Trust is the key element when it comes to selling security products and services. Solution providers have to trust that vendors have created a product that actually works and customers have to trust that solution providers are offering a product that actually protects. But, as they say, the proof is in the pudding. In other words, no one really knows how well a security solution works until that solution has demonstrated its prowess from an attack. However, attacks are not predictable and waiting around for one is not the best way to see if your security solution works.

For those perplexed by the security paradox, Sunbelt Software has an answer, CWSandbox. Released on Oct. 1, CWSandbox brings a rich tool set to security VARs looking to stress a security solution without creating any of the danger. The product rapidly analyzes the behavior of malware--including infected trojans, Office documents, browser helper objects (BHOs), malicious URLs and more-- by executing the code inside a controlled environment.

CWSandbox uses automated behavior analysis to collect data on the results of an initiated malware attack. Those malware attacks can be large in scale, big in numbers and can be executed concurrently. The product relies on a large database of malware samples to make that happen and that database can be updated with an automated sample malware collection or by using Nepenthes (a tool for automated collection of autonomously-spreading malware). The product uses the malware database to execute analysis and monitoring. When enough information about the malware is collected, the testing terminates and the collected data is analyzed.

Simply put, CWSandbox attacks a system, monitors the activity and then reports on the results. CWSandbox uses code injection to simulate how malware works and avoids detection from existing malware infections by using a hardened API that prevents an existing malware process from tainting the scan results. The monitoring portion consists of watching nearly all accesses to system resources, the file system and the registry. The product also monitors WinSock functions, which are normally used to communicate via TCP/IP-networks. CWSandbox monitors Windows applications with special attention to communication resources and notes any network activity and HTTP, FTP, SMTP and IRC connections and extracts any important data created by an attack, such as file transfers, IRC logins and services initiations.