Norman SandBox Analyzer (product sheet, download01.norman.no/product_sheets/eng/SandBox_analyzer.pdf)



Norman SandBox - Your Proactive IT Security Tool

Norman SandBox Analyzer

Analyzing malware can be a cumbersome and time-consuming task, involving multiple applications for code analysis as well as a network of computers. Each application performs its own specific task, and most of the time you need to combine the results of several of them to find the true actions and intent of the malware.

With Norman’s new SandBox Malware Analyzer product line, the complexity, time and infrastructure needed to analyze files have been dramatically reduced. This gives you a quick return on investment.

Product description

The Norman SandBox Analyzer is a utility meant to automate, simplify, and speed up the information-gathering process when analyzing malware. The SandBox Analyzer enables users to analyze file behavior, that is the actual actions performed by the file, and even extracts the files created on the “SandBox HD” by the analyzed file, in a much faster and more effective way than before, thus reducing the manpower and time needed to analyze suspicious files.

Norman SandBox Analyzer can be used as a command line application, making it easy to build into existing solutions, or with a regular user interface giving a fast and efficient view and management of the files being analyzed.

How does it work?

Norman SandBox Analyzer (NSA) provides a comprehensive analysis of any executable file action. After the file has been processed it generates reports with an in-depth description of the file's actions in an API log view and a summary report.

The summary report includes the following information blocks:

• File/Malware categories, e.g. W32/Backdoor, W32/Worm, W32/Downloader, etc.
• Changes to the computer's file system
• Changes in the registry and system settings
• Network Services details
• Processor and window information

Operation

Operating NSA is quite easy: install the SandBox Analyzer on the computer you want to use for analysis, tell the NSA the path of the file(s) you want to analyze and press enter. Depending on the options you have chosen, the output is available in just a few seconds. Options include downloading URLs requested by the file from the real internet, writing the raw unpacked file to disk, extracting all files created by the analyzed file from the SandBox “hard drive,” as well as other emulation options.

The SandBox Analyzer can handle a large number of files, generating the requested information without the need for user intervention. As the virus unfolds, the proactive solution monitors and assesses the behavior of the suspicious file.

Norman SandBox is the core component of the NSA. This module is compatible with Windows functions such as Winsock, Kernel and MPR and also supports network and Internet functions like HTTP, FTP, SMTP, DNS, IRC, and P2P. In other words it is a fully simulated computer, isolated within the NSA application.

Norman SandBox is a fully simulated computer network, isolated within the NSA application.

How can Norman SandBox Malware Analyzers help?

Save time

• The average response time to a new threat is normally 6 – 24 hours.
• Get a head start with knowledge of what the sample is trying to do.

Save money

• A growing number of viruses to analyze requires a great deal of analyst effort.
• Finding the right people to analyze malware is a difficult, time-consuming, and costly task.

Save the day

• You have been in the situation where something needed to be analyzed yesterday; now you have access to the tools to make it happen.

Figure: Norman SandBox Analyzer.

Figure: Statistics based on the samples submitted to the Norman SandBox Information Center on the web.

www.malwareanalyzer.com • www.virusanalyzer.com

Norman ASA is a world-leading company within the field of data security, internet protection and analysis tools. Through its SandBox technology Norman offers unique, proactive protection unlike any other competitor. While focusing on its proactive antivirus technology, the company has formed alliances which enable Norman to offer a complete range of data security services. Norman was established in 1984 and is headquartered in Norway, with continental Europe, the UK and the US as its main markets.

www.norman.com

The simulator uses full ROM BIOS capacities, simulated hardware, simulated hard drives, etc. The simulator emulates the entire bootstrap of a regular system at boot time, starting by loading the operating system files and the command shell from the simulated drive. This drive contains the directories and files that are necessary parts of the system, corresponding to the system files on physical hard drives.

The file to be analyzed is loaded onto the simulated hard disk and started in the simulated environment. Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send e-mails. It can set up listening ports. Every action it takes is registered by the SandBox, because it is effectively the emulator that performs the actions based on the code in the file. No code is executed on the real CPU except for the antivirus emulator engine; even the hardware in the simulated PC is emulated.

The goal is to figure out what the program would have done if it had been allowed to run wild on an unprotected machine. After the file has performed its actions, an API log and a summary report are generated to give clear-text information about the file’s actions. Other views provide statistics, a URL connection list, an IRC connection list, and a dropped-files list, as well as the SandBox summary in XML format.

The output report

The Norman SandBox Analyzer summary describes the file's behavior: the actions performed on the victim system's objects and the elements set up to enable external communication. This report is a subset of the API log, which gives a detailed, command-by-command account of the file's actions.

Figure: Summary report. Figure: API log.

If you look closely you will see that the API log is from the same file as the SandBox summary.
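To illustrate the sheet's point that the summary report is a subset of the API log, here is an added Python example (not Norman's code): it groups API-log lines into the information blocks the sheet names and derives a coarse W32/* category label. The log line format and the category rules are constructed for this example; the real Norman API log format is not documented on the page.

```python
import re

# Constructed sample API log in an invented "Call  Argument" line format.
SAMPLE_API_LOG = """\
CreateFile    C:\\WINDOWS\\System32\\wupdmgr32.exe
WriteFile     C:\\WINDOWS\\System32\\wupdmgr32.exe  (18944 bytes)
RegSetValue   HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wupdmgr = C:\\WINDOWS\\System32\\wupdmgr32.exe
DnsQuery      irc.example.invalid
Connect       198.51.100.7:6667 (TCP)
Listen        0.0.0.0:31337 (TCP)
HttpGet       http://example.invalid/stage2.bin
CreateFile    C:\\WINDOWS\\Temp\\stage2.bin
DeleteFile    C:\\autoexec.bat
CreateProcess C:\\WINDOWS\\System32\\wupdmgr32.exe
"""

LINE_RE = re.compile(r"^(\w+)\s+(.*?)\s*$")

def categorize(blocks):
    """Illustrative heuristics for the sheet's example categories; these are
    not Norman's classification rules."""
    cats = []
    if blocks["urls"] and blocks["dropped_files"]:
        cats.append("W32/Downloader")   # fetched a URL and wrote a file
    if any(n.startswith("Listen") for n in blocks["network"]):
        cats.append("W32/Backdoor")     # opened a listening port
    return cats

def summarize(api_log):
    """Reduce the command-by-command API log to the summary blocks named in
    the product sheet: file system, registry, network services, dropped files."""
    blocks = {"file_system": [], "registry": [], "network": [],
              "dropped_files": [], "urls": []}
    for line in api_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        call, arg = m.groups()
        if call in ("CreateFile", "WriteFile", "DeleteFile"):
            blocks["file_system"].append(f"{call} {arg}")
            if call == "CreateFile":          # files created on the SandBox HD
                blocks["dropped_files"].append(arg)
        elif call.startswith("Reg"):
            blocks["registry"].append(arg)
        elif call in ("DnsQuery", "Connect", "Listen", "HttpGet"):
            blocks["network"].append(f"{call} {arg}")
            if call == "HttpGet":             # feeds the URL connection list
                blocks["urls"].append(arg)
    blocks["categories"] = categorize(blocks)
    return blocks
```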

System requirements

Pentium PIII with 512 MB RAM and 50 MB HD. Operating System: Windows 2000/2003 or XP (FreeBSD Linux running on Intel for Pro version only).

For more information contact Norman at [email protected], or visit www.norman.com

Info Security Products Guide names Norman SandBox Analyzer winner of the 2006 Tomorrow’s Technology Today Award. www.infosecurityproductsguide.com

Related products

Norman SandBox Online Analyzer: SandBox Online Analyzer is a web-based analysis service which offers the same options and outputs as the standard SandBox Analyzer product. The service allows the customer to upload suspicious executable files to Norman’s dedicated servers, which then quickly supply a comprehensive analysis of the file action. This service is targeted at customers who do not require the unlimited analysis capabilities of the Analyzer, or who do not have a dedicated virus analysis lab and wish to let Norman supply the processing power.

Norman SandBox Analyzer PRO: Analyzer PRO is used for deep file analysis when reverse engineering and debugging malware. Like Analyzer, its core component is the Norman SandBox Technology. Analyzer PRO performs the function of a complete virus analysis lab. In addition to traditional debugging capabilities, Analyzer PRO includes the ability to monitor and manipulate the emulated SandBox environment in real time. This includes the CPU and its registers, memory, registry, threads, network sockets, and disassembled code.

Norman SandBox Reporter: SandBox Reporter is a subscription service that helps IT security departments stay one step ahead of malware. Through Norman’s SandBox Information Center, subscribers submit files for analysis and receive an in-depth analysis of the file’s behavior, including a list of URLs that might contain malicious code, which can be easily imported into a URL blocklist filter.
