saferwall v0.4 releases: Collaborative and Streamlined Threat Analysis at Scale
saferwall – Collaborative and Streamlined Threat Analysis at Scale
Saferwall allows you to analyze, triage, and classify threats in just minutes.
⭐ Collaborative – Built for security teams and researchers to streamline analysis, identification, and sharing of malware samples.
☁️ Fast & cloud-native – Scalable and cloud-native by design; deploy in minutes to bare metal or to the cloud.
⚡ Save time – Automate cumbersome tasks and generate IoCs and reports with zero friction.
📦 Batteries included – All your favorite tools included, build intelligence feeds for hunting threats or generating signatures.
❤️ Open source first – We are open-source, developer-friendly, and user driven.
- File metadata, packer identification and crypto hashes.
- String (ASCII/Unicode and ASM) extraction.
- PE (Portable Executable) file parser.
- ELF (Executable and Linkable Format) file parser.
- Automated malware analysis using a hypervisor-based VM.
- Intercepting OS system calls to build an execution trace of executable files.
- Generate detailed reports and gain insight into malware behavior.
- Choose which APIs to trace; grab screenshots and file changes as well as memory dumps.
Multiple AV scanners supporting major vendors:

| Vendor | Status | Vendor | Status |
| --- | --- | --- | --- |
| Avast | ✔️ | FSecure | ✔️ |
| Avira | ✔️ | Kaspersky | ✔️ |
| Bitdefender | ✔️ | McAfee | ✔️ |
| ClamAV | ✔️ | Sophos | ✔️ |
| Comodo | ✔️ | Symantec | ✔️ |
| ESET | ✔️ | Windows Defender | ✔️ |
| TrendMicro | ✔️ | DrWeb | ✔️ |
Integrations with your own data processing pipeline.
Current architecture / Workflow:
Here is a basic workflow which happens during a file scan:
- Frontend talks to the backend via REST APIs.
- Backend uploads samples to the object storage.
- Backend pushes a message into the scanning queue.
- Consumer fetches the file and copies it into the NFS share, so the sample is not pulled again by every scanning container.
- Consumer calls the scanning services (such as the AV scanners) asynchronously via gRPC and waits for their results.
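The consumer side of that workflow, as an added example in Go (the language saferwall itself is written in; this is not the project's own code): one queue message is staged into the shared directory under its SHA-256, then every scanning service is called concurrently under a single deadline. `ScanMessage`, `ObjectStore`, `Scanner`, `fakeEngine` and the digest-keyed object layout are assumptions standing in for the real queue, bucket and gRPC clients. Two checks the sketch above leaves implicit are made explicit here: the staged bytes are re-hashed against the key in the message, so a mislabelled or tampered object is rejected before any engine runs, and the file is written temp-then-rename so a scanner never opens a half-copied sample.

```go
package main

import (
	"bytes"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// ScanMessage is the queue message the backend publishes after uploading the
// sample (hypothetical layout: the object key is the sample's hex SHA-256).
type ScanMessage struct{ SHA256 string }

// ObjectStore is an in-memory stand-in for the object storage bucket (key -> bytes).
type ObjectStore map[string][]byte

// Scanner stands in for one gRPC scanning service (an AV engine, a parser, ...).
type Scanner interface {
	Scan(ctx context.Context, path string) (infected bool, err error)
}

// Verdict is one engine's answer; Err is set when the engine failed or timed out.
type Verdict struct {
	Engine   string
	Infected bool
	Err      error
}

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// stageSample pulls the object once and writes it into the shared directory under
// its SHA-256, so every scanning container reads that copy instead of fetching the
// object again. The digest is verified, so a mislabelled or tampered object is
// rejected, and the write is temp-file-then-rename, so no scanner opens a
// half-written sample.
func stageSample(store ObjectStore, shareDir string, msg ScanMessage) (string, error) {
	data, ok := store[msg.SHA256]
	if !ok {
		return "", fmt.Errorf("object %s not found", msg.SHA256)
	}
	if got := digest(data); got != msg.SHA256 {
		return "", fmt.Errorf("digest mismatch: queue says %s, object hashes to %s", msg.SHA256, got)
	}
	dst := filepath.Join(shareDir, msg.SHA256)
	if err := os.WriteFile(dst+".tmp", data, 0o444); err != nil {
		return "", err
	}
	return dst, os.Rename(dst+".tmp", dst)
}

// fanOut calls every scanner concurrently under one shared deadline and waits for
// all of them; a slow or failing engine yields a Verdict with Err set instead of
// blocking or discarding the other engines' results.
func fanOut(path string, scanners map[string]Scanner, timeout time.Duration) []Verdict {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	ch := make(chan Verdict, len(scanners))
	for name, s := range scanners {
		go func(name string, s Scanner) {
			hit, err := s.Scan(ctx, path)
			ch <- Verdict{Engine: name, Infected: hit, Err: err}
		}(name, s)
	}
	verdicts := make([]Verdict, 0, len(scanners))
	for range scanners {
		verdicts = append(verdicts, <-ch)
	}
	return verdicts
}

// fakeEngine simulates a scanning service: it waits delay (or aborts once the
// context expires) and flags the file if it contains needle.
type fakeEngine struct {
	delay  time.Duration
	needle string
}

func (f fakeEngine) Scan(ctx context.Context, path string) (bool, error) {
	select {
	case <-time.After(f.delay):
	case <-ctx.Done():
		return false, ctx.Err()
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return bytes.Contains(data, []byte(f.needle)), nil
}
```

Keying the shared copy by SHA-256 also makes the staging step idempotent: two consumers racing on the same sample write identical bytes to the same path, and the rename makes whichever finishes last harmless.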
- Upload sandbox memdumps and screenshot thumbnails to obj storage #398.
- Upload sandbox desktop screenshots to obj storage #397.
- Sandbox agent health check + basic sysinfo and env data collection #395.
- Push sandbox payload results to the aggregator #391.
- MultiAV: enable McAfee scanning for potentially unwanted programs #387.
- Numerous updates to support different types of messages for the aggregator #383.
- Add methods for the storage internal pkg to support bucket creation.
- Generate thumbnails for the sandbox screenshots and add health checks for VMs.
cluster-autoscaler from helm chart.
- Add documentation with the communication format used between services.
- Add methods for the
- Agent: collect screenshots and memdumps #380.
- Guess file extension and include PE signature #379.
- Curate PE scan results #378.
inlets-operator has been deleted later, and metallb is installed separately from the chart dependencies.
kube-prometheus-stack CRDs and experiment with k3s for local dev.
- [helm] Remove elastic stack that was used for logging #404.
- [helm] Do not include kube-prometheus-stack in main chart & remove elastic stack for logging #403.
- Hosting documentation/blog website in cloudflare #402.
- Set k8s version to the same as prod k8s version and update default user/password values in minio helm chart #392.
- Change protobuf message scheme to support uploading object to s3 #383.
- Bind k8s port forwarding services to
- Bump wait-for and golang docker images.
minio helm chart dependencies.
- Use wine + loadlibrary to make Windows Defender work again, thanks to prsyahmi #386.
- MultiAV: McAfee doesn't report other kinds of malware besides trojans, thanks to prsyahmi #387.
- Do not set the file extension/format when it is not known #381.
- MultiAV upgrade Avast to a newer major release.
Copyright (C) 2018 saferwall