Norman Data Defense Systems, a specialist in the field of data security has released a new version of its ground-breaking Norman SandBox Analyzer. The Analyzer PRO v.1.3 is now upgraded with a new enhanced module, Live Internet Communicator (LIC). LIC enables the Analyzer PRO to let any connection and/or any application tested inside the Analyzer PRO to access the Internet live, and monitor and analyze the activity.
Analyzer PRO is used for deep file analysis for reverse engineering and debugging malware. Like Analyzer, its core component is the Norman SandBox Technology. Analyzer PRO performs the function of a complete virus analysis lab. In addition to traditional debugging capabilities, Analyzer PRO includes the ability to monitor and manipulate the emulated SandBox environment in real time. This includes the CPU and its registers, memory, registry, threads, network sockets, and disassembled code.
Performing forensics analyses on malware today is challenging in many cases due to the risk of inadvertently downloading additional harmful elements from the Internet. Most of today’s dirty lab solutions (environment where malware is analyzed) are protected in an isolated environment because of the fear of malware dispersion. In such isolated environments there are limitations to examining the full behaviour and consequences of the malware’s activity.
“For the first time, forensic experts can investigate the activity of malicious files on the fly. By understanding the malware’s behaviour, IT security personnel may quickly and efficiently get detailed information to close down any hostile activity,” stated Arvid Gomez, VP OEM and Technology Sales for Norman Data Defense Systems.
The new LIC functionality in Analyzer PRO v.1.3 enables the operator to examine the application when it downloads active content like spyware, URL addresses, authentication information, etc. The Analyzer can even analyze Internet communication between bots in a bot network and analyze the instructions from the command and control (C&C) bot. When the C&C is talking to the slave bot, the Analyzer PRO will intercept this communication and report the true connection, what it does, what commands it receives from the C&C, etc.
The configuration and operation of the LIC functionality are done through a new network rule editor, which instructs the LIC what to do with a specific node(s) (address), an application or a protocol. The rule can be added, edited or removed. In this way, it acts as a filter giving the information required.
“The Analyzer PRO with LIC functionality puts Norman even further ahead of our competitors. The feedback from the marketplace is that this is an important and very useful functionality and a valuable upgrade to the Analyzer PRO,” added Gomez.
Norman’s Sandbox Analyzer product line is a powerful security malware analyzer designed to help corporate and government IT security specialists analyze destructive files in-house in mere seconds in order to identify, reverse engineer and debug malware without risk of infecting internal systems.
All Analyzer products have as their core component the Norman SandBox Technology — a fully simulated computer and network environment within the application. Any file loaded into this simulated environment is deceived into behaving normally (e.g., infecting and deleting files, sending e-mails, setting up listening ports, copying itself over networks or connecting to an IRC server). As the file does this, each action is being recorded. Unlike other virtual environments, all simulation is securely contained within the emulator. No code is ever executed on the real CPU, and no other real system hardware components are accessed.
The Sandbox Analyzer Series: Norman’s SandBox Analyzer is comprised of three products and one reporter.
Norman SandBox Analyzer: This utility provides a comprehensive analysis
of any executable file action. After the file has been processed, a report
is generated with an in-depth description of files in an API log view and
a summary report.
Norman SandBox Online Analyzer: SandBox Online Analyzer is a web-based
analysis service which offers the same options and outputs as the standard SandBox Analyzer product. The service allows the customer to upload
suspicious executable files to Norman’s dedicated servers which then
quickly supply a comprehensive analysis of the file action. This service
is targeted to customers who do not require the unlimited analysis
capabilities of the Analyzer or who do not have a dedicated virus analysis lab and wish to let Norman supply the processing power.
Norman SandBox Analyzer PRO: Analyzer PRO is used for deep file analysis
for reverse engineering and debugging malware. Like Analyzer, its core
component is the Norman SandBox Technology. Analyzer PRO performs the
function of a complete virus analysis lab. In addition to traditional
debugging capabilities, Analyzer PRO includes the ability to monitor and
manipulate the emulated SandBox environment in real time. This includes
the CPU and its registers, memory, registry, threads, network sockets, and disassembled code.
Norman SandBox Reporter:
SandBox Reporter is a subscription service that helps IT security
departments be one step ahead of malware. Through Norman’s SandBox
Information Center, subscribers submit files for analysis and receive an
in-depth analysis on the file’s behavior, including a list of URLs that
might contain malicious code that can be easily imported into a URL
blocklist filter.