Norman Sandbox


I_lack_commonsense
August 19th, 2003, 05:58 PM
Hi

I have recently been reading about Norman AV. Mainly about its sandboxing feature http://www.norman.com/technical_sandbox_faq.shtml . From the description, I was wondering if this is at all similar to unpacking, and if they are in any way comparable, in this regard?

Norman also seems to do quite well in VB tests, especially on the Windows platform.
http://www.virusbtn.com/vb100/archives/products.xml?norman.xml

raman
August 20th, 2003, 02:54 AM
AFAIK Sandbox means that Norman "creates" its own new computer environment where Norman starts the file it wants to analyse and then decides if it is malware or not. But it is not able to search with signatures inside the sandbox. It is more a heuristic than a generic unpacker.
The second problem is that activating "sandbox" really slows down the scanning and sometimes makes the scanner unstable.
Test it on your own to see if it fits your requirements.


Like you said: the ITW detection seems to be good.

Madsen DK
August 20th, 2003, 12:06 PM
Depends on your system, I guess.
I trialed NVC a while ago, and I had no noticeable slowdown, but this AV is a little expensive IMO.
Regards
Ole :)

Technodrome
August 20th, 2003, 12:40 PM
I was hoping that NVC will stop Blaster by using "sandbox" but it didn't. :(


tECHNODROME

Madsen DK
August 20th, 2003, 01:03 PM
Perhaps this Sandbox technology isn't as advanced as I thought ???
Regds.
Ole

Technodrome
August 20th, 2003, 01:37 PM
Well, they claim "sandbox" has been able to identify some of the big threats, such as Bugbear, Klez, Yaha, Sobig etc. Don't know, maybe there is a future for this concept. It sounds good though...


tECHNODROME

Madsen DK
August 20th, 2003, 01:55 PM
It sure does.

_anvil
August 20th, 2003, 05:54 PM
Although I think raman explained the sandbox concept well, I'd also say that there is not a very big difference between this heuristic sandbox and a 'real' unpacking engine, which is normally based on an emulated environment, too (KAV, McAfee, ...).

So I'd imagine, that it wouldn't be too hard to add a signature-based scan in this (yet purely heuristic) sandbox, which would result in a combined heuristic and unpacking sandbox... ::)

But note, that a sandbox/emulation can't possibly be used for _every_ scanned file, because that would be far too slow (as mentioned above.)
That's why sandboxing is only used for certain files, which are in some way 'suspicious' to the scanner.
With regards to 'unpacking', this means that the packing/crypting format normally has to be 'known' to the AV scanner, so that it is able to unpack it... (e.g. Kaspersky is continuously adding 'detection' of new packers/crypters to their database, as you can see in almost every weekly update overview.)

Therefore, I wouldn't call an emulation-based unpacking engine automatically a 'generic unpacker'... ;)

Technodrome
August 20th, 2003, 11:11 PM
Sandbox is a totally closed environment, but unpacking is usually done in your temporary folders... Plus there is no need for adding support for new packers.
Sandbox is able to watch the behaviour of an infected file; unpackers are not.


tECHNODROME

NVC on my 2 GHz P4 with sandbox enabled runs faster than KAV, McAfee, Avast Pro, F-Secure, AVK and Norton.

_anvil
August 21st, 2003, 06:23 PM
{QUOTE-> Sandbox is totally closed environment but unpacking it's done usually in your temporary folders... <-QUOTE}

Yes, but some "advanced" AVs are unpacking runtime-compressed/crypted files via emulation, right? (as emulation is also used for 'decrypting' polymorphic viruses, this is obviously not a too bad idea...)

Well, and Norman's Sandbox is also based on emulation - that's why I think, it shouldn't be too difficult to 'expand' their technique to unpack packed/crypted files.


{QUOTE-> Plus there is no need for adding support for new packers. <-QUOTE}

Are you now referring to unpacking emulators?
If the AV emulates _every_ file from the "beginning to the end", then probably not, but since the scanner would be too slow this way, it has to decide _which_ files to emulate and how 'long'... that's why, I think, AVs need to have special corresponding 'rules' for most 'new' packers/crypters.

If that's wrong, why would Kaspersky constantly add support for new packers/crypters? ???

Technodrome
August 21st, 2003, 11:21 PM
_anvil

Please read this write-up from Kurt Natvig (Norman) about the technique used by the NVC sandbox.
http://secinf.net/uplarticle/20/Sandbox2_vb2002.pdf

I am pretty sure that you can find an article about unpacking engines (such as KAV's).

Compare these two and see the difference...


tECHNODROME

_anvil
August 22nd, 2003, 08:08 AM
Thanks, Technodrome, I didn't know this (part of the) article - I had only read the first part, available here:
http://www.norman.com/documents/nvc5_sandbox_technology.pdf :)

So I think, we have enough information about Norman's Sandbox (and from what I see, we both have totally agreed on how it works :) ) - but there seems to be confusion about how a proper unpacking engine (KAV, McAfee,...) works in detail (does it use emulation, like a Sandbox, or not?)
Can you provide additional information or links on this matter (unfortunately, I haven't found any)?

There is one interesting paragraph in 'your' part of Norman's article, called "COMPRESSED EXECUTABLES":
{QUOTE-> Speed is the only problem, since it requires emulation of millions of instructions to decompress large compressed executables. With an average speed of one million instructions emulated per second (on an average desktop - PIII 700 MHz), this isn't the preferred way of decompressing these executables, but it can be done if the engine doesn't support the format. If an external handler knows how to decompress the executable, they should do this before the decompressed executable is inserted into the sandbox to save CPU cycles. <-QUOTE}

Imho, this somewhat confirms, what I wrote above: it should not be such a big deal to use the Sandbox for unpacking purposes - but according to Norman, it isn't the "preferred" way, because it's too slow (well, for Norman the preferred way is obviously doing (almost) _nothing_ about unpacking of packed/crypted files, according to different tests... ::) )

So, how is e.g. KAV doing its (outstanding) unpacking job?
Does it use special unpacking routines for every supported packer/crypter? Does it only use emulation, when the "static unpacking" didn't work? Does it use emulation at all? ???

Kurt Natvig
October 15th, 2003, 05:20 PM
Hi, The sandbox is a closed simulated computer that runs our Win32 compatible OS. When enabled it puts every executable file into this simulated computer and lets it go. During the last month or so we have detected new strains and new viruses almost every day (e.g. W32/Swen.A was detected before we knew about it). We detected two new strains of W32/Blaster just based on the exploit (port 135). 3 new w32/Yaha variants, modified LoveGate's etc etc. It does unpack most PE compressors, like UPX, Petite, ASPack and even tELock. Working on ASProtect. It emulates through them, and the sandbox doesn't really know they are compressed at all. The sandbox is under constant development and will be updated and updated, but compared to "normal" techniques it doesn't search for anything. Another strength of the sandbox is that it creates a short description of the virus on the fly so you get an idea what it is in plain text.
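The thread circles around three points: an emulator decodes a packed executable without knowing the packer (Kurt's "the sandbox doesn't really know they are compressed at all"), a signature scan could be run over the emulated memory afterwards (_anvil's "combined heuristic and unpacking sandbox"), and the whole thing is bounded by how many instructions you are willing to emulate (the "how 'long'" question and Norman's "millions of instructions" remark). The following Python is an added toy example written for this thread; it is not Norman's, Kaspersky's or any real AV engine's code. It invents a tiny instruction set, a constructed "packed" image whose decoder stub XORs a payload in place, a sandbox with an instruction budget that also logs the payload's simulated API calls, and a signature check that is run once statically over the file and once over the emulated memory. All opcodes, the key, the signature bytes and the API names are constructed for the example.

```python
"""Toy emulation-based unpacker with a post-emulation signature scan (added example)."""

# Constructed instruction set: 1-byte opcode followed by fixed operand bytes.
HALT, MOV, XOR_MEM, INC, DEC, JNZ, JMP, API = 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x20
API_NAMES = {1: "write_file", 2: "listen_socket"}   # constructed behaviour ids
MEM_SIZE = 256

# Constructed plaintext payload: one simulated API call, HALT, then a data string
# that serves as our "signature". In the packed image it is XOR-encoded with KEY.
SIGNATURE = b"MAL!"
PAYLOAD = bytes([API, 2, HALT]) + SIGNATURE
KEY = 0x5A
PAYLOAD_OFFSET = 64
LOOP_OFFSET = 9          # byte offset of the XOR_MEM instruction in the stub


def build_packed_image():
    """Decoder stub at offset 0 XORs the payload in place, then jumps into it."""
    stub = bytes([
        MOV, 0, PAYLOAD_OFFSET,      # R0 = address of first encoded byte
        MOV, 1, len(PAYLOAD),        # R1 = remaining byte count
        MOV, 2, KEY,                 # R2 = key
        XOR_MEM, 0, 2,               # loop: mem[R0] ^= R2   (offset 9)
        INC, 0,                      # R0 += 1
        DEC, 1,                      # R1 -= 1
        JNZ, 1, LOOP_OFFSET,         # while R1 != 0 goto loop
        JMP, PAYLOAD_OFFSET,         # transfer control to the decoded payload
    ])
    image = bytearray(MEM_SIZE)
    image[:len(stub)] = stub
    encoded = bytes(b ^ KEY for b in PAYLOAD)
    image[PAYLOAD_OFFSET:PAYLOAD_OFFSET + len(encoded)] = encoded
    return bytes(image)


def emulate(image, max_instructions):
    """Run the image in an isolated memory until HALT, a fault, or the budget is spent.

    The emulator has no idea the payload is "packed": it simply executes the stub.
    Returns (memory, behaviour events, instructions executed, halted flag).
    """
    mem = bytearray(image)
    regs = [0, 0, 0, 0]
    pc, executed, events, halted = 0, 0, [], False
    while executed < max_instructions and pc + 2 < MEM_SIZE:
        op = mem[pc]
        executed += 1
        if op == HALT:
            halted = True
            break
        elif op == MOV:
            regs[mem[pc + 1]] = mem[pc + 2]
            pc += 3
        elif op == XOR_MEM:
            mem[regs[mem[pc + 1]]] ^= regs[mem[pc + 2]]
            pc += 3
        elif op == INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF
            pc += 2
        elif op == DEC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] - 1) & 0xFF
            pc += 2
        elif op == JNZ:
            pc = mem[pc + 2] if regs[mem[pc + 1]] != 0 else pc + 3
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == API:
            # The sandbox observes behaviour instead of searching for bytes.
            events.append(API_NAMES.get(mem[pc + 1], "unknown"))
            pc += 2
        else:
            break            # illegal opcode: treat as a fault and stop
    return bytes(mem), events, executed, halted


def analyse(image, budget):
    """Static signature scan of the file, then emulation followed by a memory scan."""
    mem, events, executed, halted = emulate(image, budget)
    return {
        "static_hit": SIGNATURE in image,    # scanning the packed bytes finds nothing
        "dynamic_hit": SIGNATURE in mem,     # scanning emulated memory after the stub ran
        "events": events,
        "executed": executed,
        "halted": halted,
    }


if __name__ == "__main__":
    packed = build_packed_image()
    print("generous budget:", analyse(packed, 200))
    print("tiny budget:   ", analyse(packed, 10))
```

With a generous budget the stub finishes (34 instructions here), the signature appears in emulated memory and the behaviour log shows `listen_socket`; with a budget of 10 the decoder is cut off after one byte, so neither the memory scan nor the behaviour log sees anything, which is exactly why a scanner has to decide which files to emulate and for how long.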