Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Feb 27, 2014.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I made two small changes to BSA 1.88:

    The first change is that, in the Windows Shell, if you right-click a file and select "Analyze in BSA", only that file will be analyzed. If you want to analyze a folder, then select the folder, right-click it and select "Analyze in BSA".

    The second change is that from the command line you can analyze just one file using the modifier "-i" or "-file". Example:

    Code:
    bsa.exe -s 30 -i c:\test\notepad.exe
    You can get the updated release from here.
     
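The "-i" form above takes one file per invocation, so a batch of samples has to be driven by a loop. The script below is an added example written for this thread, not code from the original post or from BSA itself: it hashes each file in a folder, invokes bsa.exe once per file with the same "-s 30 -i <file>" arguments shown in the post, and records the exit code and elapsed time in a CSV so the run is reproducible. The paths in the parameters are constructed placeholders, and "-s 30" is passed through unchanged because the thread does not explain its meaning.

```powershell
# Added example: sequential BSA runs over a folder of samples, one file per call.
# Assumptions (not stated in the thread): bsa.exe accepts "-s 30 -i <file>" exactly as
# shown above and returns when the analysis is finished; the paths below are placeholders.
param(
    [string]$SampleDir = 'C:\samples',            # constructed placeholder path
    [string]$BsaPath   = 'C:\BSA\bsa.exe',        # constructed placeholder path
    [string]$LogCsv    = 'C:\BSA\batch-log.csv'   # constructed placeholder path
)

if (-not (Test-Path -Path $BsaPath)) {
    throw "bsa.exe not found at $BsaPath"
}

$results = foreach ($f in Get-ChildItem -Path $SampleDir -File) {
    # Record the SHA-256 before analysis so the log identifies the exact sample.
    $hash    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $started = Get-Date

    # One sample per invocation, as the "-i" modifier described in the post requires.
    $proc = Start-Process -FilePath $BsaPath `
        -ArgumentList @('-s', '30', '-i', ('"{0}"' -f $f.FullName)) `
        -Wait -PassThru -NoNewWindow

    [pscustomobject]@{
        File     = $f.Name
        SHA256   = $hash
        ExitCode = $proc.ExitCode
        Seconds  = [int]((Get-Date) - $started).TotalSeconds
    }
}

$results | Export-Csv -Path $LogCsv -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it from an elevated prompt on the analysis machine only (Sandboxie must already be installed, since BSA only works with it); the CSV gives you a per-sample record to pair with the BSA report for each run.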
  2. chris1341

    chris1341 Guest

    Hi Buster, nice to see BSA back :thumb:

    I take it the Invicea inject.dll fix has resurrected the product?

    Thanks
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I am still cautious about the InjectDLL fix and I do not want to announce that Sandboxie 4.09.01+ is compatible with BSA until more people make their tests and write their opinions. At the moment I can just say that the fix looks promising for BSA users. :)

    I do not know about the future of BSA as the TO-DO list is empty (no feature requests pending), so development will remain stopped anyway.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Hi,

    I will check it out, thanks. ;)
     
  5. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    How is BSA going these days? Personally I haven't been using it for a long time, but I always liked it and still do... oh, and I deeply appreciate the time & effort you put into developing this handy app.

    Amin :)
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    BSA had been discontinued after the version 1.88 release because, with the changes to Sandboxie's internal architecture, it stopped working correctly in 4.x releases.

    Sandboxie was acquired by a company named Invincea around one year ago, and just recently Ronen Tzur passed the torch to the company and said goodbye.

    Invincea's people announced they had found a bug in the mechanism which injects DLLs into sandboxed applications. They released a bugfix within version 4.09.01 and this fix seems to have resolved lots of issues.

    I did not do many tests, but there is a chance that Sandboxie 4.09.01+ versions are compatible with BSA again.

    Anyway, BSA development will remain stopped because the TO-DO list is empty, so I do not have anything else to incorporate into the program.

    If someone sends a feature request and I consider worth adding it, I may take care of it.

    Regards.
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released update 2 for version 1.88.

    The new update is available here.
     
    Last edited: Apr 23, 2014
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released update 3 for version 1.88.

    The new update is available here.

    Changes:

    + Fixed a bug.

    + Fixed FileVersion information.
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released update 4 for version 1.88.

    The new update is available here.

    Changes:

    + Fixed a bug related to "Take Screenshots" feature.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I have used Sandboxie in the past, but I have never used Buster Sandbox Analyzer. I knew about its existence, but never used it. What is the purpose of BSA? Is it to record the behavior of malware in the sandbox? Does it only work with Sandboxie?
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to the system, and then evaluate whether they are suspicious of being malware.

    And yes, it only works with Sandboxie.

    You can take a look here to learn more about the tool:

    http://bsa.isoftware.nl/
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Thank You! I will take a look.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I still need to check out BSA, but I must say that I never really understood why such an option was never integrated into SBIE.

    Years ago I made a request, but Tzuk was not really into it. If I'm correct, Invincea FreeSpace does this out of the box. :)
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Tzuk was busy enough developing Sandboxie, and something like BSA would be a job for one person on its own.

    Taking a look at the FreeSpace information, I would say it is not as complete as BSA.

    You could try getting a trial version and testing it.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes, Tzuk could have added this feature, but it was probably too much work, and he didn't think it was necessary. :)

    Btw, I highly doubt that FreeSpace is not as complete, check this out:

    http://www.invincea.com/wp-content/uploads/2014/03/ordered-tree-view-of-the-incident-report-.jpg
    http://www.invincea.com/2014/03/fake-british-airways-ticket-receipt-spear-phishing-analysis/
    http://www.invincea.com/2014/03/a-dfir-analysis-of-a-word-document-spear-phish-attack/
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    You will only know that if you get a trial version and compare the analysis results from several malware samples.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Buster_BSA

    Hi, good to see you are compatible once more.

    Regards
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    That's true, but I don't think it's that easy to get a copy.

    But I must say that, even though I would love to see this stuff as a native feature in SBIE, I've been using an old skool HIPS like Neoava Guard (Win XP) as a workaround for years. So basically, SBIE takes care of the file system and registry virtualization, and NG warns me about suspicious behavior, as seen in the link below. :)

    http://s9.postimg.org/v8hn8dvm7/NG_RF.png
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    HIPS and malware behavior analyzers are different things for different purposes.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes, I know what you mean; of course this approach is not as extensive as BSA. I just wanted to say how awesome the combination of HIPS + sandbox can be. And if you think about it, HIPS are in a way behavior analyzers. :)
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Returning to the topic... I doubt FreeSpace is as complete as BSA. I doubt it can take screenshots/videos, analyze the screenshots, and many other things.
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I can say now that Sandboxie 4.09.01 - 4.10 are not compatible with LOG_API 64 bit. Something fails in their API hooking engine.
     