Botnets - The killer web applications

Chapter 10 • Using Sandbox Tools for Botnets

WARNING
CWSandbox will deliver no false positives, since all contents of a produced analysis report reflect operations that actually have been performed. In contrast, there will always be the risk of false negatives, since only the explicitly monitored operations will be reported. For example, applications are able to perform system calls directly instead of using the Windows API. Nevertheless, because this process is rather complicated and laborious, nearly all malware uses API calls. Unfortunately, you can never be sure that a program is clean just because you find no malicious operations in the corresponding analysis report.
Examining a Sample Analysis Report
The result of a malware analysis in CWSandbox is an XML analysis report, which contains information about all participating processes and the actions performed by them. This document type can be read by humans as well as by machines, which makes post-processing easier. For better readability by humans, XSL templates are used to transform the XML report into HTML or plain-text documents. In the following, the contents of the raw XML file are described; an example of a resulting HTML report is given at the end of this section. In this section, we use the same sample malware file seen previously.
The  Section
Each XML report contains the root element  and its two child element sections,  and :
file="82f78a89bde09a71ef99b3cedb991bcc.exe"
logpath="c:\analysis\log\82f78a89bde09a71ef99b3cedb991bcc.exe\run_1\">

The attributes of the  element reveal several pieces of information about the particular analysis run, such as the used CWSandbox version, the date and time of the analysis, and the name of the analyzed executable.
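As an added example (not code from the book and not part of CWSandbox itself), the following Python script shows the kind of machine post-processing the XML report format makes easy: it reads a constructed report whose root element carries the file and logpath attributes shown above, flattens the nested process call tree, lists every recorded operation per process, and renders a plain-text view of the sort the XSL templates produce for human readers. The element names analysis, calltree, processes, process_call and the per-process section and operation names are assumptions about the report layout (the tag names did not survive extraction on this page); the sample report, its pids, paths and timestamp are all constructed. The verdict function applies the warning above: everything listed was really observed, but a report with no recorded operations is reported as inconclusive, never as clean.

```python
"""Post-processing a CWSandbox-style XML analysis report (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample report. Only the 'file' and 'logpath' attributes come
# from the page; every element name and value below is an assumption about
# the report layout, not output captured from CWSandbox.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis cwsversion="2.0" time="01.01.2007 00:00:00"
    file="82f78a89bde09a71ef99b3cedb991bcc.exe"
    logpath="c:\\analysis\\log\\82f78a89bde09a71ef99b3cedb991bcc.exe\\run_1\\">
  <calltree>
    <process_call index="1" pid="1044" filename="c:\\sample\\82f78a89bde09a71ef99b3cedb991bcc.exe" startreason="AnalysisTarget">
      <process_call index="2" pid="1120" filename="c:\\windows\\system32\\cmd.exe" startreason="CreateProcess"/>
    </process_call>
  </calltree>
  <processes>
    <process index="1" pid="1044">
      <filesystem_section>
        <create_file srcfile="c:\\windows\\system32\\dropped_sample.exe"/>
      </filesystem_section>
      <network_section>
        <connect host="irc.example.invalid" port="6667"/>
      </network_section>
    </process>
    <process index="2" pid="1120"/>
  </processes>
</analysis>
"""


def report_header(xml_text):
    """Return the analysis-run metadata carried by the root element's attributes."""
    root = ET.fromstring(xml_text)
    return {k: root.get(k) for k in ("cwsversion", "time", "file", "logpath")}


def call_tree(xml_text):
    """Flatten nested process_call elements into (depth, pid, filename, startreason)."""
    root = ET.fromstring(xml_text)
    out = []

    def walk(node, depth):
        for child in node.findall("process_call"):
            out.append((depth, child.get("pid"), child.get("filename"), child.get("startreason")))
            walk(child, depth + 1)

    walk(root.find("calltree"), 0)
    return out


def monitored_operations(xml_text):
    """Collect every recorded operation as (pid, section tag, operation tag, attributes)."""
    root = ET.fromstring(xml_text)
    ops = []
    for proc in root.find("processes").findall("process"):
        for section in proc:          # e.g. filesystem_section, network_section
            for op in section:        # one element per monitored API operation
                ops.append((proc.get("pid"), section.tag, op.tag, dict(op.attrib)))
    return ops


def verdict(xml_text):
    """Recorded operations really happened (no false positives); an empty report only
    means no *monitored* operation was seen (possible false negative), so the sample
    is never labelled 'clean'."""
    ops = monitored_operations(xml_text)
    if ops:
        return "suspicious: %d monitored operation(s) recorded" % len(ops)
    return "no monitored operations recorded (not proof the sample is clean)"


def render_text(xml_text):
    """Plain-text rendering, the kind of human-readable view an XSL template produces."""
    hdr = report_header(xml_text)
    lines = [
        "Analysis of %s (CWSandbox %s, %s)" % (hdr["file"], hdr["cwsversion"], hdr["time"]),
        "Log path: %s" % hdr["logpath"],
        "Call tree:",
    ]
    for depth, pid, fname, reason in call_tree(xml_text):
        lines.append("  " * (depth + 1) + "pid %s %s [%s]" % (pid, fname, reason))
    lines.append("Operations:")
    for pid, section, op, attrs in monitored_operations(xml_text):
        detail = " ".join("%s=%s" % kv for kv in sorted(attrs.items()))
        lines.append("  pid %s %s/%s %s" % (pid, section, op, detail))
    lines.append("Verdict: " + verdict(xml_text))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_text(SAMPLE_REPORT))
```

The same parsing functions can be pointed at a whole directory of reports to build per-sample summaries or to feed a database, which is the post-processing advantage the XML format gives over the HTML view.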
The  section covers a call tree of all monitored processes, where a