TNotification_ProtectedStorage

■
TNotification_SystemInfo
Used for API calls that query system
information, such as querying the current user
■
TNotification_Thread
Used for API calls that perform actions on
threads, such as creating or terminating
■
TNotification_User
Used for API calls that use the Windows built-in
user management functions, such as creating or deleting a user
■
TNotification_VirtualMemory
Used for API calls that access another
process’s virtual memory
■
TNotification_Window
Used for API calls that access the currently
existing windows, such as to find a window with a given title or class
name
■
TNotification_WinSock
Used for API calls that perform WinSock
operations
There is a focus on analyzing the network connections and the traffic
data. For that reason the transferred data is inspected and an attempt is made
to determine the underlying Web protocol. At the moment, the following
protocols are understood: Hypertext Transport Protocol (HTTP), File Transfer
Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Relay Chat
Protocol (IRC), and the Ident Protocol (IDENT). Connections that use
RFC-conform messages and slightly modified versions of them are automati-
cally detected, and all the protocol-dependent data, such as the login informa-
tion, downloaded Web sites, or performed FTP commands, is extracted. If an
SMTP connection is detected, the CWSandbox can be instructed to trick the
malware such that only informational requests are sent to the remote SMTP
server instead of real mail delivery.That way, the malware thinks it is working
with a proper SMTP server. All the information about outgoing e-mail can
be monitored, whereas no actual e-mail is sent at all.
Cwsandbox.exe
The 
cwsandbox.exe
is a noninteractive console application; it expects, and
needs, no user input during its execution.The only possible input is 

Download 6,98 Mb.

Do'stlaringiz bilan baham: