SMI! uses Norman Sandbox technology to proactively search for worms and malware inside executable files.

SandBox is Norman’s technology for detecting new, unknown viruses and other malware. The SandBox uses a safe virtual environment inside a computer. This allows the malware to reveal itself without damaging the system. 

SandBox detects most new types of viruses. Since the program that is tested for viral activity is executed on a simulated computer system in a simulated network, they can either spread locally on the system, or try to infect other machines. They can also use services of remote machines, like SMTP, News, IRC, DNS etc.

SandBox does not detect all viruses. The intention of the SandBox is to detect current threats to your system. Legacy DOS COM viruses and other non-executable viruses (like macros and scripts) are not detected by the SandBox. The SandBox focuses on detecting binary email and network worms, as these are the most common and dangerous malware at the present.

SandBox emulates a real PC network and runs "the emulator" within a contained environment on the PC. This facilitates both testing files and stopping virus before it can disrupt critical processes.

Norman’s SandBox detects infected files based on the actual behaviour of the specific file. If a file suddenly starts performing actions beyond the defined pattern, this is detected as nonstandard behaviour, and Norman’s SandBox will make the file inoperable, inform the user of the type of malicious software that is found, and suggest further action.