ThreatExpert.com – behavioral file analysis

I had posted earlier about CWSandbox, a service that analyses the behavior of files uploaded to it. ThreatExpert is essentially the same type of service: feed it a file and get a report of what the file tries to do when launched.

It turned out to offer a few features I had not seen in the other sandboxes I have tried so far.

What it does

The site accepts files up to 5MB in size, uploaded through a generic web form or with the provided app. It urges you to register an account, but that is optional; an email address is enough to run a scan.


There is no progress status on the site, either for global server load or for your own request. When it's done you get an email with an archived copy of the report and a link to the online version. When I tried it, processing a file took a bit over six minutes.

Strong features

Aside from generic file and memory information, ThreatExpert provides two features I hadn't seen in online sandboxes so far:

  • a screenshot of the submitted app's interface;
  • the probable country of origin.

Downsides

While the report is neat and easy to understand, I feel there is not much information in it. Network activity (or the lack of it) is not mentioned at all, which matters, since a sample that only phones home or fetches its real payload from a remote host would leave little trace in such a report. The memory information amounts to the fact that a process was created.

Aside from the two unique features mentioned above, there is not much to see in the results.

Overall

The ThreatExpert report is not very extensive, but it does cover core activity and offers some unique features on top. It won't become the single sandbox you need, but it complements other similar services nicely.

Link http://www.threatexpert.com/


2 Comments

  • Looks nice, I've been using CWSandbox a little after your post on it and it is excellent. Has saved me messing around and running the risk of infecting myself.

    Next time I have a false positive to play with or get a dodgy file from somewhere I'll give this one a go…

  • @Jonny

    Nice indeed – this one feels less thorough than CWSandbox but more polished. The usual difference between a research product and a business product, I guess. :)
