nick s
Thank you

Nick
Buster
Released Buster Sandbox Analyzer 1.04.

Change list:
- Added support for network shares
- Added a feature to allow wildcards in BSA.DAT
- Added a feature to ignore when sandbox folder is not empty
- Added a feature to check for updates on start
- Updated LOG_API library
Buster
nick s: Try version 1.04 and let me know if the wildcard feature works as expected.

Do you plan on sharing Malware Defender's default registry rules? It would be nice!
nick s
Working well so far. For example, machine\system\*Control*\Control\Session Manager\* captured the following deletions:

machine\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\CriticalSectionTimeout = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ExcludeFromKnownDlls = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\GlobalFlag = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapDeCommitFreeBlockThreshold = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapDeCommitTotalFreeThreshold = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapSegmentCommit = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapSegmentReserve = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\NumberOfInitialSessions = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ObjectDirectories = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ProcessorControl = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ProtectionMode = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ResourceTimeoutCount = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\SetupExecute = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\BootExecute = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\CriticalSectionTimeout = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ExcludeFromKnownDlls = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\GlobalFlag = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapDeCommitFreeBlockThreshold = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapDeCommitTotalFreeThreshold = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapSegmentCommit = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapSegmentReserve = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\NumberOfInitialSessions = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ObjectDirectories = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ProcessorControl = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ProtectionMode = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ResourceTimeoutCount = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\SetupExecute = deleted value key

Of course
Buster
Glad to hear it works fine!

Nobody asked to use wildcards more than once per line, but luckily I added the feature. In your example the search string could be optimized from:

machine\system\*Control*\Control\Session Manager\*

to:

machine\system\Control*\Control\Session Manager

or at least to:

machine\system\*Control*\Control\Session Manager

Both would be equivalent, as the final "*" is ignored. This is done because I do the search to check if the string is contained, not equivalent.

Nice to hear you will share the rules! The problem with MD's rules is you miss the reason to add them.
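The matching semantics Buster describes above (a BSA.DAT entry only has to be contained in the RegDiff.TXT line, "*" may appear more than once, and a trailing "*" adds nothing) can be modelled in a few lines. The following is an added example written for this page, not BSA's own code: it compiles a BSA.DAT-style pattern into a containment search and runs it over a handful of the RegDiff.TXT lines nick s posted (plus two constructed lines that should not match), so the three pattern forms discussed can be checked for equivalence. Case-insensitive matching is an assumption drawn from the lowercase pattern matching "machine\SYSTEM" in the thread.

```python
import re

# Constructed sample of RegDiff.TXT lines: the first three are taken from
# nick s's post above; the last two are invented so the filter has lines to reject.
REGDIFF_LINES = [
    r"machine\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = deleted value key",
    r"machine\SYSTEM\ControlSet001\Control\Session Manager\GlobalFlag = deleted value key",
    r"machine\SYSTEM\ControlSet002\Control\Session Manager\SetupExecute = deleted value key",
    r"machine\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Example = added value key",  # constructed
    r"user\current\Software\Example\Run\updater = added value key",  # constructed
]


def compile_rule(pattern):
    """Translate a BSA.DAT-style pattern into a regex that implements the
    semantics described in the thread:
      - the pattern is searched for anywhere in the line (containment, not equality)
      - '*' matches any run of characters and may occur more than once
      - a trailing '*' is redundant, so it is dropped before compiling
    Case-insensitivity is an assumption (see lead-in)."""
    pattern = pattern.rstrip("*")
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def rule_matches(pattern, line):
    """True if the pattern is contained in one RegDiff line."""
    return compile_rule(pattern).search(line) is not None


def filter_regdiff(pattern, lines=REGDIFF_LINES):
    """Model of how Analysis.TXT is derived from RegDiff.TXT: keep only the
    lines that a BSA.DAT pattern is contained in."""
    regex = compile_rule(pattern)
    return [line for line in lines if regex.search(line)]


def equivalent_on(patterns, lines=REGDIFF_LINES):
    """True when every pattern selects exactly the same lines from `lines`."""
    selections = [filter_regdiff(p, lines) for p in patterns]
    return all(sel == selections[0] for sel in selections)


# The three forms of the rule discussed in the thread.
RULE_FORMS = [
    r"machine\system\*Control*\Control\Session Manager\*",
    r"machine\system\Control*\Control\Session Manager",
    r"machine\system\*Control*\Control\Session Manager",
]

if __name__ == "__main__":
    for form in RULE_FORMS:
        print(f"{form!r}: {len(filter_regdiff(form))} matching lines")
    print("all three forms equivalent:", equivalent_on(RULE_FORMS))
```

Because the search is containment rather than anchored matching, a short pattern can also hit inside the value name or the text after "=", so a rule like "Run" would match the constructed "Software\Example\Run\updater" line as well as anything else containing that substring; keep patterns as long as the key path allows.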
nick s
Do you mean the description that follows "<->"? What conversion/wildcard recommendations do you have for the following keys/subkeys?

Only the contents of the "Classes" subkey are unique.
nick s
Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?
Buster
Yes, the description that follows "<->". Do Malware Defender's rules give an explanation about why they included those keys? If MD doesn't include it, you will have to introduce it yourself.

I must check this. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are supported right now, but others are not. This happens because Sandboxie "translates" the names of the keys to its own format. Anyway, as the search is done to check if strings are contained, I suggest you put in BSA.DAT first the longest string:

HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes

then:

HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001

and the rest literally:

HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20

Does it make sense to you?
Buster
I don't understand what you mean. BSA already logs all registry modifications.
nick s
Makes sense. I will try it out.
nick s
Sorry for my confusion. BSA logs all registry mods to RegDiff.TXT while Malware Analyzer (Analysis.TXT) filters its output through the registry rules set in BSA.DAT. Is that correct?
Buster
That's correct. Analysis.TXT is built with the matches from BSA.DAT at RegDiff.TXT.
Buster
Released Buster Sandbox Analyzer 1.05.

Change list:
- Added "Assorted suspicious actions"
- Fixed several bugs in Buster Sandbox Analyzer
- Updated LOG_API library
Buster
nick s: You asked about

HKEY_USERS
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes

Well, I found that if you modify something in HKEY_USERS\S-1-5-18 the change will appear under HKEY_USERS\.DEFAULT. That means that any entry in BSA.DAT must reference HKEY_USERS\.DEFAULT and not HKEY_USERS\S-1-5-18, because that one will never appear in RegDiff.TXT. There are a few other cases like this, e.g. HKEY_CLASSES_ROOT changes will appear under HKEY_CURRENT_USER\software\classes. The same happens with HKEY_CURRENT_CONFIG. In case of doubt it's better to make a test and check where the change is made.
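Two practical points from this thread, Buster's advice to list the longest string first because the search is a containment check, and the note that some hive names are recorded under a different name in RegDiff.TXT, both matter when porting a rule set such as Malware Defender's into BSA.DAT. The following is an added example written for this page, not BSA's own code. It parses "pattern<->description" lines (the separator the thread mentions; the exact BSA.DAT syntax beyond that is an assumption), rewrites the hive names Buster says never appear in RegDiff.TXT to the names that do, orders rules longest first, and applies first-match containment to constructed RegDiff-style lines. The lines' hive and SID prefixes follow the thread; the subkeys and actions are invented. HKEY_CURRENT_CONFIG is mentioned above as a further case, but the thread does not say where its changes land, so it is deliberately left out of the alias table.

```python
# Hive names that, per the post above, never appear in RegDiff.TXT, mapped to
# where the change is actually recorded. HKEY_CURRENT_CONFIG is not included
# because the thread does not give its target.
HIVE_ALIASES = [
    (r"HKEY_USERS\S-1-5-18", r"HKEY_USERS\.DEFAULT"),
    (r"HKEY_CLASSES_ROOT", r"HKEY_CURRENT_USER\software\classes"),
]

# Constructed RegDiff.TXT-style lines (hive/SID forms from the thread; the
# subkeys, value names and actions are invented for this example).
REGDIFF_LINES = [
    r"HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes\exefile\shell\open\command\(Default) = modified value",
    r"HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc = added value",
    r"HKEY_USERS\.DEFAULT\Software\Policies\Example\Disabled = added value",
    r"HKEY_CURRENT_USER\software\classes\txtfile\shell\open\command\(Default) = modified value",
]

# A BSA.DAT-style rule set written the way a first port of another product's
# rules might look: shortest SID entry first, SYSTEM SID spelled out, HKCR used
# directly. The "<->" separator is the one the thread mentions.
RULES_TEXT = r"""
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001<->Current user hive modified
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes<->Per-user file associations modified
HKEY_USERS\S-1-5-18<->SYSTEM account hive modified
HKEY_CLASSES_ROOT<->File association or COM registration modified
"""


def normalize_rule_key(key):
    """Rewrite a rule's hive prefix to the name RegDiff.TXT actually uses."""
    for alias, target in HIVE_ALIASES:
        if key.lower().startswith(alias.lower()):
            return target + key[len(alias):]
    return key


def parse_rules(text, normalize=True):
    """Parse 'pattern<->description' lines into (pattern, description) pairs."""
    rules = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        pattern, _, description = raw.partition("<->")
        pattern = pattern.strip()
        if normalize:
            pattern = normalize_rule_key(pattern)
        rules.append((pattern, description.strip()))
    return rules


def order_longest_first(rules):
    """Buster's advice: with containment matching, a shorter pattern that is a
    prefix of a longer one must come after it, or it shadows the longer rule."""
    return sorted(rules, key=lambda rule: len(rule[0]), reverse=True)


def first_match(rules, line):
    """Case-insensitive containment search; the first rule that hits wins."""
    lowered = line.lower()
    for pattern, description in rules:
        if pattern.lower() in lowered:
            return description
    return None


def analyze(rules, lines=REGDIFF_LINES):
    """Model of Analysis.TXT: (description, line) for every matched line."""
    results = []
    for line in lines:
        description = first_match(rules, line)
        if description is not None:
            results.append((description, line))
    return results


if __name__ == "__main__":
    naive = parse_rules(RULES_TEXT, normalize=False)
    fixed = order_longest_first(parse_rules(RULES_TEXT))
    print("naive rule order, no alias rewrite:")
    for description, line in analyze(naive):
        print("  ", description, "<=", line)
    print("longest first, aliases rewritten:")
    for description, line in analyze(fixed):
        print("  ", description, "<=", line)
```

With the naive order the "_Classes" line is attributed to the plain SID rule (the shorter pattern is contained in the longer key and wins), and the .DEFAULT and HKEY_CURRENT_USER\software\classes lines are not matched at all; after normalizing and sorting, each line gets the description that was intended for it.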
Buster Sandbox Analyzer