This repository has been archived by the owner on Apr 26, 2021. It is now read-only.

Unreliable times in result if agent updates time #587

Open
jimmythegreat opened this issue Jun 18, 2015 · 4 comments


@jimmythegreat

If the time in the agent gets updated, it could lead to unreliable times in the results.

Scenario:
9:19: Malware starts at 4:48 (agent time).
The API calls and enhanced data will have a time of 4:48
9:19: Windows updates time to 9:19
9:21: Malware creates a new process
The API calls and enhanced data will have a new time of 9:21

Real example:

"info": {
    "category": "file",
    "started": "2015-06-15 09:19:31",
    "ended": "2015-06-15 09:20:58",
    "duration": 87,

As you can see, Cuckoo's time was 9:19 when the malware started, and the analysis was 87 seconds long.

{
    "category": "process",
    "timestamp": "2015-06-15 04:58:50,980",
    "thread_id": "2648",
    "api": "ExitProcess",
    "id": 254
}
{
    "parent_id": 2644,
    "process_name": "50ea956ee0cd6.exe",
    "process_id": 2880,
    "first_seen": "2015-06-15 09:19:28,732",
    "calls": [
        {
            "category": "threading",
            "timestamp": "2015-06-15 09:19:28,748",
            "thread_id": "3060",
            "api": "ExitThread",
            "id": 0
        },

The first call is from the parent process at 4:48. The second is from a new process that started at 9:19.

I can provide the full json if needed.
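A check for the symptom described above, added here as an example (it is not part of the issue or of Cuckoo's own code): the script reads a Cuckoo 1.x report.json with the field layout shown in the post, compares the guest-clock timestamps of every process and API call against the host-side "started"/"ended" window in "info", and also flags consecutive calls of one process that lie further apart than the whole analysis lasted. Both symptoms appear when the guest clock is stepped mid-run. The embedded sample report, the process names, the 30-second slack and the function names are constructed for the example.

```python
"""Flag guest clock steps in a Cuckoo report.json (added example, not Cuckoo code).

Cuckoo's monitor stamps every API call with the guest's wall clock, while
info.started / info.ended come from the host. If something moves the guest
clock mid-analysis (NTP from INetSim, Windows time sync), per-call timestamps
stop fitting inside the host-side window and two consecutive calls in one
process can be hours apart. Field names follow the Cuckoo 1.x layout shown
in the issue; SAMPLE_REPORT below is constructed, not a real analysis.
"""
import json
import sys
from datetime import datetime, timedelta

CALL_FMT = "%Y-%m-%d %H:%M:%S,%f"  # behaviour log: "2015-06-15 04:58:50,980"
INFO_FMT = "%Y-%m-%d %H:%M:%S"     # info block:    "2015-06-15 09:19:31"


def parse_call_ts(text):
    """Parse a behaviour-log timestamp; %f accepts the 3-digit millisecond field."""
    return datetime.strptime(text, CALL_FMT)


def _offset(ts, lo, hi):
    """Seconds by which ts falls outside [lo, hi]; negative means before lo, 0 if inside."""
    if ts < lo:
        return (ts - lo).total_seconds()
    if ts > hi:
        return (ts - hi).total_seconds()
    return 0.0


def find_clock_steps(report, slack=timedelta(seconds=30)):
    """Return findings for timestamps that cannot be trusted.

    slack (an assumed tolerance) absorbs the normal skew between host-side
    "info" times and guest timestamps taken just outside the window.
    """
    info = report["info"]
    started = datetime.strptime(info["started"], INFO_FMT)
    ended = datetime.strptime(info["ended"], INFO_FMT)
    tolerance = slack.total_seconds()
    max_gap = (ended - started) + slack  # two calls of one run cannot be further apart
    findings = []
    for proc in report.get("behavior", {}).get("processes", []):
        pid = proc.get("process_id")
        first_seen = parse_call_ts(proc["first_seen"])
        off = _offset(first_seen, started, ended)
        if abs(off) > tolerance:
            findings.append({"kind": "first_seen_outside_window", "process_id": pid,
                             "timestamp": proc["first_seen"], "offset_seconds": off})
        prev = None
        for call in proc.get("calls", []):
            ts = parse_call_ts(call["timestamp"])
            off = _offset(ts, started, ended)
            if abs(off) > tolerance:
                findings.append({"kind": "call_outside_window", "process_id": pid,
                                 "call_id": call.get("id"), "api": call.get("api"),
                                 "timestamp": call["timestamp"], "offset_seconds": off})
            if prev is not None:
                gap = ts - prev
                # a backwards step or a forward step longer than the analysis itself
                if gap < timedelta(0) or gap > max_gap:
                    findings.append({"kind": "jump", "process_id": pid,
                                     "call_id": call.get("id"), "api": call.get("api"),
                                     "timestamp": call["timestamp"],
                                     "gap_seconds": gap.total_seconds()})
            prev = ts
    return findings


def timestamps_are_reliable(report, slack=timedelta(seconds=30)):
    """True when no clock step was detected in the report."""
    return not find_clock_steps(report, slack)


# Constructed sample modelled on the issue: the parent runs on the stale guest
# clock (04:58), the clock is then stepped to 09:19, the child starts afterwards.
SAMPLE_REPORT = {
    "info": {"category": "file", "started": "2015-06-15 09:19:31",
             "ended": "2015-06-15 09:20:58", "duration": 87},
    "behavior": {"processes": [
        {"process_id": 2644, "parent_id": 2600, "process_name": "sample.exe",
         "first_seen": "2015-06-15 04:58:40,100",
         "calls": [
             {"id": 0, "category": "filesystem", "api": "NtCreateFile",
              "thread_id": "2648", "timestamp": "2015-06-15 04:58:41,000"},
             {"id": 1, "category": "process", "api": "CreateProcessInternalW",
              "thread_id": "2648", "timestamp": "2015-06-15 09:19:28,700"},
             {"id": 2, "category": "process", "api": "ExitProcess",
              "thread_id": "2648", "timestamp": "2015-06-15 09:20:55,000"}]},
        {"process_id": 2880, "parent_id": 2644, "process_name": "child.exe",
         "first_seen": "2015-06-15 09:19:28,732",
         "calls": [
             {"id": 0, "category": "threading", "api": "ExitThread",
              "thread_id": "3060", "timestamp": "2015-06-15 09:19:28,748"}]},
    ]},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for finding in find_clock_steps(report):
        print(json.dumps(finding))
    print("timestamps reliable:", timestamps_are_reliable(report))
```

Run it against a real analysis with `python clock_steps.py storage/analyses/<id>/reports/report.json`. On the sample it reports the parent's first_seen and first call as roughly 4h20m before the window and a 15647-second jump between the parent's first and second call, while the child (created after the step) looks clean, which matches the pattern in the issue: only timestamps taken before the clock step are wrong, so a report that passes this check still depends on the guest clock having been correct before the run (the thread's remedy is to keep NTP away from the guest).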

@botherder
Member

This is actually something we are aware of, but it is a bit tricky to fix. Normally, the VM clock should be adjusted before the processes are started.
What virtualization software do you use?

@jimmythegreat
Author

We are using VMware workstation 11. We are also using INetSim (which has NTP). I guess the simple solution is to disable NTP within INetSim.

@Tpedu

Tpedu commented Aug 12, 2016

It also occurs on 2.0-rc1.
The timestamp in .json report seems incorrect.
However, the timestamp in .html report is correct.

@KillerInstinct
Contributor

Disable NTP on the guest -- what point is there in using it?
