Product description
Overview
Norman SandBox Analyzer Pro is an application designed to perform deep analysis of any Win32 PE executable file. It lets users analyze malicious code such as viruses, worms, trojans and keyloggers. During in-depth analysis of a file's behavior and actions, you can inspect loaded libraries, running threads, created sockets and more. You can also set breakpoints and enter commands. Available views include a disassembly view, a register view, a memory dump, an API log view and a command input view.
How does it work?
Norman SandBox Analyzer Pro is a console application designed to analyze Win32 PE executables. It accepts an extensive list of parameters that let you control and manipulate the emulation, extend the number of emulation cycles, and so on. You can also explore the files and the changes made to the simulated SandBox OS to get a full picture of the impact the file would have had if it had been run on a real computer.
Norman SandBox is the core component of Norman SandBox Analyzer Pro. This module emulates Windows API families such as Winsock, Kernel and MPR, and also supports network and Internet protocols including HTTP, FTP, SMTP, DNS, IRC and P2P. In other words, it is a fully simulated computer, isolated within the Norman SandBox Analyzer Pro application.
The simulator provides a simulated ROM BIOS, simulated hardware, simulated hard drives and so on. It emulates the complete bootstrap of a regular system: at boot time it loads the operating system files and the command shell from the simulated drive, which contains the directories and files a system needs, mirroring the system files found on a physical hard drive.
The file to be analyzed is placed on the simulated hard disk and started in the simulated environment, where it may do whatever it wants: infect files, delete files, copy itself across the network, connect to an IRC server, send email, open listening ports. Every action is recorded, because it is the emulator that carries out each action on behalf of the code in the file. No code from the sample is executed on the real CPU; only the antivirus emulator engine runs natively, and even the hardware of the simulated PC is emulated.
The goal is to determine what the program would have done had it been allowed to run unchecked on an unprotected machine in an unprotected network.
To simplify analysis, a SandBox summary and an API log can be generated for the analyzed file.
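Before a sample is handed to an emulator like this one, an analyst normally confirms it really is a Win32 PE image and notes where its entry point lives. The following is an added example in Python, not code from the original page or from Norman's product: it parses the DOS, COFF, optional and section headers with bounds checks, reports whether the file is an x86 PE32 executable image, and flags two things worth looking at before emulation: which section contains the entry point, and whether any section is mapped both writable and executable (typical of packed or self-modifying code). The `build_sample_pe` helper fabricates a headers-only image so the parser can be exercised offline; the constants are the standard PE/COFF values.

```python
"""Minimal Win32 PE header triage (added example, not Norman's code)."""
import struct

# Constants from the PE/COFF specification.
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40


class NotAPEFile(ValueError):
    """Raised when the bytes do not carry a well-formed MZ/PE header."""


def inspect_pe(data: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers. Every offset is bounds-checked
    so a truncated or malformed sample fails cleanly instead of raising IndexError."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise NotAPEFile("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise NotAPEFile("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        raise NotAPEFile("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+

    sections = []
    table = opt + opt_size
    if table + nsections * SECTION_HEADER_SIZE > len(data):
        raise NotAPEFile("section table truncated")
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name, "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": rawsize, "raw_offset": rawptr,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "unknown")
    return {
        "machine": machine, "format": fmt,
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": subsystem, "entry_point_rva": entry_rva, "sections": sections,
        # What the page calls a "Win32 PE executable": x86 machine, PE32 image, executable flag set.
        "is_win32_pe": (machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC
                        and bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE)),
    }


def entry_section(info: dict):
    """Name of the section containing the entry point, or None if it lies outside every section."""
    rva = info["entry_point_rva"]
    for s in info["sections"]:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + size:
            return s["name"]
    return None


def wx_sections(info: dict) -> list:
    """Sections mapped both writable and executable, a common trait of packed or self-modifying code."""
    return [s["name"] for s in info["sections"] if s["writable"] and s["executable"]]


def build_sample_pe(machine=IMAGE_FILE_MACHINE_I386, magic=PE32_MAGIC, entry_rva=0x1000,
                    sections=((b".text", 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                              (b".data", 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))) -> bytes:
    """Constructed test image: valid headers, no real code. Exists only to exercise the parser offline."""
    opt_size = 96 if magic == PE32_MAGIC else 112
    dos = IMAGE_DOS_SIGNATURE + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, IMAGE_FILE_EXECUTABLE_IMAGE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    table = b""
    for name, vaddr, flags in sections:
        hdr = bytearray(SECTION_HEADER_SIZE)
        hdr[:8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, 8, 0x1000, vaddr, 0x200, 0x400)  # vsize, vaddr, rawsize, rawptr
        struct.pack_into("<I", hdr, 36, flags)
        table += bytes(hdr)
    return dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + table
```

Run `inspect_pe(open(path, "rb").read())` on a real sample to get the same dictionary; an entry point that falls in a writable and executable section, or outside every section, is a strong hint that the code the emulator will first run is an unpacking stub rather than the program proper.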
Norman SandBox Analyzer Pro in more detail
Norman SandBox Analyzer Pro allows the user to perform a comprehensive analysis of files. The functions available during analysis include:
Disassembler View
This view disassembles the instruction at CS:EIP, or at any given memory address. When the view is active, use the arrow keys to move up and down; Page Up and Page Down also work.
View created threads
This view lists all created threads, showing the thread ID (first column) and the thread status. Selecting a thread shows details for that thread in the right-hand pane. The thread shown in red is the one currently running.
Memory Dump View
The Memory Dump View can show any memory area. The user may browse to any memory address, set breakpoints on memory, and view memory as text, dwords, bytes, or shorts. As with all views, the information from this view may be searched, copied, and saved to logs.
Other functions included:
- Setting breakpoints and entering commands
- Viewing registers and memory dumps
- API log view
- Command input view, plus fast right-click functionality
- More
Live Internet Communicator
Analyzer Pro v1.3 adds a new module, Live Internet Communicator (LIC). LIC lets any connection or application under test inside NSAP reach the live Internet, while NSAP monitors and analyzes the activity. Note that this relaxes the isolation described above: with LIC enabled the sample's network traffic reaches real hosts, so the egress path should be controlled accordingly.
LIC lets the operator examine an application as it downloads active content such as spyware, URLs and authentication information. Analyzer Pro can even analyze Internet communication between bots in a botnet and the instructions issued by the command and control (C&C) bot. When the C&C talks to the slave bot, NSAP intercepts the communication and reports the actual connection, what it does, when, and which commands it receives from the C&C.
LIC is configured and operated through a new network rule editor. A rule tells LIC what to do with a specific node or set of nodes (addresses), an application or a protocol. Rules can be added, edited or removed, so the rule set acts as a filter that yields exactly the information required.
System requirements
- Pentium III or higher
- 512 MB RAM or more
- At least 50 MB free hard drive space
- Operating system: Windows 2000, Windows Server 2003 or Windows XP
More information - testing or purchasing the product
Fill in the form to purchase or test the product, or to request more information.