Configuring Buster Sandbox Analyzer - Analysis modes

First you must understand that Buster Sandbox Analyzer has two analysis modes: manual and automatic.
In the manual mode, you start/stop Sandboxie when you want. You decide which programs must run sandboxed and when to terminate sandboxed processes.
In the automatic mode, you configure the amount of time that Buster Sandbox Analyzer will let sandboxed programs run. After that time, BSA will terminate the processes.
Knowing this, you will understand why there are effectively two Buster Sandbox Analyzer configurations: one for the manual mode and another for the automatic mode.
Now I will explain each option one by one...
Options > Restart

This option is enabled as soon as an analysis starts, and it is used to stop the analysis.
This option is available in both manual and automatic mode.
Options > Analysis Mode

Buster Sandbox Analyzer can be configured to run in "Automatic" or "Manual" mode.
Later I will explain the differences between running an analysis in automatic or manual mode.
Options > Automatic Analysis Options

Under this menu you will find the options related to the configuration of BSA in automatic mode.
Options > Automatic Analysis Options > Automate Setups

Much malware is included inside an installation package. The installation requires the user to click on buttons and checkboxes such as "Next", "I accept", "Install", "Finish", ...
In order to analyze properly malware included inside an installation package, the installation must be completed correctly.
When enabled, this option will automate a large number of installation setups.
Options > Automatic Analysis Options > Do Not Process Unknown File Types

Buster Sandbox Analyzer recognizes most file types: EXE, DLL, VBS, BAT, DOC, PDF, ...
Usually, Windows has these extensions associated with applications, so when you run a file, the associated application will open it.
If you want BSA to launch, let's say, a PDF with Adobe Acrobat Reader, you must create that association yourself.
When enabled, this option makes Buster Sandbox Analyzer skip unknown file types instead of processing them.
Options > Automatic Analysis Options > Keep Sandbox File

When enabled, this option makes Buster Sandbox Analyzer keep a copy of the sandbox folder.
This is useful for keeping a copy of every file that the analyzed application modified or created (dropped or downloaded from the internet).
Options > Automatic Analysis Options > Manage Processed File

When enabled, this option will copy or move (depending on the configuration) the processed file to the report folder.
Options > Automatic Analysis Options > Process Selected Folder Recursively

When enabled, this option makes Buster Sandbox Analyzer process every file in the given folder and its subfolders.
Options > Automatic Analysis Options > Resume Process When Available

As I commented previously, an analysis can be stopped by clicking on "Options > Restart". In the automatic analysis mode, a batch of files can be processed. When the automatic analysis is stopped, Buster Sandbox Analyzer keeps a list of the files that were not processed.
When enabled, this option checks whether there are pending files to be processed and, if so, continues processing them.
Options > Automatic Analysis Options > Run Custom Command On Finish

When enabled, this option makes Buster Sandbox Analyzer execute a BATCH file, which lets the user run "post-analysis" processes.
In the BATCH file you can run whatever programs you want.
The BATCH file must be named "PROCESS.BAT" and must be located in the same folder as BSA.EXE.
Options > Automatic Analysis Options > Take Screenshots

When enabled, this option makes Buster Sandbox Analyzer take screenshots of the sandboxed applications.
One screenshot per sandboxed application will be taken.
Options > Common Analysis Options

Under this menu you will find the options that are common to both automatic and manual analysis modes.
Options > Common Analysis Options > Adjust Time Limit In

The manual analysis mode can run with or without a time limit. In the automatic analysis mode the time limit is mandatory. For both automatic and manual modes, the time limit can be adjusted in minutes or seconds.
Options > Common Analysis Options > Exclusion Lists

I will comment on the meaning of the exclusion lists later. Right now you just need to know that the exclusion lists (API, File and Registry) can be enabled or disabled in this menu.
Options > Common Analysis Options > Packet Sniffer

With the help of WinPcap, Buster Sandbox Analyzer is able to capture network traffic. Under this menu you will find the options to configure the packet sniffer module.
Options > Common Analysis Options > Packet Sniffer > Do Not Capture Packets

When enabled, this option makes Buster Sandbox Analyzer not capture network traffic.
Options > Common Analysis Options > Packet Sniffer > Do Not Filter Local Packets

When enabled, this option makes Buster Sandbox Analyzer keep, rather than discard, packets whose origin and destination are on the same PC.
Options > Common Analysis Options > Packet Sniffer > Do Not Show UDP Packets

It is possible to know which application generated a TCP packet, but this is not possible with UDP packets.
Buster Sandbox Analyzer filters network packets and only processes those TCP packets that were generated by sandboxed applications. As it is not possible to know who generated a UDP packet, a UDP packet coming from an unsandboxed application may be processed.
You can mitigate this problem by not running unsandboxed applications while analyzing malware.
If you cannot avoid running unsandboxed applications, then you must be aware that UDP packets coming from unsandboxed applications may be included in the analysis. The other option is not to process UDP packets at all, and that is what this option is for.
When enabled, UDP packets will not be processed.
Options > Common Analysis Options > Packet Sniffer > Save Capture To File

It is possible to save captured network traffic to disk. Buster Sandbox Analyzer captures traffic in a PCap-compatible file format. This file can be used for forensic analysis.
When enabled, this option makes Buster Sandbox Analyzer save the captured network traffic to disk.
Options > Common Analysis Options > Packet Sniffer > Select Adapter

This option is used to select the network adapter from which network traffic will be captured.
Options > Common Analysis Options > Packet Sniffer > Show Full Path

Buster Sandbox Analyzer includes in the generated reports the file name of the application that generated a network connection.
When enabled, this option makes Buster Sandbox Analyzer include the full path to the application that generated the network connection.
Options > Common Analysis Options > Reports

Under this menu you will find the options to configure reports: what information must be included and what not.
The information can relate to the main file or to dropped files.
The main file is the file (application, document, whatever) that was launched first.
Dropped files are all the files that were created (dropped, downloaded from the internet, modified, ...) in the sandbox folder.
The reports can be configured individually: you can include a certain piece of information for the main file and not for the dropped files, include it for the dropped files but not for the main file, include it for both, or include it for neither.
Options > Common Analysis Options > Reports > Digital Signature

If you want to know more about digital signatures, I suggest you google for "Sigcheck" by Mark Russinovich. Buster Sandbox Analyzer uses his tool to check the digital signature.
When enabled, this option makes Buster Sandbox Analyzer include the digital signature verification information.
Options > Common Analysis Options > Reports > Do Not Resolve URLs

When enabled, this option makes Buster Sandbox Analyzer not resolve IPs.
Options > Common Analysis Options > Reports > File Entropy

If you want to know more about the relation between file entropy and malware, you should read this paper:
http://citeseerx.ist...p=rep1&type=pdf
Buster Sandbox Analyzer uses Shannon's entropy algorithm.
When enabled, this option makes Buster Sandbox Analyzer include file entropy information.
Options > Common Analysis Options > Reports > File Length

When enabled, this option makes Buster Sandbox Analyzer include file length information.
Options > Common Analysis Options > Reports > File Signature

A file signature identifies the compiler and/or the packer used to encrypt/compress a file.
Buster Sandbox Analyzer includes two tools to extract file signatures: PEiD and Exeinfo. You can use both if you want, just one of them, or none.
PEiD gives you the chance to include your own file signatures.
When enabled, this option makes Buster Sandbox Analyzer include file signature (PEiD and/or Exeinfo) information.
Options > Common Analysis Options > Reports > File Type

As I commented previously, Buster Sandbox Analyzer identifies most file formats: EXE, DLL, VBS, PDF, DOC, XLS, ...
When enabled, this option makes Buster Sandbox Analyzer include file type information.
Options > Common Analysis Options > Reports > Hash

If you want to know more about hashes, I suggest you review Wikipedia:
http://en.wikipedia....i/Hash_function
When enabled, this option makes Buster Sandbox Analyzer include the MD5, SHA-1 and SHA-256 hashes.
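The File Entropy, File Length and Hash report fields described above can be reproduced for any dropped file with a few lines of Python. This is an added example, not BSA's own code: it computes Shannon entropy in bits per byte (the same measure the tool uses, with values near 8 typically indicating packed or encrypted content) together with the MD5, SHA-1 and SHA-256 hashes. The 7.0 "likely packed" threshold is a common analyst heuristic, not a BSA setting, and the sample files are constructed in a temporary directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Heuristic threshold, not a BSA setting: byte entropy close to the 8-bit
# maximum usually means compressed, packed or encrypted content.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def report_bytes(data: bytes) -> dict:
    """Length, entropy and hashes, mirroring the BSA report fields."""
    entropy = shannon_entropy(data)
    return {
        "length": len(data),
        "entropy": round(entropy, 4),
        "likely_packed": entropy >= PACKED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def report_file(path: str) -> dict:
    """Same report for a file on disk, e.g. a dropped file from the sandbox folder."""
    with open(path, "rb") as fh:
        return report_bytes(fh.read())


if __name__ == "__main__":
    # Constructed samples: a low-entropy file next to a high-entropy one built
    # from random bytes, standing in for a packed dropped file.
    samples = {"plain.bin": b"MZ" + b"\x00" * 4094, "packed.bin": os.urandom(4096)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            print(name, report_file(path))
```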
Options > Common Analysis Options > Reports > ssdeep

If you want to know more about ssdeep, I suggest you visit the official site:
http://ssdeep.sourceforge.net/
When enabled, this option makes Buster Sandbox Analyzer include ssdeep information.
Options > Common Analysis Options > Reports > Virus Total

Virus Total is a free service where you send a file and it is scanned with over 40 antivirus engines. Additionally, it offers a service where you send a hash and obtain information about the file. Buster Sandbox Analyzer uses this service to check whether the file is detected by the antivirus engines used by Virus Total.
When enabled, this option makes Buster Sandbox Analyzer retrieve file information from Virus Total.
Options > Manual Analysis Options

This menu contains the options related to the configuration of the manual mode analysis.
Options > Manual Analysis Options > Ignore If Sandbox Folder Is Not Empty

In automatic analysis mode, if the sandbox folder contains files, they will be deleted.
In manual mode, Buster Sandbox Analyzer checks whether the sandbox folder to process contains files. If there are files, it asks what you want to do with them: keep or delete.
When enabled, this option makes Buster Sandbox Analyzer skip that question; the files in the sandbox folder are kept directly.
Options > Manual Analysis Options > Set A Time Limit For Analysis

The manual analysis mode can be configured to run for a specified amount of time.
When enabled, this option makes Buster Sandbox Analyzer set a time limit.
Options > Program Options

In this menu you can configure options not directly related to malware analysis.
Options > Program Options > Check For Updates On Start

When enabled, this option makes Buster Sandbox Analyzer check whether a new version is available.
Options > Program Options > Remember Windows Position

By default, when launched, the Buster Sandbox Analyzer window will appear at the center of the screen. If you dislike this behaviour, you can configure BSA to remember the position on screen it had when you closed the tool.
When enabled, this option makes Buster Sandbox Analyzer place the GUI window at the position it was in when the program was closed.
Options > Program Options > Save Settings on Exit

When enabled, this option makes Buster Sandbox Analyzer save its settings on close.
Options > Program Options > Windows Shell Integration

When enabled, this option makes Buster Sandbox Analyzer add a menu entry to Windows Explorer.

The first option you should configure/enable is "Options > Program Options > Save Settings on Exit". That way you will not lose your configuration when you close BSA.