This post was last edited by coolcfan on 2014-9-22 10:00
http://www.wilderssecurity.com/t ... -2200.368367/page-2 #34
It absolutely does that. It's a full virtual machine, instantiated from your live system. If you run malware in it, it can freely do whatever it wants: load kernel drivers, exploit kernel vulnerabilities, rewrite the MBR, format your hard drive, etc. It doesn't matter, as it's all running in a full hardware-assisted VM.
Gist:
NG is a full virtual machine, instantiated from the actually running system. If you run malware inside it, that malware can do anything: load kernel drivers, exploit kernel vulnerabilities, rewrite the MBR, format the hard drive, and so on. But that doesn't matter, because it runs inside a VM fully backed by hardware virtualization.
https://forum.avast.com/index.ph ... g1125734#msg1125734
Some information about the new avast! NG component: our classic sandbox technology (used for the DeepScreen, Sandbox and SafeZone components) restricts a sandboxed application from modifying your system. As the Windows OS is quite rich in various APIs and frameworks, we need to monitor more and more OS functions invoked from unknown applications. This works perfectly for Sandbox/SafeZone, but it's not enough for DeepScreen analysis. When malware is analyzed in DeepScreen, we'd like to allow it to behave freely without any restrictions and monitor only its activities. Unfortunately, we might end up very soon if it tries e.g. to load a kernel-mode driver (you can't monitor kernel mode, and if it gets there, it can control your entire OS, hide itself, connect to the internet, ...), or to use some undocumented system calls on 64-bit OSes (we use our own hypervisor driver to fully protect 64-bit OSes, but this doesn't work on older PCs or with the VT-x/AMD-V feature disabled in the BIOS).
Avast! NG helps us to analyze malware in real time, totally without any restrictions: it can load a kernel driver, it can delete any Windows files, format your volume, everything it wishes. The malware is executed on your OS using the VirtualBox engine, and the entire OS with the malware is monitored. NG was heavily tested for a few months by our user base, and we have fixed various HW/SW conflicts and tuned performance. After avast installation, it takes a couple of minutes to prepare NG (this is executed in the background with normal priority in this Beta; it'll be at idle priority in the final release).
Gist:
The sandbox technology avast! used before (applied in DS, the Sandbox and SafeZone) restricts a program running in the sandbox from modifying the system. Windows has a huge number of APIs and frameworks, and more and more of them have to be monitored; for DS, that isn't enough. When DS analyzes a piece of malware, we want that malware to run without restrictions so that its behaviour can be monitored; but if the malware succeeds in loading a kernel-mode driver (which cannot be monitored), or uses undocumented system calls on a 64-bit system (our 64-bit protection driver doesn't work on old machines or on machines without hardware virtualization enabled), then it's a disaster.
NG lets us run malware without restrictions and analyze its behaviour. The malware can load kernel drivers, delete Windows files, format the hard drive, do anything it wants; all of this is executed in the VirtualBox engine, so every action of the malware is monitored.
https://forum.avast.com/index.ph ... g1125767#msg1125767
Our internal tests say NG improves DeepScreen greatly (nearly 30 percent improvement).
NG improves DS (presumably meaning its protection capability) by as much as 30%.
To sum up NG's limitations and requirements:
- NG uses the VirtualBox engine, so it cannot run inside a virtual machine.
- It won't be enabled on very low-spec, very old machines; when the machine is short on resources, it may also fall back to the old sandbox technology.
- On 32-bit Win8/8.1 and on all 64-bit systems, hardware virtualization must be enabled in the BIOS to use it; on other systems NG can be used without hardware virtualization (VBox to the rescue?)
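Before blaming avast for NG not starting, it is worth checking the three requirements above on the host itself. The script below is an added example, not code from the original post or from Avast: it reads the standard Win32_Processor / Win32_ComputerSystem / Win32_OperatingSystem CIM classes (the VT-related processor properties exist on Windows 8 and later) and applies the eligibility rule exactly as the summary states it. The "is this a guest VM" part is a heuristic on vendor strings; the hypervisor flag is also set on a host that has Hyper-V enabled, which the VirtualBox engine of that time could not share the CPU's virtualization extensions with.

```powershell
# Added example (not from the original post or Avast): check the NG prerequisites
# summarized above on the local host. Requires Windows 8 or later for the
# VT-related Win32_Processor properties; on older OSes they come back empty.
function Test-NgPrerequisites {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # VT-x / AMD-V: supported by the CPU and actually switched on in BIOS/UEFI.
    $vtSupported = [bool]$cpu.VMMonitorModeExtensions
    $vtEnabled   = [bool]$cpu.VirtualizationFirmwareEnabled
    # Second-level address translation (EPT / RVI); not required by the post,
    # but VirtualBox uses it when present, so it is worth reporting.
    $slat        = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # Heuristic guest detection. HypervisorPresent is also $true on a Hyper-V
    # host, so treat either case as "a hypervisor already owns VT-x/AMD-V".
    $hypervisorPresent = [bool]$cs.HypervisorPresent
    $vendorLooksVirtual = ("$($cs.Manufacturer) $($cs.Model)") -match
        'VMware|VirtualBox|innotek|QEMU|KVM|Xen|Virtual Machine|Parallels'
    $isGuestOrHyperV = $hypervisorPresent -or $vendorLooksVirtual

    # Rule from the post: 64-bit OSes and 32-bit Windows 8/8.1 (NT 6.2+) need
    # hardware virtualization; older 32-bit systems do not.
    $os64     = [Environment]::Is64BitOperatingSystem
    $osVer    = [version]$os.Version
    $isWin8Up = $osVer -ge [version]'6.2'
    $needsVt  = $os64 -or $isWin8Up

    $eligible = (-not $isGuestOrHyperV) -and ((-not $needsVt) -or $vtEnabled)

    [pscustomobject]@{
        OSVersion                 = $os.Version
        Is64BitOS                 = $os64
        VtSupportedByCpu          = $vtSupported
        VtEnabledInFirmware       = $vtEnabled
        SlatAvailable             = $slat
        HypervisorPresent         = $hypervisorPresent
        VendorLooksVirtual        = $vendorLooksVirtual
        HardwareVtRequiredForNg   = $needsVt
        NgEligiblePerPostSummary  = $eligible
    }
}

Test-NgPrerequisites | Format-List
```

If VtSupportedByCpu is true but VtEnabledInFirmware is false, the fix is the BIOS/UEFI setting, not a reinstall; if HypervisorPresent is true on a physical machine, look at Hyper-V (or another VT-based product) rather than at the CPU. The eligibility column only encodes the post's own rule; the low-spec and resource-pressure fallback in the second bullet is not something this script can predict.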