Buster Sandbox Analyzer will be discontinued

[jamescv7]

After a few tests with Sandboxie version 4 and due the major changes to underlying architecture I have considered Sandboxie is not suitable for malware analysis anymore, therefore Buster Sandbox Analyzer development will be discontinued.

I pretend releasing a last BSA version including a fix to support new VirusTotal information and hopefully MAEC report format.

I want to thank Ronen for all the support he has bringed all these years.

Ronen: I know Sandboxie 3.x line will be discontinued but I would like to request a last release in consideration for BSA users including next fixes:

+ Bug related to the malware I reported which disables logoff
+ WMI not working on Windows 8
+ API information being truncated

It would be nice if additionally you hook NtQueryInformationProcess (ProcessImageFileName) as you do with NtQueryObject in order to return faked path instead real one.

I would make of this Sandboxie 3.76 bugfixed version the official release to be used with BSA on last release.

Also as I mentioned by mail, if you consider updating 3.x from time to time I would reconsider my decission of stopping BSA development.

Source

 

[jelson]

Update: progress on BSA didn't completely halt...

1.88 was released in April 2013
Since then, there have been 4 updates to BSA.exe (the last being Update 4 released April 2014)

Back in Sept. 2013, Buster posted that "Sandboxie 3.76 and BSA 1.88 should work fine."

In March 2014, Buster said

BSA had been discontinued after version 1.88 release because with the changes to Sandboxie´s internal architecture it stopped working correctly in 4.x releases.
....
Invincea´s people announced they had found a bug in the mechanism which injects DLLs to sandboxed applications. They released a bugfix within version 4.09.01 and this fix seems like resolved lots of issues.

I did not make much tests but there is a chance that Sandboxie 4.09.01+ versions are compatible with BSA again.

Anyway BSA development will continue stopped because TO-DO list is empty so I do not have anything else to incorporate to the program.

If someone sends a feature request and I consider worth adding it, I may take care of it.

On May 02, 2014, Buster posted:

After the fix made by Invincea team to injection mechanism I reconsidered my decission of discontinuing Buster Sandbox Analyzer development and decided to continue with the project, but I have been just fixing bugs because the TO-DO list was empty... until now.

Reviewing Joe Security´s blog (http://joe4security.blogspot.com) I found two interesting articles: ....

Later in May 2014, Buster clarified the problem HERE:

I can say now that Sandboxie 4.09.01 - 4.10 are not compatible with LOG_API 64 bit. Something fails in their API hooking engine.

and HERE:

I have news about LOG_API64 problems.

After talking with the guy coding the dll and doing some tests we found Sandboxie version 4 (even version 4.10 RC) still has bugs in the dll injection mechanism. Injection mechanism works fine until version 3.76, but since version 4, even after the bug fixes done by Invincea team, is buggy.

When LOG_API64 hooks NTDLL/Kernel32 dlls in version 4 the problems appears. These problems are not present in Sandboxie 3.76. ....

And in the latter forum thread, one can read further discussions of this and other issues well as posts between Buster and Curt from Invincea during the summer.

 

[Coldblackice]

I know this is an old thread, I just thought it would be the best place to ask this: does anyone know if Buster has any intention of possibly updating his analyzer to work with the current Sandboxie?

His tool was priceless, extremely useful in analyzing any program that ran within a sandbox, reporting on all of its actions. I really wish he was willing to continue supporting it. But I'm hoping that maybe it could be revived. Or at least possibly made open source so others could continue developing it.

If not, does anyone know of an alternative tool that can do what buster's sandbox analyzer could do?

 

[ForgottenSeer 823865]

I know this is an old thread, I just thought it would be the best place to ask this: does anyone know if Buster has any intention of possibly updating his analyzer to work with the current Sandboxie?

His tool was priceless, extremely useful in analyzing any program that ran within a sandbox, reporting on all of its actions. I really wish he was willing to continue supporting it. But I'm hoping that maybe it could be revived. Or at least possibly made open source so others could continue developing it.

The thing was abandoned, and Sandboxie is abandonware (being opensource doesn't guarantee further development), so i wont put any hope in this at all.

If not, does anyone know of an alternative tool that can do what buster's sandbox analyzer could do?

no, the closest thing is ReHIPS who is a sandbox with Application Control component (means, based on settings, it will ask you (or not) to allow or deny a process to run). However to use it, you have to unlearn you sandboxie's habits, their mechanism and use are different.

 

[DavidXanatos]

The thing was abandoned, and Sandboxie is abandonware (being opensource doesn't guarantee further development), so i wont put any hope in this at all.

There are at least people working on maintaining sandboxie me and Tom (a kernel dev from sophos) so be optimistic we love the tool and will do our best to keep it alive.

And I would love BSA being updated to work again with the new open source releases. Or may be even made open source as well?

 

[DavidXanatos]

Its alive! Muhahahahahaha......

Buster Sandbox Analyzer

David changed injection mechanism and now LOG_API works much better. So I decided to release a new version: 1.89 (Beta 3). You can download it from...

www.wilderssecurity.com