4. Dynamic analysis

In contrast to multiscanning, which only performs static analysis, MetaDefender Cloud offers the option to dynamically analyze files. Dynamic analysis is the process by which a file is executed (or "detonated") in an isolated virtual environment, often referred to as a sandbox. After detonation, the host operating system is monitored and all interactions are recorded: file operations on disk, registry key changes on Windows machines, network traffic, and so on. From this information an activity report is created, and based on the file's behavior a verdict on its maliciousness is assigned.

The 2 operating systems supported by OPSWAT sandbox on MetaDefender Cloud are:

  • Windows 7 x64

  • Windows 10 x64

The Windows machines come preconfigured with Office 2016, Java 8 Update 191, Acrobat Reader DC 19, Flash ActiveX 29 and Internet Explorer 11.

Here is the list of file types that the Windows sandbox is capable of analyzing:

  • Windows executables: exe and msi

  • Office documents: docm, ppt, xls, dot, docx, doc, pptx, pptm, xlsx, xlsm

  • PDF documents

  • HTML

  • JAR

At this time, we do not support dynamic analysis for files inside archives.

Web Interface

When a file is one of the types listed above but no dynamic analysis has been performed yet, the dynamic analysis tab is displayed to give the user the option of running it for the file:

[Screenshot: the dynamic analysis tab with the option to start analysis]

This tab is only displayed for the file types listed above. Clicking one of the buttons initiates the analysis, which usually takes between 5 and 10 minutes.

Once the process is finished, the dynamic analysis page is displayed:

[Screenshot: the dynamic analysis results page]

The page is broken down into 4 main sections:

  • a general section displaying operating system details, scan result, start time and, most importantly, the infection score

  • a section for each process detected during execution

  • a global network section where all traffic is logged

  • a signatures section where the behavior is ranked from 1 to 20

For more details on the data displayed, please see our API documentation.

At this point, the functionality is still in beta: data structures, as well as API calls, might change in the future. We hope you find the data useful, so please make sure to leave feedback using the button on the page!

Roadmap

A few of the items we are working on:

  • adding support for Android sandbox

  • adding support for more Windows file types

  • improving the data format by eliminating excess or irrelevant information

  • behavior summaries

  • releasing analysis for URLs