Views: 7680 | Replies: 13

[News] About NG, introduced in 2015 Beta 2: a full virtual machine based on VirtualBox!

coolcfan
Posted 2014-9-22 00:20:08
Last edited by coolcfan on 2014-9-22 10:00

http://www.wilderssecurity.com/t ... -2200.368367/page-2 #34

It absolutely does that. It's a full virtual machine, instantiated from your live system. If you run malware in it, it can freely do whatever it wants - load kernel drivers, exploit kernel vulnerabilities, rewrite the MBR, format your hard drive etc... it doesn't matter as it's all running in a full hardware-assisted VM.


Rough translation:

NG is a full virtual machine, instantiated from the system that is actually running; if you run malware inside it, that malware can do anything: load kernel drivers, exploit kernel vulnerabilities, rewrite the MBR, format the hard disk and so on... but it doesn't matter, because it runs inside a virtual machine backed entirely by hardware virtualization.




https://forum.avast.com/index.ph ... g1125734#msg1125734

Some information about new avast! NG component: our classic sandbox technology (used for DeepScreen, Sandbox and SafeZone components) restricts a sandboxed application from modifying your system. As Windows OS is quite rich in various APIs and frameworks, we need to monitor more and more OS functions invoked from the unknown applications. This works perfectly for Sandbox/SafeZone, but it's not enough for DeepScreen analysis. When a malware is analyzed in DeepScreen, we'd like to allow it to behave freely without any restrictions and monitor only its activities. Unfortunately, we might end up very soon if it tries e.g. to load a kernel-mode driver (you can't monitor kernel-mode, and if it gets there, it can control your entire OS, hide itself, connect to internet, ...), or use some undocumented system calls on 64-bit OSes (we use our own hypervisor driver to fully protect 64-bit OSes, but this doesn't work on older PCs or with disabled VT-X/AMD-V feature in BIOS).

Avast! NG helps us to analyze malware real-time totally without any restrictions - it can load a kernel driver, it can delete any Windows files, format your volume, everything it wishes. The malware is executed on your OS using VirtualBox engine and the entire OS with malware is monitored. NG was heavily tested for a few months by our user base and we have fixed various HW/SW conflicts and tuned performance. After avast installation, it takes a couple of minutes to prepare NG (this is executed in the background with normal priority in this Beta, it'll be on idle priority in final release).


Rough translation:

The sandbox technology avast! used before (in DS, the Sandbox and SafeZone) restricts programs running in the sandbox from modifying the system. Windows has an enormous number of APIs and frameworks, and more and more of them have to be monitored; for DS that is not enough. When DS analyzes a piece of malware, we want the malware to run without any restrictions so that we can monitor its behaviour; but if the malware manages to load a kernel-mode driver (which cannot be monitored), or uses undocumented system calls on a 64-bit system (our 64-bit protection driver cannot be used on old machines or on machines with hardware virtualization turned off), then it's a disaster.

NG lets us run malware without restrictions and analyze its behaviour. The malware can load kernel drivers, delete Windows files, format the hard disk, do whatever it wants; all of this is executed inside the VirtualBox engine, so every action of the malware is monitored.




https://forum.avast.com/index.ph ... g1125767#msg1125767

Our internal tests say NG improves DeepScreen greatly (nearly 30 percent improvement).


NG improves DS (presumably meaning its protection capability) by as much as 30%.

To sum up NG's limitations and requirements:

  • NG uses the VirtualBox engine, so it cannot run inside a virtual machine.
  • It will not be enabled on very low-spec, very old machines; when the machine is short on resources it may also fall back to the old sandbox technology.
  • On 32-bit Win8/8.1 and all 64-bit systems, hardware virtualization must be enabled in the BIOS before it can be used; on other systems NG can be used without hardware virtualization (VBox to the rescue?)

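The requirements listed in the post above (hardware virtualization enabled in the BIOS, not running inside another VM) come down to a handful of CPU feature bits. The following is an added example in C, not avast or VirtualBox code, that decodes the bits a hypervisor-based sandbox has to check before it can start: the VMX/SVM capability bits from CPUID, the hypervisor-present bit and vendor string that reveal an enclosing VM, and the IA32_FEATURE_CONTROL MSR that records whether firmware actually allowed VT-x to be used. The MSR cannot be read from user mode, so that function only decodes a value obtained elsewhere; the constant register values mentioned in the comments are constructed for illustration.

```c
/* Added example: decode the CPUID / MSR bits that decide whether a
 * hardware-assisted VM (the kind avast NG builds on VirtualBox) can run.
 * Not avast or VirtualBox code. Bit positions are the documented Intel/AMD
 * ones; sample register values in comments are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 5 (VMX): the CPU implements Intel VT-x. */
int cpu_has_vmx(uint32_t leaf1_ecx)
{
    return (int)((leaf1_ecx >> 5) & 1u);
}

/* CPUID leaf 0x80000001, ECX bit 2 (SVM): the CPU implements AMD-V. */
int cpu_has_svm(uint32_t ext1_ecx)
{
    return (int)((ext1_ecx >> 2) & 1u);
}

/* CPUID leaf 1, ECX bit 31: a hypervisor is running underneath this OS.
 * Reserved-zero on bare metal; VirtualBox, VMware, KVM and Hyper-V set it
 * for their guests. */
int hypervisor_present(uint32_t leaf1_ecx)
{
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* CPUID leaf 0x40000000, EBX:ECX:EDX: 12-byte vendor string of that
 * hypervisor, bytes stored little-endian in each register. VirtualBox
 * reports "VBoxVBoxVBox" (EBX = ECX = EDX = 0x786f4256), VMware
 * "VMwareVMware", Hyper-V "Microsoft Hv". */
void hypervisor_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[i * 4 + j] = (char)((regs[i] >> (8 * j)) & 0xffu);
    out[12] = '\0';
}

/* IA32_FEATURE_CONTROL (MSR 0x3A). CPUID only says the silicon can do VMX;
 * this MSR says whether firmware let it be used: bit 0 = lock, bit 2 = VMXON
 * allowed outside SMX. Reading it needs ring 0 (rdmsr, or /dev/cpu/N/msr on
 * Linux with the msr module), so this function only decodes a value that
 * was read elsewhere, e.g. 0x5 = locked and enabled, 0x1 = locked and
 * disabled by BIOS, 0x0 = not locked yet. */
typedef enum { VMX_FW_ENABLED, VMX_FW_DISABLED, VMX_FW_UNLOCKED } vmx_fw_state;

vmx_fw_state vmx_firmware_state(uint64_t feature_control)
{
    int locked   = (int)(feature_control & 1u);
    int vmxon_ok = (int)((feature_control >> 2) & 1u);
    if (!locked)
        return VMX_FW_UNLOCKED;   /* BIOS left it open; the OS may still set the bits */
    return vmxon_ok ? VMX_FW_ENABLED : VMX_FW_DISABLED;  /* BIOS has decided */
}

/* Query the running CPU. Returns 0 (registers zeroed) on non-x86 builds or
 * when an extended leaf is not implemented by this CPU. */
int read_cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    *a = *b = *c = *d = 0;
#if defined(__x86_64__) || defined(__i386__)
    if (leaf >= 0x80000000u && __get_cpuid_max(0x80000000u, NULL) < leaf)
        return 0;
    __cpuid(leaf, *a, *b, *c, *d);
    return 1;
#else
    (void)leaf;
    return 0;
#endif
}

int main(void)
{
    uint32_t a, b, c, d;
    char vendor[13];

    if (!read_cpuid(1, &a, &b, &c, &d)) {
        puts("CPUID not available on this architecture");
        return 1;
    }
    printf("VT-x (VMX) in silicon  : %s\n", cpu_has_vmx(c) ? "yes" : "no");
    printf("hypervisor underneath  : %s\n", hypervisor_present(c) ? "yes" : "no");
    if (hypervisor_present(c)) {
        read_cpuid(0x40000000u, &a, &b, &c, &d);   /* leaf valid only with bit 31 set */
        hypervisor_vendor(b, c, d, vendor);
        printf("hypervisor vendor      : %s\n", vendor);
    }
    if (read_cpuid(0x80000001u, &a, &b, &c, &d))
        printf("AMD-V (SVM) in silicon : %s\n", cpu_has_svm(c) ? "yes" : "no");
    return 0;
}
```

Two caveats when reading the output. First, a VirtualBox guest normally does not see the VMX/SVM bit at all (nested virtualization is off by default), which is the simpler reason the "cannot run inside a VM" rule applies. Second, on a Windows host where Hyper-V is enabled, the hypervisor-present bit is set even on the physical machine, because Windows itself then runs as a Hyper-V root partition; a product that rejected every machine with that bit set would also reject such hosts, so the vendor string matters, not just the bit.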

jayavira
Posted 2014-9-22 07:47:04
Looks like my low-spec computer won't be able to enable this feature.
ksss5566
Posted 2014-9-22 08:00:17
I'm not holding out hope for how much it improves; my biggest hope is simply that the sandbox works properly.
狴犴睚眦
Posted 2014-9-22 08:27:05
VirtualBox; hoping the sandbox works well.
coolcfan (OP)
Posted 2014-9-22 10:01:20
ksss5566 wrote on 2014-9-22 08:00:
I'm not holding out hope for how much it improves; my biggest hope is simply that the sandbox works properly.

Now that it's using the VirtualBox engine, the sandbox ought to work properly...
kira130139
Posted 2014-9-22 12:34:38
My machine is old, can't use it.
聽莧
Posted 2014-9-22 12:54:20
Then the sandbox will be even more awesome.
Really looking forward to it.
lx02611
Posted 2014-9-22 14:30:25
The glitches from the past few days still haven't been sorted out... but this really is a great piece of technology; avast comes up with something new every year.
zxcqwe
Posted 2014-9-22 15:13:54
So does that mean I can freely test samples on my real machine too?
ksss5566
Posted 2014-9-22 17:24:56
coolcfan wrote on 2014-9-22 10:01:
Now that it's using the VirtualBox engine, the sandbox ought to work properly...

Let's hope so.
KaFan Forum (卡饭论坛), KaFan.cn. Copyright © KaFan. All Rights Reserved.