 #9730  by Buster_BSA
 Thu Nov 17, 2011 4:25 pm
Released Buster Sandbox Analyzer 1.45.

Changes:

+ Added a feature to produce reports in PDF format
+ Added support for new malware behaviours: get volume information, alternate data stream creation
+ Updated LOG_API
 #9897  by Buster_BSA
 Thu Nov 24, 2011 11:03 pm
Released Buster Sandbox Analyzer 1.46.

Changes:

+ Added a feature to include information from reports into a SQL database
+ Added a custom manager for BSA's SQL Database
+ Added a feature to load and save settings from file on demand
+ Added a feature to set a number of retries if connection to VirusTotal fails
+ Added a feature to launch automatically Explorer.exe in automatic mode
+ Added a feature to skip already processed files in automatic mode
+ Fixed several bugs
 #9898  by Buster_BSA
 Thu Nov 24, 2011 11:48 pm
There are a lot of things to comment about version 1.46.


Added a feature to include information from reports into a SQL database

With this feature it's possible to store the information from report files and, optionally, from analysis reports in a SQL (sqlite 3) database.

All the information from reports (REPORT.TXT) and optionally from analysis (ANALYSIS.TXT) will be added to the database.

It's mandatory to enable the reporting of SHA256 in order to get this feature working.


Added a custom manager for BSA's SQL Database

I included a feature to manage the created database in an easy but powerful way.

It has a SQL expression generator with the tables in the database, the fields in each table, and five operators (is, is not, is null, is not null and contains).

For people that know SQL, I also included a custom SQL command feature. With this feature you can use your own SQL statements.

I added a feature to remove entries from the database, a predefined query to the database and a function to update a record from a report file.

Right-clicking on the table gives you some additional features.


Added a feature to load and save settings from file on demand

With this feature it's possible to have several different BSA configurations stored on disk and easily switch between them.


Added a feature to set a number of retries if connection to VirusTotal fails

You can configure it to make no retries if VirusTotal does not respond, or choose from 1 to 5 retries.


Added a feature to launch automatically Explorer.exe in automatic mode

Recently I processed a malware that didn't show the behaviour I expected. First I thought it was due to a bug in Sandboxie. The bug existed and tzuk fixed it, but in the end it was not related to the issue.

Ronen analyzed the piece of malware and discovered that the malware was injecting code into explorer.exe. Because the process was not being sandboxed, the malware could not inject the code. When explorer.exe is sandboxed, the malware behaves as it should.

As some trojans may inject code into explorer.exe I decided to include this feature. When enabled, BSA will sandbox explorer.exe before the analysis begins.


Added a feature to skip already processed files in automatic mode

When enabled, BSA will check in the SQL database whether the file was analyzed previously.


Fixed several bugs

As usual, several bugs fixed and other new ones introduced. :lol:
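The SQL-database and "skip already processed files" features described above rely on the SHA256 of each sample as the key. The following is an added example, not BSA's own code, that shows the idea in sqlite3: the table layout, file names and sample bytes are assumptions (BSA's real schema is not documented in the post).

```python
import hashlib
import sqlite3
from typing import Iterable, Optional, Tuple

# Hypothetical schema: BSA's real table layout is not given in the post.
SCHEMA = """
CREATE TABLE IF NOT EXISTS reports (
    sha256   TEXT PRIMARY KEY,
    filename TEXT NOT NULL,
    report   TEXT NOT NULL,
    analysis TEXT
)
"""


def sha256_of(data: bytes) -> str:
    """SHA256 hex digest of a sample; this is why SHA256 reporting is mandatory."""
    return hashlib.sha256(data).hexdigest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def already_processed(conn: sqlite3.Connection, sha256: str) -> bool:
    # Parameterised query: a hash from the report never becomes part of the SQL text.
    row = conn.execute("SELECT 1 FROM reports WHERE sha256 = ?", (sha256,)).fetchone()
    return row is not None


def store_report(conn: sqlite3.Connection, sample: bytes, filename: str,
                 report: str, analysis: Optional[str] = None) -> bool:
    """Insert REPORT.TXT (and optional ANALYSIS.TXT) text keyed by SHA256.
    Returns False when the sample was already analyzed, i.e. it is skipped."""
    digest = sha256_of(sample)
    if already_processed(conn, digest):
        return False
    conn.execute("INSERT INTO reports VALUES (?, ?, ?, ?)",
                 (digest, filename, report, analysis))
    conn.commit()
    return True


def process_batch(conn: sqlite3.Connection,
                  samples: Iterable[Tuple[str, bytes, str]]) -> Tuple[int, int]:
    """Automatic-mode loop over (filename, bytes, report_text); returns (stored, skipped)."""
    stored = skipped = 0
    for filename, data, report in samples:
        if store_report(conn, data, filename, report):
            stored += 1
        else:
            skipped += 1
    return stored, skipped
```

Renamed copies of the same sample (same bytes, different file name) hash identically and are skipped, which is exactly what the new automatic-mode option is meant to achieve.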
 #10101  by Buster_BSA
 Sat Dec 03, 2011 2:01 pm
Released Buster Sandbox Analyzer 1.47.

Changes:

+ Added a feature to run BSA in automatic mode monitoring a folder for new files to analyze.
+ Added a feature to avoid processing files from a whitelist.
+ Improved analysis cancel event.
+ Fixed several bugs
 #10311  by gjf
 Mon Dec 12, 2011 1:01 pm
A few remarks concerning the last version and included Exeinfo.
First of all - it's not the last version (last is 0.0.3.0).
Second - with such a tool BSA becomes non-portable: Exeinfo stores its settings at HKEY_CURRENT_USER\Software\ExEi-pe. So it is necessary to virtualize it in BSA.
 #10315  by gjf
 Mon Dec 12, 2011 8:10 pm
What about the registry issue? I've thought about a simple backup of the registry key and bringing it back from start to start, but it can cause problems if Exeinfo is already installed on the machine. On the other hand - the subkey will change from version to version (HKEY_CURRENT_USER\Software\ExEi-pe\Exeinfo PE - ver.0.0.2.9) - so such a backup can fail.
 #10317  by gjf
 Mon Dec 12, 2011 9:05 pm
Hm. Strange. I have observed "No options - please enter them using Options button" (or something like that) a few times when I used the Exeinfo option enabled in BSA. I thought it was linked with the registry settings.
Will investigate it in the future.