
saferwall v0.1.1 releases: an open source malware analysis platform

saferwall

Saferwall is an open-source malware analysis platform.

It aims for the following goals:

  • Provide a collaborative platform to share samples among malware researchers.
  • Act as an expert system that helps researchers generate an automated malware analysis report.
  • Serve as a hunting platform to find new malware.
  • Quality assurance of signatures before they are released.

Features

  • Static analysis:
    • Crypto hashes, packer identification
    • Strings extraction
  • Multiple AV scanners, including major antivirus vendors:

    Vendor            Status
    Avast             ✔️
    Avira             ✔️
    Bitdefender       ✔️
    ClamAV            ✔️
    Comodo            ✔️
    ESET              ✔️
    FSecure           ✔️
    Kaspersky         ✔️
    McAfee            ✔️
    Sophos            ✔️
    Symantec          ✔️
    Windows Defender  ✔️
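Below is an added example, written for this page and not saferwall's own code, of the static-analysis pass sketched above (and of the kind of byte and entropy statistics the bytestats package in the changelog provides): crypto hashes, whole-file and windowed Shannon entropy as a crude packing heuristic, and ASCII string extraction. All function names and the sample bytes are my own constructions; the sample is a fake binary, not a real PE.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// Hashes holds the crypto hashes a static-analysis stage records for a sample.
type Hashes struct {
	MD5, SHA1, SHA256 string
}

// ComputeHashes returns hex-encoded MD5, SHA-1 and SHA-256 of the sample.
func ComputeHashes(data []byte) Hashes {
	m, s1, s256 := md5.Sum(data), sha1.Sum(data), sha256.Sum256(data)
	return Hashes{hex.EncodeToString(m[:]), hex.EncodeToString(s1[:]), hex.EncodeToString(s256[:])}
}

// ShannonEntropy returns the entropy of data in bits per byte (0..8).
// Packed or encrypted regions push this toward 8; code and text sit lower.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// HighEntropyWindows slides a fixed window over data and counts windows whose
// entropy exceeds threshold. This is only a packing heuristic; a real packer
// identifier also matches section names and entry-point byte signatures.
func HighEntropyWindows(data []byte, window int, threshold float64) int {
	n := 0
	for off := 0; off+window <= len(data); off += window {
		if ShannonEntropy(data[off:off+window]) > threshold {
			n++
		}
	}
	return n
}

// ExtractStrings returns runs of printable ASCII of at least minLen bytes,
// like the classic `strings` utility (ASCII only; UTF-16 strings are missed).
func ExtractStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(data[start:i]))
		}
		start = -1
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// constructedSample builds a fake binary (constructed input, not a real file):
// a text-like header, a zero-filled region and a pseudo-random "packed"
// region produced by a small LCG so the output is deterministic.
func constructedSample() []byte {
	buf := []byte("MZ\x90\x00")
	buf = append(buf, "This program cannot be run in DOS mode.\x00kernel32.dll\x00"...)
	buf = append(buf, make([]byte, 2048)...)
	x := uint32(12345)
	for i := 0; i < 2048; i++ {
		x = x*1664525 + 1013904223
		buf = append(buf, byte(x>>24))
	}
	return buf
}

func main() {
	data := constructedSample()
	h := ComputeHashes(data)
	fmt.Printf("md5=%s sha1=%s sha256=%s\n", h.MD5, h.SHA1, h.SHA256)
	fmt.Printf("entropy=%.2f bits/byte, high-entropy 1 KiB windows: %d\n",
		ShannonEntropy(data), HighEntropyWindows(data, 1024, 7.0))
	for _, s := range ExtractStrings(data, 6) {
		fmt.Printf("string: %q\n", s)
	}
}
```

The pseudo-random tail also yields a few accidental printable runs, which is exactly the noise a string ranker or a gibberish detector such as the gib package from the changelog is meant to filter out before strings reach the report.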

Current architecture / workflow:

Here is the basic workflow that happens during a file scan:

  • The frontend talks to the backend via REST APIs.
  • The backend uploads the sample to the object storage.
  • The backend pushes a message into the scanning queue.
  • The consumer fetches the file and copies it to the NFS share, so the sample does not have to be pulled by every scanner container.
  • The consumer calls the scanning services (such as the AV scanners) asynchronously via gRPC and waits for the results.
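The consumer side of that workflow, as an added example written for this page rather than saferwall's own consumer code: stage the sample once on a shared directory, fan out to every scanner concurrently with a per-call context timeout (the changelog's "context timeout to multiav scan gRPC API"), and collect one result per engine even when one engine hangs. The Scanner interface and fakeScanner are my stand-ins for the generated gRPC clients; the engine names, delays and detection string are constructed.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"sync"
	"time"
)

// ScanResult is what one scanning service reports back for a sample.
type ScanResult struct {
	Vendor   string
	Infected bool
	Output   string // detection name, empty when clean
	Err      error  // non-nil on engine error or per-scanner timeout
}

// Scanner abstracts one scanning service. In saferwall these are gRPC
// clients; this interface stands in for the generated client here.
type Scanner interface {
	Name() string
	Scan(ctx context.Context, path string) (infected bool, output string, err error)
}

// StageSample writes the sample once into the shared directory (the NFS share
// in the workflow) under its SHA-256 name and returns that path, so every
// scanner container reads the same file instead of pulling it again.
func StageSample(shareDir string, sample []byte) (string, error) {
	sum := sha256.Sum256(sample)
	path := filepath.Join(shareDir, hex.EncodeToString(sum[:]))
	if err := os.WriteFile(path, sample, 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// ScanAll fans out to every scanner concurrently, each call bounded by
// perScanTimeout, and returns results sorted by vendor. A hung engine cannot
// stall the whole job: its result carries context.DeadlineExceeded instead.
func ScanAll(ctx context.Context, scanners []Scanner, path string, perScanTimeout time.Duration) []ScanResult {
	results := make([]ScanResult, len(scanners))
	var wg sync.WaitGroup
	for i, s := range scanners {
		wg.Add(1)
		go func(i int, s Scanner) {
			defer wg.Done()
			sctx, cancel := context.WithTimeout(ctx, perScanTimeout)
			defer cancel()
			inf, out, err := s.Scan(sctx, path)
			results[i] = ScanResult{Vendor: s.Name(), Infected: inf, Output: out, Err: err}
		}(i, s)
	}
	wg.Wait()
	sort.Slice(results, func(a, b int) bool { return results[a].Vendor < results[b].Vendor })
	return results
}

// Detections summarises a result set: engines that flagged the sample and
// engines that produced no verdict (error or timeout), which a report should
// show separately from "clean" so a silent engine is not read as a clean verdict.
func Detections(results []ScanResult) (infected, failed int) {
	for _, r := range results {
		switch {
		case r.Err != nil:
			failed++
		case r.Infected:
			infected++
		}
	}
	return infected, failed
}

// fakeScanner is a constructed stand-in for an AV gRPC service: it waits
// `delay` (or until the context expires) and then answers.
type fakeScanner struct {
	name   string
	delay  time.Duration
	detect string // constructed detection name; empty means clean
}

func (f fakeScanner) Name() string { return f.name }

func (f fakeScanner) Scan(ctx context.Context, path string) (bool, string, error) {
	select {
	case <-ctx.Done():
		return false, "", ctx.Err()
	case <-time.After(f.delay):
	}
	return f.detect != "", f.detect, nil
}

func main() {
	shareDir, err := os.MkdirTemp("", "saferwall-share")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(shareDir)
	path, err := StageSample(shareDir, []byte("constructed sample bytes"))
	if err != nil {
		panic(err)
	}
	scanners := []Scanner{ // constructed engines; "hung" never answers within the budget
		fakeScanner{name: "clamav", delay: 10 * time.Millisecond, detect: "Test.Constructed.Detection"},
		fakeScanner{name: "sophos", delay: 10 * time.Millisecond},
		fakeScanner{name: "hung", delay: 10 * time.Second},
	}
	results := ScanAll(context.Background(), scanners, path, 200*time.Millisecond)
	for _, r := range results {
		fmt.Printf("%-8s infected=%-5v output=%q err=%v\n", r.Vendor, r.Infected, r.Output, r.Err)
	}
	inf, failed := Detections(results)
	fmt.Printf("%d/%d engines flagged the sample, %d gave no verdict\n", inf, len(results), failed)
}
```

The per-scanner timeout is derived from the caller's context, so cancelling the job (for example when the queue message is retried) also cancels every in-flight gRPC call, and a timed-out engine is reported as "no verdict" rather than silently counted as clean.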

Changelog v0.1

Added

  • ML PE classifier (private) and string ranker.
  • docker-compose and .devcontainer to ease development.
  • A portable executable (PE) file parser.
  • A UI for displaying PE parsing results.
  • gib: a package to detect gibberish strings.
  • bytestats: a package that implements byte and entropy statistics for binary files.
  • A CLI utility to interact with the saferwall web APIs.
  • sdk2json: a package to convert Win32 API definitions to JSON format.

Changed

  • Consumer docker image is separated to a base image and an app image.
  • Refactor consumer and make it a go module.
  • [Helm] reduce minio MEM request, ES and Kibana CPU request to half a core.
  • [Helm] bump chart dependency modules.
  • [pkg/consumer] add context timeout to multiav scan gRPC API.
  • Move the website, the dashboard and the web API projects to separate git repositories.
  • Improvement in CI/CD pipeline: include code coverage, test only changed modules & running custom github action runners.

Installation

Copyright (C) 2018 saferwall
