Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Mar 02, 2013 5:48 pm

After a few tests with Sandboxie version 4, and due to the major changes to the underlying architecture, I have concluded that Sandboxie is no longer suitable for malware analysis; therefore Buster Sandbox Analyzer development will be discontinued.

I intend to release a last BSA version including a fix to support the new VirusTotal information and hopefully the MAEC report format.

I want to thank Ronen for all the support he has brought all these years.


Post by Buster » Mon Mar 04, 2013 2:19 am

Ronen: I know the Sandboxie 3.x line will be discontinued, but I would like to request a last release in consideration of BSA users, including the following fixes:

+ Bug related to the malware I reported which disables logoff
+ WMI not working on Windows 8
+ API information being truncated

It would be nice if additionally you hooked NtQueryInformationProcess (ProcessImageFileName) as you do with NtQueryObject, in order to return the faked path instead of the real one.

I would make this bug-fixed Sandboxie 3.76 the official release to be used with the last BSA release.

Also, as I mentioned by mail, if you consider updating 3.x from time to time I would reconsider my decision to stop BSA development.
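The hook requested above (NtQueryInformationProcess with ProcessImageFileName) matters because a sample that is dropped into the box and launched from there can ask the kernel for its own image path and see the box folder in it, even when NtQueryObject has already been hooked to hide it. The Python below is an added example, not code from BSA or from Sandboxie, and shows both sides: the check a sandbox-aware sample can make on the NT path, and the rewrite such a hook would have to perform to hand back the faked path. The box layout (a BoxRoot of \Sandbox with <user>\<box>\drive\<letter> and <user>\<box>\user\current subfolders), the device and profile mappings, and the sample paths are assumptions made for the example; only the helper at the end calls the real ntdll export and it needs Windows to run.

```python
import re

# Assumed default Sandboxie 3.x box layout (an assumption for this example,
# not taken from the thread):
#   <BoxRoot>\<user>\<box>\drive\<letter>\...  holds files written to <letter>:\...
#   <BoxRoot>\<user>\<box>\user\current\...     holds files written to %USERPROFILE%\...
# ProcessImageFileName returns an NT-style path, for example
#   \Device\HarddiskVolume2\Sandbox\alice\DefaultBox\user\current\AppData\Local\Temp\dropper.exe
BOX_RE = re.compile(
    r"^(?P<device>\\Device\\[^\\]+)\\Sandbox\\(?P<user>[^\\]+)\\(?P<box>[^\\]+)"
    r"\\(?:drive\\(?P<letter>[A-Za-z])|user\\current)(?P<rest>(?:\\.*)?)$",
    re.IGNORECASE,
)

# Assumed letter-to-device and profile mappings; a real hook would resolve
# these through the object manager instead of a static table.
VOLUMES = {"C": r"\Device\HarddiskVolume2", "D": r"\Device\HarddiskVolume3"}
PROFILE_ROOT = r"\Device\HarddiskVolume2\Users"


def parse_boxed_path(nt_path):
    """Split a sandboxed NT image path into its parts, or None if not sandboxed."""
    m = BOX_RE.match(nt_path)
    return m.groupdict() if m else None


def looks_sandboxed(nt_path):
    """The check a sandbox-aware sample can make: is my image inside a box folder?"""
    return parse_boxed_path(nt_path) is not None


def unboxed_path(nt_path):
    """The path an NtQueryInformationProcess hook should hand back instead."""
    parts = parse_boxed_path(nt_path)
    if parts is None:
        return nt_path  # not sandboxed: nothing to hide
    if parts["letter"]:
        # file redirected from <letter>:\ ; fall back to the box's own volume
        root = VOLUMES.get(parts["letter"].upper(), parts["device"])
    else:
        # file redirected from the user profile
        root = PROFILE_ROOT + "\\" + parts["user"]
    return root + parts["rest"]


def query_image_file_name_nt():
    """Windows only: ask ntdll for the real NT image path of this process."""
    import ctypes

    class UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ushort),
                    ("MaximumLength", ctypes.c_ushort),
                    ("Buffer", ctypes.c_void_p)]

    ntdll = ctypes.WinDLL("ntdll")
    kernel32 = ctypes.WinDLL("kernel32")
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
        ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    process_image_file_name = 27  # PROCESSINFOCLASS::ProcessImageFileName
    buf = ctypes.create_string_buffer(ctypes.sizeof(UNICODE_STRING) + 2 * 1024)
    returned = ctypes.c_ulong(0)
    status = ntdll.NtQueryInformationProcess(
        kernel32.GetCurrentProcess(), process_image_file_name,
        buf, ctypes.sizeof(buf), ctypes.byref(returned))
    if status != 0:
        raise OSError("NtQueryInformationProcess failed: 0x%08X" % (status & 0xFFFFFFFF))
    us = UNICODE_STRING.from_buffer(buf)
    return ctypes.wstring_at(us.Buffer, us.Length // 2)


if __name__ == "__main__":
    import sys
    # Constructed sample paths so the example runs offline on any platform.
    samples = [
        r"\Device\HarddiskVolume2\Sandbox\alice\DefaultBox\user\current\AppData\Local\Temp\dropper.exe",
        r"\Device\HarddiskVolume2\Sandbox\alice\DefaultBox\drive\C\ProgramData\svc.exe",
        r"\Device\HarddiskVolume2\Windows\System32\notepad.exe",
    ]
    if sys.platform == "win32":
        samples.append(query_image_file_name_nt())
    for p in samples:
        print("sandboxed" if looks_sandboxed(p) else "clean    ", p, "->", unboxed_path(p))
```

Run on Windows inside a box, the last sample is the live answer from ntdll for the current process; if it contains the box folder, the NtQueryObject hook alone is not enough and the ProcessImageFileName path is exactly what the requested hook would need to rewrite as unboxed_path does.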

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Mar 04, 2013 4:53 am

We already discussed all of this in email so I'm not sure why you are trying to restart the discussion here.
But for the benefit of readers, my position is that I disagree with Buster's conclusion that Sandboxie version 4 is not useful for BSA.
Therefore, it does not make sense to me that I should maintain a line of version 3 releases in parallel with newer version 4 releases.
On a more practical note, maintaining old version 3 would be a considerable time investment, at the expense of improving version 4.
tzuk


Post by Buster » Mon Mar 04, 2013 5:06 am

tzuk wrote: We already discussed all of this in email so I'm not sure why you are trying to restart the discussion here.
I do not intend to restart any discussion. I am just making a public request for the benefit of BSA users, and you can blame me if you want just because I want you to make a public statement about your decision. :roll:
tzuk wrote: But for the benefit of readers, my position is that I disagree with Buster's conclusion that Sandboxie version 4 is not useful for BSA.
That malware samples fail to run properly due to new restrictions in Sandboxie version 4 is a fact that is not open to discussion.

I tested two malware samples with Sandboxie version 4 and one works and the other fails: that is a 50% success rate, and for me that is not acceptable when in Sandboxie version 3 most malware runs fine, or at least to an acceptable point.

As emulation from LOG_API is not an option for the reasons I explained by mail, I keep thinking Sandboxie 4 is not suitable for malware analysis.
tzuk wrote: Therefore, it does not make sense to me that I should maintain a line of version 3 releases in parallel with newer version 4 releases. On a more practical note, maintaining old version 3 would be a considerable time investment, at the expense of improving version 4.
I did not request that you keep maintaining old version 3. I just requested 3 bugfixes and a feature. That's all.

I did not request that if some software does not run fine in version 3 you update it to get it working. You can continue with the Sandboxie version 4 production line and forget about the version 3 line. I am just saying that in the future I may request a bugfix, but that's all.

The time investment I am requesting is close to zero, as you already fixed the bugs I mentioned, and if in the future I request a bugfix for version 3 you will probably solve it in no time.

I consider my request is fairly reasonable.


Post by Buster » Mon Mar 04, 2013 5:19 am

Note: Ronen made major changes to Sandboxie's underlying architecture due to PatchGuard technology. As he commented:
to mitigate the risk that a future update to Windows 7 will include the new PatchGuard, and break compatibility with Sandboxie
As long as this update does not happen, Sandboxie version 3.x would be a valid option for malware analysis. Maybe this update never even happens.

Therefore I consider well worth keeping the door open to small updates from time to time to version 3.76 so Sandboxie and BSA can continue being a nice association.


Post by tzuk » Mon Mar 04, 2013 5:40 am

Buster, I don't appreciate the misrepresentation you're doing here. The changes I've made to the underlying architecture are not the reason that one of your malware samples doesn't work. Or more correctly: Such a change could have gone into version 3 at any time.

I really don't see the point of going through all of this again. You know my position is that I'm not going to spend time to make Sandboxie be able to run malware for the sake of running malware. This would not be in the best interest of most people using Sandboxie and expect it to protect them. If even one malware, which would potentially steal data, would fail to run under Sandboxie, then it is a win for people who use Sandboxie.

Therefore I suggested that you should extend BSA to provide whatever compatibility tweaks that you need to make your malware samples run correctly in case where they fail under Sandboxie. That you refuse to do this, for reasons that you don't seem to want to go into here, is your decision. But I think it is not reasonable that you request that I accommodate you by continuing to maintain a line of old version 3 releases.
tzuk


Post by Buster » Mon Mar 04, 2013 5:52 am

I do not intend to argue, but this time it is you who is misrepresenting things.

I repeat: I am not requesting a line of old version 3 releases. I am requesting:

+ 3 bugfixes in version 3.76 (fixes you already made for version 4.01.02)

+ A feature request (no hurry with it)

+ Keep the door open to the possibility of fixing other bugs I may find. And I want to remark that this is just a possibility. Maybe I never find any other problem, so the 3 bugfixes would be enough and you would not have to release any other version 3 update ever.

For the sake of clarity: with "other bugs I may find" I mean things like the logoff issue with the malware I sent you. I am not talking about software compatibility.

Obviously this version would be for people interested in running BSA and analyzing malware, and the rest of the people will use Sandboxie 4 versions.

And obviously this solution would not last forever because Windows 9 will be released in some years and then most probably Sandboxie 3 will not be compatible, but I think BSA users can live with that until then.


Post by tzuk » Mon Mar 04, 2013 9:15 am

You're asking me to release another Sandboxie version based on version 3 now, and more versions in the future. Who knows what kind of a support load that's going to end up being?

Maybe a Windows Update a couple of months from now would break Sandboxie 3 on Windows 7, but not affect Sandboxie 4. Would I then have to spend time fixing Sandboxie 3 because you're relying on it?

What if it turns out 50% of the people using BSA are also using some other security software X, and this security software X changes in the next version in a way which is no longer compatible with Sandboxie version 3, but fine with Sandboxie version 4. Do I spend time to fix that issue in Sandboxie version 3 because you're relying on it for BSA?

You know I appreciate all the work you've done with BSA and I think it's a fine tool. But what you're asking here in my opinion is a black hole of time investment for me, and I am sorry but -- again -- the answer is no.
tzuk


Post by Buster » Mon Mar 04, 2013 9:22 am

tzuk wrote: You're asking me to release another Sandboxie version based on version 3 now, and more versions in the future. Who knows what kind of a support load that's going to end up being?
I promise it would be close to none.
tzuk wrote: Maybe a Windows Update a couple of months from now would break Sandboxie 3 on Windows 7, but not affect Sandboxie 4. Would I then have to spend time fixing Sandboxie 3 because you're relying on it?
In that case I would suggest BSA users uninstall the Windows update breaking Sandboxie. If that update was totally necessary then I would say: ok, this is the end of BSA.
tzuk wrote: What if it turns out 50% of the people using BSA are also using some other security software X, and this security software X changes in the next version in a way which is no longer compatible with Sandboxie version 3, but fine with Sandboxie version 4. Do I spend time to fix that issue in Sandboxie version 3 because you're relying on it for BSA?
In that case I would tell BSA users they must decide: use BSA or use the other security software X.
tzuk wrote: You know I appreciate all the work you've done with BSA and I think it's a fine tool. But what you're asking here in my opinion is a black hole of time investment for me, and I am sorry but -- again -- the answer is no.
Fine, but I just want to remark that you are basing your decision on suppositions and things that may or may not happen, and saying the time investment is going to be big when in fact it would be very low because you already made the fixes for the bugs.

So if time investment is the only reason to say no, please reconsider the answer because the reason is wrong.


Post by tzuk » Mon Mar 04, 2013 10:33 am

I am making the decision based on my experience that nothing is "just this once", and nothing has a zero cost. And in any case my position is the request itself is wrong. Continued release of versions 3 of Sandboxie is not the correct long term solution to your problem. Your problem is that Sandboxie is not providing a perfect execution environment for malware, and the correct long term solution is to have BSA provide the missing functionality that is needed to accomplish that.
tzuk


Post by Buster » Mon Mar 04, 2013 10:44 am

Sandboxie version 4 replaces the user token of sandboxed processes with an access token with no privileges. For that reason the required data will not be available, and sandboxed processes that cannot work without it will fail.

At this point there is nothing BSA/LOG_API can fix because there is nothing to fix and emulating everything is not an option.


Post by tzuk » Mon Mar 04, 2013 11:02 am

That is an implementation detail of the way Sandboxie works in version 4 and is irrelevant to this discussion. I am certain that the vast majority of your malware samples will continue to run just like in Sandboxie version 3. We are talking here about a few fringe samples which fail because they use esoteric aspects of Windows that are not simulated correctly by Sandboxie. You would have to provide support for that in BSA. That is the correct long term solution in my opinion. Alternatively accept that Sandboxie version 4, just like version 3, is not going to be able to run all types of malware, and some malware will fail to run under Sandboxie. Nothing has changed in principle, and this entire discussion serves no point.
tzuk


Post by Buster » Mon Mar 04, 2013 1:02 pm

Ok, let's move on.

BSA will be discontinued.

TonyKlein
Posts: 14
Joined: Sun Oct 07, 2012 8:03 am
Location: The Netherlands

Post by TonyKlein » Tue Mar 05, 2013 4:11 am

Rats. The main reason I purchased Sandboxie in the first place was in order to be able to analyze malware with BSA... :roll:
Tony


Post by Buster » Sun Apr 21, 2013 3:49 pm

Released Buster Sandbox Analyzer 1.88 - Final Release

Changes:

+ Added support for MAEC 3.0 reports
+ Fixed VirusTotal report information

