SandBox

The SandBox line of products from Norman provides the ability to analyze the actual behaviour of potential malware files by executing them in an isolated, simulated environment. The SandBox applications are targeted at security administrators and professionals who need to analyze the actual results of running potential malware.

At the core of the products is the vendor's SandBox technology itself, which is able to simulate both the hardware and software environment of the host machine without directly using the host hardware. Instead, the software creates its own isolated "SandBox" environment within which to execute the applications, noting actions taken by the application, including files removed, added, or altered; network communications; and registry changes. The vendor notes that this environment contains full simulation capabilities, including the ability to emulate the bootstrap process of the PC, using ROM BIOS capabilities and loading the operating system files and command shell from a simulated drive (which contains the directories and files necessary for system operation). In addition to typical file or registry changes that may be attempted by the target application, other actions, such as network communications (HTTP, FTP, SMTP, DNS, IRC, and P2P), are also monitored. Throughout the process, the vendor emphasizes that the real hardware of the host machine is not used; that is, none of the target application's code is executed on the host machine's CPU. When analysis is complete, the product can provide a summary report of actions taken by the application, a full API log of kernel interactions, and an extraction of all files created by the target application on the simulated drive.

Four applications are offered in the Norman SandBox suite:

- SandBox Analyzer, with capabilities as described above. SandBox Analyzer can be used from the command line or through a user interface.
- SandBox Analyzer Pro, with extended capabilities including the ability to view loaded libraries, running threads, and created sockets; debugging-like tools including the ability to set breakpoints and enter commands; and various additional views including a disassembly view, register view, memory dump, API log view, command input view, and more.
- SandBox Reporter, which provides daily reports from the information collected at the vendor's Norman SandBox Information Center, an online service that allows users to submit individual, potentially malicious files for analysis and receive (via e-mail) a report of the file's potential actions based on the vendor's SandBox technology. The SandBox Reporter report includes a list of URLs that might contain malicious code, a list of IRC network servers that malware tries to connect to, and a SandBox summary of most of the files analyzed within the reporting period. The list is provided in both text and XML formats.
- SandBox Online Analyzer, an online service that allows users to upload potential malware files and see the results of the SandBox analysis (performed by the vendor's servers) via a Web-based interface. Also available through the Web interface is access to previous analyses and statistics.

New features in the SandBox product line include support for the analysis of packed malware (including Themida and Slovak Protectors) and support for the detection of malware that uses rootkit technology. Visit the vendor's Web site for further information.