CWSandbox – automated online malware analysis

cwsandbox_icon While antivirus scanners and online tools like VirusTotal can give you assessment is file a known malware, they do nothing for unknown one. Running software in sandboxed environment is best way to get details on actions program performs. Still setting up properly secured sandbox with relevant tools is not something common.

CWSandbox is online service that runs file you submit through automated sandbox analysis.

What it does

CWSandbox allows to submit files (up to 16MB) and ZIP archives (with up to 50 files) through simple browser upload. After that it queues submission and later runs it through series of tests.


After analysis is done you can proceed to results page on site or wait until link is mailed to you. Analysis runs for two minutes and during that time all file, registry and network activity that comes from app is logged.

Strong features

  • much safer than own sandbox;
  • thorough analysis;
  • report in multiply formats.


While report is nothing that can’t be achieved with right tools (like Process Monitor) CWSandbox has great advantage of remote system that takes away risk of executing dangerous stuff.

It may be not as definitive in determining malware but provides invaluable details on what software actually tries to do when run.

Link http://www.cwsandbox.org/

Related Posts


  • Transcontinental #

    Now this is most interesting because indeed, the logical brain path of thoughts is that, if tools like Virustotal are great they do deal with installed files, when it seems so obvious that analyzing an install application before actually installing anything is the recommendation! Thanks Rarst, because your article brings an answer to what have been my thoughts since yesterday, this is odd :)
  • Rarst #

    @Transcontinental You are welcome. And with amount of anti-malware stuff I post about it had to click with your thoughts sooner or later. ;)
  • Rush #

    This seems to have a lot of potential. I couldnt access it yesterday, but it's working now. I have a pretty extensive A/V software and test library with a couple thousand examples, that are great for detection rate testing. I've kind of wondered what some of them do, but never really felt like booting them in a naked VM and monitoring the changes. This looks to be a good lazy mans alternative. In the past Ive always had to bring up a test machine and run last 100, reg snapshot, hijack this and what changed. A lot of text to go through, and less than interesting. It will be interesting to do it once or twice and compare results with theirs. It also seems like if I had a buddy who has problem (and I always do) with an app that keeps crashing on install, that wasn't necessarily malware, it would be easier to push him the link and have him push me the results, than to have him upload it to me and messing with it myself. Another good find. Thanks!
  • Rarst #

    @Rush Isn't it nice when some tool does the work for you? Some tasks like setting up proper sandbox are so troublesome that it lose lose - either you don't start or you spend stupid amount of time building and maintaining it. It's good there are people who aren't afraid of latter. :) I'll go spend some more insane time on my Google Charts plugin.
  • Anonymous #

    The CWSandbox service has moved to http://www.mwanalysis.org/
  • Rarst #

    @Anonymous Thanks for heads up, hadn't visited site in a while.