4. Dynamic analysis

In contrast to multiscanning, which performs only static analysis, MetaDefender Cloud offers the option to dynamically analyze files. Dynamic analysis is the process by which a file is executed (or "detonated") in an isolated virtual environment, often referred to as a sandbox. After detonation, the host operating system is monitored and a full report of the behavior is recorded, covering operations such as file activity on disk, registry key changes on Windows machines, and network traffic. With this information, an activity report is created, and based on the behavior of the file a diagnostic is assigned in terms of maliciousness.

The two operating systems supported by OPSWAT Sandbox on MetaDefender Cloud are:

  • Windows 7 x64

  • Windows 10 x64

The Windows machines come preconfigured with: Office 2019, Java, Acrobat Reader, Flash, Mozilla and Chrome.

Here is the list of file types that the Windows sandbox is capable of analyzing:

  • Windows executables: exe, msi, bat, vbs, vbe, wsf, wsc, js, jse, ps1, dll, chm, ocx

  • Office documents: doc, docx, docm, dot, dotx, dotm, msg, ppt, pptx, pptm, pot, potx, xls, xlsx, xlsm, xlm, xlw, rtf, iqy

  • PDF documents

  • HTML

  • JAR

At this time, we do not support dynamic analysis for archives or files inside archives.

Web Interface

When uploading a file, the advanced settings section offers users the following configuration options:


  • Operating system: Microsoft Windows 7 and Windows 10

  • Duration: short (150s) and long (300s). This is exactly how long the analysis will last once the file is picked up from the scan queue and uploaded to the sandbox.

  • Browser: OS_default (Internet Explorer), Chrome or Firefox. This controls which browser is used to open HTML/JavaScript files.

When a file is one of the types listed above, but no dynamic analysis was performed, the dynamic analysis card will be displayed to give the user the option of running dynamic analysis for the file:


This will only be displayed for the file types listed above. Clicking one of the buttons will initiate the analysis, which usually takes between 5 and 10 minutes.

Once the process is finished the dynamic analysis page is displayed:


The Dynamic Analysis menu is divided into multiple sections:

  • a general section displaying scan result, the start time, the infection score and signatures where the behavior is ranked from 1 to 10 (1 - No threat detected, 10 - Malicious)

  • a global network section where all traffic is logged

  • filesystem activity

  • mutex activity

  • a section for each process detected during execution

  • registry key activity

  • MITRE ATT&CK matrix


Each dynamic analysis section will have separate tabs for all the operating systems that have analyzed the file.

For more details on the data displayed please see our API documentation.