I will start talking about Buster Sandbox Analyzer, and I will write several posts about the tool because it has many features and options.
I must say that Buster Sandbox Analyzer is not for computer newbies. Using the tool requires medium to advanced computer knowledge.
The official page of the tool is: http://bsa.sandboxie.info/
The latest version of the tool can be downloaded from: http://bsa.sandboxie.info/bsa.rar
The development forum can be reached here: http://sandboxie.com...opic.php?t=6557
What's Buster Sandbox Analyzer? A behavioural analyzer whose purpose is to evaluate whether sandboxed applications behave maliciously.
What's evaluated? File changes, registry changes, port connections and system actions.
A file change is the creation, deletion or modification of a file.
A registry change is the creation, deletion or modification of registry keys and values.
As port connections, BSA considers opening a local port or connecting to another computer.
System actions are a variety of things such as: trying to shut down or restart the computer, ending Windows sessions, creating or starting a service, logging keystrokes, ...
When an application performs one or more of these actions it will be considered malicious, but we must keep in mind that there are no inherently good or bad actions. This is very important to understand.
Is it bad that a file is copied to the Windows folder? Normal applications do it all the time.
Is it bad that a program tries to connect to the internet? Many trustworthy programs do it.
Therefore the user's evaluation matters more than BSA's evaluation. We must learn to recognise when an action is expected from a given program and when it is not.
Let's say we analyze mIRC, the IRC client. We install mIRC and connect to a server. BSA will report that the sandboxed application dropped files into Program Files, connected to the internet, ... so it will be reported as highly suspicious.
But we, knowing that mIRC is supposed to do that, should not consider it suspicious.
Now let's say we analyze a keygen, and this keygen opens port 31173, connects to the internet, drops a file into the Windows folder and modifies the registry. BSA will report it as highly suspicious.
Is a keygen supposed to open ports, connect to the internet, drop files into the Windows folder and modify the registry? Modifying the registry may be fine, but the rest is really suspicious, so we must agree with BSA's evaluation.
Conclusion: BSA's evaluation system on its own is pretty irrelevant. We, with our experience, must be the real evaluation system. It will probably take some time to learn, but it's worth it.
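The mIRC versus keygen comparison above can be turned into a small triage script. What follows is an added example written for this post, not code from Buster Sandbox Analyzer: it scores a behaviour report two ways, first with a context-free score that flags both programs as highly suspicious, then against an "expected behaviour" profile for the kind of program being analyzed, so that only the actions a keygen has no business performing are left for the analyst to look at. The report line format, the action names, the profiles and the two sample reports are all constructed for the illustration and are not BSA's own output.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Action:
    category: str  # "file", "registry", "network" or "system"
    op: str        # e.g. "create", "modify", "delete", "connect", "listen"
    target: str    # file path, registry key, "host:port" or a short description


def parse_report(text):
    """Parse 'category|op|target' lines into Action objects.

    This line format is assumed for the example; it is not BSA's report layout.
    """
    actions = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        category, op, target = (part.strip() for part in line.split("|", 2))
        actions.append(Action(category, op, target))
    return actions


# Context-free scoring: every category counts, regardless of which program
# performed the action. This is what makes mIRC and a keygen look alike.
NAIVE_WEIGHTS = {"file": 1, "registry": 1, "network": 2, "system": 3}


def naive_verdict(actions):
    """Verdict from the weighted count of actions alone."""
    score = sum(NAIVE_WEIGHTS[a.category] for a in actions)
    if score >= 5:
        return "highly suspicious"
    if score >= 2:
        return "suspicious"
    return "clean"


# Expected-behaviour profiles: (category, op glob, target glob) describing what
# is normal for this kind of program. The values are assumed for the example;
# in practice they come from a known-good run of the same type of software.
PROFILES = {
    "irc_client": [
        ("file", "*", r"C:\Program Files\mIRC\*"),
        ("registry", "*", r"HKCU\Software\mIRC\*"),
        ("network", "connect", "*:6667"),
        ("network", "connect", "*:6697"),
    ],
    "keygen": [
        # Writing a licence value under the user's own hive is plausible.
        ("registry", "*", r"HKCU\Software\*"),
    ],
}


def is_expected(action, profile):
    """True if some profile entry covers this action's category, op and target."""
    return any(
        action.category == category
        and fnmatchcase(action.op, op_glob)
        and fnmatchcase(action.target, target_glob)
        for category, op_glob, target_glob in profile
    )


def unexpected_actions(actions, profile_name):
    """Actions that fall outside what this kind of program should do."""
    return [a for a in actions if not is_expected(a, PROFILES[profile_name])]


def contextual_verdict(actions, profile_name):
    """Verdict based only on the actions the profile does not explain."""
    unexpected = unexpected_actions(actions, profile_name)
    if not unexpected:
        return "consistent with profile"
    if any(a.category in ("network", "system") for a in unexpected):
        return "highly suspicious"
    return "suspicious"


# Constructed sample reports (not real BSA output). File names, hosts and
# registry paths are made up for the illustration.
MIRC_REPORT = r"""
file|create|C:\Program Files\mIRC\mirc.exe
file|create|C:\Program Files\mIRC\mirc.ini
registry|create|HKCU\Software\mIRC\UserName
network|connect|irc.example.net:6667
"""

KEYGEN_REPORT = r"""
registry|create|HKCU\Software\SomeApp\License
file|create|C:\Windows\svchost32.exe
network|listen|0.0.0.0:31173
network|connect|203.0.113.7:31173
"""


if __name__ == "__main__":
    for name, report, profile in (("mIRC", MIRC_REPORT, "irc_client"),
                                  ("keygen", KEYGEN_REPORT, "keygen")):
        actions = parse_report(report)
        print(f"{name}: naive={naive_verdict(actions)}, "
              f"contextual={contextual_verdict(actions, profile)}")
        for a in unexpected_actions(actions, profile):
            print(f"  unexpected: {a.category} {a.op} {a.target}")
```

Run as-is, the naive score calls both reports "highly suspicious", while the profile-based review clears mIRC entirely and reduces the keygen report to three lines: the file dropped into the Windows folder, the listening port and the outbound connection on 31173. That shortlist is exactly what the analyst has to judge; the profile is only an allowlist of behaviour already understood, and every program type needs its own.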
In the next post I will talk about how to install BSA and about a few things we must consider before using BSA.