading malicious payloads in run-time. To detect such behavior, DTA will provide the inspected container access to the internet and will be able to observe the download process and accurately classify the downloaded malicious code
- Some malware payloads require communication with command-and-control servers before they get activated. DTA will monitor such communications and provide a full report of the malware activation process