Buster
Post here the LOG_API.TXT generated by BSA when analyzing on LUA Windows Calculator.
kabaczek124
log api
Buster
Solution: In the API exclude file, include the next line:
c:\windows\surun.exe
kabaczek124
Problem solved.
Now I have only the "assorted suspicious action" flag:
Detailed report of suspicious malware actions:
Created a mutex named: SHIMLIB_LOG_MUTEX
Detected process privilege elevation
Got computer name
but... I can live with that.
p.s. what is SHIMLIB_LOG_MUTEX?
Buster
I would say that SHIMLIB_LOG_MUTEX is a mutex related to some Windows process. In my personal BSA config I have it excluded in the API exclude file.
If you exclude it (I suggest you do) from Notepad, you would finally have these malware behaviours:
Detected process privilege elevation
Got computer name
That would be more exact.
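A small triage script that reproduces the two exclusion steps in this exchange (dropping everything surun.exe does, then dropping the SHIMLIB_LOG_MUTEX entry from Notepad) over a constructed LOG_API fragment. This is an added example, not BSA's code or part of the thread; the entry format Call(args) [process] is as BSA prints it, while the mapping from API calls to behaviour labels and the exclude-file matching rule are assumptions made for the example.

```python
import re

# One LOG_API entry as BSA prints it: Call(args) [process path]. Entries run
# together on a line, so we scan with a regex instead of splitting on newlines.
# Args may hold one level of parentheses, e.g. OpenSCManager((null),(null)).
ENTRY_RE = re.compile(
    r"(?P<call>\w+)\((?P<args>(?:[^()]|\([^()]*\))*)\) \[(?P<proc>[^\]]+)\]"
)

# Behaviour labels as they appear in the thread's reports. Which API call
# raises which label is an assumption for this example, not BSA's own table.
BEHAVIOURS = [
    (lambda c, a: c == "AdjustTokenPrivileges" and "SE_PRIVILEGE_ENABLED" in a,
     "Detected process privilege elevation"),
    (lambda c, a: c == "GetComputerName", "Got computer name"),
    (lambda c, a: c == "CreateMutex", "Created a mutex named"),
    (lambda c, a: c in ("GetKeyboardState", "GetKeyState"), "Keylogger functionality"),
]

# Constructed sample in LOG_API format, shaped after the thread: the SuRun
# launcher does the keyboard and privilege calls, Notepad creates the shim mutex.
SAMPLE_LOG = (
    r"Executing: c:\windows\surun.exe "
    r"LoadLibrary(kernel32.dll) [c:\windows\surun.exe] "
    r"GetComputerName() [c:\windows\surun.exe] "
    r"AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\windows\surun.exe] "
    r"OpenSCManager((null),(null)) [c:\windows\surun.exe] "
    r"GetKeyState() [c:\windows\surun.exe] "
    r"Executing: c:\windows\system32\notepad.exe "
    r"CreateMutex(SHIMLIB_LOG_MUTEX) [c:\windows\system32\notepad.exe] "
    r"GetComputerName() [c:\windows\system32\notepad.exe] "
    r"AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\windows\system32\notepad.exe]"
)


def parse_log(text):
    """Yield (call, args, process) triples; process paths are lower-cased for matching."""
    for m in ENTRY_RE.finditer(text):
        yield m.group("call"), m.group("args"), m.group("proc").lower()


def load_excludes(text):
    """Exclude file: one entry per line, a process path or an argument such as a mutex
    name. Matching a line against either the process or the args is assumed here."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}


def suspicious_actions(text, excludes=frozenset()):
    """Return (label, process, args) for each entry that survives the exclude list."""
    found = []
    for call, args, proc in parse_log(text):
        if proc in excludes or args.lower() in excludes:
            continue  # whole process excluded (surun.exe) or a named argument (the mutex)
        for matches, label in BEHAVIOURS:
            if matches(call, args):
                found.append((label, proc, args))
    return found


if __name__ == "__main__":
    for step, lines in (("no excludes", []), ("surun.exe excluded", [r"c:\windows\surun.exe"]),
                        ("plus the shim mutex", [r"c:\windows\surun.exe", "SHIMLIB_LOG_MUTEX"])):
        print(step, sorted({lbl for lbl, _, _ in suspicious_actions(SAMPLE_LOG, load_excludes("\n".join(lines)))}))
```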
Buster
Released Buster Sandbox Analyzer 1.64.
Changes:
+ Added new malware behaviours
+ Improved "Hide Driver" manager
+ Improved anti anti-Sandboxie capabilities
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Updated LOG_API
+ Fixed several bugs
Buster
A few comments about the new release...
I have added a few new malware behaviours, mainly related to the detection of anti-malware software like Process Explorer, Process Monitor, etc. I improved the "Hide Driver" manager. Now it is possible to change the name of the service (one less piece of static info that malware could check) and how the driver is started. Until now the driver was loaded on demand. From this version on it is possible to configure it as autostart, so it will not be necessary to start the driver manually or to configure BSA to start it automatically. For this new release I have tested over 50,000 malware samples. Some of these samples were giving BSA trouble. The new version is able to process them.
crykid
I got a problem. I just started using Buster and I can't get Buster to work with any sandbox other than DefaultBox. I entered these entries under the entries that belong to the sandbox which I want to run:
InjectDll=C:\BSA\LOG_API.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
This works with DefaultBox but not with the other sandbox that I have. And I have a question: does Buster edit Sandboxie's ini file without the user's knowledge?
Buster
No, BSA does not edit SANDBOXIE.INI without the user's knowledge. Copy & paste your SANDBOXIE.INI so I can see what the problem is, please.
Buster
I uploaded an updated BSA package of version 1.64.
It includes updated Brazilian and Russian language files and a bugfix related to the endianness issue that tzuk commented on.
Buster
Released Buster Sandbox Analyzer 1.65.
Changes:
+ Improved "Additional Information" feature
+ Fixed several bugs
Buster
Notes about BSA 1.65:
I added PE exports to the "Additional Information" feature. I fixed a problem that appeared with the release of Sandboxie 3.70: windows were not being shown.
Buster
Using FakeNet with Buster Sandbox Analyzer.
I guess some people using Sandboxie + Buster Sandbox Analyzer to analyze malware disable the internet connection in Sandboxie to avoid trouble. The problem is that you will miss network-related information. A kind of solution would be using FakeNet. With this program you would prevent any information from leaving your machine, but you would still be able to see DNS requests, HTTP information, mails being sent, etc. Give it a try!
Buster
Released Buster Sandbox Analyzer 1.66.
Changes:
+ Added new malware behaviours
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Improved "Dump Executable Processes" feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs