Hi.

I just uploaded SandDiff 1.02. The URL is: http://sanddiff.qnea.de/sanddiff.rar

The changes I introduced are:

+ SandDiff performs a file modification checking so modificated files will be reported in FileDiff.TXT.

I didn´t explain it but in the reports (FileDiff, RegDiff, ...) there are 3 symbols initiating each line

"+" means that a file or registry entry was added.

"~" means that a file or registry entry was modified.

"-" means that a file or registry entry was removed.


+ I introduced a new button with the label "Meanwhile".

At the moment this button is used to capture a log of connections so SandDiff can compare opened ports.


+ I added a feature to easily recover already used sandbox folders.


+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.


+ RegHive and RegHive.LOG are automatically discarded from file difference comparisions.


As usual I may miss something. Just try the new version and drop your comments.

Actually the TODO list contains:

+ Feature to exclude from differences user defined files, registry and maybe port values too.

+ Include a module that analyzes all the information obtained from comparisions and presents a malware
behaviour evaluation.

I have uploaded SandDiff 1.03.

Changes:

+ Certain files will be stored under a folder named "Config".

+ I added the exclusion list feature.

The user can define what strings must be discarded from difference files. String search is case-insensitive.


With that changes the part of the program comparing differences between 2 sandboxes is, at least at the moment, finished. I don´t plan adding new features to this part, only fix bugs if any is found, but if someone suggests an interesting feature I will be glad to consider adding it.

Now I will start working in the part of the program that analyzes all the differences and evaluates if taken actions can be considered as suspicious.

My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".

Finally the analysing module would say that analysed program(s) has a "low", "medium" or "high" risk of being a malware.

I say it now and I would like to don´t have to repeat it very much: Nobody can expect 100% accurate results, probably not even a 1% in some cases.

Some malwares will detect Sandboxie is running so they will abort operations. In such cases the analysis will be useless.

Some malwares don´t start malicious actions inmediately after being run. Again, in such cases the analysis will be very probably useless.

Some malwares (backdoors mainly) just open a port and wait for an incoming connection. It´s very risky to evaluate a program as malware just because it opens a port.

People should know that in malware analysis, the automatic processes can not be compared to the human analysis, specially when it´s done by experts. I´m not an expert coder, malware analyzer or similar. SandDiff just pretends to be an orientative tool.

There are no malware actions "per se", so I can not say "this program is malware because it did this or that". E.g. A malware may add itself to an autorun registry, but legit software may do it too.

It´s the user who must, in last term, evaluate if the analyzed program should be doing certain things or not.

Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature as it will be a very important part of the analyzer. Therefore there will not be new version of SandDiff for a while.

Meanwhile test as much as possible the current version and send your feedback!

I'm getting a very vague 'file access denied' error message from Sandiff trying to run Step 1. It happens in any sandbox, no programs running obviously.

Sandiff 1.03
Win7 Pro RTM 32-bit

Could you check with File Monitor what file is giving the error, please?

Looks like I get an ACCESS DENIED error for 'C:\Windows\System32\NETSTAT.EXE' ... probably because it doesn't exist there on Win7. I have that file here:

C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE

Thanks for the report. I will change it.

Edit: I just checked my Windows 7 and NETSTAT.EXE is in Windows\System32 folder.

The problem is that for a reason I don´t know, I can not call it directly from my program.

The workaround I did was to copy NETSTAT.EXE to SandDiff´s folder and execute it from there.

Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?

Don´t you have NETSTAT.EXE in your Windows\System32 folder?

I have it there and in the path you mentioned.

ShellExecute but the problem is that the file seems to be in use.

Hmm, weird. My file manager shows netstat in both System32 and that winsxs directory. However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.

I installed Windows 7 just a few days ago and I didn´t have time yet to take a close look at it but it´s obvious that there are different things compared to XP. (I never wanted to try Vista)

When I try to open NETSTAT.EXE (both from systems32 and winsxs folders) I get in return a "file in use" but I can copy the file to other folder.

Meanwhile I don´t understand why it happens the workaround should work anyway.

wraithdu, I have uploaded a new version:

http://sanddiff.qnea.de/sanddiff.rar

Let me know if the bug is gone, please.

Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?

Using the latest Everything alpha build (1.2.1.432) here on Vista, it appears that Everything is ignoring the contents of \System32.

First edit: I reverted back to build 1.2.1.371 and get the same result.

Final edit: It turns out that C:\Windows\System32\netstat.exe is a hardlink...

netstat -ano

ShellExecute, right.

It´s something like this (Delphi code)

Is it a security rights issue maybe? Is your app running in a lowered rights mode of sorts so that it can't run apps in system directories?