Saferwall is an open source malware analysis platform.
It aims at the following objectives:
- Sample sharing between malware researchers.
- Act as an expert system that helps researchers generate automated malware analysis reports.
- Hunting platform for finding new malware.
- Quality assurance for signatures before release.
Specifications
- Static Analysis:
- Crypto hashes, packer identification
- Strings extraction
- Multiple AV scanners with built-in antivirus vendors:
Installation
- git clone https://github.com/saferwall/saferwall
- sudo apt-get install build-essential
- Rename example.env to .env
- make saferwall
- Edit deployments/values.yaml to match your needs.
- Logs are stored in Elasticsearch, as described below:
Current architecture / Workflow:
Here is a basic workflow that occurs when scanning a file:
- The frontend communicates with the backend via REST APIs.
- The backend uploads the sample to object storage.
- The backend sends a message to the scan queue.
- A consumer takes the file and copies it to a shared NFS volume, which avoids copying the sample into every container.
- The consumer calls the scanning services (such as the AV scanners) asynchronously via gRPC and waits for their results.
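As an added illustration of the last step (not Saferwall's own code): a consumer-side fan-out in Go that calls several scanning engines concurrently and waits for all of them, going one step beyond the text by giving each call its own deadline so a stuck engine is reported as an error instead of blocking the whole scan. Scanner, Verdict and DelayedScanner are constructed stand-ins for the gRPC services, not the project's API.

```go
package main

import (
	"context"
	"sync"
	"time"
)
// Verdict is one engine's answer for a sample (assumed shape, not Saferwall's gRPC message).
type Verdict struct {
	Engine   string
	Infected bool
	Err      error // set when the call failed or hit its deadline
}

// Scanner stands in for a service the consumer reaches over gRPC (offline stand-in, assumed shape).
type Scanner struct {
	Name string
	Scan func(ctx context.Context, sample []byte) (bool, error)
}

// ScanAll fans the sample out to every engine concurrently and waits for all of them;
// a per-call deadline stops one hung engine from stalling the whole job.
func ScanAll(scanners []Scanner, sample []byte, timeout time.Duration) []Verdict {
	verdicts := make([]Verdict, len(scanners)) // one slot per engine, so no mutex is needed
	var wg sync.WaitGroup
	for i, s := range scanners {
		wg.Add(1)
		go func(i int, s Scanner) {
			defer wg.Done()
			ctx, cancel := context.WithTimeout(context.Background(), timeout)
			defer cancel()
			infected, err := s.Scan(ctx, sample)
			verdicts[i] = Verdict{s.Name, infected, err} // a timeout lands in Err, never as "clean"
		}(i, s)
	}
	wg.Wait()
	return verdicts
}

// DelayedScanner is a constructed stand-in engine: it answers hit after delay, or context.DeadlineExceeded if the consumer's deadline expires first.
func DelayedScanner(name string, delay time.Duration, hit bool) Scanner {
	return Scanner{Name: name, Scan: func(ctx context.Context, _ []byte) (bool, error) {
		select {
		case <-time.After(delay):
			return hit, nil
		case <-ctx.Done():
			return false, ctx.Err()
		}
	}}
}
```

A real consumer would persist each Verdict (including the error cases) so that a missing engine result is visible in the report rather than silently treated as a clean scan.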
Application snapshots
You can find the project at https://github.com/saferwall/saferwall.