3. Installation and usage


Installation:


Buster Sandbox Analyzer, or BSA for short, is a portable application. This means you only need to copy the package contents to any folder on any drive and run it from there.


Edit Sandboxie's configuration (open Sandboxie Control -> Configure -> Edit Configuration) and add the following three lines to every sandbox you will be using with Buster Sandbox Analyzer:


InjectDll=C:\BSA\LOG_API\LOG_API32.DLL

OpenWinClass=TFormBSA

NotifyDirectDiskAccess=y


It should look like:


[DefaultBox]


ConfigLevel=6

Template=LingerPrograms

Template=Firefox_Phishing_DirectAccess

Template=AutoRecoverIgnore

Enabled=y

InjectDll=C:\BSA\LOG_API\LOG_API32.DLL

OpenWinClass=TFormBSA

NotifyDirectDiskAccess=y

...


[UserSettings_00000000]


Note: Add the lines to "DefaultBox" and/or to any other sandbox you will use with BSA.


Without these settings the API logger will not work and important information will not be available for analysis.


Note: It's recommended to create a dedicated sandbox for BSA.


Note: It's also recommended to add the following two lines to every sandbox used with Buster Sandbox Analyzer. They limit how many processes may run in the sandbox, so a sample that keeps spawning processes cannot exhaust the analysis machine:


ProcessLimit1=20

ProcessLimit2=30


Note: It's recommended to include the following line in the "UserSettings" section, so that Sandboxie Control's pop-up messages do not interrupt an unattended analysis:


SbieCtrl_HideMessage=*


Note: C:\BSA is just an example. Any other drive\folder may be used.


Note: The drive\folder\file name of LOG_API.DLL on disk must be identical to the drive\folder\file name in Sandboxie's configuration. If you define:


InjectDll=C:\BSA\LOG_API\LOG_API32.DLL


then LOG_API32.DLL must be located at C:\BSA\LOG_API folder.


Note: The user can choose where to place BSA's working directory, but should be aware of the restrictions Windows Vista, 7 and 8 impose on \Program Files. If BSA is run from \Program Files, it must be given administrator privileges or the required access rights must be set on that folder. In other situations BSA may require administrator privileges too.


Note: If you inject multiple DLLs with Sandboxie, it is recommended that the LOG_API library be the last one in the list.


Note: BSA includes four versions of the LOG_API library: two for 32-bit processes and two for 64-bit processes. The DLLs with "VERBOSE" in the filename also log file and registry operations; BSA may run more slowly when the verbose version is used.


Note: When running Sandboxie and Buster Sandbox Analyzer in a 64-bit OS you must include in Sandboxie.ini one extra line:


InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL


This line tells Sandboxie to inject LOG_API64.DLL into 64-bit applications. Without it, API information from 64-bit applications will not be available.
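

The script below is an added example (not part of BSA or Sandboxie) that checks a Sandboxie.ini against the rules in the notes above: every sandbox section must carry InjectDll= for LOG_API32.DLL (or its VERBOSE variant), OpenWinClass=TFormBSA and NotifyDirectDiskAccess=y, LOG_API should be the last InjectDll= line, a 64-bit OS also needs InjectDll64= for LOG_API64.DLL, and each DLL path must exist on disk exactly as written. The ini text, the C:\BSA and C:\Tools paths and the stubbed `exists` callback are assumptions for the demo; pass the real file contents and the default `exists` to check an actual machine.

```python
"""Check that each sandbox in Sandboxie.ini carries the lines BSA needs.

Added example, not part of BSA or Sandboxie. SAMPLE_INI is constructed;
on a real machine read Sandboxie.ini and keep the default `exists`.
"""
import os
import re

LOG_API32 = re.compile(r"LOG_API32(_VERBOSE)?\.DLL$", re.IGNORECASE)
LOG_API64 = re.compile(r"LOG_API64(_VERBOSE)?\.DLL$", re.IGNORECASE)

# Sections that are not sandboxes and therefore need no BSA lines.
NOT_A_SANDBOX = ("GlobalSettings", "UserSettings_")


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def check_sandbox(entries, is_64bit, exists=os.path.isfile):
    """Return the list of problems found in one sandbox section."""
    values = {}
    for key, value in entries:
        values.setdefault(key, []).append(value)
    problems = []
    injects = values.get("InjectDll", [])
    if not any(LOG_API32.search(v) for v in injects):
        problems.append("InjectDll= for LOG_API32.DLL is missing")
    elif not LOG_API32.search(injects[-1]):
        problems.append("LOG_API32.DLL should be the last InjectDll= line")
    if "TFormBSA" not in values.get("OpenWinClass", []):
        problems.append("OpenWinClass=TFormBSA is missing")
    if not any(v.lower() == "y" for v in values.get("NotifyDirectDiskAccess", [])):
        problems.append("NotifyDirectDiskAccess=y is missing")
    if is_64bit and not any(LOG_API64.search(v) for v in values.get("InjectDll64", [])):
        problems.append("64-bit OS: InjectDll64= for LOG_API64.DLL is missing")
    # The path in the ini must match the file on disk exactly.
    for key in ("InjectDll", "InjectDll64"):
        for path in values.get(key, []):
            if not exists(path):
                problems.append(f"{key}={path} does not exist on disk")
    return problems


def check_ini(text, is_64bit, exists=os.path.isfile):
    """Return {sandbox name: [problems]} for every sandbox section."""
    return {
        name: check_sandbox(entries, is_64bit, exists)
        for name, entries in parse_ini(text).items()
        if not name.startswith(NOT_A_SANDBOX)
    }


# Constructed sample: DefaultBox is configured as the manual says; BadBox
# lacks OpenWinClass= and injects another (hypothetical) DLL after LOG_API.
SAMPLE_INI = r"""
[DefaultBox]
ConfigLevel=6
Enabled=y
InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30

[BadBox]
Enabled=y
InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
InjectDll=C:\Tools\other_hook.dll
NotifyDirectDiskAccess=y

[UserSettings_00000000]
SbieCtrl_HideMessage=*
"""

if __name__ == "__main__":
    # `exists` is stubbed so the demo runs on a machine without C:\BSA.
    for box, found in check_ini(SAMPLE_INI, is_64bit=True, exists=lambda p: True).items():
        print(box, "OK" if not found else found)
```

Run it against the real file with `check_ini(open(path).read(), is_64bit=True)`; the path check is what catches the common mistake of the ini pointing at a folder where LOG_API32.DLL was never copied.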



Usage:


Sandboxie version 3.70.0 (or the latest official version, if available) must be installed on the computer, configured as you see fit, and working correctly before using Buster Sandbox Analyzer.


Note: "Automatically delete contents of sandbox" must be disabled.


Note: It's possible to run BSA from the command line in automatic mode. You must give two parameters: the amount of time and the folder to process. The parameters are:


“-m” or “-s” to define the time. “-m” is for minutes and “-s” for seconds. The minimum for minutes is 1 and the maximum 60; for seconds the minimum is 1 and the maximum 3600.


“-f” to define the folder to process.


Example: BSA.EXE -s 30 -f C:\TEST


In this example BSA will process the files stored in the “C:\TEST” folder for 30 seconds each.


Note: It's possible to analyze URLs from the command line. You must give two parameters: the amount of time and the URL (or a file with URLs) to process. The parameters are:


“-m” or “-s” to define the time. “-m” is for minutes and “-s” for seconds. The minimum for minutes is 1 and the maximum 60; for seconds the minimum is 1 and the maximum 3600.


“-url” to define the URL or file with URLs to process.


Examples:


BSA.EXE -s 30 -url http://bsa.isoftware.nl


In this example BSA will process the URL for 30 seconds.


BSA.EXE -s 30 -url C:\TEST\URLS.TXT


In this example BSA will process for 30 seconds the URLs contained in C:\TEST\URLS.TXT.


Note: BSA can run multiple instances, but with the following limitations:


To start working with BSA you must specify which sandbox folder you will work with. The sandbox folder must be entered in "Sandbox folder to check". If you are not sure which folder to specify, follow these steps:


1.- Run NOTEPAD.EXE sandboxed (any other application will do as well).


2.- Right-click Sandboxie's tray icon.


3.- Select "DefaultBox" or whatever sandbox you want to use.


4.- Click "Explore Contents". A Windows Explorer window will be opened.


5.- Copy the path from Windows Explorer and paste it in "Sandbox folder to check".


BSA verifies that “Sandbox folder to check” contains a valid sandbox name. If no valid name is found, BSA displays an image with a “?” symbol; click it for instructions on how to define a valid “Sandbox folder to check”.


Note: You only have to specify sandbox folders once. When you close BSA, the sandbox folders you used are saved automatically and will be available the next time BSA is run, under "Last used sandbox folders".


Note: The following instructions apply to the manual analysis mode.


When you are ready press "Start Analysis" button.


Buster Sandbox Analyzer checks whether the sandbox folder is empty. If it is not, it presents two options: delete the sandbox contents, or ignore them and continue.


Note: Buster Sandbox Analyzer drops files to disk, calls other executables and accesses the registry. This may cause problems if other security software is installed on the system.


After clicking "Start Analysis", the "Finish Analysis" button is enabled. You will also see a window showing the API calls.


Now run whatever you want to analyze under Sandboxie.


When you are done with the sandboxed processes, terminate all processes in Sandboxie (e.g. right-click Sandboxie's tray icon and select "Terminate All Programs"). Then click "Finish Analysis".


Note: If Sandboxie is still running sandboxed processes when you click "Finish Analysis", you will receive a warning. Wait until all processes under Sandboxie have finished and then click "Finish Analysis" again.


When available, the following files are written to the "Reports" directory in BSA's folder: Analysis.TXT, FileDiff.TXT, RegDiff.TXT, LOG_API.TXT, Connections.TXT, Sandboxie.TXT and Report.TXT. These files are plain text and can be opened with any text editor.


Note: Other files may be present depending on the configuration settings.


If “Options > Manual Analysis Options > View Malware Analysis On Finish” is enabled, Buster Sandbox Analyzer presents a list of suspicious behaviours and indicates whether each was performed or not. Based on the number of suspicious actions performed, the risk is rated low, medium or high according to the ratings in use.


Buster Sandbox Analyzer can exclude user-specified files, registry keys, ports, APIs and hooks from its checks. The “Exclusion Lists” feature was included for this purpose.


You can edit exclusion list files using "Editor -> Edit".


An exclusion list is a set of strings the user wants excluded from the results. Every line containing a string that appears in the exclusion list is removed from the reports.


In “HooksExclude.TXT”, the hook exclusion list file, you must specify hook modules you want to exclude, like:


C:\Windows\System32\shdocvw.dll


File exclusion strings are not relative to the sandbox path. This means you must specify the path or file to exclude as it appears on the real disk, e.g.:


C:\pagefile.sys would be ok

C:\SandBox\ExampleUser\DefaultBox\drive\C\pagefile.sys would be wrong


The registry exclusion list uses relative strings. Sandboxie "translates" HKEY_CURRENT_USER to user\current\ and HKEY_LOCAL_MACHINE to machine\.


Note: To avoid mistakes with registry exclusions, I suggest taking the strings directly from RegDiff.TXT and adding them to the exclusion list.


Don't forget to remove the value contents, as they may change. E.g. if you want to exclude:


HKEY_LOCAL_MACHINE\software\Classes\idid\url0


you should add to exclusion list:


machine\software\Classes\idid\url0 would be ok

hkey_local_machine\software\Classes\idid\url0 would be wrong

machine\software\Classes\idid\url0 = 1E9B6DD8 would not be wrong, but it will only be excluded if the value contents are exactly that.


Note: Exclusion list is case insensitive.


Note: Some registry keys and values are modified by Sandboxie itself, not by the sandboxed processes. I suggest running CALC.EXE, or any other program that does not modify the registry, and adding the strings from the resulting RegDiff.TXT to the exclusion list.


Note: The registry exclusion list accepts wildcards. Example:


machine\system\CurrentControlSet\Services\*\SBIE_
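

The following code is an added example, not BSA's own implementation, that applies the exclusion-list rules described above to report lines: a line is dropped when it contains any exclusion string, matching is case-insensitive, `*` matches any run of characters, registry keys are converted to Sandboxie's relative form (HKEY_LOCAL_MACHINE to machine\, HKEY_CURRENT_USER to user\current\) with the value contents stripped, and a path copied from the sandbox folder is converted to its real-disk form. The RegDiff lines and exclusion entries are constructed; the "key = value" layout is assumed from the manual's example line, and treating `*` as spanning backslashes is an assumption about BSA's wildcard.

```python
"""Apply BSA-style exclusion lists to RegDiff / FileDiff lines.

Added example, not BSA's own code. Sample lines are constructed; the
"key = value" RegDiff layout is assumed from the manual's example.
"""
import re

HIVES = {
    "HKEY_LOCAL_MACHINE": "machine",
    "HKEY_CURRENT_USER": r"user\current",
}


def to_sandboxie_key(key):
    """'HKEY_LOCAL_MACHINE\\software\\X\\y = 1' -> 'machine\\software\\X\\y'."""
    key = key.split(" = ", 1)[0].strip()          # drop the value contents
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest


def to_real_path(path, sandbox_root):
    r"""'C:\Sandbox\U\DefaultBox\drive\C\pagefile.sys' -> 'C:\pagefile.sys'."""
    prefix = sandbox_root.rstrip("\\") + "\\drive\\"
    if not path.lower().startswith(prefix.lower()):
        return path                               # already a real-disk path
    letter, _, rest = path[len(prefix):].partition("\\")
    return f"{letter.upper()}:\\{rest}"


def wildcard_search(pattern, text):
    """Case-insensitive substring search; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, text, re.IGNORECASE) is not None


def load_exclusions(text):
    """One exclusion string per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def apply_exclusions(report_lines, exclusions):
    """Return the report lines that contain none of the exclusion strings."""
    return [line for line in report_lines
            if not any(wildcard_search(x, line) for x in exclusions)]


# Constructed RegDiff.TXT-style lines (key = value contents).
REGDIFF = [
    r"machine\software\Classes\idid\url0 = 1E9B6DD8",
    r"machine\system\CurrentControlSet\Services\Tcpip\SBIE_Marker = 1",
    r"machine\system\CurrentControlSet\Services\Dhcp\SBIE_Marker = 1",
    r"user\current\software\Microsoft\Windows\CurrentVersion\Run\sample = C:\Users\me\sample.exe",
]

# Constructed exclusion list: the first entry is a Regedit-style key with
# the hive translated, the second uses a wildcard for the service name.
REGEXCLUDE = load_exclusions(
    to_sandboxie_key(r"HKEY_LOCAL_MACHINE\software\Classes\idid\url0") + "\n"
    + r"machine\system\CurrentControlSet\Services\*\SBIE_" + "\n"
)

if __name__ == "__main__":
    for line in apply_exclusions(REGDIFF, REGEXCLUDE):
        print(line)                               # only the Run\sample line survives
    print(to_real_path(r"C:\SandBox\ExampleUser\DefaultBox\drive\C\pagefile.sys",
                       r"C:\SandBox\ExampleUser\DefaultBox"))
```

Note that `to_sandboxie_key` leaves an already-relative key untouched apart from stripping the value, so it can be run over lines copied from RegDiff.TXT as well as over keys copied from Regedit.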


The FileDiff, RegDiff, PortDiff and LOG_API text files are raw data that Buster Sandbox Analyzer uses to perform several checks. To see the actual changes made to the system, open Report.TXT.


Buster Sandbox Analyzer can be configured to some extent by editing BSA.DAT and other data files.


Note: BSA.DAT is case insensitive.


The sections of BSA.DAT are explained below:


[File_Types_Copied_Windows]


In this section the user defines which file types must raise an alert when copied into the Windows folder (root or subfolders).


By default a certain number of file types (extensions) are watched.


Why this? Much malware copies its components into the Windows folder:


\Windows


\Windows\System32


etc.



[File_Types_Created_Modified]


In this section the user defines which file types must be watched when created or modified.


By default a certain number of file types are watched for creation or modification.


Why this? Creating or modifying an .EXE is typical of viruses.



[File_Types_Copied_AutoStart]


In this section the user defines which file types must be watched when copied to AutoStart locations. An AutoStart location is, for example, the Startup folder.


By default a certain number of file types are watched.


Why this? Malware typically places its components in autostart locations so they run when Windows loads.



[AutoStart_Files_Added_or_Modified]


In this section the user defines what autostart files must be watched when added to disk or modified.


By default the list of autostart files is:


autoexec.bat
autoexec.nt
autorun.inf

boot.ini
config.nt
config.sys
dosstart.bat
system.ini
win.ini
wininit.ini
winstart.bat


Why this? Another method malware uses to run when Windows loads is adding itself to one of those files.



[AutoStart_Registry_Created_or_Modified]


In this section the user defines what registry autostart locations to watch.


The list of autostart locations is fairly long, so it is not reproduced here. As an example:


\software\microsoft\windows\currentversion\run


Why this? It's very common for malware to add itself to a registry autostart location so it gets loaded when Windows boots.


[Custom_File_Entries]


In this section the user defines custom file entries to watch.


The format of the entry must be: {c,m,d}file_name<->reason to add it


“c” means created file, “m” means modified file and “d” means deleted file.


You can use “c”, “m”, “d” or a combination of them.


Examples:


{c}\tor\geoip<->Installs Tor

{d}\tor\geoip<->Uninstalls Tor

{c,m}\tor\geoip<->Installs Tor


Why this? This function lets the user define file entries that are considered signs of malicious activity.


[Custom_Registry_Entries]


In this section the user defines custom registry entries to watch.


The format of the entry must be: registry_name<->reason to add it


Example:


software\microsoft\windows\whatever<->Disables Windows firewall


Why this? This function lets the user define registry entries that are considered signs of malicious activity.


[Custom_Folders_Entries]


In this section the user defines the folders that must raise an alert when there is a file operation on them.


Why this? This function lets the user flag folders where activity is suspicious, such as "Program Files" or "Documents and Settings".


[Process_Code_Injection]


In this section the user defines the process file names that must raise an alert when a program tries to inject code into them.


Why this? Much malware injects code into system or popular processes such as svchost.exe, explorer.exe or iexplore.exe.



[File_Strings]


In this section the user defines strings that must raise an alert when found inside the analyzed file.


Strings will be searched first in ANSI format and if not found then in UNICODE format.


Strings will be searched inside analyzed malware and, when available and selected, inside all dumped binaries and sandbox folder files.


Why this? This feature is useful, for example, to detect banking malware: for that you would include strings related to bank URLs.


You can assign a description to the strings. Like this:


www.bankofamerica.com<->Traces of a banking trojan


You can edit BSA.DAT with any text editor, as it is plain text, and add new file types to watch or registry autostart locations. You can also remove or edit the default values.



[Custom_LogAPI_Entries]


In this section the user defines strings that may be found in LOG_API.TXT.


Why this? Some malware uses specific names when creating mutexes, events, etc., and these names can be used to identify the analyzed application as malware.


Note: Every entry in this section must contain a description that will be used in the analysis report.


Example:


CreateEvent(Global\killllllllllll)<->Traces of a trojan password


If you want to specify two or more strings that must appear in the same line use “\,”.


Example:


lstricmp\,RAVMOND.EXE<->Checks for security software presence


If you want to specify two or more strings that must all appear somewhere in LOG_API.TXT (not necessarily on the same line), use “\&”.


Example: LdrFindEntryForAddress\&QuerySystemInformation\&OpenProcess(smss.exe)<->Traces of Max++



The [AutoStart_Registry_Created_or_Modified], [Custom_Registry_Entries], [Custom_File_Entries] and [File_Strings] sections allow wildcards. You can use them to match several registry keys at once instead of adding one entry for each.


Example:


\SYSTEM\ControlSet001\Control\Lsa


\SYSTEM\ControlSet002\Control\Lsa


can be replaced with:


\SYSTEM\ControlSet*\Control\Lsa



Note: BSA.DAT accepts comments. A comment line must have “;” as its first character.


Note: After a section header "[Whatever]" its values must follow immediately, with no blank line between them. Sections are separated from each other by a blank line.


This is correct:


[File_Types_Copied_AutoStart]
.exe
.dll
.sys

[AutoStart_Files_Added_or_Modified]

...


This is wrong:


[File_Types_Copied_AutoStart]

.exe
.dll
.sys

[AutoStart_Files_Added_or_Modified]

...



This is wrong too:


[File_Types_Copied_AutoStart]

.exe
.dll
.sys


[AutoStart_Files_Added_or_Modified]




From version 1.71 Buster Sandbox Analyzer also reads BSA_USER.DAT. This file uses the same structure as BSA.DAT. Its purpose is to let the user keep their own definitions separate from BSA.DAT, so that when BSA.DAT is updated there is no need to add those definitions again.
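

As an added example (not BSA's own parser), the following code reads a BSA.DAT/BSA_USER.DAT file according to the format rules given in this section and evaluates the custom entries: `;` comments, a header followed directly by its values, blank lines only between sections, `pattern<->reason` entries, the `{c,m,d}` prefix of file entries, the `\,` (same line) and `\&` (anywhere in LOG_API.TXT) separators of LOG_API entries, `*` wildcards and case-insensitive matching. All sample data is constructed; in particular the `(operation, path)` tuples stand in for FileDiff.TXT, whose exact layout the manual does not show, and the LOG_API lines are only shaped like the manual's examples.

```python
"""Parse BSA.DAT / BSA_USER.DAT and evaluate its custom entries.

Added example, not BSA's own parser. Sample data is constructed; the
(operation, path) tuples stand in for FileDiff.TXT, whose layout the
manual does not show.
"""
import re

OPS = {"c": "created", "m": "modified", "d": "deleted"}


def parse_bsa_dat(text):
    """Return ({section: [values]}, [format errors])."""
    sections, errors, current, after_blank = {}, [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.startswith(";"):
            continue                                  # comment line
        if not line:
            if current is not None and not sections[current] and not after_blank:
                errors.append(f"line {n}: blank line directly after [{current}]")
            after_blank = True
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            after_blank = False
        elif current is not None:                     # values before any header are dropped
            if after_blank and sections[current]:
                errors.append(f"line {n}: values of [{current}] split by a blank line")
            sections[current].append(line)
            after_blank = False
    return sections, errors


def split_entry(value):
    """'pattern<->reason' -> (pattern, reason)."""
    pattern, _, reason = value.partition("<->")
    return pattern.strip(), reason.strip()


def wildcard_search(pattern, text):
    """Case-insensitive substring search; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, text, re.IGNORECASE) is not None


def parse_file_entry(value):
    """'{c,m}\\tor\\geoip<->Installs Tor' -> ({'created','modified'}, pattern, reason)."""
    m = re.match(r"\{([cmd](?:,[cmd])*)\}(.*)", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad Custom_File_Entries line: {value}")
    ops = {OPS[c.lower()] for c in m.group(1).split(",")}
    return (ops,) + split_entry(m.group(2))


def match_file_entries(entries, file_ops):
    """file_ops: iterable of (operation, path). Returns [(path, reason)]."""
    hits = []
    for value in entries:
        ops, pattern, reason = parse_file_entry(value)
        hits += [(path, reason) for op, path in file_ops
                 if op in ops and wildcard_search(pattern, path)]
    return hits


def match_logapi_entries(entries, log_lines):
    """Every '\\&' group must be satisfied somewhere in the log; the '\\,'
    strings of one group must all occur on a single line."""
    lowered = [line.lower() for line in log_lines]
    hits = []
    for value in entries:
        pattern, reason = split_entry(value)
        groups = [[s.lower() for s in g.split("\\,")] for g in pattern.split("\\&")]
        if all(any(all(s in line for s in group) for line in lowered) for group in groups):
            hits.append(reason)
    return hits


# Constructed BSA_USER.DAT in the layout the manual calls correct.
SAMPLE_DAT = r"""; constructed sample, same structure as BSA.DAT
[Custom_File_Entries]
{c,m}\tor\geoip<->Installs Tor
{d}\tor\geoip<->Uninstalls Tor

[Custom_Registry_Entries]
\SYSTEM\ControlSet*\Control\Lsa<->Touches LSA settings

[Custom_LogAPI_Entries]
lstricmp\,RAVMOND.EXE<->Checks for security software presence
LdrFindEntryForAddress\&QuerySystemInformation\&OpenProcess(smss.exe)<->Traces of Max++
"""
# The layout the manual calls wrong: a blank line right after the header.
BAD_DAT = "[Custom_File_Entries]\n\n{c}\\tor\\geoip<->Installs Tor\n"

FILE_OPS = [("created", r"C:\Program Files\Tor\geoip"), ("deleted", r"C:\Temp\setup.tmp")]
LOG_API = ["lstricmp(ravmond.exe)", "LdrFindEntryForAddress(0x00400000)",
           "NtQuerySystemInformation(SystemProcessInformation)", "OpenProcess(smss.exe)"]

if __name__ == "__main__":
    sections, errors = parse_bsa_dat(SAMPLE_DAT)
    print("errors:", errors, "| bad file:", parse_bsa_dat(BAD_DAT)[1])
    print(match_file_entries(sections["Custom_File_Entries"], FILE_OPS))
    print(match_logapi_entries(sections["Custom_LogAPI_Entries"], LOG_API))
```

The registry entry with the `ControlSet*` wildcard is matched with the same `wildcard_search` call against RegDiff lines; running the parser over BSA_USER.DAT before an analysis is a cheap way to catch the blank-line-after-header mistake shown above.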



There are other configurations files:


CHECKIP.DAT: It contains a list of domain names that can be used to look up the external IP address (internet IP address).


GEOLOCATION.DAT: It contains a list of web pages that can be used to geolocate an IP address.


MALICIOUS-DOMAINS.DAT: It contains a list of malicious domain names. This list was initially retrieved from www.malwaredomains.com.



Buster Sandbox Analyzer has a few options. An explanation of them follows:


Cancel Analysis: Used to cancel current analysis.



Analysis Mode: Used to select analysis mode between automatic, automatic in watch mode and manual.



In “Manual” mode you choose when to start and finish the analysis. You must sandbox the files you want to analyze yourself.



In “Automatic” mode you only need to specify the amount of time for each analysis and the folder to process. If all sandboxed processes terminate before the analysis time expires, BSA concludes the analysis immediately instead of waiting for the specified time.



“Automatic in Watch Mode” is the same as “Automatic” mode, except that you will also be asked how long to wait before the folder with files to analyse is checked again for new files.


Note: In all modes you can stop the analysis clicking on "Cancel Analysis".


Note: In “Automatic in Watch Mode” analysis mode you must enable the feature that moves processed file to report folder (“Automatic Analysis Options > Manage Processed File”). If you do not do this, BSA will be processing the same files again and again.


Automatic Analysis Options > Aggressive Window Closer: When sandboxed processes are terminated, certain windows sometimes remain open. By default, Buster Sandbox Analyzer closes most of these windows but not all. Enable this feature if you want those windows closed too.


Note: When this feature is enabled you probably will be unable to do anything else on the computer as BSA will close windows.


Note: If you run multiple BSA instances, one instance may close another instance's windows. To avoid this, set the analysis time in each instance and do not start processing until the window to select the folder to process has been opened in all instances.


Note: It is recommended to enable this feature in every BSA instance when running in automatic mode with a large number of samples to analyze (e.g. more than 100).



Automatic Analysis Options > Do Not Process Unknown File Types: Used to process only file types known to BSA.



Automatic Analysis Options > Dump > Extract APIs From Dumps: Used to extract a list of used APIs from dumped processes using Hexacorn's HAPI tool.



Automatic Analysis Options > Dump > Extract Strings From Dumps Using HexDive: Used to extract strings from dumped processes using Hexacorn's HexDive tool.



Automatic Analysis Options > Dump > Keep Dumped Executable Processes: Used to keep dumped executable processes in report folder.



Automatic Analysis Options > Dump > Keep Extracted Strings From Dumps: Used to keep extracted strings (using “Strings” by Mark Russinovich) from dumped processes. The minimum length of strings is 5. It is possible to create a list of strings that should not appear on results. You can edit that list from “Editor > Exclusion Lists > Edit String Exclusion List”.



Automatic Analysis Options > Dump > Use Deep Dump Method: Used to dump executable processes from all memory regions belonging to dumped process.


Note: This option can slow down BSA when dumping certain processes.



Automatic Analysis Options > Extract Contents From PCap File: Used to extract files from captured PCap files.



Automatic Analysis Options > FakeNet Mode: “FakeNet is Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst.”


If you do not want to use your real internet connection while you analyze malware but you still want to get network information anyway, then FakeNet is a good solution.


Download: Get FakeNet from http://sourceforge.net/projects/fakenet/


Installation: FakeNet is a portable application so just decompress archive contents to a folder.


Configuration: Edit FakeNet.cfg and change the line containing the string "OutputOptions DumpHTTPPosts:No DumpOutput:No Fileprefix:output" to "OutputOptions DumpHTTPPosts:No DumpOutput:Yes Fileprefix:output".


Note: It is very important that you edit FakeNet.cfg as explained above; otherwise BSA will freeze when “FakeNet Mode” is enabled.


Note: In “FakeNet Mode”, BSA's packet sniffer will not work. You can still save captured packets to a file: enable “Options > Common Analysis Options > Packet Sniffer > Save Capture To File”.


Note: “FakeNet Mode” must not be used when running multiple malware analyses.


Note: The first time you use “FakeNet Mode” feature you will be asked for the folder containing the tool. If you have configured BSA to save settings, you will not be asked again.


Note: If “FakeNet Mode” is enabled, “Options > Common Analysis Options > Packet Sniffer > Do Not Capture Packets” will be ignored.



Automatic Analysis Options > Generate Additional Information File: Used to generate a report named “Additional Information.TXT” with additional information about the processed file when it is an executable.


This file contains information about the PE structure (sections, imports, version information), the icon's MD5 and signatures from the Signsrch utility.


You can select individually which files to get additional information from. The available sources are: the analyzed file, dumped files and sandbox folder files.



Automatic Analysis Options > Keep Sandbox Files: Used to copy sandbox folder contents to report analysis folder. Contents can be copied “Compressed” (inside a ZIP archive) or “Uncompressed”.



Automatic Analysis Options > Launch Custom Applications: Used to launch applications of the user's choice before the analysis begins. This can be useful because some malware injects code into processes such as iexplore.exe, explorer.exe, jqs.exe, firefox.exe, etc. to perform malicious actions. Such actions are not possible if those applications are not running sandboxed.


List of applications to launch must be stored at “\Config\LaunchList.TXT”.


Note: You can specify parameters for the application to launch.


Note: Do not forget to put double quotes around the path of the application to launch.



Automatic Analysis Options > Manage Processed File: Used to take an action over the analyzed file. This action can be copy or move analyzed file to report folder or delete it.


Note: This feature must be enabled (with the “Move to Reports Folder” or “Delete” option) when you run BSA in “Automatic in Watch Mode”, so that the same file is not processed again and again.



Automatic Analysis Options > Process Selected Folder Recursively: Used to select between processing files only from selected root folder or from subfolders too.



Automatic Analysis Options > Resume Process When Available: Used to resume the analysis of a set of files that got stopped.



Automatic Analysis Options > Run Custom Command On Finish: Used to execute programs when the automatic analysis finishes. The programs can be executed in the real system (not sandboxed) using “Run On Real System” or sandboxed using “Run Sandboxed”.


Note: Be aware that a program run sandboxed may affect the analysis results.


The tools can run after all files have been analyzed using “After Last Analyzed File” or they can run after a file has been analyzed using “After Every Analyzed File”.


The list of programs to execute must be placed in the following files:


Run On Real System>After Every Analyzed File = PROCESSRSEVERY.BAT


Run On Real System>After Last Analyzed File = PROCESSRSFINAL.BAT


Run Sandboxed>After Every Analyzed File = PROCESSSEVERY.BAT


Run Sandboxed>After Last Analyzed File = PROCESSSFINAL.BAT


Note: Programs will be executed sequentially.



Automatic Analysis Options > Setups > Automate Setups: Used to automate setup installations. BSA will click on “Next”, “Install”, “Finish”, etc. buttons, so the sample will be analyzed properly.



Automatic Analysis Options > Setups > Run Silently If Possible: Used to run installation setups in silent mode (no user intervention required) when possible.


Note: BSA uses Exeinfo to identify installation setups.


Note: “\DATA\SETUPS.DAT” contains a list of installer identifications and the associated command line to run each installer in silent mode. The list can be modified to add, change or remove installers. The format of SETUPS.DAT is: string_to_identify_installer||arguments_to_include



Automatic Analysis Options > Setups > Send a Return Every 10 Seconds: Used to simulate a “return” keypress every 10 seconds.



Automatic Analysis Options > Skip Files: Used to skip the analysis of certain files. This feature has the following two options:





Automatic Analysis Options > Specify Report Folder: Used to specify the folder where report files will be stored.



Automatic Analysis Options > Take screenshots: Used to take screenshots of the sandboxed windows.



Automatic Analysis Options > Take Screen Video: Used to capture a video of the screen. VLC installation is required.



Common Analysis Options > Adjust Time Limit In: Used to select time limit in minutes or seconds.



Common Analysis Options > Exclusion Lists: By default exclusion lists are enabled. If you want to disable one or all exclusion lists, you can do it with this feature.



Common Analysis Options > Packet Sniffer: Inside this menu we can find the options to configure the packet sniffer. This will be discussed in the appendix dedicated to capturing packets.



Manual Analysis Options > Delete Sandbox Folder If Is Not Empty: BSA will remove sandbox folder contents when this option is enabled.



Manual Analysis Options > Ignore If Sandbox Folder Is Not Empty: If for whatever reason you want to keep files inside the sandbox folder and don't want to be bothered by the warning that the sandbox folder is not empty, enable this option and Buster Sandbox Analyzer will not show the warning.



Manual Analysis Options > Set A Time Limit For Analysis: Used to define a maximum time for manual analysis.



Manual Analysis Options > View Malware Analysis On Finish: Used to see malware analysis results after analysis is finished.



Report Options > Information > Additional Options > Do not resolve URLs: This option is enabled by default. When disabled, Buster Sandbox Analyzer will try to resolve the IP addresses of the Internet connections.



Report Options > Information > Additional Options > Include Information for Modified Files: When enabled, information about modified files is included in the reports. When disabled, it is left out.



Report Options > Information > Additional Options > Include Risk Evaluation: When enabled, BSA includes the risk evaluation in the analysis reports.



Report Options > Information > File Digital Signature: Used to perform a digital signature verification on analyzed files.



Report Options > Information > File Entropy: Includes the file entropy (byte distribution) of Win32 files. This is useful for telling whether a file is compressed or encrypted.



Report Options > Information > File Hash: Makes Buster Sandbox Analyzer include the MD5, SHA1 and SHA256 hashes of every newly created file and/or of the analyzed file in Report.TXT.



Report Options > Information > File Length: Makes Buster Sandbox Analyzer include file length information in the reports.



Report Options > Information > File Signature: Makes Buster Sandbox Analyzer include PEiD and/or Exeinfo information in the reports.



Report Options > Information > File Type: Includes the file type (executable, library, batch, RAR, ZIP, etc.) of files in the reports.



Report Options > Information > Malware Classifier: Includes the verdict on the maliciousness of an EXE or DLL given by Adobe Malware Classifier.


As Buster Sandbox Analyzer makes use of a code port of Adobe Malware Classifier I must include next license agreement:


The BSD License


Copyright (c) 2012, Adobe Systems Incorporated

All rights reserved.


Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


-Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.


-Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.


-Neither the name of the Adobe Systems Incorporated nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.


THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Adobe Systems Incorporated OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



Report Options > Information > ssdeep: This feature will include the ssdeep signature in reports.



Report Options > Information > VirusTotal: Used to include antivirus information from VirusTotal in reports.



Note: Each of the above features can be selected for the analyzed file, for dropped/modified files, for both or for neither.



Report Options > Generate Reports in HTML format: BSA will produce reports in HTML format.



Report Options > Generate Reports in JSON format: BSA will produce reports in JSON format.



Report Options > Generate Reports in PDF format: BSA will produce reports in PDF format.



Report Options > Generate Reports in XML format: BSA will produce reports in XML format.



SQL Options > Add Information from Report File to SQL Database: Used to include information from report file into a SQL database. This feature only works when BSA runs in automatic mode.


Note: SHA256 information must be included in the report if you want report information added to the SQL database. This applies to analyzed files, dropped files and modified files.


Note: Only the first 100 dropped, modified and deleted files will be included in the SQL database for each analyzed file.



SQL Options > Include Analysis Report to SQL Database: Used to include in SQL database also the information from analysis report.



Program Options > Change Title: Used to change the title of BSA's window.


Note: This feature is intended for running multiple BSA analyses. If you change the title you must also modify LOG_API.DLL so that the library and the program keep communicating (see appendix E).



Program Options > Check for Updates: Checks if a new version of Buster Sandbox Analyzer is available. If a new version is available it will be downloaded to "Updates" directory of BSA folder.



Program Options > Hide Sandboxie: Used to hide Sandboxie's processes.



Program Options > Language: Used to select the language of the program's interface.



Program Options > Minimize BSA when Take Screen Video Option is Enabled: Used to minimize BSA when video is captured, that way BSA window will not appear in video.



Program Options > Number of Retries for VirusTotal: Used to set a number of retries if VirusTotal can not be reached. You can select from none up to five attempts.



Program Options > Show All APIs: Makes Buster Sandbox Analyzer show every API call logged by LOG_API. When disabled, only unique API entries are shown.



Program Options > Window Position > Remember Window Position: This feature will save the position on screen.



Program Options > Windows Shell Integration: Adds options to the Explorer context menu to open BSA or to analyze a file automatically.


Note: By default, the context-menu option that analyzes a file automatically is set to analyze for 60 seconds. To change this, follow these steps:


Run “Regedit.exe” and go to:


\HKEY_CLASSES_ROOT\*\shell\BSAverb2\command


Edit the value and change the time by replacing “-s 60” with the amount of time you prefer. You can use “-s” for seconds and “-m” for minutes, just as on the command line.



Program Settings > Load Settings from File: Used to load a BSA configuration from a file.



Program Settings > Save Settings as...: Used to save current BSA configuration.


Note: Using “Load Settings from File” and “Save Settings as...” you can easily switch between different configurations without having to select features individually.


Editor: This menu allows the user to easily edit BSA.DAT, WindowMessages.TXT, exclusion lists and other files.


Note: When running in automatic mode, certain message windows are not closed when the sandboxed processes finish. In WindowMessages.TXT you can list strings to search for; when one of them is found, BSA closes the window containing it. A typical case is the “FILENAME.EXE – Application Error” message window.



Viewer: This menu allows the user to view from BSA the different report files when available, and also connections and internet traffic packets when BSA runs in manual mode.



Utilities: This menu contains malware-analysis-related tools. They are explained in another section.



Analysis: This menu contains features to analyze specific file types.



Updates > Check for Updates: Used to check if there is a new version of BSA.



Help > Help Topics: This manual can be accessed from BSA with this feature.



Help > Contact Author: Used to send me an e-mail. If you want to report a bug, please include the BSA version and any other information needed to reproduce the problem.



Help > Support: Opens a link to Sandboxie's forum in a browser. The page opened is in the “Contributed Utilities” section, where BSA has a thread for discussing the tool.



Help > About Buster Sandbox Analyzer: Program credits.



Additional notes:


When running in automatic mode, BSA will keep window position.


When processing certain applications the BSA window may become invisible. In this case try right-clicking BSA in the taskbar and clicking “Refresh”.