Question 1

How to set up Noriben with Procmon on Windows?

Accepted Answer

Download Procmon from Microsoft, place it in the same directory as Noriben.py, and run the script with arguments like --cmd for malware execution. The README provides a usage guide, but step-by-step setup instructions are limited.

Question 2

Can Noriben analyze malware on Linux or macOS?

Accepted Answer

Noriben itself is Python-based and can run on any platform, but it requires Procmon for event logging, which is Windows-only. The automation script NoribenSandbox.py is designed for OSX, but full cross-platform analysis isn't natively supported.

Question 3

Noriben or Cuckoo Sandbox: which is better for a small security lab?

Accepted Answer

Noriben is lighter and more portable, ideal for manual or scripted analysis with flexibility, while Cuckoo offers more comprehensive automation but is complex to set up. Choose Noriben for hands-on control, Cuckoo for scalable, automated pipelines.

Question 4

How to automate malware execution with Noriben in a VM?

Accepted Answer

Use the NoribenSandbox.py script to manage VM snapshots, copy malware, run Noriben with timeouts, and retrieve reports. It's optimized for OSX but can be adapted with modifications for other systems.

Question 5

Does Noriben support real-time monitoring of malware activities?

Accepted Answer

Noriben uses Procmon to capture events during execution, but it's not designed for continuous real-time monitoring; it logs activities for a specified duration or until manually stopped, then generates reports.

Question 6

How do I add custom whitelists for known benign files in Noriben?

Accepted Answer

Use the --hash option with a file containing MD5, SHA1, or SHA256 hashes of benign files, as mentioned in the key features. This helps reduce noise in reports by ignoring trusted system activity.

Noriben

What is Noriben?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions