Saferwall is an open-source malware analysis platform.
It aims for the following goals:
- Provide a collaborative platform to share samples among malware researchers.
- Act as an expert system that helps researchers generate an automated malware analysis report.
- Provide a hunting platform for finding new malware.
- Provide quality assurance for signatures before release.
- Static analysis:
  - Crypto hashes, packer identification
  - Strings extraction
- Multiple AV scanners, including engines from major antivirus vendors:

| Vendor | Status | Vendor | Status |
|---|---|---|---|
| Avast | ✔️ | FSecure | ✔️ |
| Avira | ✔️ | Kaspersky | ✔️ |
| Bitdefender | ✔️ | McAfee | ✔️ |
| ClamAV | ✔️ | Sophos | ✔️ |
| Comodo | ✔️ | Symantec | ✔️ |
| ESET | ✔️ | Windows Defender | ✔️ |
Current architecture / Workflow:
Here is a basic workflow which happens during a file scan:
- Frontend talks to the backend via REST APIs.
- Backend uploads samples to the object storage.
- Backend pushes a message into the scanning queue.
- Consumer fetches the file and copies it to the NFS share, so the sample does not have to be pulled into every container.
- Consumer asynchronously calls the scanning services (such as the AV scanners) via gRPC and waits for their results.
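As an added illustration of the consumer step above (example code, not Saferwall's own), this Go snippet fans a scan out to several engines concurrently, gives each call its own context deadline, and collects every engine's answer, so a hung engine yields a timeout error instead of stalling the whole job. `Scanner`, `ScanResult`, `ScanAll` and `fakeScanner` are hypothetical names; the fake engine stands in for a generated gRPC client.

```go
package main

import ("context"; "sync"; "time")

// ScanResult is one engine's answer as the consumer records it (hypothetical shape).
type ScanResult struct {
	Infected bool
	Verdict  string
	Err      error // context.DeadlineExceeded when the engine missed its deadline
}

// Scanner stands in for a generated gRPC client of one AV scanning service.
type Scanner interface {
	Name() string
	Scan(ctx context.Context, path string) (infected bool, verdict string, err error)
}

// ScanAll fans out to every engine concurrently with a per-call deadline, then waits for all.
func ScanAll(ctx context.Context, scanners []Scanner, path string, timeout time.Duration) map[string]ScanResult {
	results := make(map[string]ScanResult, len(scanners))
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, s := range scanners {
		wg.Add(1)
		go func(s Scanner) {
			defer wg.Done()
			callCtx, cancel := context.WithTimeout(ctx, timeout) // per-call deadline
			defer cancel()
			infected, verdict, err := s.Scan(callCtx, path)
			mu.Lock() // the result map is shared by all goroutines
			results[s.Name()] = ScanResult{Infected: infected, Verdict: verdict, Err: err}
			mu.Unlock()
		}(s)
	}
	wg.Wait()
	return results
}

// fakeScanner is a constructed stand-in engine with a fixed latency; an empty
// verdict means clean. It honours cancellation the way a real gRPC client does.
type fakeScanner struct{ name, verdict string; latency time.Duration }

func (f fakeScanner) Name() string { return f.name }

func (f fakeScanner) Scan(ctx context.Context, path string) (bool, string, error) {
	select {
	case <-time.After(f.latency):
		return f.verdict != "", f.verdict, nil
	case <-ctx.Done(): // deadline hit: report the timeout instead of a verdict
		return false, "", ctx.Err()
	}
}
```

In the real consumer the per-engine error is worth recording in the report, since a missing verdict from a timed-out engine is not the same as a clean verdict.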
- ML PE classifier (private) and string ranker.
- docker-compose and .devcontainer to ease development.
- A portable executable (PE) file parser.
- A UI for displaying PE parsing results.
- gib: a package to detect gibberish strings.
- bytestats: a package that implements byte and entropy statistics for binary files.
- A CLI utility to interact with the Saferwall web APIs.
- sdk2json: a package to convert Win32 API definitions to JSON format.
- Consumer docker image is split into a base image and an app image.
- Refactor the consumer and make it a Go module.
- [Helm] reduce the minio memory request; reduce the ES and Kibana CPU requests to half a core.
- [Helm] bump chart dependency modules.
- [pkg/consumer] add a context timeout to the multiav scan gRPC API.
- Move the website, dashboard and web API projects to separate git repositories.
- Improvements to the CI/CD pipeline: include code coverage, test only changed modules, and run custom GitHub Actions runners.
Copyright (C) 2018 saferwall