saferwall v0.4 releases: Collaborative and Streamlined Threat Analysis at Scale
Saferwall allows you to analyze, triage, and classify threats in just minutes.
⭐ Collaborative – Built for security teams and researchers to streamline analysis, identification, and sharing of malware samples.
☁️ Fast & cloud-native – Scalable and cloud-native by design, deploy in minutes to bare metal or in the cloud.
⚡ Save time – Automate cumbersome tasks, generate IoCs and reports with zero friction.
📦 Batteries included – All your favorite tools included, build intelligence feeds for hunting threats or generating signatures.
❤️ Open source first – We are open-source, developer-friendly, and user-driven.
Batteries Included
- Static Analysis:
  - File metadata, packer identification and crypto hashes.
  - String (ASCII/Unicode and ASM) extraction.
  - PE (Portable Executable) file parser.
  - ELF (Executable Linkable Format) file parser.
- Dynamic Analysis:
  - Automated malware analysis using a hypervisor-based VM.
  - Intercepting OS system calls to build an execution trace of executable files.
  - Generate detailed reports and gain insight into malware behavior.
  - Choose which APIs to trace, grab screenshots and file changes as well as memory dumps.
- Multiple AV scanners supporting major vendors:

  | Vendor | Status |
  |---|---|
  | Avast | ✔️ |
  | Avira | ✔️ |
  | Bitdefender | ✔️ |
  | ClamAV | ✔️ |
  | Comodo | ✔️ |
  | ESET | ✔️ |
  | TrendMicro | ✔️ |
  | FSecure | ✔️ |
  | Kaspersky | ✔️ |
  | McAfee | ✔️ |
  | Sophos | ✔️ |
  | Symantec | ✔️ |
  | Windows Defender | ✔️ |
  | DrWeb | ✔️ |

- Integrations with your own data processing pipeline.
Current architecture / Workflow:
Here is a basic workflow which happens during a file scan:
- Frontend talks to the backend via REST APIs.
- Backend uploads samples to the object storage.
- Backend pushes a message into the scanning queue.
- Consumer fetches the file and copies it to the NFS share, so the sample does not have to be pulled again by every container.
- Consumer asynchronously calls the scanning services (such as the AV scanners) via gRPC and waits for the results.
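The consumer step described above, as an added illustration and not saferwall's own code: the sample is staged on the share once under its SHA-256 name, then every scanner is called concurrently with a deadline and every verdict, including timeouts, is kept for the aggregator. The `Scanner` interface is an assumed stand-in for the project's gRPC clients.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"os"
	"path/filepath"
	"sync"
	"time"
)
// Scanner is a hypothetical stand-in for one scanning service reached over gRPC.
type Scanner interface {
	Name() string
	Scan(ctx context.Context, path string) (string, error)
}

// ScanResult is one scanner's verdict as handed to the aggregator.
type ScanResult struct {
	Scanner, Verdict string
	Err              error
}

// stageSample stores the sample once under its SHA-256 name; later consumers find it already there.
func stageSample(shareDir string, sample []byte) (string, error) {
	sum := sha256.Sum256(sample)
	path := filepath.Join(shareDir, hex.EncodeToString(sum[:]))
	if _, err := os.Stat(path); err == nil {
		return path, nil // already staged by an earlier consumer, skip the pull
	}
	return path, os.WriteFile(path, sample, 0o444)
}

// fanOutScan calls all scanners concurrently with a per-call deadline, keeping failures for the aggregator.
func fanOutScan(ctx context.Context, scanners []Scanner, path string, timeout time.Duration) []ScanResult {
	results := make([]ScanResult, len(scanners))
	var wg sync.WaitGroup
	for i, s := range scanners {
		wg.Add(1)
		go func(i int, s Scanner) {
			defer wg.Done()
			cctx, cancel := context.WithTimeout(ctx, timeout)
			defer cancel()
			v, err := s.Scan(cctx, path)
			results[i] = ScanResult{s.Name(), v, err} // each goroutine owns its own slot
		}(i, s)
	}
	wg.Wait()
	return results
}
```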
Changelog v0.4
Added
- Upload sandbox memdumps and screenshot thumbnails to object storage #398.
- Upload sandbox desktop screenshots to object storage #397.
- Sandbox agent health check + basic sysinfo and env data collection #395.
- Push sandbox payload results to the aggregator #391.
- MultiAV McAfee: enable scan for potentially unwanted programs #387.
- Numerous updates to support different types of messages for the aggregator #383.
- Add methods for the `storage` internal pkg to support bucket creation.
- Generate thumbnails for the sandbox screenshots and add health checks for VMs.
- Remove `cluster-autoscaler` from the helm chart.
- Add documentation with the communication format used between services.
- Agent: collect screenshots and memdumps #380.
- Guess file extension and include PE signature #379.
- Curate PE scan results #378.
- Add `inlets-operator` and `metallb` charts #376. `inlets-operator` was deleted later, and `metallb` is installed separately from the chart dependencies.
- Add `kube-prometheus-stack` CRDs and experiment with k3s for local dev.
- Add `workflow_dispatch` for the `helm-release` and `release` services job.
Changed
- [helm] Remove the elastic stack that was used for logging #404.
- [helm] Do not include `kube-prometheus-stack` in the main chart & remove the elastic stack for logging #403.
- Host the documentation/blog website on Cloudflare #402.
- Set the k8s version to the same as the prod k8s version and update default user/password values in the minio helm chart #392.
- Change the protobuf message scheme to support uploading objects to s3 #383.
- Bind k8s port-forwarding services to `0.0.0.0`.
- Bump wait-for and golang docker images.
- Bump `yara`, `helm`, `kubernetes`, `exiftool`, `kind`, `kubens/kubectx` and `kube-capacity`.
- Bump `aws-efs-csi-driver`, `ingress-nginx`, `couchbase-operator` and `minio` helm chart dependencies.
Fixed
- Use wine + loadlibrary to make Windows Defender work again, thanks to prsyahmi #386.
- MultiAV McAfee did not report other kinds of malware besides trojans, thanks to prsyahmi #387.
- Do not set the file extension/format when it is not known #381.
- MultiAV: upgrade Avast to a newer major release.
Installation
Copyright (C) 2018 saferwall