[Image: Sandmen with the globe]
Many operating system settings may have to be altered before, for example, a potential virus will spread (it may depend on the date, time, build number, security settings, system directory, etc.). Using a real system would require many adjustments and, most likely, several reboots.
In short: it would be very time-consuming and very inefficient.

To be able to do this within an acceptable time frame and with efficient use of system resources, a separate module (Norman SandBox) with its own operating system is needed. Norman SandBox is compatible with Windows functions such as Winsock, Kernel and MPR. It also supports network and Internet functions like HTTP, FTP, SMTP, DNS, IRC, and P2P.

In other words: we are talking about a fully simulated computer, isolated within the real computer. There is no need for any extra hardware to accomplish this!

The simulator uses full ROM BIOS capacities, simulated hardware, simulated hard drives, etc. This simulator emulates the entire bootstrap of a regular system at boot-time, starting by loading the operating system files and the command shell from the simulated drive. This drive will contain directories and files that are necessary parts of the system, conforming to system files on physical hard drives.

The suspicious file is placed on the simulated hard disk and will be started in the simulated environment. The suspicious file is unaware of the fact that it is operating in a simulated world...

Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send e-mails. It can set up listening ports. Every action it takes is being registered by the antivirus program, because it is effectively the emulator that does the actions based on the code in the file. No code is executed on the real CPU except for the antivirus emulator engine; even the hardware in the simulated PC is emulated.

The issue is not to monitor and stop potentially harmful actions at runtime; the issue is to figure out what the program would have done if it had been allowed to run wild on an unprotected machine in an unprotected network, even if the antivirus program itself is running on a Netware server, on Linux, OS/2 or DOS.

When Norman SandBox detects a file that it finds suspicious, it attempts to place it into one of the following categories based on what the malware intends to do.

The list includes the following categories of malware: 

  • W32/Malware 
  • W32/EMailWorm 
  • W32/NetworkWorm 
  • W32/BackDoor 
  • W32/P2PWorm 
  • W32/FileInfector 
  • W32/Dialler 
  • W32/Downloader 
  • W32/Spyware
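As an added illustration (not Norman's code and not its actual rule set), the following toy classifier maps a trace of actions that an emulator like the one described above could register to the categories listed. The event names, the precedence of the rules and the sample trace are all constructed for the example.

```python
"""Toy behaviour-based classifier for the Norman SandBox category list.
Added example: event names, rule order and the sample trace are constructed."""
from collections import Counter

# Each rule is (category, predicate over a Counter of action names).
# Order matters: the first matching rule wins, so a specific propagation
# behaviour is reported before the more generic capabilities.
RULES = [
    ("W32/EMailWorm",    lambda c: c["smtp_send_self"] > 0),        # mails a copy of itself
    ("W32/NetworkWorm",  lambda c: c["net_share_copy"] > 0),        # copies itself to network shares
    ("W32/P2PWorm",      lambda c: c["p2p_drop"] > 0),              # drops itself into a P2P share dir
    ("W32/FileInfector", lambda c: c["pe_modify"] > 0),             # patches other executables
    ("W32/BackDoor",     lambda c: c["listen"] > 0 or c["irc_connect"] > 0),
    ("W32/Dialler",      lambda c: c["modem_dial"] > 0),
    ("W32/Downloader",   lambda c: c["http_get"] > 0 and c["exec_dropped"] > 0),
    ("W32/Spyware",      lambda c: c["email_harvest"] > 0 or c["keylog"] > 0),
]

def classify(events):
    """Map a list of (action, detail) events, as an emulator might log them,
    to a category name. Returns None when nothing at all was observed."""
    if not events:
        return None
    counts = Counter(action for action, _ in events)
    for name, matches in RULES:
        if matches(counts):
            return name
    # Suspicious activity that fits no specific pattern gets the generic label.
    return "W32/Malware"

# Constructed trace, in the order the emulator would have observed the actions.
SAMPLE_LOG = [
    ("create_file", r"C:\Windows\System32\svch0st.exe"),   # drops a copy of itself
    ("reg_set", r"HKLM\Software\...\Run\svch0st"),        # persistence (path elided)
    ("irc_connect", "irc.example.invalid:6667"),          # joins a command channel
    ("listen", "tcp/4444"),                               # opens a listening port
]

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Because the emulator registers every action the sample takes, a real classifier would work from the same kind of trace; the point of the example is that the category is derived from observed behaviour, not from a signature.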

Support for various program functionality

Some of the program actions that Norman SandBox supports include:

  • Support for more than 3500 different APIs
    Norman SandBox emulates more than 3500 APIs. This means that the SandBox now emulates more than 3500 ways to connect to your operating system or other software in your computer.
  • Multithread support
    A malicious program may have several threads that enable it to perform several independent actions in parallel. Each thread can help the malware to survive and to resist possible antivirus attacks. SandBox can emulate several threads simultaneously.
  • Support for thread injection to remote processes
    SandBox has the ability to detect thread injection into remote processes. When some malicious programs take control of a system, they inject their own threads into other running processes and perform their actions from there, camouflaging themselves by hiding in other processes. Inside SandBox this camouflage does not work.
  • Detection of email harvesting
    Many criminals are creating malicious programs that harvest email addresses, either for their own use or in order to sell them to other criminals. Such email-harvesting attempts are detected by Norman SandBox.
  • Network support
    In addition to normal network support and complex local area networks, SandBox also has support for Peer-to-Peer (P2P) networks, thus creating better protection for file-sharing services. Many worms are aware of P2P networks and try to spread using these mechanisms. The simplest form is just dropping themselves under "interesting file names" into the upload/download directory. Because of the emulation inside SandBox, this will be detected.
    SandBox has also support for Internet network services, such as Newsgroups, which are one of the most popular means for Internet communication and often used by malicious software to spread.
    SandBox also has support for other Internet network services such as POP3, DNS, IRC, Web and others.
  • Support for Instant Messaging communication
    The use of Instant Messaging (IM) communication, such as ICQ, is growing rapidly and Norman SandBox supports IM protocols.