2. Pros, cons, warnings and limitations


Buster Sandbox Analyzer has pros and cons, as does any other malware analyzer.

Brief list of pros and cons:

Pros of Buster Sandbox Analyzer / Cons of other malware analyzers:




Web-based malware analyzers require an Internet connection to submit the sample and to retrieve the analysis results.

Usually malware analyzers only process PE files (Win32 executables).

Some other malware analyzers run only one program at a time. If a library or anything else is required, the analysis will fail and there is nothing you can do about it.

Other malware analyzers are "automatic" (unattended) and can only analyze programs that perform their actions directly, without human intervention. The analysis stops if the program waits for the user to click "Next" or to tick an "Accept the agreement" checkbox, for example.

Other malware analyzers usually show a large amount of information when the analysis finishes. A never-ending list of called APIs can be intimidating for non-advanced users, who probably will not be able to understand what they are seeing.

Web-based malware analyzers are free of charge, but the service can be discontinued at any time. Norman Sandbox, GFI Sandbox or ValidEDGE are really expensive.

Other malware analyzers cannot be configured by the user.

In other malware analyzers the analysis cannot be improved at all.

Other malware analyzers will analyze the malware only under Windows XP, Windows Vista or Windows 7. If the malware is version dependent or crashes on a specific operating system, this will be a problem.

Other malware analyzers, like online analyzers, do not analyze batches of files.

Other malware analyzers cannot work in this way.

Other malware analyzers will be unable to analyze setups properly because they stop when the setup asks the user to press "Next" or another button.

Other malware analyzers are Linux-based applications, so Windows support must be emulated. In those cases Windows compatibility cannot be guaranteed 100%, so certain files may fail to be analyzed properly.

Other malware analyzers can only process one sample at a time.

Other malware analyzers only support one language.

Other malware analyzers do not support analyzing URLs.

Other malware analyzers must shut down the virtual machine, restore the snapshot, etc., which are time- and resource-consuming tasks.

Other malware analyzers use a virtual machine like VirtualBox, VMware, etc. as the framework for malware analysis, which takes many system resources and is slow.

Other malware analyzers only analyze 32-bit applications.




Cons of Buster Sandbox Analyzer / Pros of other malware analyzers:

Note: The Buster Sandbox Analyzer package includes countermeasures against malware that detects Sandboxie's presence.




Warnings:

Sandboxie, the environment used by Buster Sandbox Analyzer, has been designed specifically to avoid changes to disk. Sandboxie has not been designed to prevent information leaks, such as programs sending information from your computer to the Internet. Sandboxie's author added several features to prevent this, but they are not enabled by default. If you intend to use Buster Sandbox Analyzer with a default Sandboxie installation, you must realize that information could leave your computer for another computer on the Internet: mail account login details, for example.
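The Sandboxie.ini fragment below is an added example, not text from this manual or from Sandboxie's own documentation files. It contrasts a box left at Sandboxie's default (programs inside it may reach the network) with a second box that denies network access to everything running inside it. The box name BSABox is an assumption; ClosedFilePath=\Device\Afd* is the setting Sandboxie documents for blocking access to the Windows socket device; lines starting with # are assumed to be accepted as comments by your Sandboxie version.

```ini
# Default box as installed: no ClosedFilePath entry for the socket device,
# so a sandboxed sample can still send data out to the Internet.
[DefaultBox]
Enabled=y

# Assumed box name used for analysis with Buster Sandbox Analyzer.
# Denying the Windows socket device (\Device\Afd*) to every program in the
# box blocks outbound traffic, including credentials a sample tries to leak.
[BSABox]
Enabled=y
ClosedFilePath=\Device\Afd*
```

After editing Sandboxie.ini, reload the configuration from Sandboxie Control (Configure > Reload Configuration) so the new box is picked up. Keep in mind that a sample which needs a network connection will then behave differently, so its network activity will not appear in the analysis; this setting limits what can leave the machine, it does not replace the disk image advice given below.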


As with any other security software, Sandboxie is not 100% bulletproof. Take the measures you consider necessary to avoid OS corruption/infection. I suggest a disk imaging solution like CloneZilla.

I suggest you have only Sandboxie installed as a security solution on the computer you use to run Buster Sandbox Analyzer. Sandboxie stores sandboxed contents inside a folder defined by the user on the real disk. If you have other security solutions installed, they may interfere with Sandboxie's operations, like Norton's Sonar Protection (thanks to Guest10 for reporting this) or Keyscrambler (thanks to bleiburg for reporting this).

Note: Some antivirus products report false positive detections on BSA's package files.

Note: From time to time Sandboxie's RegHive file may get locked, and then Buster Sandbox Analyzer will be unable to perform malware analysis correctly. The only way to fix this issue is to reboot the computer.




Limitations:

Buster Sandbox Analyzer's limitations are imposed by Sandboxie's limitations and, of course, by my own limitations as a malware analyst and programmer.

Sandboxie has the following limitations:

You can get more information about such files here:

http://www.sandboxie.com/phpbb/viewtopic.php?t=4367