saferwall: Collaborative and Streamlined Threat Analysis at Scale

by Nam Phong · December 13, 2024

Saferwall allows you to analyze, triage, and classify threats in just minutes.

⭐ Collaborative – Built for security teams and researchers to streamline analysis, identification, and sharing of malware samples.

☁️ Fast & cloud-native – Scalable and cloud-native by design, deploy in minutes to bare metal or in the cloud.

⚡ Save time – Automate cumbersome tasks, generate IoC’s and reports with zero friction.

? Batteries included – All your favorite tools included, build intelligence feeds for hunting threats or generating signatures.

❤️ Open source first – We are open-source, developer-friendly, and user driven.

Static Analysis:
- File metadata, packer identification and crypto hashes.
- String (ASCII/Unicode and ASM) extraction.
- PE (Portable Executable) file parser.
- ELF (Executable Linkable Format) file parser.
Dynamic Analysis:
- Automated Malware Analysis using a Hypervisor based VM.
- Intercepting OS System Calls to build an exeuction trace of executable files.
- Generate detailed reports and gain insight into malware behavior.
- Choose which API’s to trace, grab screenshots and file changes aswell as memory dumps.

Multiple AV scanner supporting major vendors:

Vendors	status	Vendors	status
Avast	✔️	FSecure	✔️
Avira	✔️	Kaspersky	✔️
Bitdefender	✔️	McAfee	✔️
ClamAV	✔️	Sophos	✔️
Comodo	✔️	Symantec	✔️
ESET	✔️	Windows Defender	✔️
TrendMicro	✔️	DrWeb	✔️

Here is a basic workflow which happens during a file scan:

Frontend talks to the backend via REST APIs.
Backend uploads samples to the object storage.
Backend pushes a message into the scanning queue.
Consumer fetches the file and copy it into to the nfs share avoiding to pull the sample on every container.
Consumer calls asynchronously scanning services (like AV scanners) via gRPC calls and waits for results.

If you find our technology report and cybersecurity news helpful, consider supporting our work.