SANS ISC: Are you looking to setup your own Malware Sandbox?

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Most of you are familiar with the Cuckoo sandbox but there is another open source sandbox out there called IRMA (Incident Response Malware Analysis) with a different twist, it supports multiple antivirus engines. If your sandbox isn't separated by airgap, it can also query Virustotal by adding your own API key.

The recommended hardware requirements are listed here but you can also download a pre-package appliance here. A list of all available scanning engines is listed here. However, in order to get some of the additional engines installed (ClamAV is pre-installed) on the appliance, I needed to add the following packages:

apt-get install libqt4-xml
apt-get install libqtgui4
apt-get install libqt4-network
apt-get install libqt4-sql

Here is an example of a malware file scanned using multiple AV engines:

The final report looks like this:

I was able to add the AVG scanning engine not listed in the master probe list using the following:

apt-get install gdebi
wget http://download.avgfree.com/filedir/inst/avg2013flx-r3118-a6926.i386.deb
gdebi avg2013flx-r3118-a6926.i386.deb

[1] http://www.cuckoosandbox.org
[2] http://irma.quarkslab.com/index.html
[3] http://irma.quarkslab.com/install.html
[4] https://irma.readthedocs.org/en/latest/
[5] http://irma.quarkslab.com/download/1.2.1/irma-1.2.1.ova
[6] https://github.com/quarkslab/irma/blob/master/probes/analyzers.rst

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu