Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I'm a little busy with college, but I will try soon.
     
  2. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    I will go back to testing again, but I am on strike waiting for this feature :D

     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.67.

    Changes:

    + Improved “[File_Strings]” section at BSA.DAT
    + Added “[Custom_LogAPI_Entries]” section to BSA.DAT
    + Added support for wildcards in RegistryExclude.TXT
    + Added support for Hexacorn's HexDive tool
    + Added new malware behaviours
    + Included new malware behaviours at “Risk Evaluation Ratings”
    + Added LOG_API support for 64-bit applications
     
  4. bleiburg

    bleiburg Registered Member

    Joined:
    Dec 5, 2010
    Posts:
    15
    1.67
    It terminates 64-bit executables when I try to test them.
    With 32-bit everything is OK.

    These are the lines:
    Tested with both lines in sandboxie.ini at once, and also tested with just one line, once for 32-bit and once for 64-bit.

    If I remove the line for 64-bit, then apps start normally in the BSA Sandboxie profile, without termination.

    Same termination problem when trying to analyze .msi installers.
     
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Copy & paste from a post I made at Sandboxie's forum:

    I am working to fix the problem.
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    bleiburg: Please download this version of LOG_API for 64-bit applications and test it:

    http://bsa.isoftware.nl/log_api64.rar

    Let me know if applications crash or if it works fine, please.

    Thanks in advance!
     
  7. bleiburg

    bleiburg Registered Member

    Joined:
    Dec 5, 2010
    Posts:
    15
    Tried a dozen 64-bit executables and now it's OK; msi installers also work.
    There is just one problem with the winrar-x64-411.exe installer: after almost everything goes OK, at the end of the installation a window pops up with the message "Windows Explorer has stopped working" and the mouse disappears, so I must hit Enter, and then the same Explorer crash pops up once more.
    I guess this Explorer crash in the sandbox is not related to the log api dll, probably something else, don't know what, but there is no crash in the Sandboxie default sandbox without BSA.
     
    Last edited: Jun 10, 2012
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Edit Sandboxie.ini, disable DLL injection (you can comment lines with a ";" in front of the line), reload configuration and test again with winrar-x64-411.exe installer.

    Let me know if with DLL disabled the crash also happens or not, please.
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I just downloaded winrar-x64-411.exe and tested. Here everything works fine. No crash.
     
  10. bleiburg

    bleiburg Registered Member

    Joined:
    Dec 5, 2010
    Posts:
    15
    No crash with DLL injection disabled.
    So it seems that the crash happens when, at the end, it tries to open an Explorer window with the WinRAR shortcuts
    (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR)
     
    Last edited: Jun 10, 2012
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    It will not be possible to fix that problem if I am unable to reproduce it. :(

    If I can reproduce it I will work to fix it.
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.68.

    Changes:

    + Added support to analyze URLs from command line
    + Added support for FakeNet
    + Updated ssdeep tool to version 2.8
    + Updated BSA.DAT
    + Updated LOG_API
    + Fixed several bugs
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    bleiburg: Could you verify that everything's fine with version 1.68, please?
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.69.

    Changes:

    + Added a feature to generate statistics
    + Updated “Report Manager” feature
    + Updated LOG_API
    + Fixed several bugs
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.70.

    Changes:

    + Added new malware behaviours
    + Improved “Additional Information” feature
    + Included new malware behaviours at “Risk Evaluation Ratings”
    + Added German language translation (thanks to AV-Comparatives)
    + Updated BSA.DAT
    + Updated LOG_API
    + Updated HexDive
    + Updated SIGNSRCH.SIG
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    BSA 1.70 package has been re-released to fix a bug.
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.71.

    Changes:

    + Added new malware behaviours
    + Added BSA_USER.DAT feature
    + Improved “Dump Executable Processes” feature
    + Included new malware behaviours at “Risk Evaluation Ratings”
    + Updated BSA.DAT
    + Updated LOG_API
    + Updated Exeinfo
    + Fixed several bugs
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.72.

    Changes:

    + Added wildcard support for FileExclude.TXT and APIExclude.TXT
    + Updated Exeinfo
    + Fixed several bugs
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    guest & xXDarkStalkerxX: You promised feedback about new features... where is it? o_O
     
  21. OuterLimits

    OuterLimits Registered Member

    Joined:
    Nov 13, 2009
    Posts:
    66
    Am I losing anything by not installing wpcap rather than moving the dll(s) from their folder?

    I did a search and the first thing that popped up was:

    Q-7: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?

    A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you execute a WinPcap-based application for the first time since the last reboot, you must be administrator. At the first execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use WinPcap to sniff the packets.

    ---------------------------------------------------------------

    I realize that may have changed but it's in the website FAQs
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Yes, you are missing all the network information: to what IP addresses connected, from what ports connected, to what ports connected, the information transmitted.

    If you do not want to use your internet connection while analyzing with Buster Sandbox Analyzer you can copy/move the dlls to avoid the warning message and also use FakeNet.

    Using FakeNet will give you the ability to get some network information even if programs do not really connect to the internet.

    Let me know if you have any other doubt.
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.73.

    Changes:

    + Added “Launch Internet Explorer” feature
    + Added new malware behaviours
    + Improved “Report Manager” feature
    + Updated BSA.DAT
    + Updated LOG_API
    + Fixed several bugs
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.74.

    Changes:

    + Added functionalities to locate bugs
    + Added analysis duration information to reports
    + Removed the option to include version information
    + Fixed several bugs
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.75.

    Changes:

    + Updated HexDive to version 0.4
    + Removed functionalities to locate bugs
    + Fixed several bugs
     