Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    BSA too, that's why I asked.

    If all sandboxed processes finish before the given time is reached, the next file will be processed. That's logical; anything else would be crazy. ;)
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I will consider it. :)
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Feature added. ;)
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.34.

    Changes:

    + Added a feature to copy/move processed files in automatic mode
    + Added a feature to export RegHive to .REG format
    + Updated LOG_API
    + Removed HideDriver
    + Fixed a bug
     
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    mantra: Try the feature and let me know what you think.

    It's available under Utilities > Sandbox > RegHive > Export To .REG

    The file will be saved in the same folder where RegHive is located.

    It will only process the RegHive file located in the currently defined sandbox folder.
     
    Last edited: May 26, 2011
  6. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,324
    thanks a lot!!!!!!!!!!!!
     
  7. guest

    guest Guest

    I know, it is FP. I reported it to TrendMicro.
     

    Last edited by a moderator: May 26, 2011
  8. guest

    guest Guest

    @Buster_BSA

    I have been testing Buster Sandbox Analyzer and it is awesome, although I have a couple of questions.

    When I select "Common analysis options" -> "Reports" -> "Virus Total...."
    and I select both entries I don't get any info about the sandboxed files from VirusTotal in the report. What am I doing wrong?
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Maybe the files are not detected by any antivirus. In that case nothing will appear in the report.

    Make a test using a file identified by antivirus, e.g. the EICAR test file:

    http://www.eicar.org/download/eicar.com

    I just made a test and it works fine:

    [ General information ]
    * File name: c:\m\j\eicar.com
    * File length: 68 bytes
    * File executed by: c:\windows\system32\ntvdm.exe
    * File type: Unknown
    * MD5 hash: 44d88612fea8a8f36de82e1278abb02f
    * SHA1 hash: 3395856ce81f2b7382dee72602f798b642f14140
    * SHA256 hash: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
    * VirusTotal detections:
    AhnLab-V3: EICAR_Test_File
    AntiVir: Eicar-Test-Signature
    Antiy-AVL: AVTEST/EICAR.ETF
    Avast: EICAR Test-NOT virus!!!
    Avast5: EICAR Test-NOT virus!!!
    AVG: EICAR_Test
    BitDefender: EICAR-Test-File (not a virus)
    CAT-QuickHeal: EICAR Test File
    ClamAV: Eicar-Test-Signature
    Commtouch: EICAR_Test_File
    Comodo: Teststring.Eicar
    DrWeb: EICAR Test File (NOT a Virus!)
    Emsisoft: EICAR-ANTIVIRUS-TESTFILE!IK
    eSafe: EICAR Test File
    eTrust-Vet: the EICAR test string
    F-Prot: EICAR_Test_File
    F-Secure: EICAR_Test_File
    Fortinet: EICAR_TEST_FILE
    GData: EICAR-Test-File
    Ikarus: EICAR-ANTIVIRUS-TESTFILE
    Jiangmin: EICAR-Test-File
    K7AntiVirus: EICAR_Test_File
    Kaspersky: EICAR-Test-File
    McAfee: EICAR test file
    McAfee-GW-Edition: EICAR test file
    Microsoft: Virus:DOS/EICAR_Test_File
    NOD32: Eicar test file
    Norman: EICAR_Test_file_not_a_virus!
    nProtect: EICAR-Test-File
    Panda: EICAR-AV-TEST-FILE
    PCTools: Virus.DOS.EICAR_test_file
    Prevx: EICAR
    Rising: EICAR-Test-File
    Sophos: EICAR-AV-Test
    SUPERAntiSpyware: NotAThreat.EICAR[TestFile]
    Symantec: EICAR Test String
    TheHacker: EICAR_Test_File
    TrendMicro: Eicar_test_file
    TrendMicro-HouseCall: Eicar_test_file
    VBA32: EICAR-Test-File
    VIPRE: EICAR (v)
    ViRobot: EICAR-test
    VirusBuster: EICAR_test_file

    [ Changes to filesystem ]
    * No changes

    [ Changes to registry ]
    * No changes
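The report above is the one place in the thread where BSA's report layout and its hash and VirusTotal fields are visible, so here is an added example (editor's code, not part of the original post and not BSA's own code) that parses the `[ Section ]` / `* key: value` layout into nested dicts, counts the VirusTotal detections, and recomputes MD5, SHA-1 and SHA-256 over the file bytes to confirm they match the values BSA printed. The sample report is a constructed, shortened copy of the post above; the EICAR bytes are the published 68-byte test string, assembled from three pieces so the script's own source file does not contain the contiguous signature. Nothing here talks to VirusTotal; it only checks the hashes a report claims against the bytes you actually hold.

```python
import hashlib
import re

# Constructed sample: a shortened copy of the report Buster_BSA pasted above.
SAMPLE_REPORT = """\
[ General information ]
* File name: c:\\m\\j\\eicar.com
* File length: 68 bytes
* File executed by: c:\\windows\\system32\\ntvdm.exe
* File type: Unknown
* MD5 hash: 44d88612fea8a8f36de82e1278abb02f
* SHA1 hash: 3395856ce81f2b7382dee72602f798b642f14140
* SHA256 hash: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
* VirusTotal detections:
AhnLab-V3: EICAR_Test_File
ClamAV: Eicar-Test-Signature
Microsoft: Virus:DOS/EICAR_Test_File
Symantec: EICAR Test String

[ Changes to filesystem ]
* No changes

[ Changes to registry ]
* No changes
"""

# The published 68-byte EICAR test string, split into pieces so that this
# source file does not itself contain the contiguous signature antivirus
# engines match on. Joined in memory it is byte-for-byte the test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
         b"!$H+H*")

SECTION_RE = re.compile(r"\[ (.+?) \]")


def parse_report(text):
    """Parse BSA's '[ Section ]' / '* key: value' report text into nested dicts.

    A '* key:' line with no value (VirusTotal detections) opens a sub-dict that
    collects the following 'Engine: verdict' lines; a bare '* flag' line such as
    '* No changes' is stored as True.
    """
    sections = {}
    current = None      # dict for the section currently being filled
    pending_key = None  # key whose multi-line value is being collected
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            pending_key = None
            continue
        if current is None:
            continue  # text before the first section header
        if line.startswith("* "):
            body = line[2:]
            key, sep, value = body.partition(": ")
            if sep:
                current[key] = value
                pending_key = None
            elif body.endswith(":"):
                pending_key = body[:-1]
                current[pending_key] = {}
            else:
                current[body] = True
                pending_key = None
        elif pending_key is not None:
            # 'Engine: verdict'; split on the first ': ' only, because verdicts
            # such as 'Virus:DOS/EICAR_Test_File' contain colons themselves.
            engine, _, verdict = line.partition(": ")
            current[pending_key][engine] = verdict
    return sections


def hashes_of(data):
    """Hex digests keyed exactly as BSA labels them in the report."""
    return {
        "MD5 hash": hashlib.md5(data).hexdigest(),
        "SHA1 hash": hashlib.sha1(data).hexdigest(),
        "SHA256 hash": hashlib.sha256(data).hexdigest(),
    }


def detection_count(report):
    return len(report["General information"].get("VirusTotal detections", {}))


def verify_report(report, data):
    """Return (labels of hashes that do not match, file-length matches)."""
    info = report["General information"]
    mismatches = [label for label, digest in hashes_of(data).items()
                  if info.get(label, "").lower() != digest]
    length_ok = info.get("File length") == f"{len(data)} bytes"
    return mismatches, length_ok


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("detections:", detection_count(report))
    print("hash mismatches, length ok:", verify_report(report, EICAR))
```

In practice you would pass `verify_report` the bytes of the sample BSA analysed; a non-empty mismatch list means the report does not describe the file you are holding (for instance a copy that was altered after analysis, or the report of a different build of the same dropper), which is worth knowing before you quote its VirusTotal verdicts anywhere.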
     
  10. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    What you guys think of Joe Sandbox?
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    This thread is about Buster Sandbox Analyzer. You can create a new topic about Joe Sandbox if you want.
     
  12. jelson

    jelson Registered Member

    Joined:
    Dec 21, 2009
    Posts:
    62
    Just downloaded 1.34, Avast 6 thinks Log_API.dll is malware, but so do 17 others at VirusTotal ~ VirusTotal Results Link Removed per Policy ~.

    Just curious, why is it being tagged?

    BTW, already submitted it to Avast so they can clear it.
     
    Last edited by a moderator: Jun 9, 2011
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    A hook on NtQuerySystemInformation, I guess.

    Thanks for reporting the false positive.
     
    Last edited by a moderator: Jun 9, 2011
  14. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Eek, sorry, my apologies Mr. Buster. How is your analyzer? Can a person test it?
    I got a 403 Forbidden when I tried to download it:
    http://bsa.qnea.de/bsa.rar
    Is that the correct link?
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    No, the actual link is:

    http://bsa.isoftware.nl/
     
  16. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Thanks, got it. Oh, the reason I asked about the Joe one is because I want to know if it is only compatible with Sandboxie. Sorry if it's a stupid question.
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I don't understand why you need to mention JoeBox to ask if BSA is only compatible with Sandboxie.

    BSA only works with Sandboxie.
     
  18. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Aah, sorry. I got it running after a struggle. My own stupidity, by the way, as my default drive is not C but E, so after changing it in the config it's running. Great little tool. One question: if I run the program, must I close the program and Sandboxie by exiting it and then press Finish analysis?
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I guess you are talking about the manual analysis mode, aren't you?

    In that case, you can wait until all the sandboxed processes finish or you can click on Sandboxie's "Terminate All Programs".

    You must click on "Finish analysis" when there are no processes being sandboxed (Sandboxie's icon is completely yellow, without red dots).
     
  20. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Thanks man, you're a star. Great app, wish I had discovered it earlier. That download link you provided, is it static? Doesn't it change if one wants to link to it?
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    It's static while BSA is hosted at isoftware.nl.
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer version 1.35.

    Changes:

    + Added HideDriver again
    + Added LOG_API version for 64 bit systems
    + Fixed several bugs
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.36.

    Changes:

    + Added support for ssdeep
    + Improved the support for DLL files
    + Report information can be selected individually
    + Updated BSA.DAT
    + Fixed several bugs
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I guess the last release is working fine as nobody reported bugs, right?
     
  25. guest

    guest Guest


    A more comfortable options menu...
    And you could add the malicious actions table as CSV in automatic analysis.
     

    Last edited by a moderator: Jul 15, 2011