A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #5692  by Buster_BSA
 Mon Mar 28, 2011 2:01 pm
gjf wrote:
Buster_BSA wrote: + Included two versions of LOG_API.DLL: One of them will not show file/registry operations so BSA will run faster
Which one? Old or new?
LOG_API_OLD.DLL shows file/registry operations. From BSA 1.28 LOG_API.DLL will not show them.

It would be more exact to say that sandboxed applications will run faster, not BSA.
 #5723  by Buster_BSA
 Tue Mar 29, 2011 1:39 pm
gjf wrote: Please clarify: new log_api won't show file/registry operations but log them? It is not clear to me: if it doesn't log such activity - how is it possible to analyze malware at all?
File/registry operations are not extracted from LOG_API.TXT. They come directly from sandbox folder.

So don't worry: you can use the new LOG_API; you just will not get file/registry operations in LOG_API.TXT, but they will be present in FileDiff.TXT, RegDiff.TXT, REPORT.TXT, etc.
 #5995  by Buster_BSA
 Wed Apr 20, 2011 9:06 am
Released Buster Sandbox Analyzer 1.30.

Changes:

+ Added a feature to automate setups when running in automatic mode
+ Added a feature to run a custom command after an automatic analysis finishes
+ BSA will report the creation of hidden folders
+ Fixed a cosmetic bug
 #6040  by Buster_BSA
 Mon Apr 25, 2011 2:39 pm
Released Buster Sandox Analyzer 1.31.

Changes:

+ Improved malware behaviour detections.
+ Updated LOG_API library (normal and verbose).
+ Added a feature to delete sandbox folder contents.
+ Fixed some bugs.
 #6155  by Buster_BSA
 Mon May 02, 2011 2:21 pm
Buster Sandbox Analyzer 1.32 beta 2:

http://bsa.isoftware.nl/bsa132b2.rar

(only BSA.EXE included)

I have added a new feature: Options > Common Analysis Options > Reports > Include VirusTotal Malware Information.

When enabled, BSA will include in the report the antivirus detections (if any) for the processed file available at www.virustotal.com.

Could anyone try it and let me know if it works fine or not, please?

Question: Should I keep the feature as it's now, or should I include an option to include AV detections for every executable created?
 #6173  by gjf
 Tue May 03, 2011 12:17 pm
Buster_BSA wrote:
Could anyone try it and let me know if it works fine or not, please?

Question: Should I keep the feature as it's now, or should I include an option to include AV detections for every executable created?
It is a good feature, but

1. It is well known that VT spreads out all analyzed files through AV vendors. It is not very good if someone wants to investigate some private samples. Is it possible to add a list of online scanners with the possibility to choose one in the settings? AFAIK:
Code:
virustotal.com
filterbit.com 
virscan.org
scanner.novirusthanks.org
virusscan.jotti.org 
- all spread out samples through vendors
Code:
scanner.virus.org
viruschief.com
virus-trap.org
killv.com
- possibly distribute samples, but not clear yet
Code:
virtest.com 
avcheck.ru
avcheck.biz
scan4you.net
avhide.com
nicescan.net
vscan.novirusthanks.org (option "do not distribute sample")
- never spread out the samples (one of the reasons why they are popular among virmakers).

2. Surely it would be better to have the ability to scan not only the original file, but all newly created files. It is very common to use installers/packers to hide malware. I can present some examples (a well-known "crack" for BlueSoleil 8) where the malware was pretty well hidden and only running it in the Sandbox revealed it.

Thanks once again for upgrading your great program!
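The two requests above (scan every executable a run drops, and keep private samples away from scanners that redistribute them) can be reconciled by querying scanners by hash instead of uploading. The Python below is an added illustration, not BSA's code or anything from this thread: it walks a sandbox folder, picks out the PE files left behind by a run, hashes them, and hands only the hashes to a pluggable `lookup` callable; `av_detections`, `build_sample_sandbox` and the sample files are constructed for the demo.

```python
import hashlib
import os
import struct
import tempfile
from typing import Callable, Dict, Iterable, Optional

def is_pe(path: str) -> bool:
    """True if the file has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"

def new_executables(sandbox_dir: str) -> Dict[str, str]:
    """Map every PE file the sandboxed run left behind to its SHA-256 (path relative to the box)."""
    found = {}
    for root, _, files in os.walk(sandbox_dir):
        for name in files:
            path = os.path.join(root, name)
            if is_pe(path):
                with open(path, "rb") as f:
                    found[os.path.relpath(path, sandbox_dir)] = hashlib.sha256(f.read()).hexdigest()
    return found

def av_detections(hashes: Iterable[str], lookup: Callable[[str], Optional[dict]]) -> Dict[str, Optional[dict]]:
    """Ask the scanner about each hash only; the sample itself is never uploaded.
    `lookup` is a hypothetical wrapper around a hash-lookup endpoint (for VirusTotal,
    GET /api/v3/files/<sha256> with an x-apikey header); it returns None for unknown hashes."""
    return {h: lookup(h) for h in sorted(set(hashes))}

def build_sample_sandbox() -> str:
    """Constructed stand-in for a sandbox folder: one dropped PE stub and one text file
    that starts with 'MZ' but is not a PE (the signature check must reject it)."""
    root = tempfile.mkdtemp(prefix="bsa_demo_")
    drop = os.path.join(root, "drive", "C", "Temp")
    os.makedirs(drop)
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    with open(os.path.join(drop, "dropped.exe"), "wb") as f:
        f.write(pe)
    with open(os.path.join(drop, "readme.txt"), "wb") as f:
        f.write(b"MZ is not enough on its own\n")
    return root
```

With a real `lookup`, a hash the service has never seen comes back as None, which is the signal to decide locally whether the sample may be submitted at all.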