VirusTotal starts sandbox-testing, shares behavioral information
Developer Emiliano Martinez has recently confirmed what many users of VirusTotal have already noticed: that the online file scanning service has added behavioral information in its reports.
“The idea behind this is that the samples submitted to VirusTotal get executed automatically in a controlled (sandboxed) environment and the actions performed are recorded in order to give the analyst a high level overview of what the sample is doing,” Martinez explained in a blog post.
The results of this analysis are displayed in a new “Behavioural information” tag that can be accessed at the bottom of the report.
The report contains information about the actions and events that were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Users are then able to see which files were opened, read, written, copied and/or deleted; which processes were created and/or injected with code; which registry keys were set; which application windows were searched, which services and service managers were opened; what requests were sent; and many other things.
“Currently we are just processing new samples that are Portable Executables and are below 8MB in size,” Martinez notes. “The execution is still a best effort operation and it is completely asynchronous, hence, do not expect the VirusTotal reports to have any fancy Ajax informing about the progress of the behavioral data extraction.”
What he means is that the behavioral information will not appear at the same time as the virus analysis results, and may, for the time being, not appear at all for some files. Users who have submitted files will have to bookmark the results page and return to it at a later time to view the missing information.
The sandbox VirusTotal is using for this new offering is open source automated malware analysis system Cuckoo Sandbox.