These are tools that automatically gather information by running the program under analysis in an enclosed sandbox and recording what it does.
- Cuckoo: This is a piece of Python-coded software deployed on Debian-based operating systems. Usually, Cuckoo is installed on the hosting Ubuntu system and sends the files to be analyzed to VMware or VirtualBox guest machines that act as sandbox clients. Its development is community-driven, and as such, a lot of open source plugins are available for download.
- ThreatAnalyzer: Sold commercially, ThreatAnalyzer, previously known as CWSandbox, has been popular in the anti-virus community for its ability to analyze malware and return very useful information. Because users are able to develop their own rules, ThreatAnalyzer can also be used as a backend system to determine whether a submitted file exhibits malicious behavior or not.
- Joe Sandbox: This is another commercial tool that reports meaningful information about the activities a submitted program carries out when executed.
- Buster Sandbox Analyzer (BSA): The setup of BSA is different from the first three tools. It does not require a separate client sandbox; instead, it is installed inside the sandbox environment itself. The concept of this tool is to allocate a disk space where a program can run. After the run, everything that happened in that space is logged, and the space is then restored to its original state. It is still recommended to use BSA in an enclosed environment.
- Regshot: This is a tool used to capture a snapshot of the disk and registry. After running a program, the user takes a second snapshot. The two snapshots are then compared, thereby showing what changes were made to the system. Regshot should be run in an enclosed environment.
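The before/after snapshot comparison that Regshot performs, as an added example (not Regshot's own code) for a directory tree: a constructed scenario drops one file, modifies another and deletes a third, and the diff reports exactly those changes. On Windows the same `diff_snapshots` function accepts a mapping of registry value paths to data built with the standard `winreg` module, so it covers both halves of what Regshot records.

```python
"""Snapshot-and-diff of a directory tree: the technique Regshot applies to disk and registry."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative path) to the SHA-256 of its contents.

    Hashing rather than recording only mtime catches in-place edits that keep the
    same size and are later timestomped back to the original time."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            snap[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Return keys added, removed and modified between two snapshots (dicts)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take snapshot 1, simulate a program's activity, take snapshot 2."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "config.ini").write_text("updates=on\n")
        (r / "old.log").write_text("previous run\n")
        before = snapshot(root)

        # Simulated activity of the sample under analysis (constructed, not a real program):
        (r / "dropped.exe").write_bytes(b"MZ\x90\x00")   # drops a new binary
        (r / "config.ini").write_text("updates=off\n")    # modifies an existing file
        (r / "old.log").unlink()                          # deletes a file

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```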