Saturday, October 27, 2007

Online Virus scanners & Sandbox

When doing investigations, I commonly come across files that I either suspect are viruses/malware or whose purpose I am not sure of, and I want some help determining what a specific file does before I invest the time to sandbox it on my own and do a dynamic analysis.

The two sites I use most often for AV detection are:

VirusTotal
Jotti

Both of these sites use multiple AV detection engines to scan the file you upload and then present the results, usually within 60 seconds or so. This can give you a head start and an indication of whether you are in fact dealing with a virus or some type of malware. As always, the fact that nothing is detected is not a guarantee that it is not malware; in fact, I have found many executables that come back clean, and then when I do the dynamic analysis it turns out to be malware that the AV companies have not yet included a signature for.

The third site I use has a large database of hash values for known good and known bad files. You can paste the hash value of a file into their web interface and it will tell you whether that hash is in their database, coming back with a green or red indication. Green means an application they recognize by hash as not harmful (e.g. calc.exe or cmd.exe). Red means they recognize the hash value as some type of malware or hacking tool. The site is free, and no registration or information is required to input the hash value of any file and see what their database has on it. If you register with them (free), you can download a Win32 app that adds a right-click (shell extension) option: right-click on any file, select FileAdvisor, and it will hash the file, send it to the database and then display the results. The URL for this service is:

Bit9
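The hash-lookup workflow described above, as an added example that is not part of the original post and not Bit9's own tool: it streams a file through MD5, SHA-1 and SHA-256 and classifies the SHA-256 against a known-good and a known-bad set. The two hash sets are constructed here from sample bytes so the script runs offline; a real deployment would load them from a hash database. The example also shows the caveat the post makes about clean results: a file whose hash is in neither set comes back "unknown", not "green", and changing a single byte of a known file is enough to make it unknown.

```python
import hashlib
import os
import sys

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, read in 1 MiB chunks so
    large executables are not loaded into memory all at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Constructed stand-ins for a known-good / known-bad hash database.
# These are sample bytes, not real binaries or real database entries.
GOOD_SAMPLE = b"MZ constructed stand-in for a known-good binary"
BAD_SAMPLE = b"MZ constructed stand-in for a known-bad binary"
KNOWN_GOOD_SHA256 = {hash_bytes(GOOD_SAMPLE)["sha256"]}
KNOWN_BAD_SHA256 = {hash_bytes(BAD_SAMPLE)["sha256"]}


def classify(sha256_hex, known_good=KNOWN_GOOD_SHA256, known_bad=KNOWN_BAD_SHA256):
    """Map a SHA-256 to the red/green verdict the post describes.
    A hash in neither set is reported as 'unknown': absence from the
    known-bad list is not evidence that the file is harmless."""
    sha = sha256_hex.lower()
    if sha in known_bad:
        return "red"
    if sha in known_good:
        return "green"
    return "unknown"


def triage_file(path):
    """Hash a file on disk and attach the verdict to its digests."""
    digests = hash_file(path)
    return {"path": path, "verdict": classify(digests["sha256"]), **digests}


if __name__ == "__main__":
    # Usage: python hashcheck.py <file> [<file> ...]
    # With no arguments, write the constructed samples to a temp directory
    # and triage those instead so the script demonstrates itself.
    paths = sys.argv[1:]
    if not paths:
        import tempfile
        tmp = tempfile.mkdtemp()
        for name, data in (("good.bin", GOOD_SAMPLE), ("bad.bin", BAD_SAMPLE),
                           ("modified.bin", GOOD_SAMPLE + b"\x00")):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
            paths.append(os.path.join(tmp, name))
    for p in paths:
        result = triage_file(p)
        print(f"{result['verdict']:8} {result['sha256']}  {result['path']}")
```

Only the SHA-256 is used for the verdict; MD5 and SHA-1 are still computed because older hash databases and AV reports are commonly keyed on them, so having all three lets you paste whichever one a given service expects.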

The last site I will mention is a virtual sandbox. You can upload a file and the service will run it and provide all sorts of interesting information about the file, such as what DLLs it loaded; what files it opened, modified or created; any network connections it makes and/or DNS name resolutions it requests; and any registry access. It certainly provides the initial basic information of a dynamic analysis and, quite frankly, has saved me a lot of time in the past. The site is free, although you have to provide an email address to which the link to the report will be sent. If the file is already known to the database, it will tell you it has been submitted in the past and immediately let you view the report. If it hasn't been submitted before, it sandboxes the file and you will receive an email in a few minutes with a link to the full report. This is where Mailinator comes in handy... ;) The URL for this service is:

Sunbelt Sandbox
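The kinds of information a sandbox report gives you (DLLs loaded, files touched, network and DNS activity, registry access) are what an analyst reads first. As an added example, not part of the original post and not the output format of the Sunbelt Sandbox or any other real service, the script below parses a constructed, line-oriented event log in an assumed `KIND target` layout, groups the events into the categories the post lists, and flags a few of the behaviours that justify a deeper manual analysis: a write to an autorun registry key, an executable dropped into a Temp directory, and a modification of the hosts file. The sample uses documentation addresses (203.0.113.0/24, example.com) and made-up paths.

```python
import re
from collections import defaultdict

# Constructed sandbox-style event log. The "KIND target" line format is an
# assumption made for this example, not any real sandbox's report layout.
SAMPLE_REPORT = r"""
LOAD_DLL C:\Windows\System32\kernel32.dll
LOAD_DLL C:\Windows\System32\ws2_32.dll
FILE_CREATE C:\Users\victim\AppData\Local\Temp\updater.exe
FILE_MODIFY C:\Windows\System32\drivers\etc\hosts
DNS_QUERY update.example.com
NET_CONNECT 203.0.113.10:443
REG_WRITE HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
REG_READ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""

EVENT_RE = re.compile(r"^(?P<kind>[A-Z_]+)\s+(?P<target>.+?)\s*$")

# Event kinds mapped onto the report sections the post describes.
CATEGORIES = {
    "LOAD_DLL": "dlls",
    "FILE_OPEN": "files", "FILE_CREATE": "files", "FILE_MODIFY": "files",
    "DNS_QUERY": "network", "NET_CONNECT": "network",
    "REG_READ": "registry", "REG_WRITE": "registry",
}

# Heuristics for behaviour worth a closer look (defender-side triage).
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|$)", re.I)
TEMP_EXE_RE = re.compile(r"\\Temp\\.*\.(exe|dll|scr)$", re.I)
HOSTS_FILE_RE = re.compile(r"\\drivers\\etc\\hosts$", re.I)


def parse_events(text):
    """Turn the report text into a list of (kind, target) tuples,
    skipping blank lines and anything that does not fit the format."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("kind"), m.group("target")))
    return events


def summarize(events):
    """Group events by category: dlls / files / network / registry / other."""
    summary = defaultdict(list)
    for kind, target in events:
        summary[CATEGORIES.get(kind, "other")].append(f"{kind} {target}")
    return dict(summary)


def flag_indicators(events):
    """Return human-readable flags for events that usually justify
    spending the time on a full dynamic analysis."""
    flags = []
    for kind, target in events:
        if kind == "REG_WRITE" and AUTORUN_KEY_RE.search(target):
            flags.append(f"persistence: autorun key written ({target})")
        elif kind == "FILE_CREATE" and TEMP_EXE_RE.search(target):
            flags.append(f"dropped executable in Temp ({target})")
        elif kind == "FILE_MODIFY" and HOSTS_FILE_RE.search(target):
            flags.append(f"hosts file modified ({target})")
    return flags


if __name__ == "__main__":
    evts = parse_events(SAMPLE_REPORT)
    for category, lines in summarize(evts).items():
        print(f"[{category}] {len(lines)} event(s)")
        for line in lines:
            print("   ", line)
    print("\nFlags:")
    for flag in flag_indicators(evts):
        print("  !", flag)
```

The flags are deliberately narrow: a read of a registry key or a DNS lookup on its own is not suspicious, so only the write/create/modify events that match a known persistence or tampering location are raised, which keeps the output short enough to read at a glance before deciding whether to sandbox the file yourself.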

As usual, use at your own risk and take the results with a grain of salt.

If anyone has any other sites they find useful, please feel free to comment and post them.

4 comments:

Paul Wednesday, 14 November, 2007  

We're evaluating CWSandbox at work at the moment: http://www.cwsandbox.org/

bearded one Wednesday, 30 April, 2008  

I am currently using the Norman SandBox: http://www.malwareanalyzer.com

cheap computers Monday, 24 August, 2009  

It provides initial basic information of a dynamic analysis and quite frankly has saved me.

Anonymous Monday, 14 September, 2009  

Try:
http://sourceforge.net/projects/zerowine/


Computer Forensics, Malware Analysis & Digital Investigations