2. Pros, cons, warnings and limitations
Buster Sandbox Analyzer has pros and cons as any other malware analyzer.
Brief list of pros and cons:
Pros of Buster Sandbox Analyzer / Cons of other malware analyzers:
Buster Sandbox Analyzer will run on any computer where Sandboxie is installed and working. An Internet connection is not required but it is recommended.
Web-based malware analyzers require an Internet connection to be able to submit the sample to analyze and retrieve analysis results.
Buster Sandbox Analyzer will be able to analyze any kind of file type (EXE, BAT, VBS, PDF, XLS, DOC, ...). If the file can be executed Buster Sandbox Analyzer will be able to analyze it.
Usually malware analyzers just process PE files (Win32 executables).
With Buster Sandbox Analyzer if a library (DLL, OCX, ...) or other software is required you can accomplish the requirement just copying or installing whatever it´s necessary to get the application working properly.
Some other malware analyzers just run a program at a time. If a library or anything else is required the analysis will fail and there is nothing you can do about this.
With Buster Sandbox Analyzer if a program requires to click any button to continue or whatever, e.g. installations and setups, you will be able to do it.
Other malware analyzers are "automatic" (unattended) and can only analyze programs that perform actions directly, without human intervention. The analysis will stop if the program waits for the user to click "Next" or click in "Accept the agreement" checkbox e.g.
Buster Sandbox Analyzer shows information that can be clearly understood even by non advanced users.
Other malware analyzers usually show a big amount of information when the analysis finishes. A neverending list of used APIs can be a scaring thing for non advanced users and probably they will not be able to understand what they are seeing.
Buster Sandbox Analyzer is free of charge. You just should pay for a Sandboxie license which is very cheap and it´s lifetime.
Web-based malware analyzers are free of charge but the service can be discontinued at any time. Norman Sandbox, GFI Sandbox or ValidEDGE are really expensive.
Buster Sandbox Analyzer can be configured. You can define what file types to watch, what registry entries must be considered as AutoStart locations, etc. You can configure BSA to save network traffic.
Other malware analyzers can not be configured by the user.
With Buster Sandbox Analyzer advanced users can enhance the analysis running additional software inside the sandbox to retrieve more information, like Mark Russinovich´s Process Monitor, Process Explorer, etc.
In other malware analyzers the analysis can not be improved at all.
Buster Sandbox Analyzer is Windows version independant. It can be used in Windows 2000, Windows XP, Windows Vista, Windows 7 or Windows 8.
Other malware analyzer will analyze the malware only under Windows XP,
Windows Vista or Windows 7. If the malware is version dependant or crashes on a specified operating system this will be a problem.
Buster Sandbox Analyzer can be configured to work in automatic mode, therefore it can process a batch of files.
Other malware analyzers, like online analyzers, don´t analyze batch of files.
Buster Sandbox Analyzer can run on-demand in automatic mode from command line. That means it can be incorporated to batch processes.
Other malware analyzer can not work in this way.
Buster Sandbox Analyzer can automate the execution of most setups when running in automatic mode.
Other malware analyzers will be unable to analyze properly setups because they stop when the setup requests the user to press “Next” or other button.
Buster Sandbox Analyzer is a Windows native software, therefore it´s the right solution for analyzing Windows programs.
Other malware analyzers are Linux based applications, therefore Windows support must be emulated. In that cases Windows compatilibity can not be garanteeed to 100%, so certain files may fail to be analyzed properly.
Buster Sandbox Analyzer can analyze multiple samples at the same time.
Other malware analyzers can only process one sample at a time.
Buster Sandbox Analyzer can be translated to your language and you can do it yourself.
Other malware analyzers only support one language.
Buster Sandbox Analyze can analyze a single URL or a list of them loaded from a file in automatic mode.
Other malware analyzer does not support analyzing URLs.
With Buster Sandbox Analyzer the required time between an analysis and the next one is near to none.
Other malware analyzers must shutdown the virtual machine, restore the snapshot, etc., which are time and resource consuming tasks.
Sandboxie, the framework used by Buster Sandbox Analyzer to perform malware analysis, is very fast and light, so it almost does not take system resources.
Other malware analyzers use as framework for malware analysis a virtual machine like VirtualBox, VMWare, …, which take many system resources and it is slow.
Buster Sandbox Analyzer is able to analyze 64-bit applications.
Other malware analyzers only analyze 32-bit applications.
Cons of Buster Sandbox Analyzer / Pros of other malware analyzers:
Buster Sandbox Analyzer will not be able to watch all system changes performed by programs which install a driver. This is due Sandboxie´s limitation: installation of drivers is not allowed for security reasons.
Buster Sandbox Analyzer will be unable to watch code injection in certain system processes because they are running out of the sandbox and Sandboxie will not allow it.
On automatic analysis mode Buster Sandbox Analyzer will fail to analyze properly some samples requiring human intervention to be installed.
A common problem to all malware analyzers is that malwares can detect they are running under a malware analyzer environment or virtual machine and abort execution. The only way to solve this problem would be using a private malware analyzer so malware coders ignore it exists and are unable to add checkings to detect it.
Note: Buster Sandbox Analyzer package includes countermeasures against malwares detecting Sandboxie´s presence.
Warnings:
Sandboxie, the environment used by Buster Sandbox Analyzer, has been designed specifically to avoid changes to disk. Sandboxie has not been designed to avoid information leaks, like programs sending information from your computer to Internet. Sandboxie´s author added several features to avoid this, but they are not enabled by default. If you pretend using Buster Sandbox Analyzer with a default Sandboxie´s installation you must realize that information could go out from your computer to other computer in Internet: mail account login details e.g.
As any other security software Sandboxie is not 100% bullet proof. Take the measures you consider necessary to avoid OS corruption/infection. I suggest a disk image solution like CloneZilla.
I suggest you only have installed Sandboxie as security solution in the computer you use to run Buster Sandbox Analyzer. Sandboxie stores sandboxed contents inside a folder defined by the user on real disk. If you have installed other security solutions they may interfere with Sandboxie´s operations, like Norton´s Sonar Protection (thanks to Guest10 for reporting this) or Keyscrambler (thanks to bleiburg for reporting this).
Note: Some antivirus report false positive detections in BSA´s package files.
Note: From time to time Sandboxie´s RegHive file may get locked and then Buster Sandbox Analyzer will be unable to perform malware analysis correctly. The only solution to fix this issue is to reboot the computer.
Limitations:
Buster Sandbox Analyzer´s limitations are imposed by Sandboxie´s limitations, and of course, by my own limitations as malware analyzer and programming coder.
Sandboxie has next limitations:
For security reasons Sandboxie does not allow driver installation and system hooks.
Code injection will fail with certain system processes.
Sandboxie fails to sandbox certain executable files, usually compressed files.
You can get more information about such files here:
http://www.sandboxie.com/phpbb/viewtopic.php?t=4367