Let's start out by describing the problem, followed by our solution.

We need more than detection

We all know that fast and effective response within the incident response cycle is key. Yes, speed matters, but so do diligence and depth of analysis. Today, dealing with malware is more than the binary question of detecting if a file is good or bad. First of all, there are many shades of grey. Secondly, a full understanding of the impact of a potential threat (why is it bad? what capabilities are present? what underlying network infrastructure is being used?) is vital to a complete IT security workflow. At the very minimum, an analysis system needs to be able to extract embedded Indicators of Compromise ("IOCs") for pre-emptive measures and to detect e.g. a potential breach. Thus far, mostly due to heavy obfuscation and encryption, only actual execution of malware (typically within an isolated environment / sandbox, also known as dynamic analysis) has been able to extract the needed key IOCs (e.g. network IPs, URLs, domains) on a consistent basis. However, standing up a scalable array of sandboxes in order to scan every file comes with a lot of overhead: maintaining an array of VM image snapshots, security updates, filtering out white noise, hardware requirements, limited throughput, etc.

Why are IOCs important?

As mentioned, purely detecting malware is not enough. Only by uncovering potential IOCs, often hidden behind many layers of obfuscation (e.g. an obfuscated VBA macro calling PowerShell, which eventually downloads a file), does it become possible to perform better attribution and to understand the nature of an attack. Furthermore, IOCs lead to detecting other potentially compromised endpoints and allow preemptive protection of assets, e.g. by blocking the underlying network IPs/domains in your firewall (thereby avoiding data corruption and exfiltration).
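As an added example (this is not FileScan.IO's code and not a description of its engine), the following Python script shows the kind of layered IOC extraction this paragraph is about. It takes a constructed command line, of the sort a sandbox or endpoint agent would log when a document macro launches PowerShell, peels off base64 layers (UTF-16LE as PowerShell's -EncodedCommand expects, then UTF-8) and collects the URLs, IPv4 addresses and domains that only become visible after decoding. The sample itself, its hostnames (reserved example/test names and TEST-NET-1 addresses) and the small TLD allowlist standing in for a public suffix list are all assumptions made for the example.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Patterns for the IOC types the text names: URLs, IPv4 addresses and domains.
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# Runs of base64 alphabet long enough (24+ chars) to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumption: a tiny stand-in for the Public Suffix List. It rejects dotted tokens
# such as "powershell.exe" or "Text.Encoding" that merely look like domains.
KNOWN_TLDS = {"com", "net", "org", "io", "de", "test"}


def _printable_text(raw: bytes) -> Optional[str]:
    """Decode bytes as UTF-16LE (what PowerShell -EncodedCommand carries) or UTF-8,
    accepting the result only if it is plain printable ASCII text."""
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def decode_layers(text: str, max_depth: int = 5) -> List[str]:
    """Return the input plus every text layer recovered by base64-decoding blobs
    found in it, recursing into each recovered layer up to max_depth deep."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        found = []
        for chunk in frontier:
            for blob in B64_RE.findall(chunk):
                try:
                    raw = base64.b64decode(blob, validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                decoded = _printable_text(raw)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    found.append(decoded)
        if not found:
            break
        frontier = found
    return layers


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Collect URLs, IPv4 addresses and domains from the text and from every
    base64 layer hidden inside it."""
    urls, ips, domains = set(), set(), set()
    for layer in decode_layers(text):
        for url in URL_RE.findall(layer):
            urls.add(url)
            host = urlparse(url).hostname or ""
            if IPV4_RE.fullmatch(host):
                ips.add(host)
            elif host:
                domains.add(host)
        # Blank out URLs before the bare scans so a path component such as
        # "stage2.bin" is not mistaken for a domain.
        stripped = URL_RE.sub(" ", layer)
        ips.update(IPV4_RE.findall(stripped))
        for cand in DOMAIN_RE.findall(stripped):
            if cand.rsplit(".", 1)[-1].lower() in KNOWN_TLDS:
                domains.add(cand.lower())
    return {"urls": sorted(urls), "ipv4": sorted(ips), "domains": sorted(domains)}


def build_sample() -> str:
    """Constructed sample (not real malware): the command line a sandbox or
    endpoint agent would log when a document macro launches PowerShell. The
    script is base64 over UTF-16LE, as -EncodedCommand expects, and hides a
    second base64 blob; hosts use reserved names and TEST-NET-1 addresses."""
    inner = "c2=192.0.2.10:8080;fallback=backup.example.test"
    inner_b64 = base64.b64encode(inner.encode("utf-8")).decode()
    script = (
        "$u='http://update.example.test/stage2.bin';"
        f"$cfg=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner_b64}'))"
    )
    encoded = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell.exe -NoProfile -EncodedCommand {encoded}"


if __name__ == "__main__":
    sample = build_sample()
    for name, values in extract_iocs(sample).items():
        print(f"{name}: {values}")
```

The point the sample makes is that none of the three IOCs appears in the raw command line, so a hash- or plain-string check sees nothing, while a few cheap decode steps recover them without executing anything. Two design choices matter in practice: URLs are blanked out before the bare domain scan so path components are not reported as hosts, and a domain candidate is only accepted when its last label is a known public suffix; a real extractor would use the full Public Suffix List and add decoders for the other encodings (hex, XOR, compressed streams) that are out of scope here.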

Is sandboxing the silver bullet?

No, because there is more to it: a single execution does not always yield all possible network behavior. The second-stage download server is often chosen at random, and the download may not occur at all because of a host environment mismatch, because the sample sleeps for a day, because it uses anti-analysis features, et cetera. Some of those problems can be solved with spoofing, carefully crafting the environment and so forth. But the bigger problem remains: sandboxing has an issue with scale. An example: running through 100k files a day using a simple sandbox setup is a nightmare. If a single VM can run a file every 7-8 minutes, which is about 200 files per day, then at least 500 VMs would be required to run in parallel to process the example workload. Setting up (and maintaining) a cluster of 500+ virtual machines is expensive at many levels. It requires a sophisticated cloud infrastructure or many, many dedicated servers.


IOC Extraction Today

However, for a low volume of files (and for forensic purposes alike), sandboxing is quite useful. So how do we reduce the workload? Using white-/blacklists helps, but only so much, as they are usually based on the file hash, and modern malware campaigns are carried out with thousands of automatically generated samples that are fresh and unknown. So we had to conclude, as is often the case in IT security: there is no silver bullet.


Our Solution

Today, sophisticated obfuscation renders static analysis tools useless when measured by their ability to extract IOCs consistently. Similarly, traditional dynamic analysis environments ("sandboxing systems") are expensive and difficult to scale and maintain. This is where our journey started. We asked a simple question: what if we could come up with a technology that closes the gap between static analysis and full-blown sandboxing systems? Something that can scan thousands of files for malware in a short period of time, but at the same time also beats the obfuscation layers to get to the "malware gold nuggets" (IOCs) that are so invaluable. All of this with low resource requirements, easy maintenance and high efficacy. This is what we came up with:



Rapid IOC Feedback Loop

FileScan.IO is a next-gen malware assessment platform with the following emphasis:

  • Providing rapid and in-depth threat analysis services capable of massive processing
  • Focus on Indicator-of-Compromise (IOC) extraction and actionable context

More on our architecture and implementation can be found at the Platform Overview page.

Our Mission

FileScan GmbH is an IT-security company from Germany with a lot of passion for malware analysis. We truly believe that a poor technological foundation will cost you twice in the long run. That is why we carefully picked a technology stack and architecture that is flexible, but robust at the same time. Microservices, containerization, automated build pipelines and regression tests are just a few of the pillars of our agile development approach. At the heart of everything is a single mission: stopping malware.


Want more information?

Please take a look around, try our latest version on the free community webservice or just get in touch!