Norman's SandBox Malware Analyzer product suite (the Reporter, the Analyzer and the Analyzer Pro) offers security personnel in different types of organizations a set of useful tools to protect against, analyze and understand malicious software.
The products are all based on Norman SandBox, a component used in all of Norman's antivirus products. However, the three new Malware Analyzer products have a potential far beyond that of detecting and removing viruses. They are tools for investigating program behaviour, and for protecting environments from threats.
All three products are useful for organizations involved in security, whether that is their own security or work as consultancies, Internet providers, police, and national security organizations.
SandBox Reporter
This product is somewhat different from the other two products, as it is a subscription service and not a program that is licensed to the users.
SandBox Reporter is built on the results from the malicious files that are sent to Norman SandBox Information Center (NSIC), as well as other malicious files that Norman gets through various channels. The number of files received for analysis is well above a thousand each day on average. These files are analyzed by Norman SandBox technology.
Those who submit a file for analysis receive the result by email. All results from analysed files are available on NSIC; however, suspicious URLs and computer names/addresses are obfuscated.
Those who subscribe to SandBox Reporter will receive daily reports from all these analyses. You will receive:
- A report with URLs that malicious software is attempting to access (e.g. to download new malicious components)
- A report with lists of IRC network servers that malicious software tries to connect to. This list includes additional information like server names, user names, passwords, etc.
- A SandBox summary of most of the files that have been analyzed. This list includes information about file behavior and what it attempts to accomplish.
You may see examples of log files for one day from NSIC here.
Contrary to the reports available to the public on Norman SandBox Information Center, these reports do not have any obfuscation of URLs, email addresses, IP addresses, domain names etc., thus enabling the subscriber to act upon this information.
A few examples of useful areas of application
- Security analysts and organizations that want to keep an eye on the techniques currently in use by producers of malicious software
- Those who want to restrict access to malicious web sites and IRC servers on their firewalls
- Analysts of viruses and other malicious software
- Internet providers that need to monitor their infrastructure for malicious content
- Those responsible for larger environments' infrastructure (e.g. national security bodies)
SandBox Analyzer
The SandBox Analyzer is a tool that enables users to analyze a file's behavior and the actions performed by the file. The SandBox Analyzer may even extract additional files created in the virtual SandBox environment by the file being analyzed. After the analysis is finished, two reports are created: an in-depth API log of the file's actions and behavior, and a summary (e.g. information about registry changes, changes to file system).
This information is more comprehensive than analyses available from Norman SandBox Information Center (NSIC). The user is even allowed to customize the number of emulation cycles that shall be run, so malware which might not be discovered in normal circumstances can be analyzed to a fuller extent.
Examples of file analyses by SandBox Analyzer are available here.
The SandBox Analyzer can also operate on a large number of files sequentially, generating the requested information without the need of any user intervention.
Customers who purchase Norman SandBox Analyzer will receive updated signature files and other updates continuously during the license period.
A few examples of useful areas of application
- Analysts of viruses and other malicious software
- Security analysts and organizations that want to automatically bulk-analyse large numbers of potentially malicious files
- Technical staff in organizations that work with highly sensitive material that may be subject to industrial espionage.
SandBox Analyzer Pro
SandBox Analyzer Pro is used in a different way than SandBox Analyzer. Which of the two products (or both) is needed is therefore dependent on the user's requirements. The Pro version is designed to perform deep analysis of any Win32 PE executable file using a GUI.
The user may look at loaded libraries, running threads, created sockets etc. Breakpoints can even be set and commands entered. The Analyzer Pro tool has a disassembly view, register view, memory dump, API log view, command input view and more. That way the user of SandBox Analyzer Pro may perform extremely detailed analysis of a file's behavior and attempted actions.
Similar to the SandBox Analyzer product, the Pro version offers analysis information that is more comprehensive than analyses available from Norman SandBox Information Center (NSIC). The user is even allowed to customize the number of emulation cycles that shall be run, so malware which might not be discovered in normal circumstances can be analyzed to a fuller extent.
Examples of file analyses by SandBox Analyzer Pro are available here.
Customers who purchase Norman SandBox Analyzer will receive updated signature files and other updates continuously during the license period.
A few examples of useful areas of application
- Analysts of viruses and other malicious software who need to do in-depth analyses
- Police forces and other forensic organizations specializing in criminal activity related to software
- Technical staff in organizations that work with highly sensitive material that may be subject to industrial espionage.


