Most of you are familiar with the Cuckoo sandbox, but there is another open source sandbox out there called IRMA (Incident Response Malware Analysis) with a different twist: it supports multiple antivirus engines. If your sandbox isn't separated by an airgap, it can also query VirusTotal once you add your own API key.

The recommended hardware requirements are listed here, but you can also download a pre-packaged appliance here. All available scanning engines are listed here. However, in order to get some of the additional engines installed on the appliance (ClamAV is pre-installed), I needed to add the following packages:

    apt-get install libqt4-xml

Here is an example of a malware file scanned using multiple AV engines:
The final report looks like this:

I was able to add the AVG scanning engine not listed in the master probe list using the following:

    apt-get install gdebi

[1] http://www.cuckoosandbox.org
Guy, ISC Handler, Dec 5th 2015
Does this also do statistical analysis for you or only AV processing?
Anonymous, Dec 5th 2015
Can you expand on what you mean by statistical analysis? It does mainly AV analysis; you can also query past analysis. It is still in early stages, but I'm sure you can make requests for additional functionality to the developers.
Guy, ISC Handler, Dec 5th 2015
Sorry. I meant to say behavioral analysis. You mentioned Cuckoo in your article, which does this type of analysis. It actually runs the file and records its behavior, whereas it sounds like this other product just uses multiple AV engines to conduct scanning of the file against signatures.
Anonymous, Dec 7th 2015
It does basic behavioral analysis using the Static Analyzer. However, the report produced is still very basic but helpful.
Guy, ISC Handler, Dec 7th 2015