These days, when many software vendors are ready to do anything to increase their income, including embedding adware and other unwanted programs in their products for advertising and marketing purposes, it is normal and desirable behaviour to analyse a program carefully before running it, rather than installing it fully on the computer. I'm talking about less-known programs, sometimes spread as freeware, sometimes advertised as programs that will do "miracles" on the computer, which end up dropping adware and spyware on the computer of a naïve user.
Using a virtual environment such as a VMware machine, or a sandbox that emulates an operating system, is the preferred method for analysis because it gives the researcher "peace of mind": the real computer's operating system cannot be affected in any way by eventual malware. Here I must mention that sometimes malware creators include code that checks for sandboxes (e.g. Sandboxie), online emulators (e.g. http://anubis.iseclab.org/) or virtual machines (e.g. VMware); if one is detected, the program kills its own processes immediately in an attempt to hide what it would do on an infected computer.
Maybe not for all, but for a few of you, logging the actions a program takes is fascinating; "hacking" (white-hat hacking, anyway) is in human nature, and analysis is the main part of preventing computer infections.
Today we will talk about Sandboxie "add-ons", small programs that reveal what sandboxed programs do inside the sandbox, helping us understand what they would do on a real operating system, and that log their actions.
Buster Sandbox Analyzer is a tool for monitoring the behaviour of the processes in the sandbox, or simply for revealing the changes a program tries to make to a system, its files or its registry. It can capture the network traffic generated by the analysed (sandboxed) application using WinPcap, and by applying several checking procedures it can decide whether a process shows malicious behaviour. Here is the official site of the program: http://bsa.isoftware.nl
Another program, which continuously checks all sandboxes for new processes and shows the name of the sandbox and process in a balloon tip, is Sandbox Observer.
Features
– File verification based on previously saved hash
– Exclusion list for sandboxes and processes
– Check sandboxes for missing ‘DropAdminRights’ setting
The latest version is v1.18 BETA, with a new feature added: scanning sandboxed files with Emsisoft Commandline Scanner 5.0.
For simple tracking of the file and registry changes made to a system by a sandboxed application there is SandboxDiff v2.1; download the latest version here. It is reported to work correctly under Windows XP, Vista or 7, 32 and 64 bit. User feedback for it is here.
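The before/after comparison that SandboxDiff performs can be illustrated with the following added example (my own code, not SandboxDiff's or any of the tools above): it hashes every file under a sandbox root, takes a snapshot before and after a simulated application run, and reports which files were added, removed or modified. The sandbox root, file names and the "application" changes are constructed for the example; registry tracking is left out because it would need a Windows machine.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root) to the SHA-256 of its content."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots and return sorted lists of added, removed and modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a fake sandbox root, a snapshot, a simulated run, a second snapshot."""
    with tempfile.TemporaryDirectory() as sandbox_root:
        root = Path(sandbox_root)
        (root / "Program Files" / "App").mkdir(parents=True)
        (root / "Program Files" / "App" / "app.exe").write_bytes(b"original program")
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Windows" / "System32" / "drivers.txt").write_bytes(b"driver list")
        before = snapshot(root)

        # Simulated behaviour of the analysed application (constructed, not real malware):
        (root / "Program Files" / "App" / "app.exe").write_bytes(b"patched program")  # modified
        (root / "Windows" / "System32" / "helper.dll").write_bytes(b"dropped file")    # added
        (root / "Windows" / "System32" / "drivers.txt").unlink()                       # removed

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```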
Hello,
as the author of Sandbox Observer I would like to thank you for writing about my spare-time project. What a surprise, the first public mention of SO I know of.
You already mentioned its website. To all the readers, feel free to place constructive comments or even requests in the appropriate thread at the Sandboxie forum.
The current beta, with support for a2cmd, will be released as final later today; it seems to work as it should – at least for me 🙂
Regards from Germany,
Patrick
I really liked reading your website. Excellent content. Please keep posting such really good content.
Great information. Wish i could get more knowledge like this by others! Thank you!
Very nice blog, will come back for an update. Thank You
Fantastic! This is EXACTLY what I was searching for earlier. I cannot understand how it took me this long to find someone who writes what I needed in a plain way I could understand. Thank you from the bottom of my heart!
I wanted to thank you for this excellent weblog!! I definitely loved every little bit of it. I have bookmarked your website to check out the latest stuff you post.
Hello, sorry for my bad English, but I have found your site and would say that I find your posts great, because they have given me new suggestions and new aspects. Thank you for these details.