A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4907  by Buster_BSA
 Sun Feb 06, 2011 9:04 am
Ok. Consider that my reply is done from a hobbyist point of view.

1. I only have Windows installed on my system. A big percentage of people are in the same situation.
I don't want to install another operating system just to be able to analyze malware samples.

2. In order to analyze executables from a specified platform, the best platform is their own.
So the best OS to analyze Windows malware samples is Windows.
Some malware may have a different behaviour because it runs on an emulated environment, so the analysis will be biased.

3. Nowadays much malware has emulation detection.
That means the analysis of this malware will be biased due to the environment used to perform the analysis.

For me that's more than enough to dislike Linux based malware analyzers.
 #4908  by nex
 Sun Feb 06, 2011 9:23 am
I reply to you, point by point.

1. Well, you have to consider that Cuckoo is not meant to be used as a mainstream desktop product. It is meant for analysts, better if it is deployed in a production environment (as it was designed to be automated, concurrent and eventually in the future distributed). From my point of view, analyzing malware from a Linux host with Windows VMs is the best setup. I feel it is safer.

2. Agree with you. That's why I don't like solutions like ZeroWine. And I even see your point on virtualization and emulation detection, but that's a risk that needs to be taken. In future releases I already planned to make it available to run on physical machines, using imaging software like FOG.

3. Same as point 2.

I personally don't know anything about Sandboxie, but I expect it to make use of emulation too, doesn't it?
 #4909  by Buster_BSA
 Sun Feb 06, 2011 9:46 am
nex wrote: 1. Well, you have to consider that Cuckoo is not meant to be used as a mainstream desktop product. It is meant for analysts, better if it is deployed in a production environment (as it was designed to be automated, concurrent and eventually in the future distributed). From my point of view, analyzing malware from a Linux host with Windows VMs is the best setup. I feel it is safer.
I understand you feel safer running malware under a Linux host with Windows VMs, but when analyzing malware, accuracy must always come before security. This point is even more important and relevant considering that Cuckoo is meant for analysts, not for hobbyists. If results are not reliable, they are of no worth to professionals.
nex wrote: 2. Agree with you. That's why I don't like solutions like ZeroWine. And I even see your point on virtualization and emulation detection, but that's a risk that needs to be taken. In future releases I already planned to make it available to run on physical machines, using imaging software like FOG.

3. Same as point 2.

I personally don't know anything about Sandboxie, but I expect it to make use of emulation too, doesn't it?
No, it isn't, that's why it's excellent for analyzing malware.

Sandboxie hooks the calls that try to write to disk and redirects the writes to an isolated place.
 #4910  by nex
 Sun Feb 06, 2011 9:52 am
Different points of view. In my opinion security is above everything.
And (forgetting that it can also be adapted for physical machines) there are conditions in which the capability to process high volumes of malware is more important than failing on a few of them. And still, since Cuckoo lets you post-process analysis results, you can set triggers to identify malware that successfully detects your virtualization environment.
We could discuss this forever; they simply are two different points of view and two different approaches.

What kind of approach is Sandboxie using then to isolate executions?
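One way to implement the post-processing trigger nex describes, as an added example that is not Cuckoo's own code: it scans a constructed, Cuckoo-like per-sample API call log for probes of VM artifacts followed by an early exit, and flags those samples for a re-run on a physical machine. The report layout, the API names used as exit markers and the artifact patterns are assumptions for this illustration.

```python
import re

# Substrings that betray a VM guest in registry keys, file names or firmware
# strings. Illustrative list, not exhaustive (assumption for this example).
VM_ARTIFACT_RE = re.compile(r"virtualbox|vbox|vmware|qemu", re.IGNORECASE)
# APIs treated as "the sample terminated itself".
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}

def vm_probe_calls(calls):
    """Return the logged API calls whose arguments name a VM artifact."""
    return [c for c in calls
            if any(VM_ARTIFACT_RE.search(str(a)) for a in c.get("args", []))]

def likely_vm_detected(report, min_runtime_s=5.0):
    """Trigger: the sample probed for VM artifacts and then exited quickly.
    A probe alone is not enough; a sample that probes but keeps running
    gave us a usable trace and is not flagged."""
    calls = report["calls"]
    probed = bool(vm_probe_calls(calls))
    exited_early = report["duration_s"] < min_runtime_s and any(
        c["api"] in EXIT_APIS for c in calls)
    return probed and exited_early

def flag_reports(reports):
    """Names of the reports that trip the trigger (candidates for bare metal)."""
    return [r["name"] for r in reports if likely_vm_detected(r)]

# Constructed sample reports (not real sandbox output).
SAMPLE_REPORTS = [
    {"name": "sample_a", "duration_s": 1.2, "calls": [          # probes, then quits
        {"api": "RegOpenKeyExW",
         "args": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"]},
        {"api": "ExitProcess", "args": [0]},
    ]},
    {"name": "sample_b", "duration_s": 42.0, "calls": [         # ordinary behaviour
        {"api": "CreateFileW", "args": [r"C:\Users\victim\AppData\Local\Temp\x.exe"]},
        {"api": "RegSetValueExW",
         "args": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "x.exe"]},
    ]},
    {"name": "sample_c", "duration_s": 30.5, "calls": [         # probes but keeps going
        {"api": "GetSystemFirmwareTable", "args": ["VBOX"]},
        {"api": "CreateFileW", "args": [r"C:\Users\victim\doc.txt"]},
    ]},
]

if __name__ == "__main__":
    print(flag_reports(SAMPLE_REPORTS))
```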
 #4911  by Buster_BSA
 Sun Feb 06, 2011 10:06 am
I don't consider that the security of a machine dedicated to analyzing malware is important. If the security is compromised you restore an image of the disk and 5 minutes later you have it working again.

Considering that nowadays tons of malware samples detect virtual machines, it's very important to hide the emulation from them. I suggest you work in that direction because if, let's say, 25% of malware samples abort execution because they detect the VM, how much are the results worth?

We have different points of view and that's fine, because many improvements come from constructive criticism.

Sandboxie uses a driver to take control of executions. It redirects writes (file/registry) to its own isolated space (sandbox).
 #4912  by nex
 Sun Feb 06, 2011 10:14 am
Yes, virtualization detection is one of my main concerns. That's the main reason why I didn't want Cuckoo to be VirtualBox-dependent, nor dependent on any other product.
I'm still wondering if it is better to work on finding a proper solution to safely virtualize analysis or just go straight to working on physical machine analysis with network reimaging support.

Thanks for sharing your views, I'm always open to discussion and comparison.

edit: I think we are going off-topic too much here ;)