Buster
Released Buster Sandbox Analyzer 1.38.
Changes:
+ Added risk evaluation module
+ Added several improvements
+ Fixed several bugs

Buster
I noticed a bug in version 1.38 and updated the BSA package with the fix.
If anyone notices an "invalid integer value" error message, redownload the package.

bole5
Great addition to Sandboxie for paranoid people like me.
I am trying to analyze a program that protects itself from debuggers by running CheckRemoteDebuggerPresent(). When I run this program in Sandboxie, everything works OK, but if I inject LOG_API.DLL in the config, the program crashes. Here is what I see in the API call log:
...
LoadLibrary(shell32.dll) [c:\program files\copytrans suite\ilibs\ilibs.exe]
LoadLibrary(imagehlp.dll) [c:\program files\copytrans suite\ilibs\ilibs.exe]
CheckRemoteDebuggerPresent() [c:\program files\copytrans suite\ilibs\ilibs.exe]
CreateProcess(C:\Windows\system32\WerFault.exe,C:\Windows\system32\WerFault.exe -u -p 2560 -s 356,C:\Windows\system32) [c:\program files\copytrans suite\ilibs\ilibs.exe]
The program I tried (copytrans suite/ilibs) is freely downloadable on http://www.copytrans.net/download.php

Buster
I will try to find out what the bug is. Thanks for the report.

Buster
The program is protected with Themida and it does not like the things LOG_API does. There is nothing I can do to fix that, sorry.

Buster
Released Buster Sandbox Analyzer 1.39.
Changes:
+ Fixed several bugs.

Buster
Released Buster Sandbox Analyzer 1.40.
Changes:
+ Usability improvement in File Hash, File Scanner, File Signature and automatic analysis features: last used folder will be remembered
+ Usability improvement in File Hash, File Scanner and File Signature features: added drag and drop support
+ Added Exeinfo support to File Signature feature
+ Improved File Hash feature: all hashes can be checked at VirusTotal at once, VirusTotal reports can be saved to disk

Buster
In reports, additional information like file length, file hash, file entropy, etc., is shown for created files. For modified files no information is added.
Should I change this behaviour and treat both newly created and modified files the same, or keep it as it is now? I was thinking that at least VirusTotal information should be shown for modified files.
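The per-file details the report mentions (length, hashes, entropy), computed for a constructed pair of one created and one modified file and emitted the same way for both; this is an added Python example, not BSA's own reporting code. The names describe_file and report, and the sample file contents, are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniformly random
    bytes. High entropy in a dropped or rewritten file is the usual hint of
    packing or encryption, which is why sandbox reports show it."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def describe_file(data):
    """The information a sandbox report gives for one file's contents; the
    hashes are the values one would look up at VirusTotal."""
    return {
        "length": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
    }


def report(created, modified):
    """Describe created and modified files identically, tagging each entry
    with how the file came to be in the sandbox so the reader can still
    tell them apart."""
    entries = []
    for name, data in created.items():
        entries.append({"file": name, "change": "created", **describe_file(data)})
    for name, data in modified.items():
        entries.append({"file": name, "change": "modified", **describe_file(data)})
    return entries


# Constructed sample contents standing in for files captured from a sandbox run.
CREATED = {"dropped.bin": bytes(range(256)) * 4}           # uniform bytes, maximum entropy
MODIFIED = {"config.ini": b"[settings]\nupdate=1\n" * 20}  # repetitive text, low entropy

if __name__ == "__main__":
    for entry in report(CREATED, MODIFIED):
        print(entry)
```

A modified file gets exactly the same fields as a created one here; only the "change" tag differs, which keeps the report consistent and still lets the reader filter on provenance.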

Bellzemos
Hi!
I think BSA is unable to detect where some program connects. If you are willing to try it, you can download that program there (it's a slow connection): http://ykhwong.x-y.net/ It is a DOSBox SVN build. The original DOSBox doesn't connect to the internet but this one does. And I can't find out where to. Thanks.

Buster
Sandboxie does not support 16-bit programs, so BSA does not either. If that application is 16-bit... bingo! You got the explanation. If that's the case and you want to check where it's connecting, check with Wireshark.

Bellzemos
DOSBox is a 32-bit application.

Buster
Ok, then elaborate on your comment... You say it connects to the internet but you cannot find out where.
Copy & paste the connection log so I know what you are talking about.

Bellzemos
When I finish the BSA test, Viewer\View Connections is greyed out. But when I run the program in a sandbox with denied internet access, it says that this program wants to connect to the internet.

Buster
We were recently discussing a similar situation in this thread:
http://sandboxie.com/phpbb/viewtopic.php?t=10856
I don't think there is any need to repeat the same things, and no, I'm not talking about cracking. What I said there should be enough: "If there is a connection, WinPcap's driver will catch it, so BSA will too. If there are no connections to view, then it means WinPcap didn't catch anything... ergo there were no connections. Maybe the application wanted to access a resource related to the internet and Sandboxie denied it, even if later the application would not connect anywhere."
http://sandboxie.com/phpbb/viewtopic.php?p=70419#70419

Buster Sandbox Analyzer