What is Norman SandBox?
SandBox is Norman's technology for detecting new unknown viruses and malware, using a safe virtual environment inside your computer, where the viruses are allowed to reveal themselves without damaging your system.
Which viruses does Norman SandBox detect?
Norman SandBox detects most types of viruses.
Since the sample being tested for viral activity runs on a simulated computer system inside a simulated network, it can either spread locally on that system or try to infect other machines. It can also use services of remote machines, such as SMTP, News, IRC, DNS, etc.
Does Norman SandBox detect ALL viruses?
No. The intention of Norman SandBox is to detect current threats to your system.
Legacy DOS COM viruses and other non-executable viruses (such as macros and scripts) are not detected by Norman SandBox; those are handled by the ordinary virus definition files.
Norman SandBox focuses on detecting binary email and network worms, as these are the most common and dangerous types of malicious software at present.
Is Norman SandBox safe?
Yes, since everything is running in an emulated environment, nothing is run on your real system.
If a virus or trojan wants to delete all your system files, it will delete the system files on the simulated hard-drive - not your real one. Since we are using emulation, there is nothing to break free from, so it is perfectly safe.
How much of my computer's resources does Norman SandBox use?
Norman SandBox reuses modules from the scanner engine, the emulator and the virtual memory manager.
The software components of Norman SandBox are located in one of the virus definition files (NVCBIN.DEF). The SandBox modules are less than 160KB compressed. The memory requirement is about 4MB per scanning thread. Since we are running the sample through emulation, speed is of the greatest importance. On a 700 MHz PIII it emulates over one million instructions per second. We have designed Norman SandBox to reduce the number of emulation cycles, especially on clean files, and this will be an ongoing effort.
Tests done early in the development phase showed that using Norman SandBox on all executable files on a regular hard-drive increased the scanning time by about 40%. Compared to the amount of work being done by Norman SandBox and the benefit of detecting unknown advanced worms and viruses, we do not consider speed a problem.
When Norman SandBox detects a virus, what should I do?
When Norman SandBox detects a virus, the name of the virus can be one of the following:
W32/EMailWorm: A worm spreading over email
W32/NetworkWorm: A worm spreading over network shares
W32/FileInfector: A virus infecting regular executables
W32/P2PWorm: A worm spreading over P2P networks
W32/Malware:
W32/Backdoor:
W32/Spyware:
W32/Dialer:
W32/Downloader:
If Norman SandBox detects something unknown, you should first make sure that your NVC installation is completely up to date. If your installation is outdated, Norman SandBox may have detected a virus that has recently been added to the definition files. If the name NVC reports is still one of those in the list above, we have not yet added regular detection of it. In such cases we would appreciate it if you submit the sample to analysis@norman.no.
Norman SandBox should always give a short analysis of why it considers the sample a worm or virus. This can be found in the log file or in our message console and may be of a technical character.
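As an added illustration (not Norman's code, and not its real log format or decision logic), the following script maps constructed emulation events to the category names listed above and returns the kind of short analysis the FAQ says accompanies a detection; the event format and the rules are assumptions made for this example.

```python
# Added example (not Norman SandBox code): classify a sample from a constructed
# log of events observed during emulation, using the FAQ's category names.
# The "<kind> <detail>" line format and the rules are assumptions for illustration.
import re

# Constructed sample log: an email worm that persists, then mails itself.
SAMPLE_LOG = """\
file-copy C:\\WINDOWS\\SYSTEM32\\svc.exe <self>
reg-set HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
dns-query mail.example.test
net-connect mail.example.test:25
smtp-send to=alice@example.test attachment=<self>
"""

# (event kind, regex on the detail, category, short analysis) in priority order.
RULES = [
    ("smtp-send", r"attachment=<self>", "W32/EMailWorm",
     "sent a copy of itself as an e-mail attachment"),
    ("file-copy", r"^\\\\[^\\]+\\.*<self>$", "W32/NetworkWorm",
     "copied itself to a remote network share"),
    ("file-modify", r"\.(exe|scr)$", "W32/FileInfector",
     "modified an existing executable on the simulated disk"),
    ("file-copy", r"(?i)(kazaa|emule|limewire|shared).*<self>$", "W32/P2PWorm",
     "dropped a copy of itself into a P2P shared folder"),
    ("net-listen", r".", "W32/Backdoor", "opened a listening port"),
    ("http-get", r"\.exe$", "W32/Downloader", "fetched an executable from a remote host"),
]

def classify(log: str):
    """Return (category, reasons): the highest-priority matching category and the
    analysis strings that justify it. A sample that only persists or self-copies
    falls back to the generic W32/Malware name; a clean log returns (None, [])."""
    events = [line.partition(" ") for line in log.splitlines() if line.strip()]
    reasons = {}
    for kind, _, detail in events:
        for rule_kind, detail_re, category, why in RULES:
            if kind == rule_kind and re.search(detail_re, detail):
                reasons.setdefault(category, []).append(why)
    for _, _, category, _ in RULES:          # rule order gives the priority
        if category in reasons:
            return category, reasons[category]
    generic = [k for k, _, d in events if k == "reg-set" or d.endswith("<self>")]
    if generic:
        return "W32/Malware", ["persists or copies itself but uses no recognised spreading vector"]
    return None, []
```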
Where should I and where can I enable Norman SandBox?
Norman SandBox should be enabled in all mail scanning modules, like NIP (Norman Internet Protection), NVC for Lotus Domino, NVC for Exchange and NVC for Mimesweeper.
You can also enable Norman SandBox for regular on-demand scans, and configure a task file to do a sandbox scan every now and then. If the speed of the scan is important, you should not enable it for on-demand scans.
Norman SandBox is enabled for on-access scanning of files written remotely, e.g. files written to servers running Norman Virus Control.
Does Norman SandBox require updates?
Yes.
Norman SandBox consists of numerous software components, such as kernel32, wsock32, msvcrt etc. These are located in the binary definition file (NVCBIN.DEF). We constantly work on improving these software modules. When we make changes, most often they will be applied in a file called NVDINCR.DEF, meaning that we only distribute a very small incremental update instead of shipping a complete build of the Norman SandBox software components.
Norman SandBox updates will be available through Norman Internet Update in the same manner as other modules.