Cuckoo Sandbox


Baldape

Jan 2, 2014, 11:53:39 PM
to virus...@googlegroups.com

Hi, I just found out about this awesome new open-source sandbox app called Cuckoo Sandbox, and it looks pretty good, but from the little I read it's mostly being used to test and scan apps/files in a virtualized environment. I also noticed that the VirusTotal team is using Cuckoo to enhance their services, so I have a few questions, if you don't mind answering. First, is it optimized to run common apps like browsers, email programs or media players? If so, is it fairly simple to configure it to save certain processes out of the SB, like history, bookmarks, etc.? How deeply does it integrate with the Windows 64-bit kernel? And lastly, does it deny admin rights by default in the Windows version?

Emiliano Martinez

Jan 3, 2014, 2:24:23 AM
to virus...@googlegroups.com, con...@virustotal.com
Hello,

This question is probably best suited for the Cuckoo team; they are an awesome set of guys and they will be happy to address your questions...

As to your questions with regards to our setup...

Is it optimized to run common apps like browsers, email programs or media players?
Cuckoo will effectively run any kind of program, be it a legitimate piece of software or some malware. Having said this, if you submit a browser installer to our service, our setup will not know how to run through the setup process (it will not click on the Next buttons and will not simulate human interaction with the program). If you had installed the browser and different programs before taking the snapshot of your virtual machine, then you can use them via scripting, launch them against specific websites, etc.

If so, is it fairly simple to configure it to save certain processes out of the SB, like history, bookmarks, etc.?
The Cuckoo code is open source; you can tweak it at your own will to perform more fine-grained tasks. It allows you to run scripts in addition to the malware that you will be running, and these scripts could have access to the history, bookmarks, etc.

How deeply does it integrate with the Windows 64-bit kernel?
It does not integrate with the kernel at all. The system modifications are recorded through DLL injection and API hooking; this is a user-land type of monitoring.

And lastly, does it deny admin rights by default in the Windows version?
I am unaware of how the latest versions of Cuckoo work; our setup runs on Windows XP machines, so this is not something we have had to fight with.

Regards.


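The user-land monitoring described in the answer above (an injected DLL diverts the sample's API calls into the monitor's own code, with no kernel component) is easy to show in miniature, together with the caveat it carries. The following is an added example written for this page; it is not Cuckoo's code and not anything posted in this thread. It assumes x86-64 Linux with a GCC- or Clang-compatible compiler: it overwrites the first bytes of a stand-in "API" with a JMP to a logging replacement that forwards the call, then runs the prologue check an evasive sample can use to notice that hook. The function names (`api_open`, `monitor_open`, `open_impl`), the handle numbering and the two file paths are constructed for the example. Cuckoo's real monitor targets Windows, preserves the overwritten prologue in a trampoline rather than calling internals directly, and hooks far more than one function.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Internal implementation standing in for the real work behind an API call
 * (constructed: hands out increasing "handles", starting at 4). */
static int g_next_handle = 4;
__attribute__((noinline)) static int open_impl(const char *path) {
    return path[0] ? g_next_handle++ : -1;
}

/* The "exported API" the sample calls, standing in for something like
 * CreateFileW. The NULL check keeps the prologue from being a bare tail-call
 * JMP, so the pre-hook detection check below has real code to look at. */
__attribute__((noinline)) int api_open(const char *path) {
    if (path == NULL) return -1;
    return open_impl(path);
}

/* Monitor state: what the injected DLL would ship back to the analyzer. */
int g_hook_calls = 0;
char g_last_path[256];

/* Replacement that api_open is diverted into: record the argument, then
 * forward so the sample sees the normal result. A real monitor forwards
 * through a trampoline holding the overwritten prologue bytes instead. */
__attribute__((noinline)) int monitor_open(const char *path) {
    g_hook_calls++;
    snprintf(g_last_path, sizeof g_last_path, "%s", path ? path : "(null)");
    if (path == NULL) return -1;
    return open_impl(path);
}

/* Inline hook: overwrite the first 5 bytes of `target` with JMP rel32 to `hook`.
 * Returns 0 on success, -1 if the page cannot be made writable or the
 * displacement does not fit in 32 bits. */
int install_inline_hook(void *target, void *hook) {
    const size_t patch_len = 5;
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)target & ~((uintptr_t)page - 1);
    size_t len = ((uintptr_t)target + patch_len) - start;  /* covers a page straddle */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    int64_t rel = (int64_t)((uintptr_t)hook - ((uintptr_t)target + patch_len));
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    uint8_t *p = (uint8_t *)target;
    int32_t rel32 = (int32_t)rel;
    p[0] = 0xE9;                          /* JMP rel32 */
    memcpy(p + 1, &rel32, sizeof rel32);
    mprotect((void *)start, len, PROT_READ | PROT_EXEC);
    return 0;
}

/* The check an evasive sample runs before trusting an API: does the entry
 * point start with an unconditional jump (E9 rel32 or FF 25 [rip+disp32])? */
int is_inline_hooked(const void *fn) {
    const uint8_t *p = (const uint8_t *)fn;
    return p[0] == 0xE9 || (p[0] == 0xFF && p[1] == 0x25);
}

/* Full scenario: call the API clean, install the hook, call it again.
 * Returns 0 on success; *hooked_before / *hooked_after receive the
 * detection result taken before and after installation. */
int run_demo(int *hooked_before, int *hooked_after) {
    *hooked_before = is_inline_hooked((const void *)api_open);
    int h1 = api_open("C:\\Users\\victim\\report.pdf");      /* constructed path */
    if (h1 < 0 || g_hook_calls != 0) return -2;             /* nothing logged yet */
    if (install_inline_hook((void *)api_open, (void *)monitor_open) != 0) return -3;
    int h2 = api_open("C:\\Users\\victim\\dropper.exe");     /* constructed path */
    if (h2 != h1 + 1) return -4;   /* forwarded call still produced the next handle */
    *hooked_after = is_inline_hooked((const void *)api_open);
    return 0;
}

int main(void) {
    int before = 0, after = 0;
    int rc = run_demo(&before, &after);
    printf("rc=%d hooked_before=%d hooked_after=%d calls_seen=%d last_path=%s\n",
           rc, before, after, g_hook_calls, g_last_path);
    return rc != 0;
}
```

The second call goes through `monitor_open`, which records the path and still returns the handle the caller expects, which is all a behavioral recorder needs. The caveat is in the last line of `run_demo`: the hook lives in the sample's own address space at the sample's own privilege, so the sample can run the same prologue check, restore the original bytes, or issue the system call directly and never touch the hooked entry point. That is the flip side of "does not integrate with the kernel at all": nothing below the sample enforces anything, and the recording is only as complete as the sample lets it be.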

Baldape

Jan 5, 2014, 2:12:51 AM
to virus...@googlegroups.com, con...@virustotal.com
Thanks, and if it's able to block malware from loading on an old XP machine, then I'm pretty sure it will protect a Windows 7 64-bit system just fine. Either way, I plan to ask the Cuckoo team personally about how deeply it protects 64-bit systems. By the way, would these happen to be 64-bit XP machines or 32-bit? I'm guessing 32, because 64-bit XP systems were more commonly used for gaming.

Emiliano Martinez

Jan 5, 2014, 5:29:16 PM
to virus...@googlegroups.com, con...@virustotal.com
Hello,

I believe you are confused here. Cuckoo is not a tool to protect from infections; it is a system monitor that will record the actions taken by a given malware specimen. The machine does indeed get infected in order to be able to make the recordings.

Regards.

Baldape

Jan 6, 2014, 4:44:11 AM
to virus...@googlegroups.com, con...@virustotal.com
Oh, my mistake, but that's why I thought I would ask here first, since our team has experience using it, because when I first read the description I noticed they mention this, but I wasn't quite sure if this was referring to one of its features or not. But Cuckoo is still a sandbox, right? I mean, I read on their site that apparently they had used the source code of VirtualBox for its SB function; if so, there's little reason why the Cuckoo source code couldn't be retooled to work as an enhanced sandbox protection app, with the bonus of a behavioral detection system.