While antivirus scanners and online tools like VirusTotal can give you assessment is file a known malware, they do nothing for unknown one. Running software in sandboxed environment is best way to get details on actions program performs. Still setting up properly secured sandbox with relevant tools is not something common.
CWSandbox is online service that runs file you submit through automated sandbox analysis.
What it does
CWSandbox allows to submit files (up to 16MB) and ZIP archives (with up to 50 files) through simple browser upload. After that it queues submission and later runs it through series of tests.
After analysis is done you can proceed to results page on site or wait until link is mailed to you. Analysis runs for two minutes and during that time all file, registry and network activity that comes from app is logged.
Strong features
- much safer than own sandbox;
- thorough analysis;
- report in multiply formats.
Overall
While report is nothing that can’t be achieved with right tools (like Process Monitor) CWSandbox has great advantage of remote system that takes away risk of executing dangerous stuff.
It may be not as definitive in determining malware but provides invaluable details on what software actually tries to do when run.
Dia – portable and easy to use diagram software
EjectUSB – customizable unmount helper
ThreatExpert.com – behavioral file analysis
PostRank.com – new face of AideRSS feed analysis
NiceTranslator.com – convenient online dictionary
VirusTotal.com – thorough online antivirus scanner
Passmark’s online collection of benchmark data
iConvert – online image to all-platforms icons converter
meebo.com – online multi-IM client
Now this is most interesting because indeed, the logical brain path of thoughts is that, if tools like Virustotal are great they do deal with installed files, when it seems so obvious that analyzing an install application before actually installing anything is the recommendation!
Thanks Rarst, because your article brings an answer to what have been my thoughts since yesterday, this is odd :)
@Transcontinental
You are welcome. And with amount of anti-malware stuff I post about it had to click with your thoughts sooner or later. ;)
This seems to have a lot of potential. I couldnt access it yesterday, but it’s working now.
I have a pretty extensive A/V software and test library with a couple thousand examples, that are great for detection rate testing. I’ve kind of wondered what some of them do, but never really felt like booting them in a naked VM and monitoring the changes. This looks to be a good lazy mans alternative. In the past Ive always had to bring up a test machine and run last 100, reg snapshot, hijack this and what changed. A lot of text to go through, and less than interesting. It will be interesting to do it once or twice and compare results with theirs.
It also seems like if I had a buddy who has problem (and I always do) with an app that keeps crashing on install, that wasn’t necessarily malware, it would be easier to push him the link and have him push me the results, than to have him upload it to me and messing with it myself.
Another good find. Thanks!
@Rush
Isn’t it nice when some tool does the work for you? Some tasks like setting up proper sandbox are so troublesome that it lose lose – either you don’t start or you spend stupid amount of time building and maintaining it.
It’s good there are people who aren’t afraid of latter. :) I’ll go spend some more insane time on my Google Charts plugin.
The CWSandbox service has moved to http://www.mwanalysis.org/
@Anonymous
Thanks for heads up, hadn’t visited site in a while.