FileScanIO is a next-gen malware analysis platform with the following purpose:
- Providing rapid and in-depth threat analysis services capable of massive processing
- Focus on Indicator-of-Compromise (IOC) extraction and actionable context
Today, a major problem in threat detection is that static analysis tools do not go deep enough. They often fail to extract relevant Indicators of Compromise (IOCs) because of sophisticated, often multi-layered, obfuscation or encryption. This creates the need for a second-stage sandbox, which in general does not scale well, is expensive to maintain and operate, and produces reports that are complex to work with. As a consequence, not every file is properly assessed and overall visibility is impaired. We discuss this in more depth on the Why FileScan? page.
The FileScanIO analysis platform fills this gap and takes traditional static analysis to the next level. Our motto: go deeper, but at speed and scale. The platform includes proprietary emulators, interpreters and algorithms that can reliably defeat heavy obfuscation and identify, extract and evaluate key elements from a wide range of file types. This significantly reduces the total number of files that need to be analyzed by a sandbox. In many cases, all relevant IOCs are extracted and then enriched with metadata from a variety of Open Source Intelligence (OSINT) integrations. Overall, the platform enables threat hunters and incident response teams to react much more quickly and improves overall visibility. All of the reporting data is presented in an easy-to-understand format (see UX Impressions for some examples). Thanks to the well-documented and simple API, integrating the system into your workflow is very easy.
The following diagram outlines where FileScanIO is situated in a typical data processing funnel:
As obfuscated and packed files are becoming more and more common, the FileScanIO deep analysis engine significantly reduces the total number of files that need to be sent to a sandbox system. White- and blacklist reputation checks can be configured to further optimize the processing pipeline.
The following diagram is a very high-level view of the system architecture:
High-Level Architecture of FileScan.IO
Note: the FileScanIO Broker ("fsBroker") receives files and redistributes them for processing to one or more underlying application processor nodes (referred to as "fsTransform"). The broker accepts files either via the exposed API or from configurable file system paths / network shares. The processor node is the heart of the analysis system, as it contains all of the in-depth analysis capabilities (e.g. extracting embedded files from OLE containers, decompiling JAR files, deobfuscating VBA, emulating PowerShell, etc.).