Two Things:
Monitor its behavior
Verify its Suspicious Action
-------------------------------Contents-----------------------------------------------------
0. Survey
0.1 Starting from SandBoxie+BSA
0.2 SandBox as Part of Security Solution
0.3 Malware Analysis
0.4 Case study: Toward Automated Dynamic Malware Analysis Using CWSandbox
1. Overview
2. Overall Framework
2.1 Existing Framework
2.2 Framework Improvements
2.3 Reference Case: CWSandbox
3. Basic Modules
3.1 DLL Implementation
3.2 Inject
3.3 Hook
3.4 API
3.5 Log Module: Standardized and Unified
3.6 Communication Mechanism
3.7 PE
4. Suspicious Behavior Detection
4.1 Separation: Functional Focus
4.2 Configuration File: Flexible Loading
4.3 Suspicious Behavior Collection: Raw Material
4.4 Suspicious Behavior Analysis
5. SandBox Sample Detection
6. Technical Points of Interest
6.1 Inject, Hook: The Eternal Theme
6.2 Windows: Forensic Research
6.3 Secure Programming
6.4 Windows Data Type
6.5 Standards and Design: Soft Skills
6.6 Environment and Tools
6.7 Sources
7. Survey
7.1 Starting from SandBoxie+BSA
7.2 SandBox as Part of Security Solution
7.3 Malware Analysis
7.4 Case study: Toward Automated Dynamic Malware Analysis Using CWSandbox
-----------------------------Excerpt------------------------------------------------------
7.2 SandBox as Part of Security Solution
The items above mostly appear as individual software, services, or products; here we look instead at the relationship between the SandBox and security vendors.
“Antivirus vendors have long used sandboxes—benign computing environments—as a way to study captured malware and write signatures, which they push out to their customers’ antivirus scanning engines, to arrest further copies of the malware. But with their own malware sandbox, security managers could craft bespoke virtual patches to block emerging malware without waiting for a signature update.”
Fully Integrated Threat Prevention
It represents only part of the threat prevention puzzle. The control of unknown malware must be integrated into an overall security strategy that also incorporates application controls, known exploits and malware, dangerous URLs and websites, and even dangerous file types or restricted content.