Norman Sandbox

Discussion in 'other anti-virus software' started by I_lack_commonsense, Aug 19, 2003.

Thread Status:
Not open for further replies.
  1. I_lack_commonsense

    I_lack_commonsense Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    44
  2. raman

    raman Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    10
    AFAIK Sandbox means that Norman "creates" its own new computer environment where Norman starts the file it wants to analyse and then decides if it is malware or not. But it is not able to search with signatures inside the Sandbox. It is more a heuristic than a generic unpacker.
    The second problem is that activating "sandbox" really slows down the scanning and sometimes makes the scanner unstable.
    Test it on your own, to see if it fits your requirements.


    Like you said: The ITW detection seems to be good.
  3. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    Depends on your system I guess.
    I trialled NVC a while ago, and I had no noticeable slowdown, but this AV is a little expensive IMO.
    Regards
    Ole :)
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I was hoping that NVC would stop Blaster by using "sandbox" but it didn't. :(


    tECHNODROME
  5. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    Perhaps this Sandbox technology isn't so advanced as I thought o_O
    Regds.
    Ole
  6. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Well they claim "sandbox" has been able to identify some of the big threats, such as Bugbear, Klez, Yaha, Sobig etc. Don't know, maybe there is a future for this concept. It sounds good though...


    tECHNODROME
  7. Madsen DK

    Madsen DK Registered Member

    Joined:
    Nov 23, 2002
    Posts:
    324
    Location:
    Denmark
    It sure does.
  8. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Although I think raman explained the sandbox concept well, I'd also say that there is not a very big difference between this heuristic sandbox and a 'real' unpacking engine, which is normally based on an emulated environment, too (KAV, McAfee, ...)

    So I'd imagine that it wouldn't be too hard to add a signature-based scan in this (yet purely heuristic) sandbox, which would result in a combined heuristic and unpacking sandbox... :rolleyes:

    But note that a sandbox/emulation can't possibly be used for _every_ scanned file, because that would be far too slow (as mentioned above.)
    That's why sandboxing is only used for certain files, which are in some way 'suspicious' to the scanner.
    With regards to 'unpacking', this means that the packing/crypting format normally has to be 'known' to the AV scanner, so that it is able to unpack it... (e.g. Kaspersky is continuously adding 'detection' of new packers/crypters to their database, as you can see in almost every weekly update overview.)

    Therefore, I wouldn't call an emulation-based unpacking engine automatically a 'generic unpacker'... ;)
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Sandbox is a totally closed environment, but unpacking is usually done in your temporary folders... Plus there is no need for adding support for new packers.
    Sandbox is able to watch the behaviour of an infected file, unpackers are not.


    tECHNODROME

    NVC on my 2 GHz P4 with sandbox enabled runs faster than KAV, McAfee, Avast Pro, F-Secure, AVK and Norton.
  10. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Yes, but some "advanced" AVs are unpacking runtime-compressed/crypted files via emulation, right? (As emulation is also used for 'decrypting' polymorphic viruses, this is obviously not too bad an idea...)

    Well, and Norman's Sandbox is also based on emulation - that's why I think it shouldn't be too difficult to 'expand' their technique to unpack packed/crypted files.


    Are you now referring to unpacking emulators?
    If the AV emulates _every_ file from the "beginning to the end", then probably not, but since the scanner would be too slow this way, it has to decide _which_ files to emulate and how 'long' ... that's why, I think, AVs need to have special corresponding 'rules' for most 'new' packers/crypters.

    If that's wrong, why would Kaspersky constantly add support for new packers/crypters? o_O
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    _anvil

    Please read this write-up from Kurt Natvig (Norman) about the technique used by the NVC sandbox.
    http://secinf.net/uplarticle/20/Sandbox2_vb2002.pdf

    I am pretty sure that you can find an article about unpacking engines (such as KAV's).

    Compare these two and see the difference...


    tECHNODROME
  12. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Thanks, Technodrome, I didn't know this (part of the) article - I had only read the first part, available here:
    http://www.norman.com/documents/nvc5_sandbox_technology.pdf :)

    So I think we have enough information about Norman's Sandbox (and from what I see, we both have totally agreed on how it works :) ) - but there seems to be confusion about how a proper unpacking engine (KAV, McAfee, ...) works in detail (does it use emulation, like a Sandbox, or not?)
    Can you provide additional information or links on this matter (unfortunately, I haven't found any)?

    There is one interesting paragraph in 'your' part of Norman's article, called "COMPRESSED EXECUTABLES":
    IMHO, this somewhat confirms what I wrote above: it should not be such a big deal to use the Sandbox for unpacking purposes - but according to Norman, it isn't the "preferred" way, because it's too slow (well, for Norman the preferred way is obviously doing (almost) _nothing_ about unpacking of packed/crypted files, according to different tests... :rolleyes: )

    So, how is e.g. KAV doing its (outstanding) unpacking job?
    Does it use special unpacking routines for every supported packer/crypter? Does it only use emulation when the "static unpacking" didn't work? Does it use emulation at all? o_O
  13. Kurt Natvig

    Kurt Natvig Guest

    Hi, the sandbox is a closed simulated computer that runs our Win32 compatible OS. When enabled it puts every executable file into this simulated computer and lets it go. During the last month or so we have detected new strains and new viruses almost every day (e.g. W32/Swen.A was detected before we knew about it). We detected two new strains of W32/Blaster just based on the exploit (port 135), 3 new W32/Yaha variants, modified LoveGates etc. etc. It does unpack most PE compressors, like UPX, Petite, ASPack and even tELock. Working on ASProtect. It emulates through them, and the sandbox doesn't really know they are compressed at all. The sandbox is under constant development and will be updated and updated, but compared to "normal" techniques it doesn't search for anything. Another strength of the sandbox is that it creates a short description of the virus on the fly so you get an idea what it is in plain text.