Published: 01 Sep 2007
Norman SandBox Analyzer Pro
REVIEWED BY TOM LISTON
Price: Starts at $5,000 for 100 users
Relying solely on antivirus to protect you from malware is no longer an option. Antivirus software is reactive; vendors only release signatures for malware they've seen. With the growing prevalence of more targeted viruses, the bigger your company, the more likely you are to be hit by something that no one, not even an antivirus vendor, has seen before. In response, many companies are developing in-house malware analysis capabilities.
Norman SandBox Analyzer Pro is a unique malware analysis tool that allows potentially malicious code to execute within a simulated environment that effectively mimics a generic Windows installation. All actions taken by the code under analysis are monitored. Any permanent changes that the test code attempts to make are trapped by the sandbox (files don't get written to the file system, keys don't get changed in the registry) but everything appears normal from the point of view of the code under test.
Analyzer Pro provides analysts with an almost overwhelming amount of information about the inner workings of the code under test. From the files it attempts to create, to the registry entries it adds or changes, to the network connections it attempts to make, Analyzer Pro sees and logs all.
One incredibly useful feature is the ability to allow mediated access to the Internet using powerful filtering tools. Access to the Internet can be controlled in many ways: remote connections can be "faked" by Analyzer Pro, access to the real Internet can be allowed, or the analyst can alter packets being sent to or received from the Internet on the fly.
Recent malware often has a networking component that can only be fully investigated using this feature. For example, the behavioral aspects of a bot program can be fully understood if it is allowed to contact its command and control server.
Analyzer Pro is a powerful tool for combining code-level analysis with extensive behavioral monitoring and logging, but it has a steep learning curve. The main analysis tool is a specialized debugger that allows the analyst full control over the execution of the program at a granular level.
This is not a tool for neophytes. Even with years of experience using debuggers and code analysis tools, we found Analyzer Pro to be very confusing at times. We had to analyze several dozen pieces of code before we felt reasonably comfortable with the tool's quirks.
If your organization is looking to start analyzing malicious code, we would suggest staying away from Analyzer Pro until you hire experienced malware analysts or develop internal expertise.
Perhaps the greatest problem is documentation. Analyzer Pro was obviously originally developed by Norman as an internal analysis tool, and that heritage is evident in its documentation. It is poorly written, confusing and assumes a level of expertise that makes Analyzer Pro unsuitable for anyone but a seasoned malware analyst.
Although it lacks polish in its user interface and its documentation, SandBox Analyzer Pro's powerful and flexible feature set makes it a desirable tool for seasoned malware analysts. Beginners will find it frustrating and confusing, but mature code analysts will find it a welcome addition to their toolkit.
Testing methodology: Analyzer Pro was tested on a Windows XP Professional machine with a 1.8 GHz processor and 1MB of RAM. Testing was done by analyzing a variety of sample code (from the reviewer's malware "zoo") using the tools provided. Tests were performed using known benign code and previously analyzed malware samples.