Old BSA thread

Hi!

I would like to introduce Buster Sandbox Analyzer, a malware analysis tool.

Buster Sandbox Analyzer website is: http://bsa.isoftware.nl/

And the package can be directly downloaded from: http://bsa.isoftware.nl/bsa.rar

A historial of changes is available here: http://bsa.isoftware.nl/frame8.htm

First a bit of background is required to understand the power of this kind of technology.

First PC viruses appeared around 1989-1990. In that days just a few persons in the world were writing that kind of software.

In the middle of 90´s virus writing became a kind of art. The best virus writers of the world formed groups like VLAD, Immortial Riot, 29A, The CodeBreakers, etc.

In that period the amount of viruses being produced every year was very small, that´s why antivirus company decided to detect the menaces using the pattern detection technology. This technology is based in looking for groups of bytes inside binaries. The technology was suitable for many years due the production of viruses was very low and spaced in time. AV researches had enough time to analyze new viruses because just a few new specimens were arriving to antivirus laboratories.

From year 2000 to nowadays things changed. If virus writing was an activity reduced to a few people in the world, after year 2000 malware writing became a business. This change was produced due the popularity that Internet got all over the world. Cyber criminals saw an opportunity of getting money hacking computers, stealing bank information, etc., from inexpert computer users.

If in the past AV laboratories were receiving a few new specimens every day, now AV laboratories are overloaded. Actually the pattern detection technology is insufficient because many new malware appears every day and it´s not possible for antivirus laboratories to analyze everything.

With Internet we have a big advantage. We can scan files not only with the antivirus we have installed locally in our computer. We can submit files for analysis to services like Virus Total (http://www.virustotal.com) where the files will be analyzed by dozens of antivirus scanners.

Apart of pattern detection, antivirus companies have used other detection technologies in the past. The most famous would be the heuristics.

Heuristic is a technology that allows to detect menaces without the use of known patterns. The problem is that with the use of file encryptors, compressors, etc., the detection efficiency decreases.

Other malware approach, the one that Buster Sandbox Analyzer uses, is the behaviour analysis. How does this technology works? The file to analyze runs and actions are monitorized. When file stops running all the actions are analyzed and depending of what was done we will be able to say if the file acts like a malware or not.

Of course, this technology is not the grial. Actually there is no 100% malware detection technology and never will, but behavioural detection is a good technology.

If it´s good, why is not being used by antivirus?

Well, there are several problems. As any malware detection technology it has the problem of the false positive and false negative detections. A false positive is when a harmless software is detected like a menace and a false negative is when a dangerous software is not detected.

Pattern detection technology has a low false positive ratio but a medium-high false negative ratio. Heuristics and behavioural detection technologies have a medium-high false positive ratio and a medium-low false negative ratio.

Other problem with behavioural detection technology is that the file to analyze must be run in order to analyze actions. How to run safely a suspicious file? This problem has been solved recently with the use of sandboxes. A sandbox is a security mechanism for separating running programs, so their actions don´t affect the whole system.

So, with what detection technology to stay? The best solution is the combination of all technologies: Use an antivirus with traditional pattern detection technology (using a service like Virus Total is also recommended) and use an behavioural analysis tool.

As introduction is enough. On next message I will talk more deeply about behavioural analysis and sandboxing technologies.

Regards.

Hi Buster_BSA

Thanks for the good info and welcome to the board

Today I will comment briefly about sandboxing and behavioural technologies. They are the base of Buster Sandbox Analyzer so it´s important to understand how they work to understand how Buster Sandbox Analyzer works.

As I commented in the previous message, a sandbox is a security mechanism for separating running programs. Basically what this technology does is intercept (detours) write operations using a driver.

This means sandboxed software, instead writing to real disk folders, registry, etc, writes to sandboxed folders. This is easier to say than to do it, but it´s pretty simple, isn´t it?

Behavioural malware detection is also simple in theory. This technology analyzes the actions (file operations, registry operations, port connections, etc) and tries to determine if they are malicious.

We must understand that there are no good and bad actions. That´s why behavioural is not an exact science.

Is trustable or is malicious if a program opens a connection to other computer? And copy a file to Windows folder? Trustable applications take these actions all the time, so how is decided if they are good or they are bad? It´s the user who will decide if they are trustable or not.

Let´s imagine we download a sofware to view videos and it opens a port at 31137. Is logic this action? No, it´s not, so we must consider the software as a threat.

Behavioural technology involves the user in the detection process. We must learn to know what´s right and what´s wrong with certain actions. This takes some work, but it´s the price to pay to reach a point where traditional antivirus software can not reach.

Next day I will talk about Sandboxie (http://www.sandboxie.com), the software providing sandboxing technology to Buster Sandbox Analyzer.

Regards.

Thanks for the good info and welcome to the board

Thank you very much!

I was directed to this topic by an email from Bootland stating that a new security tool was available.

And this week we also saw a new tool being present that is called "Buster Sandbox Analyzer". This is really useful when you suspect that your computer is not behaving as it should.


It's a behavioral antivirus, developed by a community member which I really recommend giving a try:
http://www.boot-land...showtopic=10679

So far I have not seen a link to this tool, nor have I been told anything I didn't already know.
This is looking like an advert for Sandboxie so far.

@Buster_BSA
If you have new security tool you want to share then make it available from day 1 and then feel free to discuss some history and background all you want, not the other way around.

Thanks for the excellent post.

Thanks a lot Buster_BSA.

"Yours" Tool Box seems to be a Powerfull Viruses, Troijans, and others Malware scanner dector and so "We" hope You post a link to us make a "clear' download.

by this way I just say one more time thank You Very Much!

Leonam

I am a bit disappointed to find myself directed to a thread which is mere discussion of a principle.
Where is the "newly developed tool we are asked to download & try".
This sort of thing reflects badly on BootLand & IMHO an explanation is needed.

Peter O

Well.. don't really know why the link is not present on the first post. Must have been a lapse from the author (to err is human..)

But you guys can google and easily find it: http://www.google.co...=buster sandbox

The homepage is found at http://bsa.sandboxie.info/

Have fun!

Edited by Nuno Brito, 14 March 2010 - 03:54 AM.

I didn´t add a link because I considered it would be a mistake to put a link and let people that don´t know anything about sandboxing and behavioural analysis play with the tool from the beginning.

I have had enough negative experiences with users that didn´t understand the concept and that didn´t read BSA´s manual to learn that lesson.

Anyway nobody needs a link in this post to find the tool if he wants.

That aseems like weird logic to me.
You could have explained the method is advanced if you felt there were some risks.
And who is to say who might wish to take the next step.
Even I was considering trying the SW but I'm turned off now.

Peter O

From the website:

Buster Sandbox Analyzer will run on any computer where Sandboxie is installed and working.

Buster Sandbox Analyzer is free of charge. You just must pay for a Sandboxie license which is very cheap and it´s lifetime.

Yes, I can see why you didn't give a link in the first place.
If my reading of the above quotes are correct, this tool is really only of use and interest to Sandboxie users and not to the wider community, as I don't see a use for Sandboxie in a PE environment.

Yes, I can see why you didn't give a link in the first place.
If my reading of the above quotes are correct, this tool is really only of use and interest to Sandboxie users and not to the wider community, as I don't see a use for Sandboxie in a PE environment.

You can see why I didn´t give a link in the first place in one of my replies in this post.

I was invited by Nuno Brito to talk about my tool in this forum. I was not told about PE environments or anything else.

The tool is of use and interest to anyone that wants to analyze files, Sandboxie installation is just a requirement. If you don´t like it, just don´t use it, but I don´t think I or anyone else is interested in knowing why you don´t want to use it. If every user of this forum put a post to say why he doesn´t want to use my tool this topic would be the one with more replies.

That aseems like weird logic to me.
You could have explained the method is advanced if you felt there were some risks.
And who is to say who might wish to take the next step.
Even I was considering trying the SW but I'm turned off now.

You have your logic and I have mine. If all the people think the same the world would be very boring. Apart, I have experience supporting my tool and you don´t, so probably I know better how to introduce my tool than you.

I didn´t say to anyone he can not take the next step, did I? Instead you are saying me how I must introduce my tool. A bit contradictory, isn´t it?

Your last sentence make you to appear like an annoyed 5 years old boy. Grow up.

Hi.

Ignoring the critics (they are always welcome, but this time they not shared) I will continue with my introduction to Buster Sandbox Analyzer.

Before presenting my tool I must talk about Sandboxie (http://www.sandboxie.com), the environment used to run safely the files to analyze.

From a technical point of view the hard work, which is containing possible infections, is done by Sandboxie. Sandboxie allows us to run a file and avoid that it writes files to our hard drive or makes modifications to the registry. All these changes are done in a sandbox. A sandbox is just a folder in a hard disk which contains the files that otherwise would be written in other locations like Windows folder, Program files folder, or wherever.

So we must understand that Sandboxie protects our system from modifications but these modifications are redirected to other location on disk: the sandbox folder.

We must understand this because an antivirus may detect a malware inside sandbox folder and someone may think that Sandboxie didn´t do its work. That´s wrong. The sandbox folder is a protected folder and the place where sandboxed files are saved.

Sandboxie doesn´t overload the system and it doesn´t take much system resources.

Before using Buster Sandbox Analyzer is necessary to know how to use Sandboxie in basic terms. It´s not necessary to know how to configure every option, it´s required to know how to start sandboxed a program, how to terminate sandboxed processes, ...

I will not write a tutorial for Sandboxie as there is enough information already in internet about that.

Next day I will start talking about Buster Sandbox Analyzer.

The problem is that the product you promote isn't free, that makes it an infomercial. I'm surprised Nuno asked you to promote a commercial product here, I actually thought that was against forum rules. Next time, make it clear up front that your wishing to sell a product and there won't be any mis-understanding of this sort.

The problem is that the product you promote isn't free, that makes it an infomercial. I'm surprised Nuno asked you to promote a commercial product here, I actually thought that was against forum rules. Next time, make it clear up front that your wishing to sell a product and there won't be any mis-understanding of this sort.

I consider you are wrong. Sandboxie can be used without paying anything.

Quoted directly from http://www.sandboxie...p?FAQ_Licensing

Q. Is Sandboxie freeware or shareware?

* A. Sandboxie is shareware software. The free version is missing a few features which are available in the paid version. After 30 days of use, the free version displays reminders to upgrade to the paid version, but remains functional.

In order to use Buster Sandbox Analyzer is not required any of the features you enable when get the paid version. That´s why I consider you are wrong.

I´m here to talk about BSA, not Sandoxie, so this is not any informercial.

I was invited to join this community and talk about my tool. I didn´t join for any personal interest. I joined because Nuno Brito helped with my tool and asked me to talk about it.

I don´t pretend to sell any product. I don´t get any beneffit if a license of Sandboxie is sold. I make the request that if someone likes BSA buys Sandboxie because tzuk, author of Sandboxie, has been so nice to make some necessary changes in his product to make BSA possible.

Hey peeps, why don't you take it easy ?

There are already other areas of the board where fights are being carried, right now.

It seems to me like there have been a few misunderstandings, and misunderstandings tend to create a conflictual environment, for which I see no actual grounds till now.

I personally like the "serial" approach, and I am waiting for next episode where we will be given yet more info.

I presume that before the end of the week we will have, fragmented in a miriad of posts, all the info that could have been written in a single loooong post that noone would have read, or read properly.



Wonko

I presume that before the end of the week we will have, fragmented in a miriad of posts, all the info that could have been written in a single loooong post that noone would have read, or read properly.

I could have written a remix of BSA´s PDF but I prefered to write new stuff.

As you say, I could have written a post of 300 or 400 lines that almost nobody would have readed until the end or readed properly.

I considered it´s better to split concepts and write about them in different days so people can read carefully and get more information if they want. Not to mention that I have a family, a work, I continue developing BSA, etc, and I don´t have all the time I would wish to write in the forums. When I´m writing this post is 1:10am and I wake up at 7:45am.

I´m happy that someone shows some common sense.

As you say, I could have written a post of 300 or 400 lines that almost nobody would have readed until the end or readed properly.

Here, I'll sum it up for you: "Buster Sandbox Analyzer will run on any computer where Sandboxie is installed and working."

I've read the complaints of people who tried to use the 'free' version and have tried it myself, not a classy program (imo).

To say that this entire thread has been dishonest is an understatement but as long as people know that you are only promoting a product that works if you pay for it, that's fine! I guess we're selling products on the forum now, good to know.

Here, I'll sum it up for you: "Buster Sandbox Analyzer will run on any computer where Sandboxie is installed and working."

I've read the complaints of people who tried to use the 'free' version and have tried it myself, not a classy program (imo).

To say that this entire thread has been dishonest is an understatement but as long as people know that you are only promoting a product that works if you pay for it, that's fine! I guess we're selling products on the forum now, good to know.

What´s up? Didn´t you read that Sandboxie + Buster Sandbox Analyzer can be used without paying anything?

You are the dishonest for repeating a lie.

In BSA´s manual I wrote:

Buster Sandbox Analyzer is freeware. If you like this software, please, buy a license of Sandboxie.

I don´t say "you must" or "you have to". Buster Sandbox Analyzer and Sandboxie will work even if you don´t buy a license.

So all these guys telling that I´m promoting a product that works if you pay for it are lying.

I don´t know if they lie on purpose or because they talk from the ignorance.

What´s up? Didn´t you read that Sandboxie + Buster Sandbox Analyzer can be used without paying anything?

You are the dishonest for repeating a lie.

This is a silly discussion, a 'free trial' is not the same as a free tool (sorry if that's complicated). People can go to the site and get the details for themselves to determine which one of us is being dishonest. I also encourage them to read reviews of those that tried to continue use of the 'free tool' beyond the trial period. like I said, not very classy.

This is a silly discussion, a 'free trial' is not the same as a free tool (sorry if that's complicated). People can go to the site and get the details for themselves to determine which one of us is being dishonest. I also encourage them to read reviews of those that tried to continue use of the 'free tool' beyond the trial period. like I said, not very classy.

Just tell me: What did I say that could make me dishonest? Please, quote my words.

And we now apparently invite posters, who if they read the rules, might not be so quick to take offence & offer advice such as "grow up child".
I could care less about such "I'm always right, don't argue" attitudes, but to find after several site visits, that we are receiving "serialised" material is a bit much, particularly since no warning was given.
Worse still the excuse is we probably would not have read a longer initial post.
This feels like the hand of god approach.
Peter O