Safe sandbox for malware examination

Discussion in 'sandboxing & virtualization' started by rpk2006, Nov 25, 2022.

  1. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
I want to know which sandbox is comparatively safer for malware examination. I want one in which it is easy to set up a Windows environment and which is safe. Malware should not be able to exploit the network.
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    If I am not mistaken, most experts who really know what they're doing, use Virtual Machines to do that kind of stuff.
    Acadia
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    This is a good point: "experts who really know what they're doing". Consequently, you should refrain from examining malware samples and leave it to the experts.
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Now that I think about it, I believe most experts actually try to use another pc altogether, a second physical computer, disconnected from everything else. A Virtual Machine is only used if they have no choice, they only have one pc.
    Acadia
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
For a rigorous examination of malware any sandbox really won't do at all. For example, malware run in SBIE will indeed keep the system safe but will yield little (if any) data on what the malware is doing. Comodo Containment would be better: the real system will also be protected, but only gross changes would be seen in the Containment (VTRoot) directory. Of the two, Comodo would also be preferable in that there is much more robust blocking and alerting for anything trying to connect out (essential for data stealers).

As was mentioned above, a VM is preferable, but one also must be cognizant that some malware will be VM-aware and thus won't run at its full capability (if at all). Also, some malware will be able to differentiate between systems set up as plain analysis machines and a real system. To analyze malware such as this one would need a dedicated sacrificial system.

But best practice for a beginner is to start by using an online sandbox, which may already provide explanations.
     
    Last edited: Nov 25, 2022
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
Shadow Defender can also be used to test malware behaviour. It is not a sandbox but a virtual system, and as far as I know it hasn't been bypassed by anything (tested under extreme conditions by our late moderator Peter2150, a real expert).
     
  7. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
    Cloud-based sandbox would be the best option. Checked a few.
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
Actually this would be a very, very bad idea. Although SD will certainly roll back any changes made by malware (such as ransomware), it will not prevent either the harvesting or the transmission of data collected by data miners (such as keyloggers, password stealers, etc.).

So although it is fine on a test system in a VM, it should be understood that as any sort of anti-malware app on the real system it is Double Plus Ungood.
     
  9. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
You are certainly right, SD can't stop data harvesting. I guess that testing malware on a computer holding sensitive data would also be, to say the least, irresponsible. I personally don't keep anything financially compromising on my machine, and never ever test malware...
     
  10. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
    Just want to know views on this:

    I have created Windows Hyper-V virtual machine. In that VM, I have installed Sandboxie-Plus.

    To test any sample in VM, I follow these steps:
    1. Disable network in VM
    2. Select "Run" from "Sandboxie" and browse to the path of malware
    3. Execute it.
    Is it safe, or are there still loopholes through which my primary local machine could get infected?
     
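    A host-side check for the procedure in the post above, added here as an example and not something posted in the thread: it audits whether the Hyper-V VM is actually cut off from the host (no virtual switch, no guest file-copy service, no Enhanced Session clipboard/drive sharing) and takes a named clean checkpoint before a sample is run. The VM name MalwareLab is a placeholder.

```powershell
# Added example (not from the thread): audit a Hyper-V analysis VM's isolation
# from the host before running a sample in it. The VM name is a placeholder.
param([string]$VMName = "MalwareLab")

$findings = @()
$vm = Get-VM -Name $VMName -ErrorAction Stop

# 1. Network: every adapter must be detached from any virtual switch.
#    "Disable network in VM" from inside the guest is not enough if the
#    adapter is still wired to a switch the guest can re-enable.
foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
    if ($nic.SwitchName) {
        $findings += "Adapter '$($nic.Name)' is attached to switch '$($nic.SwitchName)'"
    }
}

# 2. The Guest Service Interface allows host<->guest file copy; keep it off.
$gsi = Get-VMIntegrationService -VMName $VMName -Name "Guest Service Interface"
if ($gsi.Enabled) { $findings += "Guest Service Interface is enabled" }

# 3. Enhanced Session Mode shares clipboard and drives with the guest
#    (a host-wide setting, so it affects every VM on this box).
if ((Get-VMHost).EnableEnhancedSessionMode) {
    $findings += "Enhanced Session Mode is enabled on the host"
}

# 4. A named clean-state checkpoint is what you roll back to after the run.
$clean = Get-VMSnapshot -VMName $VMName -ErrorAction SilentlyContinue |
         Where-Object Name -like "clean-*"

if ($findings.Count -eq 0) {
    if (-not $clean) {
        Checkpoint-VM -Name $VMName -SnapshotName ("clean-" + (Get-Date -Format "yyyyMMdd-HHmm"))
    }
    "OK: $VMName looks isolated from the host; clean checkpoint in place"
} else {
    "Fix before running a sample in ${VMName}:"
    $findings | ForEach-Object { " - $_" }
    # Remediation one-liners (commented out so the audit itself stays read-only):
    # Disconnect-VMNetworkAdapter -VMName $VMName
    # Disable-VMIntegrationService -VMName $VMName -Name "Guest Service Interface"
    # Set-VMHost -EnableEnhancedSessionMode $false
}
```

    Run it from an elevated PowerShell on the Hyper-V host; it reports gaps rather than changing anything, so the remediation lines are applied deliberately.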
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    I keep it simple: you are not able to examine malware. No kind of basics, no kind of anything around malware. I remind you about your compromised Windows; that issue is still not resolved, while you are heading towards dead ends. Malware research simply needs another kind of understanding and tools than a generic and stupid antivirus (suite or endpoint).

    #edit

    Hint: malware is aware if it is run in a sandbox, thus it behaves "normal".

    Keep with https://any.run/ if you want to gather knowledge about results. For you, and ofc me too, we can only recognize results of malware if we know about the results. For real examining it needs a lot more, in particular knowledge about programming: different kinds of programming languages, API knowledge and much more.

    any.run is also only the tip of an iceberg; it's just examining processes in a honey trap.
     
    Last edited: Nov 28, 2022
  12. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
    What you remember but missed is that the system was not compromised. That is an isolated environment and G Data intercepted it.

    Not all malware is written with a sandbox in mind. I have been testing a few in an isolated environment, and these behaved in the sandbox as the malware itself. But you are right, many are aware of the sandbox and even check the antivirus installed before executing. Any.run I am aware of, but I was using Joe Sandbox.
     