4. Dynamic analysis

In contrast to multiscanning, which performs only static analysis, MetaDefender Cloud also offers the option to analyze files dynamically. Dynamic analysis is the process by which a file is executed (or "detonated") in an isolated virtual environment, often referred to as a sandbox. After detonation, the operating system of the sandbox machine is monitored and a full record of the file's behavior is captured: file activity on disk, registry key changes on Windows machines, and network traffic. From this information an activity report is created, and based on the observed behavior a verdict on the file's maliciousness is assigned.

The two operating systems supported by OPSWAT Sandbox on MetaDefender Cloud are:

  • Windows 7 x64

  • Windows 10 x64

The Windows machines come preconfigured with Office 2019, Java, Acrobat Reader, Flash, Mozilla and Chrome.

Here is the list of file types that the Windows sandbox is capable of analyzing:

  • Windows executables: exe, msi, bat, vbs, vbe, wsf, wsc, js, jse, ps1, dll, chm, ocx

  • Office documents: doc, docx, docm, dot, dotx, dotm, msg, ppt, pptx, pptm, pot, potx, xls, xlsx, xlsm, xlm, xlw, rtf, iqy

  • PDF documents

  • HTML

  • JAR

At this time, we do not support dynamic analysis for archives or files inside archives.

Web Interface

When a file is one of the types listed above but no dynamic analysis has been performed yet, the dynamic analysis card is displayed to give the user the option of running dynamic analysis on the file:


This card is only displayed for the file types listed above. Clicking one of the buttons initiates the analysis, which usually takes between 5 and 10 minutes.

Once the process is finished, the dynamic analysis page is displayed:


The page is broken down into 4 tabs:

  • a general section displaying the scan result, the start time, the infection score and the signatures, where the behavior is ranked from 1 to 10 (1 - no threat detected, 10 - malicious)

  • a section for each process detected during execution

  • a global network section where all traffic is logged

  • registry key activity

  • mutex activity

  • filesystem activity


For more details on the data displayed, please see our API documentation.

Roadmap

A few of the items we are working on:

  • adding support for an Android sandbox

  • adding support for more Windows file types

  • improving the data format by eliminating excess or irrelevant information

  • behavior summaries

  • releasing analysis for URLs