Technical Datasheet

The purpose of this page is to provide question/response pairs that may be used as part of an RFP process. It is a more complete version of OPSWAT_FileScan_Datasheet.pdf, going into more technical detail where needed.

Category / Feature / OPSWAT Filescan Compliance
Requirements

Hardware Requirements

Minimum requirements (on premise):

  • Ubuntu Server 20.04
  • 8 vCPUs (better: 16)
  • 16GB RAM (better: 32)
  • 32GB SSD (better: 128-256)

Note: if the customer requires more than 25000 scans/day, a custom multi-server setup is necessary and needs to be scoped out with the engineering team.

Due to its low resource requirements and cloud-native design, OPSWAT Filescan does not require nested VMs: it can be deployed and operated, using its proprietary virtualization technology, directly on the host system.

More information is available under Throughput / Hardware Requirements.

Minimum Cloud Requirements

AWS:

  • 5000 scans/day: t3a.2xlarge
  • 10000 scans/day: c4.4xlarge
  • 25000 scans/day: c4.8xlarge
Performance

System performance

25000 scans/day is the peak performance for a single-server deployment. This translates to roughly 1000 scans/hour. A higher throughput is possible but requires a multi-server setup.
Average Processing Time

The average processing time per scan is ~20 seconds. In production it is currently ~12 seconds/scan, but this varies widely based on the input mix.
Supported file types

Side-by-side comparison including dynamic analysis available: Supported File Types.

Files:

APK, ASF, BAT, DLL, DOC, DOCM, DOCX, DOT, DOTM, DOTX, ELF, EML, HTA, HTML, HWP, Java, JScript, JSE, LNK, MBOX, OLE, PDF, PE, POT, POTM, POTX, Powershell, PPAM, PPSX, PPT, PPTM, PPTX, PUB, RFC822, RTF, SCT, SVG, VBScript, WSF, XLS, XLSM, XLSX, XLTM, XLTX

Note: the maximum (default) file size is 100MB per upload, but can be configured (on premise only).

Note #2: the MIME type is detected automatically regardless of the provided file suffix.

Archives Supported

7Z, ACE, BZIP2, CAB, GTAR, GZIP, LZIP, ISO, RAR, TAR, ZIP

More information available: Supported File Types.

Maximum File Size

Default in 1.6.3: 100MB

Default in 1.7.0: 2000MB

Note: all file size limits can be configured.

Maximum parallel uploads (part of an archive)

Default in 1.6.3: 5

Default in 1.7.0: 1000 executables, 10 documents, 10 other

Integrations

API
  • OpenAPI specification, including a Swagger documentation available via the webservice
  • Python pip package as a convenience tool that wraps around the API
  • Includes full system management (administration), as well as file/URL scanning and threat graph search
YARA
  • Automated, repeated download of a configurable list of GitHub repositories. All downloaded YARA rules are filtered and compiled to a performant .yarc file, as well as applied to the input file and all extracted/downloaded child objects.
  • On premise: ability to add custom YARA rules
SIEM
  • On premise: a CEF (common event format) syslog feedback can be configured to integrate with a SIEM system (e.g. IBM QRadar, Splunk)
  • Web UX / API: includes a “query generator” that will, for selected IOCs, generate a query that can be used to pivot to e.g. Crowdstrike’s platform and continue threat hunting
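The CEF syslog feedback mentioned above is only described on this page, not specified. The following is an added example, written for this page and not Filescan's own CEF implementation or event schema, of what such a feed has to get right before a SIEM such as QRadar or Splunk can parse it: the CEF header (`CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension`), the different escaping rules for header fields (`|`, `\`) and extension values (`=`, `\`, line breaks), and a parser on the receiving side to confirm a round trip. The report field names, the verdict strings and their severity mapping, and the sample report itself are constructed assumptions.

```python
import re
import socket

# Constructed sample scan summary; field names and verdict strings are
# assumptions for this example, not Filescan's report schema.
SAMPLE_REPORT = {
    "report_id": "rpt-0001",                 # constructed
    "engine_version": "1.7.0",               # version number taken from this page
    "scanned_at_ms": 1700000000000,          # constructed epoch milliseconds
    "verdict": "malicious",
    "file_name": "invoice|q3.docm",          # pipe included to exercise escaping
    "sha256": "0" * 64,                      # placeholder, not a real hash
    "mitre": ["T1059.001", "T1566.001"],
    "summary": "Macro launches a child process; args contain key=value pairs",
}

# Assumed verdict-to-severity mapping (CEF severity is an integer 0-10).
SEVERITY = {"malicious": 9, "likely_malicious": 7, "suspicious": 5, "no_threat": 1}
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")   # start of an extension key
ESC_RE = re.compile(r"\\(.)")                      # one escape sequence


def cef_escape_header(value) -> str:
    # Header fields: escape the backslash first, then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value) -> str:
    # Extension values: escape backslash and '=', encode line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(cef_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def verdict_to_cef(report) -> str:
    """Map a sandbox verdict onto CEF; custom strings go into cs1/cs2 with labels."""
    return build_cef(
        "OPSWAT", "Filescan", report.get("engine_version", "unknown"),
        "scan.verdict", f"Scan verdict: {report['verdict']}",
        SEVERITY.get(report["verdict"], 3),
        {
            "rt": report["scanned_at_ms"],          # CEF receipt time, epoch ms
            "fname": report["file_name"],
            "fileHash": report["sha256"],
            "cs1Label": "reportId", "cs1": report["report_id"],
            "cs2Label": "mitreTechniques", "cs2": ",".join(report["mitre"]),
            "msg": report["summary"],
        })


def split_cef_header(line):
    """Return the seven header fields and the raw extension, honouring escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # escaped char: keep it literally
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":                              # unescaped delimiter
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    return fields, line[i:]


def parse_cef_extension(ext):
    """Split 'k=v k2=v2 ...' where values may contain spaces and escaped '='."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = ESC_RE.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line):
    fields, ext = split_cef_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields[0] = fields[0][len("CEF:"):]
    return dict(zip(HEADER_KEYS, fields)), parse_cef_extension(ext)


def send_syslog_udp(line, host="127.0.0.1", port=514, facility=1, severity=6):
    """Send one CEF line as a BSD-syslog datagram with a PRI prefix."""
    pri = facility * 8 + severity
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(f"<{pri}>{line}".encode(), (host, port))


if __name__ == "__main__":
    print(verdict_to_cef(SAMPLE_REPORT))
```

The parser is the check a practitioner should keep next to the emitter: if a file name containing `|` or a summary containing `=` does not survive `parse_cef(verdict_to_cef(...))` unchanged, the SIEM will mis-tokenise the event and the hash or report id lands in the wrong field.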
MITRE

All proprietary generic threat indicators are mapped to the appropriate MITRE ATT&CK tactic and technique (if applicable).
E-Mail
  • On premise: the backend “broker” can be configured to ingest E-Mail files from a postfix server
  • Webservice: a full IMAP integration that polls a mailbox and ingests any inbound E-Mail, including E-Mail management (e.g. the option to delete the ingested E-Mail)
OSINT
  • VirusTotal
  • ClamAV
  • YARA (see above)
  • OPSWAT
MD Core

Filescan is also available as part of an integration with MD Core. More details: MD Core Engine
Reporting

Report Formats

The following report formats are available and exportable via the UX or API:

  • Single-file HTML
  • Single-file PDF
  • MISP
  • STIX (2.1)
Threat Intelligence

Search

OPSWAT Filescan includes a threat graph and extensive searching capabilities (e.g. a prevalence search to identify other reports that shared the same IOCs within a specified time frame).

Example: Advanced Search / Examples

Storage

On premise: all scan data and reports are stored locally within the on-premise instance; no data is shared with third parties.

Cloud: all scan data and reports are stored locally within the managed instance; no data is shared with third parties.

Deployment and Maintenance

Deployment

The deployment is fully automated and takes about 45-60 minutes depending on internet connectivity. See the Installation guide for details.

Note: the solution may be operated in an air-gapped environment. If an air-gapped deployment is required, an OVF (VMware) image can be provided as a “software appliance”.

Retention

The administrator can configure a retention period (in days). Once the retention period has elapsed for a report, all files stored in relation to that report are deleted. Whether the report itself is also deleted from the system is configurable. By default, retention is turned off, the retention period is set to 365 days, and report deletion is off.
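As an added example (written for this page, not Filescan's own retention job), the retention policy above expressed as a sweep that an administrator could dry-run: the three knobs (enabled, period in days, delete-report) take the page's defaults, a report is expired only once its age exceeds the period, expired reports lose their stored files, and the report record itself is removed only when report deletion is enabled. The report structure, the clock value and the file paths are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionConfig:
    """Defaults as stated on the page: off, 365 days, report deletion off."""
    enabled: bool = False
    period_days: int = 365
    delete_report: bool = False


@dataclass
class Report:
    report_id: str
    created_at: datetime      # timezone-aware
    files: list               # stored artifacts tied to this report (constructed paths)


@dataclass
class SweepPlan:
    files_to_delete: list = field(default_factory=list)
    reports_to_delete: list = field(default_factory=list)


def plan_sweep(reports, cfg: RetentionConfig, now: datetime) -> SweepPlan:
    """Decide what a retention run would remove without touching anything."""
    plan = SweepPlan()
    if not cfg.enabled:
        return plan                                  # retention off: nothing expires
    if cfg.period_days < 0:
        raise ValueError("retention period must be non-negative")
    period = timedelta(days=cfg.period_days)
    for r in reports:
        if now - r.created_at <= period:             # period not yet over
            continue
        plan.files_to_delete.extend(r.files)         # files always go once expired
        if cfg.delete_report:                        # report record only if enabled
            plan.reports_to_delete.append(r.report_id)
    return plan


def apply_sweep(store: dict, plan: SweepPlan) -> dict:
    """Apply a plan to an in-memory store {report_id: Report}.

    A real job would unlink the files on disk; here the list is just emptied so
    the 'files deleted, report kept' outcome is visible."""
    owner = {f: r for r in store.values() for f in r.files}
    for f in plan.files_to_delete:
        owner[f].files.remove(f)
    for rid in plan.reports_to_delete:
        store.pop(rid)
    return store


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)       # constructed clock


def sample_store() -> dict:
    """Constructed reports: clearly expired, exactly at the boundary, and recent."""
    return {
        "old": Report("old", NOW - timedelta(days=400),
                      ["/data/old/sample.bin", "/data/old/dropped.dll"]),
        "edge": Report("edge", NOW - timedelta(days=365), ["/data/edge/sample.bin"]),
        "new": Report("new", NOW - timedelta(days=10), ["/data/new/sample.bin"]),
    }


if __name__ == "__main__":
    cfg = RetentionConfig(enabled=True)
    print(plan_sweep(sample_store().values(), cfg, NOW))
```

Running `plan_sweep` with the default `RetentionConfig()` returns an empty plan, which is the behaviour to expect on a fresh install until an administrator turns retention on.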
Capability

Zero-Day / Unknown Malware Detection

Due to its “adaptive dynamic analysis” technology, which can manipulate the control flow to always satisfy environment/conditional checks (e.g. geofencing, anti-analysis), OPSWAT Filescan excels at detecting zero-day malware and extracting threat intelligence data (e.g. IOCs). Many great examples are also tweeted on the official Filescan Twitter account.
Memory Dump Analysis

Yes, memory dump analysis is supported, but only for the initial process. For PE files, the following unpackers are supported:

  • ASPack: Advanced commercial packer with a high compression ratio
  • FSG: Freeware, fast to unpack
  • MEW: Specifically designed for small binaries
  • MPRESS: Free, more complex packer
  • PEtite: Freeware packer, similar to ASPack
  • UPX: Cross-platform, open source packer
  • YZPack

The unpacked payload is then disassembled and all code branches are inspected for API call chains and threat indicators.

Sleep Reduction / Anti-Evasion

Both supported. The sleep reduction is implemented within the dynamic analysis modules. Anti-evasion is implemented using adaptive dynamic analysis (see above).
Licensing

OEM

Yes, we support OEM and custom logos. Please get in touch with Chad Loeven and his team for details.
Enterprise

All OPSWAT Filescan SKUs are already available and can be quoted via SFDC.
Evaluation

POC

Cloud: filescan.io

On premise

Single-Server Deployment Architecture

More information in the OPSWAT Product documentation (User Guide).

Multi-Server Setup
