MAPS Cloud Scanner
A research tool for interacting with Windows Defender’s MAPS (Microsoft Active Protection Service) cloud-based file reputation and dynamic signature delivery system.
MAPS is the cloud backend that powers Defender’s real-time protection verdicts, sample submission pipeline, and dynamic signature (SDN/DSS) delivery. This tool speaks the same Bond CompactBinaryV1 protocol that the Defender client uses on the wire, enabling direct interaction with MAPS endpoints for security research purposes.
Features
- File Scanning – Submit files to MAPS and receive cloud verdicts (clean, malware, PUA, unknown)
- Hash Lookups – Query file reputation by SHA-256 without submitting the file
- URL Reputation – Check URLs against Defender’s cloud reputation service
- Heartbeat / Connectivity – Test connectivity to MAPS endpoints
- Local Analysis – Analyze PE metadata, imports, sections, and Authenticode signatures offline
- Bond Protocol – Full CompactBinaryV1 serializer/deserializer matching Defender’s wire format
- Payload Inspection – Build, decode, and replay raw Bond payloads for protocol research
- API Fuzzing – Enumerate undocumented endpoints, hidden fields, report types, and server behavior