Let's start out by describing the problem, followed by our solution.

We need more than detection

We all know that fast and effective response within the incident response cycle is key. Yes, speed matters, but so does diligence and depth of analysis. Today, dealing with malware and social engineering threats is more than the binary question of a good/bad detection. First of all, there are many shades of grey. Secondly, having full understanding of the impact of a potential threat (why is it bad? what capabilities are present? what underlying network infrastructure is being used?) is vital to a full IT security workflow. At the very minimum, an analysis system needs to be able to extract embedded Indicators of Compromise ("IOCs") for pre-emptive measures and to detect e.g. a potential breach or perform active threat hunting in a post-breach scenario. Thus far, mostly due to heavy obfuscation and encryption, only actual execution of malware (typically within an isolated environment, also known as dynamic analysis) has been able to extract needed key IOCs (e.g. network IPs, URLs, Domains) on a consistent basis. However, standing up a scalable array of virtual machines in order to scan every file (or URL) comes with a lot of overhead. For example, maintaining an array of VM image snapshots, security updates, filtering out white noise, hardware requirements, limited throughput, etc.

Why are IOCs important?

As mentioned, purely detecting malware is not enough. Only by uncovering potential IOCs often hidden behind many layers of obfuscation (e.g. an obfuscated VBA macro calling powershell, which eventually downloads a file), it becomes possible to perform better attribution and understanding of the nature of an attack. Furthermore, IOCs lead to detecting other potentially compromised endpoints and allows preemptive protection of assets e.g. by blocking the underlying network IPs/Domains in your firewall (thereby avoiding data corruption and exfiltration).

Is traditional sandboxing the golden bullet?

No, because IOC extraction is complex: a single execution does not always yield all the possible network behavior, as the second stage download server often depends on a random choice, may not even occur during some host environment mismatch, by going to sleep for a day, using anti-analysis features, et cetera. Some of those problems can be solved with spoofing, carefully crafting the environment and so forth. But the bigger problem remains: traditional sandboxing has an issue with scale. An example: running 100k files a day through a VM cluster quickly becomes a nightmare. If a single VM runs a file every 7-8 minutes, which is about 200 files per day, then at least ~500 VMs would be required to process the example workload. Setting up (and maintaining) a cluster of 500+ virtual machines is expensive at many levels. It requires a sophisticated cloud infrastructure or many, many dedicated servers.

IOC Extraction Today

However, for a low volume of files (and forensic purposes alike), traditional sandboxing becomes a useful add-on in a pipelined approach. So how do we reduce the total input? Using white-/blacklists helps, but only so much, as they are often based on the file hash and a trailing indicator. Modern malware campaigns are performed with thousands of automatically generated malware samples that are fresh and unknown.

Our Solution

Today, sophisticated obfuscation renders static analysis tools useless when measured by their ability to extract IOCs consistently. Similarly, traditional dynamic analysis environments ("sandboxing systems") are expensive and difficult to scale and maintain. This is where our journey started. We asked a simple question: what if we could come up with a technology that closes the gap between static analysis and full-blown VM-based sandboxing systems? Something that can scan thousands of files for malware in a short period of time, but at the same time also beat the obfuscation layers to get to the "malware gold nuggets" (IOCs) that are so invaluable. All of this, but with low resource requirements, easy to maintain and a high efficacy. This is what we came up with:

Rapid IOC Feedback Loop

FileScan.IO is a Next-Gen Sandbox and free malware analysis service. Operating at 10x speed compared to traditional sandboxes with 90% less resource usage, its unique adaptive threat analysis technology also enables zero-day malware detection and more Indicator of Compromise (IOCs) extraction. Key added values:

  • Threat agnostic analysis of files and URLs capable of massive processing due to its scalable architecture
  • Focus on Indicator-of-Compromise (IOC) extraction including actionable context for Incident Response
  • Our proprietary Rapid Dynamic Analysis engine allows targeted attack detection bypassing anti-analysis tricks (e.g. geofencing)
More on our architecture and implementation can be found at the Platform Overview page.

Our Mission

FileScan GmbH is an IT-security company from Germany with a lot of passion for malware analysis. We truly believe that a poor technological foundation will cost you twice in the long run. That is why we carefully picked a technology stack and architecture, which is flexible, but robust at the same time. Microservices, containerization, automated build pipelines and regression tests are just a few pinnacles that surround our agile development approach. At the heart of everything is only a single mission: stopping malware.

UPDATE: FileScan.IO and all of its assets have been acquired by OPSWAT. Read more at our press release.

Want more information?

Please take a look around, try our latest version on the free community webservice or just get in touch at This email address is being protected from spambots. You need JavaScript enabled to view it.