Analysis Modules

The analysis modules currently available in MultiScanner are listed by category below.

AV Scans
AVG 2014                       Scans sample with AVG 2014 anti-virus.
ClamAVScan                     Scans sample with ClamAV.
McAfeeScan                     Scans sample with McAfee AntiVirus Command Line.
Microsoft Security Essentials  Scans sample with Microsoft Security Essentials.
Metadefender                   Interacts with OPSWAT Metadefender Core 4 Version 3.x, polling Metadefender for scan results.
vtsearch                       Searches VirusTotal for the sample’s hash and downloads the report if available.
VFind                          Runs the CyberSoft VFind anti-malware scanner, part of the VFind Security Toolkit.

Database
NSRL                           Looks up a hash in the National Software Reference Library.

Sandbox Detonation
Cuckoo Sandbox                 Submits a sample to a Cuckoo Sandbox cluster for analysis.
FireEye API                    Detonates the sample in FireEye AX via FireEye’s API.
VxStream                       Submits a file to a VxStream Sandbox cluster for analysis.

Machine Learning
MaliciousMacroBot              Triages Office files with MaliciousMacroBot.

Metadata
entropy                        Calculates the Shannon entropy of a file.
ExifToolsScan                  Scans sample with Exif tools and returns the results.
fileextensions                 Determines possible file extensions for a file.
floss                          FireEye Labs Obfuscated String Solver; uses static analysis techniques to deobfuscate strings from malware binaries.
impfuzzy                       Calculates a fuzzy hash using ssdeep on Windows PE imports.
libmagic                       Runs libmagic against the files to identify filetype.
MD5                            Generates the MD5 hash of the sample.
officemeta                     Extracts metadata from Microsoft Office documents.
pdfinfo                        Extracts feature information from PDF files using pdf-parser.
PEFile                         Extracts features from EXE files.
pehasher                       Computes pehash values using a variety of algorithms: totalhash, anymaster, anymaster_v1_0_1, endgame, crits, and pehashng.
SHA1                           Generates the SHA1 hash of the sample.
SHA256                         Generates the SHA256 hash of the sample.
ssdeep                         Generates context triggered piecewise hashes (CTPH) for files. More information can be found on the ssdeep website.
Tika                           Extracts metadata from the sample using Tika.
TrID                           Runs TrID against a file.
UAD                            Runs the CyberSoft Universal Atomic Disintegrator (UAD) tool, part of the VFind Security Toolkit.

Signatures
YaraScan                       Scans the sample with Yara and returns the results.

Configuration Options

Parameters common to all modules are listed in the next section, followed by notes and module-specific parameters for those that have them.

Common Parameters

The parameters below may be used by all modules.

Parameter             Description
path                  Location of the executable.
cmdline               An array of command line options to be passed to the executable.
host                  The hostname, port, and username of the machine that will be SSH’d into to run the analytic if the executable is not present on the local machine.
key                   The SSH key used to SSH into the host.
replacement path      If the main config is set to copy the scanned files, this is what the path is replaced with. It should be where the network share is mounted.
ENABLED               When set to false, the module will not run.

[Cuckoo]

This module submits a file to a Cuckoo Sandbox cluster for analysis.

Parameter             Description
API URL               The URL to the API server.
WEB URL               The URL to the Web server.
timeout               The maximum time a sample will run.
running timeout       An additional timeout: if a task is still in the running state this many seconds past timeout, the task is considered failed.
delete tasks          When set to True, tasks will be deleted from Cuckoo after detonation. This prevents filling up the Cuckoo machine’s disk with reports.
maec                  When set to True, a MAEC JSON-based report is added to the Cuckoo JSON report. NOTE: Cuckoo needs MAEC reporting enabled to produce results.

[ExifToolsScan]

This module scans the file with Exif tools and returns the results.

Parameter             Description
remove-entry          A Python list of ExifTool results that should not be included in the report. File system level attributes are not useful and are stripped out.

[FireEyeAPI]

This module detonates the sample in FireEye AX via FireEye’s API. This “API” version replaces the “FireEye Scan” module.

Parameter             Description
API URL               The URL to the API server.
fireeye images        A Python list of the VMs in FireEye. These are used to generate where to copy the files.
username              Username on the FireEye AX.
password              Password for the FireEye AX.
info level            Options are concise, normal, and extended.
timeout               The maximum time a sample will run.
force                 If set to True, will rescan if the sample matches a previous scan.
analysis type         0 = sandbox, 1 = live.
application id        For AX Series appliances (7.7 and higher) and CM Series appliances that manage AX Series appliances (7.7 and higher), setting the application value to -1 allows the AX Series appliance to choose the application. For other appliances, setting the application value to 0 allows the AX Series appliance to choose the application.

[floss]

This module extracts ASCII, UTF-8, stack and obfuscated strings from executable files. More information about module configuration can be found at the flare-floss documentation.

[impfuzzy]

This module calculates a fuzzy hash using ssdeep, with the Windows PE import table as the input. This strategy was originally described in a blog post from JPCERT/CC.

[libmagic]

This module runs libmagic against the files.

Parameter             Description
magicfile             The path to the compiled magic file you wish to use. If None, it will use the default one.

[Metadefender]

This module runs Metadefender against the files.

Parameter             Description
timeout               The maximum time a sample will run.
running timeout       An additional timeout: if a task is still in the running state this many seconds past timeout, the task is considered failed.
fetch delay seconds   The number of seconds the module waits between submitting all samples and polling for scan results. Increase this value if Metadefender is taking a long time to store the samples.
poll interval         The number of seconds between successive queries to Metadefender for scan results. Default is 5 seconds.
user agent            Metadefender user agent string; refer to your Metadefender server configuration for this value. Default is “user agent”.

[NSRL]

This module looks up hashes in the NSRL database. These two parameters are automatically generated. Users must run the nsrl_parse.py tool in the utils/ directory before using this module.

Parameter             Description
hash_list             The path to the NSRL database on the local filesystem, containing the MD5 hash, SHA1 hash, and original file name.
offsets               A file that contains the pointers into the hash_list file. This is necessary to speed up searching of the NSRL database file.
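As an added illustration of why the offsets file makes NSRL lookups fast (this is not MultiScanner's nsrl_parse.py, whose on-disk format the page does not describe): a hash list sorted by MD5 is indexed once by MD5 prefix, so a query seeks straight to its bucket and scans only that bucket instead of the whole file. The record layout and the hashes below are constructed for the example, and the index is kept as an in-memory dict rather than written to an offsets file.

```python
import os
import tempfile

PREFIX_LEN = 2  # bucket records by the first two hex digits of the MD5

# Constructed sample hash list, sorted by MD5 ("md5,sha1,filename" per line).
SAMPLE_RECORDS = [
    ("0cbc6611f5540bd0809a388dc95a615b", "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", "test.txt"),
    ("d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709", "empty.bin"),
    ("d8e8fca2dc0f896fd7cb4cb0031ba249", "4e1243bd22c66e76c2ba9eddc1f91394e57f9f83", "hello.txt"),
]


def build_offsets(hash_list_path: str) -> dict:
    """Byte offset at which each MD5 prefix first appears (the role of the NSRL
    module's 'offsets' file); built in one sequential pass over the sorted list."""
    offsets = {}
    with open(hash_list_path, "rb") as f:
        while True:
            pos = f.tell()
            line = f.readline()
            if not line:
                break
            offsets.setdefault(line[:PREFIX_LEN].decode().lower(), pos)
    return offsets


def lookup(hash_list_path: str, offsets: dict, md5: str):
    """Seek to md5's bucket and scan only until the prefix changes."""
    md5 = md5.lower()
    prefix = md5[:PREFIX_LEN]
    if prefix not in offsets:
        return None  # no record shares this prefix, so no match is possible
    with open(hash_list_path, "rb") as f:
        f.seek(offsets[prefix])
        for line in f:
            rec_md5, sha1, name = line.decode().rstrip("\n").split(",", 2)
            if not rec_md5.startswith(prefix):
                break  # sorted order: past the bucket means no match
            if rec_md5 == md5:
                return {"md5": rec_md5, "sha1": sha1, "filename": name}
    return None


def demo(md5: str):
    """Write SAMPLE_RECORDS to a temporary hash_list, index it, and query md5."""
    with tempfile.TemporaryDirectory() as d:
        hash_list = os.path.join(d, "hash_list")
        with open(hash_list, "w") as f:
            f.writelines(",".join(rec) + "\n" for rec in SAMPLE_RECORDS)
        return lookup(hash_list, build_offsets(hash_list), md5)
```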

[officemeta]

This module extracts metadata from Microsoft Office documents.

Note: This module does not support OOXML documents (e.g., docx, pptx, xlsx).

[pdfinfo]

This module extracts feature information from PDF files. It uses pdf-parser.

[PEFile]

This module extracts feature information from EXE files. It uses pefile, which is currently not available for Python 3.

[ssdeeper]

This module generates context triggered piecewise hashes (CTPH) for the files. More information can be found on the ssdeep website.

[Tika]

This module extracts metadata from the file using Tika. For configuration of the module see the tika-python documentation.

Parameter             Description
remove-entry          A Python list of Tika results that should not be included in the report.

[TrID]

This module runs TrID against the files. The definition file should be in the same folder as the executable.

[vtsearch]

This module searches VirusTotal for the file’s hash and downloads the report if available.

Parameter             Description
apikey                Public or private API key. This can optionally be a list, in which case requests are distributed across the keys. This is useful when two groups with private API keys want to share the load and reports.

[VxStream]

This module submits a file to a VxStream Sandbox cluster for analysis.

Parameter             Description
BASE URL              The base URL of the VxStream server.
API URL               The URL to the API server (include the /api/ in this URL).
API Key               The user’s API key to the API server.
API Secret            The user’s secret to the API server.
Environment ID        The environment in which to execute the sample (if you have different sandboxes configured).
Verify                Set to false to ignore TLS certificate errors when querying the VxStream server.
timeout               The maximum time a sample will run.
running timeout       An additional timeout: if a task is still in the running state this many seconds past timeout, the task is considered failed.
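The timeout / running timeout pair shared by the Cuckoo, Metadefender and VxStream modules, as an added example that is not MultiScanner's own code: the sandbox is expected to stop the sample after timeout seconds, and the module keeps polling for at most running timeout seconds beyond that before it gives up and marks the task failed. The status strings, the FakeSandbox stand-in and the fake clock are constructed for the example, and applying the same budget to a task that never leaves the pending state is an assumption the page does not make.

```python
import time
from typing import Callable, List


def wait_for_task(get_status: Callable[[], str], timeout: float,
                  running_timeout: float, poll_interval: float = 5.0,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll get_status() until the task is "reported" or "failed", or the time
    budget (timeout + running_timeout) is exhausted; returns the verdict.
    running_timeout is the extra grace a task may stay "running" past the
    sandbox's own timeout before it counts as failed (the documented rule); a
    task stuck in "pending" gets the same budget so the loop ends (assumed)."""
    deadline = clock() + timeout + running_timeout
    while True:
        status = get_status()
        if status in ("reported", "failed"):
            return status
        if clock() >= deadline:
            return "failed"  # still running/pending past the grace period
        sleep(poll_interval)


class FakeSandbox:
    """Constructed stand-in for a sandbox API: replays a scripted status list
    (the last entry repeats) and advances a fake clock instead of sleeping."""

    def __init__(self, statuses: List[str]) -> None:
        self.statuses, self.now, self.polls = list(statuses), 0.0, 0

    def status(self) -> str:
        self.polls += 1
        return self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]

    def clock(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate(statuses: List[str], timeout: float, running_timeout: float,
             poll_interval: float = 5.0):
    """Run wait_for_task against FakeSandbox; returns (verdict, polls, elapsed)."""
    sb = FakeSandbox(statuses)
    verdict = wait_for_task(sb.status, timeout, running_timeout,
                            poll_interval, sb.clock, sb.sleep)
    return verdict, sb.polls, sb.now
```

With timeout 60 and running timeout 30, simulate(["running"], 60, 30, poll_interval=10) gives up after 90 simulated seconds, while a task that reports within the budget returns "reported" as soon as the poll sees it.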

[YaraScan]

This module scans the files with Yara and returns the results. You will need yara-python installed for this module.

Parameter             Description
ruledir               The directory to look for rule files in.
fileextensions        A Python array of all valid rule file extensions. Files not ending in one of these will be ignored.
ignore-tags           A Python array of Yara rule tags that will not be included in the report.