
SandboxScanner

The goal of the SandboxScanner module is to search for unknown malicious PHP files on the system by running them in a simulated local sandbox environment. The virtual sandbox is able to simulate the execution of PHP scripts, analyze the various behavioral characteristics of the PHP files, and automatically recognize obfuscation and many different kinds of malicious behavior.

This module is a PHP emulator: it runs PHP files in a safe environment and analyzes their behavior. It will check every PHP file that is scanned by the Malware Detection module. The SandboxScanner module allows us to find zero-day malware even if it is obfuscated.

tip

The SandboxScanner will create a malware signature, pending validation, for each file it detects as possible malware. You can validate these signatures from the Dashboard or from the BitNinjaCLI.

warning

In order to use the SandboxScanner module, make sure you have BitNinja version 2.25.0 or newer installed on the server.

Enable the SandboxScanner

The behavior-based malware detection module checks the file cache made by the Malware Detection module. This feature is enabled by default.

tip

As the SandboxScanner uses the file cache generated by the Malware Detection module, the SandboxScanner will only be operational if the file cache is present on the server. The file cache will only be generated if there has been at least one full scan on the server since BitNinja was installed on it.

To make sure that the SandboxScanner is operational, it is recommended to run a full malware scan on the server so that the file cache is certainly generated.

You can enable the Sandbox Scanner module using this command:

bitninjacli --module=SandboxScanner --enable

SandboxScanner will add files to a queue and emulate their execution, checking whether they behave suspiciously. The first time it is enabled, it will detect all PHP files included in the file cache and add them to its own queue. After the initial scan catches up, the module will monitor every file in almost real-time.

The SandboxScanner will log to: /var/log/bitninja/mod.sandbox_scanner.log

Analyze

Check if a file behaves suspiciously.

bitninjacli --module=sandboxscanner --analyze-file=/home/path/toFile.php

bitninjacli --analyze-file=/home/path/toFile.php

These commands will analyze a given file and show you a summary of the file's behavior. In the summary, you can see whether the file made any eval requests, generated any output, or is obfuscated. It will also assign a score to each aspect and an indication of whether the file is malicious.


tip

The specified file is added to the end of the SandboxScanner's queue, so it will be scanned as soon as the queue is empty. The file scan might take place later if the SandboxScanner was recently started, as it first has to process all files indexed by the file cache.
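The analyze summary described above scores eval use, output and obfuscation separately and then flags the file. The following static triage script is an added illustration, not BitNinja's code: the real SandboxScanner emulates execution rather than pattern-matching the source. It scores the same three aspects on two constructed PHP snippets, which can help decide which files are worth submitting with --analyze-file first.

```python
import math
import re

# Constructed samples: a benign file and one that feeds a base64 blob into eval.
CLEAN_PHP = '<?php\necho "Hello, world";\n'
SUSPECT_PHP = "<?php\n$p = 'ZWNobyAiaGkiOw==';\neval(base64_decode($p));\n"

EVAL_SINKS = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
OUTPUT_CALLS = re.compile(r"\b(echo|print|printf|print_r|var_dump|readfile)\b", re.I)
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{16,})['\"]")
# A decoder feeding an eval sink in the same statement is the strongest signal.
CHAINED = re.compile(r"\b(eval|assert)\s*\(\s*\w*(decode|inflate|uncompress|rot13)", re.I)


def shannon_entropy(s):
    """Bits per character; encoded blobs sit well above ordinary PHP source."""
    if not s:
        return 0.0
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())


def summarize(source):
    """Score the three aspects the sandbox summary reports (eval, output,
    obfuscation), each capped at 10, plus a verdict flag. Hypothetical
    thresholds chosen for illustration; tune them against your own corpus."""
    eval_hits = len(EVAL_SINKS.findall(source))
    output_hits = len(OUTPUT_CALLS.findall(source))
    blobs = LONG_BLOB.findall(source)
    obfuscation = 3 * len(DECODERS.findall(source)) + 2 * len(blobs)
    if blobs and max(shannon_entropy(b) for b in blobs) > 4.5:
        obfuscation += 2
    scores = {
        "eval": min(10, 4 * eval_hits + (6 if CHAINED.search(source) else 0)),
        "output": min(10, output_hits),
        "obfuscation": min(10, obfuscation),
    }
    scores["malicious"] = scores["eval"] >= 6 or (
        scores["eval"] > 0 and scores["obfuscation"] >= 5
    )
    return scores


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_PHP), ("suspect", SUSPECT_PHP)):
        print(name, summarize(src))
```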

Disable the SandboxScanner

You can disable the module with this command:

bitninjacli --module=SandboxScanner --disable

This command will disable and stop the SandboxScanner.