Buster
Thanks, tzuk!
When you implement the message log file feature, BSA will be more accurate. BSA is, apart from being nice, very cheap. Probably many people don't know that the most similar tool to BSA is Norman Sandbox Analyzer, and it costs around 12.000 euros for a one-year license. Of course Norman's product is more advanced, as it has been developed for some years by anti-malware professionals. Anyway, I think that with a bit of work we can make BSA a tool worth having.

Buster

I guess I should write a manual.
I dislike executable setups. I prefer "portable" tools.

Buster

Buster Sandbox Analyzer is working fine.
In the next thread you can see the results of the first "field test" I did with it: http://sandboxie.com/phpbb/viewtopic.php?t=6591

Mark_

You might want to take a look at SQLite for storing signatures, and maybe make a simple server/client protocol where you can submit locally created rules to a central server.

Buster

It's not in my plans to create an anti-malware product.

Buster

While I wait for the inclusion of the feature I requested, I have continued improving the tool.
I have included an API logger in the package that can help to obtain additional valuable information from the analyzed programs. Here you can see a report generated from a variant of the Bagle worm:

[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "AppData=D:\Documents and Settings\Test\Datos de programa" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  old value "AppData=D:\DOCUME~1\Test\Datos de programa"
* Modifies value "SavedLegacySettings=3C0000004E000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  old value "SavedLegacySettings=3C0000004D000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"

[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
* Connects to "74.125.79.114 (1e100.net)" on port 25 (TCP).
* Connects to "64.12.138.57 (aol.com)" on port 25 (TCP).
* Connects to "72.167.238.201 (secureserver.net)" on port 25 (TCP).

[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
* Creates a mutex (null).
* Creates a mutex RasPbFile.
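As an added example (not from the post above and not part of BSA itself), a small Python parser that groups a report in this format by its "[ section ]" headers and flags the behaviours an analyst would triage first: a value written under a CurrentVersion\Run key (persistence), outbound connections on port 25 (mass-mailer traffic) and named mutexes (reusable infection markers). The sample report is a constructed subset of the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the BSA report lines quoted in the post above.
SAMPLE_REPORT = r"""[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp
[ Changes to registry ]
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
* Connects to "64.12.138.57 (aol.com)" on port 25 (TCP).
[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
CONNECT_RE = re.compile(r'Connects to "(\S+) \((\S+)\)" on port (\d+) \((TCP|UDP)\)')


def parse_report(text):
    """Group each '* ...' entry of a BSA report under its '[ section ]' header."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif line.startswith("* ") and current is not None:
            sections[current].append(line[2:])
    return dict(sections)


def flag_behaviours(sections):
    """Return sorted triage findings: Run-key persistence, SMTP peers, named mutexes."""
    findings = set()
    for entry in sections.get("Changes to registry", []):
        # Any value created or modified under a CurrentVersion\Run key is an autostart entry.
        if entry.startswith(("Creates value", "Modifies value")) and "\\currentversion\\run" in entry.lower():
            findings.add("persistence:run-key")
    for entry in sections.get("Network services", []):
        peer = CONNECT_RE.search(entry)
        if peer and peer.group(3) == "25":  # outbound SMTP, typical of a mass mailer
            findings.add("network:smtp:" + peer.group(1))
    for entry in sections.get("Process/window information", []):
        name = entry[len("Creates a mutex "):].rstrip(".") if entry.startswith("Creates a mutex ") else ""
        if name and name != "(null)":  # a fixed mutex name works as an infection marker
            findings.add("mutex:" + name)
    return sorted(findings)
```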

Buster

I found an elegant solution to avoid having the API logger as an external module. In the current beta version the API logger is included inside Buster Sandbox Analyzer. The solution was to use Sandboxie to inject the API logger DLL into sandboxed processes.
The manual is almost finished.

UPieper

That looks very interesting... If you need any beta testers, I'm ready.

Buster

You are welcome as a tester, of course! All the help will be really appreciated. You have a beta version available. Did you try it already? Just let me know any bugs, suggestions, requests, ... you have. tzuk has been so kind as to add the feature I requested, so I expect to release version 1.0 really soon... a couple of days, maybe less. btw... you joined in 2007 and you have only published 9 messages. Amazing!

Last edited by Buster on Mon Nov 23, 2009 7:09 am; edited 1 time in total

UPieper

Hi Buster, great... but I can't find a download link in this thread?
Greetings, UP

Buster

The URL has been posted in this thread.

UPieper

God... I must be blind!

Buster

No problem! Blind testers are welcome too!

UPieper

Hi Buster,
A very useful tool indeed. A small suggestion I have is to add two buttons to the GUI, "Open FileDiff" and "Open RegDiff"... Greetings,

Buster Sandbox Analyzer