95 replies to this topic

[Buster_BSA]

And we now apparently invite posters, who if they read the rules, might not be so quick to take offence & offer advice such as "grow up child".
I could care less about such "I'm always right, don't argue" attitudes, but to find after several site visits, that we are receiving "serialised" material is a bit much, particularly since no warning was given.
Worse still the excuse is we probably would not have read a longer initial post.
This feels like the hand of god approach.

If you don´t like to hear certain things you should adopt a more mature attitude. Something like "I was going to try your SW but now I´ll not" is a childish attitude if you like it or not.

Could you explain what you mean with "serialised"? I just don´t understand why I should have made any warning.

Excuse will be for you. In my experience it was the right way to do things. I repeat, I have experience introducing my tool and you don´t, so you are talking about something you don´t know, which is again a childish attitude.

If you feel the hand of god approach I feel the hand of troll approach.

[Peter O]

"I'm right, I know best, your wrong".

WOW I rest my case

[Buster_BSA]

"I'm right, I know best, your wrong".

WOW I rest my case

Childish attitude again. I repeat, grow up.

And yes, obviously and without any discussion I know best about introducing Buster Sandbox Analyzer to new users.

Do you have any problem with that? because seems so...

[Brito]

Guys..

Can we please reach a peace agreement?

Would be nice to learn a bit more about this type of topic. My personal apologies if the software is trial to some extent and not fully freeware as I expected. Last time I used sandboxie I didn't even noticed it was a trial.

From what I can read:

Buster Sandbox Analyzer is free of charge. You just must pay for a Sandboxie license which is very cheap and it´s lifetime.

Sandboxie is the software that requires registration and not Buster's Analyzer which is free.

In fact, we had already talked about SandBoxie in boot land as far back as 2006: http://www.boot-land...p?showtopic=228

At the time I found the concept interesting but didn't had the chance to learn much more about it.

I'm liking to read Buster's presentation about malware, he is an invited guest lecturer and probably not very used to inquisitive minds from boot land so you ought expect some shock from those who arrive fresh in here..

Let's be nice and let the explanation continue.
(please.. )

[Buster_BSA]

Thanks Nuno!

"You just must pay for Sandboxie" if you want to. As I told, BSA will work with an unregistered version of Sandboxie.

[Wonko the Sane]

@Buster_BSA

Let's make it like this.

Sandboxie is a Shareware app which can be used Free of charge with a few limitations.

What would be interesting to know, would be exactly WHICH limitations does the "unlicensed" version have when compared to a paid-for, licensed one.

Wonko would approve if in one of the next episodes of this saga you could produce (and of course only if you are wishing to) a table similar to this one (just an example):
http://www.partition...comparison.html



Wonko

[Buster_BSA]

What would be interesting to know, would be exactly WHICH limitations does the "unlicensed" version have when compared to a paid-for, licensed one.

http://www.sandboxie...gisterSandboxie

[Wonko the Sane]

http://www.sandboxie...gisterSandboxie

Sure, rest assured I can find (and read) almost anything, if it exists.

But still, out of the 4 limitations:

• nag screen after 30 days of use (how much nagging? )
• possibility to run only 1 (one) sandboxie concurrently
• Forced Programs
• Forced Folders

Only the first two are clear to me, the latter two, and expecially last one, being, in my current ignorance , like what may severely limit the functionalities of your app.



Wonko

[Buster_BSA]

But still, out of the 4 limitations:

• nag screen after 30 days of use (how much nagging? )
• possibility to run only 1 (one) sandboxie concurrently
• Forced Programs
• Forced Folders

Only the first two are clear to me, the latter two, and expecially last one, being, in my current ignorance , like what may severely limit the functionalities of your app.

Buster Sandbox Analyzer only needs the use of one sandboxie concurrently and forced programs and forced folders are not required.

I don´t know how much nagging will be the nag screen but I don´t think too much when running BSA.

[Buster_BSA]

Hi.

I will start talking about Buster Sandbox Analyzer and I will write about the tool several posts because there are many features and options.

I must say that Buster Sandbox Analyzer is not for computer newbies. To use the tool is required a medium-high computer knowledge.

The official page of the tool is: http://bsa.sandboxie.info/

The last version of the tool can be downloaded from: http://bsa.sandboxie.info/bsa.rar

Development forum can be reached here: http://sandboxie.com...opic.php?t=6557

What´s Buster Sandbox Analyzer? A behavioural analyzer and its purpose is to evaluate if sandboxed applications have a malicious behaviour.

What´s evaluated? File changes, registry changes, port connections and system actions.

It´s considered as a file change : the creation of a file, the deletion of a file, the modification of a file.

It´s considered as a registry change: the creation/deletion/modification of registry keys and values.

As port connections BSA considers: opening a local port or connect to other computer.

System actions are a variety of things like: try to shutdown or restart the computer, end windows sessions, create or start a service, log keystrokes, ...

When an application performs one or several of these actions it will be considered as malicious, but we must consider that there are not good and bad actions. This is very important to understand.

Is bad that a file is copied to Windows folder? Normal applications do it all the time.

Is bad that a program tries to connect to internet? Many trustable programs do it.

Therefore more important than BSA´s evaluation, it´s the user´s evaluation. We must learn to know when an action should be done and when not.

Let´s say we analyze mIRC, the IRC client. We install mIRC and connect to a server. BSA will report that the sandboxed application dropped files to Program files, that connected to internet, ... so it will be reported as highly suspicious.

But we, knowing that mIRC should do that, should not consider it as suspicious.

Now let´s say we analyze a keygen and this keygen opens a connection on port 31173, connects to internet, drops a file to windows folder and modifies the registry. BSA will report as highly suspicious.

Is a keygen supposed to open ports, connect to internet, drop files to windows folder and modify the registry? Maybe modifying the registry is ok but the rest is really suspicious so we must agree with BSA´s evaluation.

Conclusion: BSA´s evaluation system is pretty irrelevant. We, with our experience, must be the real evaluation system. Probably takes some time to learn but it´s worth.

Next day I will talk about how to install BSA and about a few things we must consider before using BSA.

[n00bie]

Well... I pollyjize for stepping in so late, I've been fighting with the
"box"

so... I got to this part:
[quote]
a thread which is mere discussion of a principle.
[quote]

(and alot of other debating)

Aw... y'all c'mon.... 4Starters "PRINCIPLE" is the foundation... of what? Everthing. FWIW, that part was refreshing Running in "chroot" or "jail" is OLD-SCHOOL with *nix...

a "sandbox" used to be a drive-directory where unfinished source project-FILES were stored, and they were (still are) compiled and RUN in a "chroot/jail" memory/processor {volatile, temporary) space...

msdos-windoz wasn't originally coded modular like *nix. The *nix's were built for multi[networked]-everything, for HARDWARE that was built to do that... *nix and *bsd's (like OSx) all implement a standard, tried and true "permission protocol" that was designed for a mult-user, multi-machine environment. Ideal for writing and testing code... The old "file permission" attributes of DOS/win and FAT drives did OK until everybody's brother in law got a modem and email.

dos/win32 was originally built "linear" to run on ONE 8086 box all by it's 640k limitted self... Programs/applications were retailed to non-programmer end users to run "out of the box" The core of OS couldn't evolve faster than the supporting hardware...

It's like.... Win32 is to Capitalism as *nix is to Compassion...

The need for "Chroot/jail" under win32 is clear... So far the only app I've seen that does it with sufficient simplicity for end user is the "Sandboxie"... About the only open source option was "Virtual Box" but now Sun's bought them out...

The *IDEA* of "behavioral analysis" for security... That's a no-braner... Running it in Sandboxie is one option...

Me personally, I do thus:

[boot loader]timeout=30default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff/fastdetectmulti(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetectC:\ = "Microsoft Windows"

So when I get a minute, maybe I'll see if this idea keeps me from having to "ghost" sdb0 every time I hose it

God Bless...

n00b

[Peter H]

I appreciate both sides of the comments posted, my only observation is that on first inspection it appears BusterSandbox is indeed free but only in conjunction with SandboxIE which is shareware.

I appreciate the author's time in posting but as he states this is not a simple tool to use. In fact anyone with the skill to use and interpret the results sensibly would be more than likely be of a level where they have their own regime for handling suspect files.

I used to use Altiris' free offering for some of this work and Winternals free tools - if Buster could interface all these (and possibly others or hooks for other developers) then I feel it would be of far more use.

I pretty much gave up on sandbox programs when VPC and VirtualBox were launched, they give a clean environment which can be rolled back or destroyed at a moments notice.

[Buster_BSA]

VPC and VirtualBox are indeed nice and useful software, but many users use virtual machines to try the software and decide if they will install it in the real system.

VPC and VirtualBox are not a solution in that case to the malware problem, as the real system will become compromised when the malicious program is installed.

What Buster Sandbox Analyzer provides is a safe environment to test the software and get an opinion about if the software is or not malicious, something that VPC and VirtualBox can not do.

Sandboxie is shareware but can be used in unregistered mode in conjunction with BSA. If you decide BSA is useful you can decide to register Sandboxie (very useful software used alone too) or continue using it unregistered.

The most similar software to Buster Sandbox Analyzer (and the only one if I´m not wrong) is Norman Sandbox Analyzer. The license for one year of Norman´s product was not many time ago around 10.000 euros.

I don´t understand why there are people complaining about if Sandboxie is shareware or not, and if I have been dishonest (I´m still waiting for a quote of what I said that it´s considered dishonest) when you are getting a valuable software at cost 0 or nearly to 0 if you decide to register Sandboxie, when other alternatives could not be afforded by your pockects.

[niche99]

VPC and VirtualBox are not a solution in that case to the malware problem, as the real system will become compromised when the malicious program is installed.

What Buster Sandbox Analyzer provides is a safe environment to test the software and get an opinion about if the software is or not malicious, something that VPC and VirtualBox can not do.

Buster Sandbox Analyzer does not provide a safe environment to test software, SandboxIE attempts to do that.

Anyone that thinks VPC, VirtualBox and Sandboxie provide a safe environment to test software (viz a viz malware behaviour) before installing it on a Live system are in for a BIG shock. Unless you can disassemble the software you are testing to understand exactly what it's behaviour is, malware writers can easily code for detection of VPC, VirtualBox and Sandboxie and others. The software will therefore exhibit no malware behaviour in those environments. Once you have been lulled into thinking the malware is clean and install it on your live system the malware comes to life.

Sure VPC, VirtualBox and Sandboxie may be useful tools, but they are by no means SAFE in themselves.
Saying or implying that Sandboxie provides a safe environment to test whether software is malware or not is reckless behaviour, especially by giving that advice to those who know no better.

[Buster_BSA]

Buster Sandbox Analyzer does not provide a safe environment to test software, SandboxIE attempts to do that.

That´s right.

The software will therefore exhibit no malware behaviour in those environments. Once you have been lulled into thinking the malware is clean and install it on your live system the malware comes to life.

That´s why I added countermeasures to hide Sandboxie from malwares. Did you notice them?

[niche99]

That´s right.



That´s why I added countermeasures to hide Sandboxie from malwares. Did you notice them?

Yes, I tested hidedriver, I am satisfied that I can still detect (programatically), that I'm running in a sandboxed environment.

My original statement stands. It is irresponsible to promote your application as a 'SAFE' environment to test malware.

[Wonko the Sane]

My original statement stands. It is irresponsible to promote your application as a 'SAFE' environment to test malware.

Well, if it isn't safe (or better said "safe enough") then:

• which is the use you propose of it (if any)?
• which is the alternative to it you propose?

In other words, what should the less knowledgeable users (or even more knowledgeable ones) do? please choose one:

• never install anything they cannot previously analyze
• never install anything
• always install everything blindly
• try installing first in a "virtual something" stoopidly thinking that the whatever something they chose is 100% safe
• try installing it in a "virtual something" knowingly thinking that the whatever something they chose is NOT 100% safe

If I get it right you are saying that this thread somehow "tricks" people in #4 whilst they should be in case #5, and you suggest to be in case #1 or #2


Wonko

[niche99]

Well, if it isn't safe (or better said "safe enough") then:

* which is the use you propose of it (if any)?
* which is the alternative to it you propose?

I don't intend to use it. I presonally, have no need to use it.
I am not proposing any alternative methods, others here have detailed their personal preferences as alternatives. I have my own security and recovery regime that I'm happy with.

If I get it right you are saying that this thread somehow "tricks" people in #4 whilst they should be in case #5, and you suggest to be in case #1 or #2

What individual users decide to do with their computers is up to them. I am not advising them to do one thing or another, the choice is theirs, BUT it should be an informed choice, and the information they are given should be accurate. If they want to use Buster Sandbox Analyser and many other analysis and security tools, I have no problems with that.

I am simply stating that it is irresponsible to promote an application as a 'safe' environment to test for malware behaviour, as it encourages less knowledgeable users to take ill informed risks in the mistaken belief that their data is safe.

As an aside, what kind of software would lead you test it in such a fashion? Most likely, software obtained from a dubious or disreputable source. Would we be talking about warez? If you are unsure about the software and have reason to suspect it is malware, why play with fire in the first place? Should you not have sought other sources of information about the software in question before considering installing it?

[Buster_BSA]

Yes, I tested hidedriver, I am satisfied that I can still detect (programatically), that I'm running in a sandboxed environment.

My original statement stands. It is irresponsible to promote your application as a 'SAFE' environment to test malware.

It´s not only hidedriver, you must inject LOG_API too.

Did you do it?

Meanwhile you can not probe that it´s not safe, then it´s safe.

Do you have proofs that it´s not safe?

[Wonko the Sane]

I am not proposing any alternative methods, others here have detailed their personal preferences as alternatives. I have my own security and recovery regime that I'm happy with.

Well, that's what I was asking, of course if it's a trade secret or however you feel like not telling us what you are using, you are perfectly free not to.

To recap:

• Nuno asked Buster_BSA to post here about his/her program
• Buster_BSA started the saga about this app, initially NOT posting a link to the app
• This unconventional approach was criticized by a few people (including niche99)
• Buster_BSA explained his approach, explaining how, being an "advanced tool" it was NOT aimed to the "casual user", and that that was the reason why he didn't post a link in first place:
  http://www.boot-land...?...=10679&st=9
• but however (not such a difficult thing, less than 30 seconds of google) the link to the app "was leaked"
• Then he is criticized because his app requires the use of a "base" program that may be Shareware <-this issue is solved now .
• Then he is criticized because he posted about the app without enough warnings

Maybe you are a bit too early in your current critique:

Hi.

I will start talking about Buster Sandbox Analyzer and I will write about the tool several posts because there are many features and options.

......

Conclusion: BSA's evaluation system is pretty irrelevant. We, with our experience, must be the real evaluation system. Probably takes some time to learn but it's worth.

Next day I will talk about how to install BSA and about a few things we must consider before using BSA.

We are not even at the episode in which we install it, and well before attempting to use it, and you are already whining about irresponsability and lack of related warnings?

Let's make it like this:
DON'T EVENT THINK to install and use this program until ALL the episodes will have been posted AND anyway keep in mind that you are the only one responsible for anything that may happen as a consequence of the use of this program, that you should NOT use unless you have fully understood not only the way this program works but also all the theory behind it.

Would this be OK as a warning and allow to go on?


Wonko

[niche99]

It´s not only hidedriver, you must inject LOG_API too.

Did you do it?

Yes.

I am not beta testing a program I am not going to use and as such I don't need to provide proof. I can see all sandboxie processes and also BSA process from inside the sandbox. I just wanted to satisfy my own curiosity, and I have.
As I have already said if others want to use your program that's fine by me. But please don't tell people it's a safe environment.

[Buster_BSA]

Wonko: If I have not written more episodes it´s because I´m getting critics before the program has been explained and discussed. What´s the point of this?

I read things like "I am satisfied that I can still detect (programatically)" when he didn´t install everything properly.

I read things like Sandboxie + BSA is not safe, but I don´t see any proof of such claim.

I start to wonder if it´s worth to continue discussing the tool here or if it´s better that if anyone wants to know more about it he goes directly to Sandboxie´s forum where the development thread is. There people is much more receptive and fair in their critics.

[Buster_BSA]

I am not beta testing a program I am not going to use and as such I don't need to provide proof. I can see all sandboxie processes and also BSA process from inside the sandbox. I just wanted to satisfy my own curiosity, and I have.
As I have already said if others want to use your program that's fine by me. But please don't tell people it's a safe environment.

First: BSA is not in beta phase so you don´t beta test it.

Second: Of course you must provide proofs if you want people believe you.

Third: You must probe it´s not a safe environment. The easy is to say that it´s not safe but things don´t work like that. It´s not "guilty until proben innocent". It´s "innocent until proben" guilty.

Meanwhile you don´t present proofs that Sandboxie is not a safe environment you are just blah, blah, blahing...

[niche99]

I read things like "I am satisfied that I can still detect (programatically)" when he didn´t install everything properly.

I am curious, how do you know that I didn't install everything properly?

Meanwhile you can not probe that it´s not safe, then it´s safe.

This is naïve logic.

Third: You must probe it´s not a safe environment.

I assume you do read the sandboxie forums, especially the Open Issues? So I guess these people are just blah, blah, blahing...

From your own website:

As any other security software Sandboxie is not 100% bullet proof. Take the measures you consider necessary to avoid OS corruption/infection. I suggest a disk image solution.

Yet you say on these forums that it provides a safe environment.

[Wonko the Sane]

Wonko: If I have not written more episodes it's because I'm getting critics before the program has been explained and discussed. What's the point of this?

Yep , what I am trying to do is just to hopefully help in keeping this thread as "plain" as possible, avoiiding a fight, not that they are not nice (the fights I mean ), but I think that right now they are unneeded as most users are simply confused by them.

What I am proposing is a time-out until you will have had the time to post the complete set of episodes of the saga, this way there will be all the explanations at the top and all the questions/critics/discussions/additions/clarifications at the bottom, that is how a "normal" thread should be.

I personally don't like the approach in which people make critics without giving evidence of their claims, but cannot do anything about it, if not asking everyone to please be kind and either say what they want to say AND give some support to it or shut up and wait until we have more data.

niche99 has expressed his/her opinion, has apparently satisfied his/her curiosity, he/she now claims to be not interested further to this topic, let's go on, just assume that you got no critics from him/her .

Again personally, I wouldn't give too much weight on unsustained by proofs/details claims, if you want to discuss the critics you had, you will need some data which has not been given AFAIK, so I guess it would be pointless to reply to them.

I guess everyone has now taken note of the opinions and claims by niche99 and just as he/she had the freedom to express them, each one has the freedom to choose whether to trust them and avoid reading further or continue trying to understand some more details about your app, but if you stop writing about it to "fight back" or abandon the thread, many people will get the impression that the critics were founded.

@niche99
Ok, your point is very clear, I don't think there is any need to beat the poor dead horse, can we go on?



Wonko