The malware analysis performed by Norman SandBox often displays complex results. Be aware that this information may seem obscure to non-technical personnel. Unfortunately this is unavoidable and to some extent intentional. The Norman SandBox analysis is meant to state what the malicious software actually does, as correctly and precisely as possible. It is not intended to be a malware description written in popular terms.

This page goes through the different sections of the analysis and briefly describes what each section may contain.

[DetectionInfo]

  • Sandbox name:
    The name assigned by Norman SandBox. This is a generic name that tells what type of malware is involved. Some examples of the different types of malware that are classified by Norman SandBox can be found here.

  • Signature name:
    The name assigned to the malicious software by Norman's virus signature files. When a malicious file is first sent for analysis (and no virus signature exists yet), the signature name will be NO_VIRUS. This may change later, once detection for the malware is added to the signature files.

[General information]

Aggregated information about what the particular malware does.

The unique MD5 identifier (hash) of a particular malware sample. (Note that two files with different names may have the same MD5 identifier if their file content is identical.)

[Changes to system settings]

E.g. changes the dialler settings.

[Network]

Network operations that are performed, e.g. looking for network shares, performing operations on remote files, etc.

[Network services]

Network activity that the malware performs, e.g. opening web pages, connecting to IRC channels, setting up a local web server, etc.

[Changes to filesystem]

Information about files and directories that are created and/or deleted etc.

[Security issues]

General potentially dangerous and unusual activity not relevant in any other category. E.g. downloading files, sending emails, reading passwords from cache, etc.

[Process/window information]

Program files that are executed, processes that are stopped (e.g. antivirus software), etc.

[Registry]

Changes that are made in the Windows Registry, e.g. creation of new values in Registry keys, deletion of existing values, changes to existing values, etc.

[Spread email]

Information about email spreading: recipient, sender and subject of the emails the malware attempts to send. Also information about newsgroup posting.

[Spreading by infecting files]

File infection, i.e. modifying existing executable files.

[Spread p2p]

Information about peer-to-peer worms.

[Signature Scanning]

Scanning the files that the malware creates (and leaves behind) on disk for known malware signatures.
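As an added example (not part of the original page, and not Norman's own tooling), the following Python script parses a report laid out in the sections this page describes and pulls out the fields an analyst triages first: the sandbox name, the signature name (flagging NO_VIRUS as "not yet detected"), the MD5 identifier from [General information], and which behaviour sections are non-empty. It also groups files by MD5 to illustrate the point made under [General information] that differently named files with identical content share one MD5 identifier. The sample report text, its exact line layout ("[Section]" headers, one "*" item per line, wrapped continuation lines) and all values in it are constructed assumptions for this example, not a real Norman SandBox report.

```python
import hashlib
import re

# Constructed sample report, modelled on the section layout this page
# describes. The line format and every value below are assumptions made
# for this example; they are not taken from a real report.
SAMPLE_REPORT = """\
[DetectionInfo]
    * Sandbox name: W32/Downloader
    * Signature name: NO_VIRUS

[General information]
    * File length: 24576 bytes.
    * MD5 hash: 0123456789abcdef0123456789abcdef.

[Changes to filesystem]
    * Creates file C:\\WINDOWS\\SYSTEM32\\example.exe.

[Network services]
    * Opens URL: http://example.invalid/update.

[Registry]
    * Creates value "example"="C:\\WINDOWS\\SYSTEM32\\example.exe" in key
      "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
ITEM_RE = re.compile(r"^\s*\*\s*(?P<text>.+?)\s*$")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def parse_report(text):
    """Return {section_name: [item, ...]} in the order sections appear.

    Empty sections are kept (with an empty list) so callers can tell
    'section present but nothing reported' from 'section absent'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"item outside any section: {raw!r}")
        m = ITEM_RE.match(raw)
        if m:
            sections[current].append(m.group("text"))
        elif raw[0].isspace() and sections[current]:
            # Indented line without a bullet: a wrapped continuation of
            # the previous item, so glue it back on.
            sections[current][-1] += " " + raw.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def field(sections, section, label):
    """Return the value of a '<label>: <value>' item, or None if absent."""
    for item in sections.get(section, []):
        if item.startswith(label + ":"):
            return item[len(label) + 1:].strip().rstrip(".")
    return None


def summarize(text):
    """Triage summary: names, detection status, MD5 and observed behaviour."""
    sections = parse_report(text)
    signature = field(sections, "DetectionInfo", "Signature name")
    md5 = None
    for item in sections.get("General information", []):
        m = MD5_RE.search(item)
        if m:
            md5 = m.group(0).lower()
            break
    behaviour = [name for name, items in sections.items()
                 if items and name not in ("DetectionInfo", "General information")]
    return {
        "sandbox_name": field(sections, "DetectionInfo", "Sandbox name"),
        "signature_name": signature,
        # NO_VIRUS means no signature existed when the sample was submitted.
        "undetected": signature == "NO_VIRUS",
        "md5": md5,
        "behaviour_sections": behaviour,
    }


def group_by_md5(files):
    """Group {filename: content_bytes} by MD5 so renamed copies of the same
    sample collapse into one group, regardless of filename."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(hashlib.md5(data).hexdigest(), []).append(name)
    return groups


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
    print(group_by_md5({"a.exe": b"same", "b.exe": b"same", "c.exe": b"other"}))
```

The parser is deliberately strict (it raises on lines it cannot classify) so that a layout change in a report surfaces as an error rather than silently dropping findings; when ingesting reports in bulk, catch ValueError per report and quarantine the unparsed ones for manual review.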