A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #6372  by Buster_BSA
 Tue May 17, 2011 10:18 pm
gjf wrote: Yes, I can agree with you concerning 64.12.96.129 - actually it is icq.com, but 198.78.212.126:80, 213.248.111.235:80 and 195.12.231.10:80....
Possibly these hosts belong to icq.com, possibly it is just banners or ads, but anyway they have no index page.

Thanks for quick reply.
Anubis is missing information for sure because if you send a GET to http://www.icq.com, icq will reply sending the page I told you.

About the other connections... no idea. As I commented, you can view the packets and try to figure out what information was received.
 #6373  by Buster_BSA
 Tue May 17, 2011 10:23 pm
I was investigating the other IPs and all of them seem to belong to Akamai Technologies. Wikipedia says:

Akamai Technologies, Inc. (NASDAQ: AKAM), pronounced /ˈɑːkəmaɪ/ addresses problems associated with the Internet such as performance, security and scalability. The company created a globally distributed network of servers which is controlled by proprietary software.

They seem to do global caching of internet contents. They duplicate and store contents from server X on their own servers. When a client wants to access contents, part of the stuff is downloaded from Akamai, not from server X.

That would explain why with 1 OUT packet you receive several IN packets.
 #6375  by r2nwcnydc
 Wed May 18, 2011 12:40 am
Adobe uses Akamai for updates. So if you have reader or flash installed it's probably traffic from those updaters.

As for Anubis not showing the traffic: if Buster is using PCAP to monitor network activity, it is getting network activity for the entire system, not just the processes involved in the monitored process' execution. Anubis is an emulation-based analyzer, which is able to monitor traffic per process. So Anubis will not report the traffic, as it is coming from an unrelated process.
 #6376  by gjf
 Wed May 18, 2011 1:28 am
r2nwcnydc, according to the logs and the BSA manual, TCP traffic is well recognized among the processes. So the above-mentioned inbound traffic is caused by the malware, not an update process. And if an update is causing inbound traffic, where is the outbound request? So I believe Buster_BSA's explanation is more correct.
 #6381  by Buster_BSA
 Wed May 18, 2011 5:43 am
r2nwcnydc wrote: Adobe uses Akamai for updates. So if you have reader or flash installed it's probably traffic from those updaters.

As for Anubis not showing the traffic: if Buster is using PCAP to monitor network activity, it is getting network activity for the entire system, not just the processes involved in the monitored process' execution. Anubis is an emulation-based analyzer, which is able to monitor traffic per process. So Anubis will not report the traffic, as it is coming from an unrelated process.
You are wrong because BSA is able to filter TCP packets (not UDP packets, because they cannot be associated with applications) and show only those that belong to sandboxed applications.

Don't you see the logic that if you send a GET packet to http://www.icq.com, icq.com will reply to you?
 #6391  by r2nwcnydc
 Wed May 18, 2011 11:31 am
gjf, I ran the sample and only see traffic from the 64.12.96.129 address (both inbound and outbound), as I would expect. Also, I am basing my conclusion about Buster on the fact that if you use PCAP to monitor network traffic, you do not get a process associated with the traffic (look up the manual for winpcap).

Buster_BSA, you claim you use PCAP to monitor network traffic, which (as I said above) means you do not have a direct association of the traffic to the process that initiated that traffic. You can try to use other methods to guess which process caused the traffic, but it is just that, a guess. Unless you use some other method to monitor traffic, which would contradict what you claim in a previous post.

Warning: the following is my opinion:
I have tried your analysis tool, and I find it far behind other free and commercial options. Anubis is not a great benchmark by any means, but your tool has many flaws as well. Using other tools, like Anubis, can help make your tool better. So, until you are willing to take a nonobjective look at your tool's abilities, it will always be behind your competition.
 #6397  by Buster_BSA
 Wed May 18, 2011 1:10 pm
r2nwcnydc wrote: Buster_BSA, you claim you use PCAP to monitor network traffic, which (as I said above) means you do not have a direct association of the traffic to the process that initiated that traffic. You can try to use other methods to guess which process caused the traffic, but it is just that, a guess. Unless you use some other method to monitor traffic, which would contradict what you claim in a previous post.

Warning: the following is my opinion:
I have tried your analysis tool, and I find it far behind other free and commercial options. Anubis is not a great benchmark by any means, but your tool has many flaws as well. Using other tools, like Anubis, can help make your tool better. So, until you are willing to take a nonobjective look at your tool's abilities, it will always be behind your competition.
Yes, I use WinPcap to monitor network traffic. When a packet is captured, I find out what program it belongs to.

Could you make a list of the flaws in my tool? I'm always open to improving it.

About the nonobjective question:

I didn't say Anubis is better or worse than BSA, therefore your attempt at an attack is pointless. I just said that in this case Anubis is missing information because inbound traffic is missing, as you yourself already wrote: "I ran the sample and only see traffic from the 64.12.96.129 address (both inbound and outbound)"

So what I said is correct: Anubis misses information in the report.

I would also like to hear your explanation about this: "So, until you are willing to take a nonobjective look at your tool's abilities..."

When did I say or do something that led you to think I'm not willing to take an objective look at BSA's abilities?

I feel like you are just annoyed because I gave a negative review to one of your comments. I hope you can prove I'm wrong. If you do, then I'll be glad to apologize.
 #6398  by gjf
 Wed May 18, 2011 1:30 pm
r2nwcnydc wrote: gjf, I ran the sample and only see traffic from the 64.12.96.129 address (both inbound and outbound), as I would expect. Also, I am basing my conclusion about Buster on the fact that if you use PCAP to monitor network traffic, you do not get a process associated with the traffic (look up the manual for winpcap).
I agree with you - inbound connections from addresses other than 64.12.96.129 do not always appear, only on some systems. I don't know why. And I agree with you that winpcap (which is just the Windows implementation of libpcap) cannot find processes.

Anyway - under such conditions, when I try any sandboxed process with unsandboxed network activity I would receive fake alerts. But that's not the case: I have tried to reproduce it with sandboxed standard Notepad and a lot of background network activity (torrents, browser, etc.) and I did not receive any alerts, with the exception of UDP packets, but that is pretty normal and documented in the manuals. I don't know how the author made such a feature, but anyway, it works even using winpcap.
 #6399  by r2nwcnydc
 Wed May 18, 2011 1:36 pm
Buster_BSA wrote: When a packet is captured then I find out what program belongs to it.
This implies some amount of guessing, as PCAP is non-blocking, so it is possible the traffic has originated from a different process.
Buster_BSA wrote: So what I said is correct: Anubis misses information in the report.
Not quite. If you look at the Anubis report, the network traffic has both a request (outbound) and a response (inbound) from a 64.12.164.247 address (which is most likely an alternate address for 64.12.96.129). It is reported slightly differently than in your report, but it is there:
From ANUBIS:1038 to 64.12.164.247:80 - [ http://www.icq.com ]
Request: [ GET /people/566539612 ], Response: [ 200 "OK" ]
This implies that the HTTP request got back a response, and some unknown amount of data. Unknown because the details about network traffic are not reported by Anubis.
Last edited by r2nwcnydc on Wed May 18, 2011 1:52 pm, edited 1 time in total.
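The attribution technique argued over in this thread, as an added example that is neither BSA's nor Anubis's code: a captured packet's 4-tuple is matched, in both directions, against a snapshot of the host's TCP socket table (what GetExtendedTcpTable or psutil.net_connections() would return), and only packets owned by sandboxed PIDs are kept. The socket table, PIDs and the 192.0.2.10 local address are constructed; the example also shows the two limits raised above, UDP having no connection state to match and a connection that has already closed by lookup time going unattributed.

```python
# Added example (not from the thread, BSA or Anubis): pcap-to-process
# attribution for TCP via a connection-table snapshot, with the UDP and
# closed-connection cases that make it a best-effort guess.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Conn:
    laddr: str
    lport: int
    raddr: str
    rport: int
    pid: int


# Constructed snapshot of the local TCP table at capture time; in a real tool
# this would come from GetExtendedTcpTable / psutil.net_connections().
TCP_TABLE: List[Conn] = [
    Conn("192.0.2.10", 1038, "64.12.96.129", 80, 2204),    # sandboxed sample -> icq.com
    Conn("192.0.2.10", 49152, "198.78.212.126", 80, 1780),  # unrelated updater process
]


def attribute(pkt: Packet, table: Iterable[Conn]) -> Optional[int]:
    """Return the PID owning a TCP packet, or None when it cannot be attributed."""
    if pkt.proto != "tcp":
        return None  # UDP is connectionless: nothing in the socket table to match
    for c in table:
        local_remote = (c.laddr, c.lport, c.raddr, c.rport)
        outbound = local_remote == (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        inbound = local_remote == (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if outbound or inbound:
            return c.pid
    return None  # e.g. the socket closed before the non-blocking lookup ran


def filter_sandboxed(packets: Iterable[Packet], table: Iterable[Conn],
                     sandbox_pids: Set[int]) -> List[Packet]:
    """Keep only packets attributed to sandboxed PIDs (BSA-style TCP filter)."""
    table = list(table)
    return [p for p in packets if attribute(p, table) in sandbox_pids]
```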