h-Online: The developers of the VirusTotal online virus scanner service are currently testing a new sandbox feature to provide users with more meaningful scan results. In a post on the company’s blog, software architect and developer Emiliano Martinez says that, for this purpose, samples uploaded to the service are executed in a controlled sandbox environment where their actions can be “recorded in order to give the analyst a high level overview of what the sample is doing”.
An analysis of the uploaded file’s behavior is then displayed in a new “Behavioral information” tab as part of the scan results. VirusTotal logs file and registry activities as well as new processes and code injections. The scanner also issues a notification when a file directly sends commands to certain device drivers.
With the free online service, users can submit URLs and files to be analyzed by various antivirus engines and scanners for malicious content such as viruses, worms and Trojans. However, it is often only the heuristics that flag up issues – which can be identified by result descriptions that contain keywords such as “Heur”, “Suspicious” or “Generic”. Occasionally, this causes legitimate files to be regarded as suspected viruses without giving users the option to establish whether there is an actual threat.
Even a sandbox analysis carries a residual risk as some Trojans quietly check whether they are being executed in a virtual environment when they’re launching. If this is the case, they will act inconspicuously, only launching their malicious payload on a real Windows system.
The behavior analysis is currently being carried out by the scan engines at a different time than the virus analysis. It only scans executable files that are less than 8 MB in size and were previously unknown to VirusTotal. Therefore, it makes sense to keep the results page open and reload it occasionally to check whether a new data has been added.
Martinez notes that the behavior analysis is still in its early days, and that there is no guarantee that uploaded files will undergo the added analysis. The company uses Claudio Guarnieri’s open source Cuckoo sandbox. Incidentally, VirusTotal is far from being the only online tool to use a sandbox: Anubis, MWAnalysis CWSandbox and ThreatExpert have offered similar services for quite some time.