12. Appendix E – Multiple malware analyses



As of version 1.56, Buster Sandbox Analyzer can run multiple malware analyses at the same time.


There are several conditions and limitations for this feature that you should be aware of:


A registered version of Sandboxie is required.


The "Take Screen Video" feature should be disabled, or enabled in only one instance of BSA.


Other limitations may exist but at the moment remain unknown.


Some preparation is required to get this feature working. The following example shows how to configure Sandboxie/BSA to run 3 malware analysis instances:




C:\BSA1

C:\BSA2

C:\BSA3




Sandboxie Control > Sandbox > Create New Sandbox


Names for the sandboxes: "BSA1", "BSA2", "BSA3".


To simplify, we will copy the settings from an already configured sandbox.




It should look like:


[BSA1]


...

InjectDLL=C:\BSA1\LOG_API.DLL

...


[BSA2]


...

InjectDLL=C:\BSA2\LOG_API.DLL

...


[BSA3]


...

InjectDLL=C:\BSA3\LOG_API.DLL

...






Options > Program Options > Change Title


The first instance will be titled "BSA1", the second "BSA2" and the third "BSA3".




Search for "Buster Sandbox Analyzer" and replace "Bust" with "BSA1", "BSA2" or "BSA3", depending on the BSA instance.


Finish the string by adding a 00 at the end.


It should look like:


42 53 41 31 00 (BSA1)

42 53 41 32 00 (BSA2)

42 53 41 33 00 (BSA3)



These modifications allow communication between the libraries and each BSA instance.


Note: From version 1.62 BSA has a feature to automatically make this modification. You will find it at “Utilities > LOG_API > LOG_API Patcher”.



And that's all the preparation needed to get Buster Sandbox Analyzer running multiple malware analyses at the same time.


Depending on your hardware setup, you may be able to run more BSA instances on your machine.
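

A consistency check for the finished setup, as an added example that is not part of the BSA manual or of BSA itself: it confirms that each sandbox section injects the LOG_API.DLL from its own folder and that the DLL contains the patched bytes listed above. The function names and the sample data are constructed for illustration, and the check assumes the Sandboxie configuration text and the DLL contents have already been read into memory.

```python
import re

def parse_sections(ini_text):
    """Map each [section] to a list of (key, value) pairs; keys may repeat."""
    sections, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def check_instances(ini_text, dll_bytes_by_path, names=("BSA1", "BSA2", "BSA3")):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    sections = parse_sections(ini_text)
    for name in names:
        expected = "C:\\{0}\\LOG_API.DLL".format(name)
        if name not in sections:
            problems.append(f"{name}: sandbox section missing")
            continue
        injected = [v for k, v in sections[name] if k.lower() == "injectdll"]
        if not any(v.lower() == expected.lower() for v in injected):
            problems.append(f"{name}: InjectDLL is not {expected}")
        blob = dll_bytes_by_path.get(expected)
        marker = name.encode("ascii") + b"\x00"   # e.g. 42 53 41 31 00
        if blob is None:
            problems.append(f"{name}: {expected} not found")
        elif marker not in blob:
            problems.append(f"{name}: {expected} lacks bytes {marker.hex(' ')}")
    return problems

# Constructed sample: BSA3 was copied from BSA2 and its DLL was never patched.
SAMPLE_INI = "\n".join([
    "[BSA1]", r"InjectDLL=C:\BSA1\LOG_API.DLL",
    "[BSA2]", r"InjectDLL=C:\BSA2\LOG_API.DLL",
    "[BSA3]", r"InjectDLL=C:\BSA2\LOG_API.DLL",
])
SAMPLE_DLLS = {  # constructed stand-ins for the real file contents
    r"C:\BSA1\LOG_API.DLL": b"MZ" + b"BSA1\x00",
    r"C:\BSA2\LOG_API.DLL": b"MZ" + b"BSA2\x00",
    r"C:\BSA3\LOG_API.DLL": b"MZ" + b"Buster Sandbox Analyzer\x00",
}

if __name__ == "__main__":
    for problem in check_instances(SAMPLE_INI, SAMPLE_DLLS):
        print(problem)
```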