Buster Sandbox Analyzer
Thanks, tzuk!
When you implement the message log file feature BSA will be more accurate.
BSA is, apart from being nice, very cheap. Probably many people don't know that the most similar tool to BSA is Norman Sandbox Analyzer, and it costs around 12,000 euros for a one-year license.
Of course Norman's product is more advanced, as it has been developed for some years by anti-malware professionals. Anyway, I think that with a bit of work we can make BSA a tool worth having.
Hi Buster,
even if the current version only consists of two files - documentation in .txt or .pdf could be added too - do you think
it could be useful to offer an executable setup? I know from experience that some (inexperienced) users prefer a setup.
Last edited by Ruhe on Tue Nov 03, 2009 7:42 am, edited 1 time in total.
Buster Sandbox Analyzer is working fine.
In the next thread you can see the results of the first "field test" I did with it:
http://sandboxie.com/phpbb/viewtopic.php?t=6591
While I wait for the inclusion of the feature I requested, I have continued improving the tool.
I have included an API logger in the package that can help to obtain additional valuable information from the analyzed programs.
Here you can see a report generated from a variant of the Bagle worm:
[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "AppData=D:\Documents and Settings\Test\Datos de programa" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
old value "AppData=D:\DOCUME~1\Test\Datos de programa"
* Modifies value "SavedLegacySettings=3C0000004E000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=3C0000004D000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"
[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
* Connects to "74.125.79.114 (1e100.net)" on port 25 (TCP).
* Connects to "64.12.138.57 (aol.com)" on port 25 (TCP).
* Connects to "72.167.238.201 (secureserver.net)" on port 25 (TCP).
[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
* Creates a mutex (null).
* Creates a mutex RasPbFile.
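The report above is plain text with a fixed shape (bracketed section headers, "* " entries, "old value" continuation lines), so it can be triaged mechanically. The following is an added example, not code from the original post or from BSA itself: a small Python script that parses that format and pulls out what an analyst would act on, namely files dropped into the Windows directory, a value written under the Run key (persistence), the dropped file being the same binary the Run value points at (the payload), direct SMTP connections to several mail servers (mass-mailer behaviour), and the mutex names. The sample text is the report quoted above, trimmed to one "Modifies value / old value" pair; the regular expressions, the rule that treats mutex names beginning with a drive letter and "!" as IE cache-lock noise, and the "two or more SMTP hosts" threshold are assumptions of this example, not rules BSA applies.

```python
import re

# Constructed sample: the BSA report lines quoted in the post above, trimmed to
# a single "Modifies value / old value" pair to keep the listing short.
SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "AppData=D:\Documents and Settings\Test\Datos de programa" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
old value "AppData=D:\DOCUME~1\Test\Datos de programa"
[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
* Connects to "74.125.79.114 (1e100.net)" on port 25 (TCP).
* Connects to "64.12.138.57 (aol.com)" on port 25 (TCP).
* Connects to "72.167.238.201 (secureserver.net)" on port 25 (TCP).
[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex (null).
* Creates a mutex RasPbFile.
"""

# Patterns for the report lines (assumed from the sample, not a BSA-documented grammar).
SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ENTRY_RE = re.compile(r"^\*\s+(.*)$")
CREATES_FILE_RE = re.compile(r"^Creates file (.+)$")
CREATES_VALUE_RE = re.compile(r'^Creates value "([^=]+)=(.*)" in key (.+)$')
CONNECTS_RE = re.compile(r'^Connects to "([\d.]+)(?: \(([^)]*)\))?" on port (\d+) \((TCP|UDP)\)\.?$')
MUTEX_RE = re.compile(r"^Creates a mutex (.+?)\.?$")


def parse_report(text):
    """Split a report into {section: [entry]}, entry = {'text': ..., 'old_value': ...}.
    A '* ' line opens an entry; an 'old value' line belongs to the entry above it."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, last = m.group(1), None
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            last = {"text": m.group(1)}
            sections[current].append(last)
        elif line.startswith("old value ") and last is not None:
            last["old_value"] = line[len("old value "):].strip('"')
    return sections


def triage(text):
    """Extract the indicators an analyst would act on from a parsed report."""
    sections = parse_report(text)
    f = {"dropped_files": [], "autostart": [], "smtp_hosts": [], "mutexes": [], "notes": []}
    for e in sections.get("Changes to filesystem", []):
        m = CREATES_FILE_RE.match(e["text"])
        if m:
            f["dropped_files"].append(m.group(1))
    for e in sections.get("Changes to registry", []):
        # Persistence: a new value under ...\CurrentVersion\Run runs at every logon.
        m = CREATES_VALUE_RE.match(e["text"])
        if m and m.group(3).lower().endswith(r"\currentversion\run"):
            f["autostart"].append((m.group(1), m.group(2)))
    for e in sections.get("Network services", []):
        m = CONNECTS_RE.match(e["text"])
        if m and m.group(3) == "25" and m.group(4) == "TCP":
            f["smtp_hosts"].append(m.group(1))
    for e in sections.get("Process/window information", []):
        m = MUTEX_RE.match(e["text"])
        if not m or m.group(1) == "(null)":
            continue
        # Assumed noise filter: names that start with a drive letter and '!' are
        # file paths with '\' replaced (IE cache locks), not chosen by the sample.
        if re.match(r"^[a-zA-Z]:!", m.group(1)):
            continue
        f["mutexes"].append(m.group(1))
    # Correlate: a dropped file that is also the autostart target is the payload.
    dropped = {p.lower() for p in f["dropped_files"]}
    for name, cmd in f["autostart"]:
        if cmd.lower() in dropped:
            f["notes"].append(f"dropped file {cmd} is registered for autostart (Run value '{name}')")
    f["mass_mailer"] = len(set(f["smtp_hosts"])) >= 2
    if f["mass_mailer"]:
        f["notes"].append(f"direct SMTP to {len(set(f['smtp_hosts']))} mail servers: mass-mailer behaviour")
    return f


if __name__ == "__main__":
    for note in triage(SAMPLE_REPORT)["notes"]:
        print(note)
```

Run as-is it prints the two correlated notes for the Bagle sample; pointing `triage` at a saved BSA report instead of `SAMPLE_REPORT` gives the same summary for other samples, as long as they keep this line format.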
UPieper wrote:
That looks very interesting... If you need any beta testers, I'm ready.
You are welcome as a tester, of course! All the help will be really appreciated.
You have available a beta version. Did you try it already?
Just let me know any bugs, suggestions, requests, ... you have.
tzuk has been so kind as to add the feature I requested, so I expect to release the 1.0 version really soon... a couple of days, maybe less.
btw... you joined in 2007 and you only published 9 messages. Amazing!

Last edited by Buster on Mon Nov 23, 2009 2:09 am, edited 1 time in total.