4. Dynamic analysis

In contrast to multiscanning, which performs only static analysis, MetaDefender Cloud offers the option to dynamically analyze files. Dynamic analysis is the process by which a file is executed (or "detonated") in an isolated virtual environment, often referred to as a sandbox. After detonation, the host operating system is monitored and a full report of the behavior is recorded, covering operations such as file activity on disk, registry key changes on Windows machines, and network traffic. With this information, an activity report is created, and based on the behavior of the file a verdict on its maliciousness is assigned.

The two operating systems supported by OPSWAT Sandbox on MetaDefender Cloud are:

  • Windows 7 x64

  • Windows 10 x64

The Windows machines come preconfigured with: Office 2019, Java, Acrobat Reader, Flash, Mozilla and Chrome.

Here is the list of file types that the Windows sandbox is capable of analyzing:

  • Windows executables: exe, msi, bat, vbs, vbe, wsf, wsc, js, jse, ps1, dll, chm, ocx

  • Office documents: doc, docx, docm, dot, dotx, dotm, msg, ppt, pptx, pptm, pot, potx, xls, xlsx, xlsm, xlm, xlw, rtf, iqy

  • PDF documents

  • HTML

  • JAR

At this time, we do not support dynamic analysis for archives or files inside archives.

Web Interface

When uploading a file, the advanced settings section allows users to set the following configuration options:


  • Operating system: Microsoft Windows 7 or Windows 10

  • Duration: short (150s) or long (300s). This is exactly how long the analysis will last once the file is picked up from the scan queue and uploaded to the sandbox

  • Browser: OS_default (Internet Explorer), Chrome or Firefox. This controls which browser is used to open HTML/JavaScript files

When a file is one of the types listed above but no dynamic analysis has been performed, the dynamic analysis card is displayed to give the user the option of running dynamic analysis on the file:


This will only be displayed for the file types listed above. Clicking one of the buttons will initiate the analysis, which usually takes between 5 and 10 minutes.

Once the process is finished, the dynamic analysis page is displayed:


The page is broken down into 4 tabs:

  • a general section displaying the scan result, the start time, the infection score, and signatures, where the behavior is ranked from 1 to 10 (1 - No threat detected, 10 - Malicious)

  • a section for each process detected during execution

  • a global network section where all traffic is logged

  • registry key activity

  • mutex activity

  • filesystem activity


For more details on the data displayed, please see our API documentation.


A few of the items we are working on:

  • adding support for Android sandbox

  • adding support for more Windows file types

  • improving the data format by eliminating excess or irrelevant information

  • behavior summaries

  • release analysis for URLs