Technical Datasheet

The purpose of this page is to provide Question/Responses that may be used as part of a RFP process. It’s basically a more complete version of OPSWAT_FileScan_Datasheet.pdf going into more technical details, where needed.

Category	Feature	OPSWAT Filescan Compliance
Requirements	Hardware Requirements	Minimum requirements (on premise): Ubuntu Server 20.04 8 vCPUs (better: 16) 16GB RAM (better: 32) 32GB SSD (better: 128-256) Note: if the customer requires more than 25000 scans/day, a custom multi-server setup is necessary and needs to be scoped out with the engineering team. Due to the low resource requirements and cloud-native capability, OPSWAT Filescan does not require nested VMs and can be deployed and operate with its proprietary virtualization technology directly on the host system. More information available: Throughput / Hardware Requirements here.
	Minimum Cloud Requirements	AWS: 5000 scans/day: t3a.2xlarge 10000 scans/day: c4.4xlarge 25000 scans/day: c4.8xlarge
Performance	System performance	25000 scans/day is the peak performance for a single-server deployment. This translates to roughly ~1000 scans/hour. A higher throughput is possible, but will require a multi-server setup.
	Average Processing Time	The average processing time per scan is ~20 seconds. On production, it is currently ~12 seconds/scan, but this varies widely based on the input mix.
	Supported file types	Side-by-side comparison including dynamic analysis available: Supported File Types. Files: APK, ASF, BAT, DLL, DOC, DOCM, DOCX, DOT, DOTM, DOTX, ELF, EML, HTA, HTML, HWP, Java, JScript, JSE, LNK, MBOX, OLE, PDF, PE, PE, POT, POTM, POTX, Powershell, PPAM, PPSX, PPT, PPTM, PPTX, PUB, RFC822, RTF, SCT, SVG, VBScript, WSF, XLS, XLSM, XLSX, XLTM, XLTX Note: the maximum (default) file size is 100MB per upload, but can be configured (on premise only). Note #2: the MIME type is detected automatically regardless of the provided file suffix.
	Archives Supported	7Z, ACE, BZIP2, CAB, GTAR, GZIP, LZIP, ISO, RAR, TAR, ZIP More information available: Supported File Types.
	Maximum File Size	Default in 1.6.3: 100MB Default in 1.7.0: 2000MB Note: all file size limits can be configured
	Maximum parallel uploads (part of an archive)	Default in 1.6.3: 5 Default in 1.7.0: 1000 executables, 10 documents, 10 other
Integrations	API	OpenAPI specification, including a Swagger documentation available via the webservice Python pip package as a convenience tool that wraps around the API Includes full system management (administration), as well as file/URL scanning and threat graph search
	YARA	Automated, repeated download of a configurable list of GitHub repositories. All downloaded YARA rules are filtered and compiled to a performant .yarc file, as well as applied to the input file and all extracted/downloaded child objects. On premise: ability to add custom YARA rules
	SIEM	On premise: a CEF (common event format) syslog feedback can be configured to integrate with a SIEM system (e.g. IBM QRadar, Splunk) Web UX / API: includes a “query generator” that will, for selected IOCs, generate a query that can be used to pivot to e.g. Crowdstrike’s platform and continue threat hunting
	MITRE	All proprietary generic threat indicators are mapped to the appropriate MITRE ATT&CK tactic and technique (if applicable)
	E-Mail	On premise: the backend “broker” can be configured to ingest E-Mail files from a postfix server Webservice: we have a full “IMAP” integration that can be polled and ingest any inbound E-Mail, including E-Mail management (e.g. the option to delete the ingested E-Mail)
	OSINT	VirusTotal ClamAV YARA (see above) OPSWAT
	MD Core	Filescan is also available as part of an integration with MD Core. More details: MD Core Engine
Reporting	Report Formats	The following report formats are available and exportable via the UX or API: Single-file HTML Single-file PDF MISP STIX (2.1)
Threat Intelligence	Search	OPSWAT Filescan includes a threat graph and extensive searching capabilities (e.g. a prevalence search to identify other reports that shared the same IOCs within a specified time frame). Example: Advanced Search / Examples
	Storage	On premise: it is stored locally within the on premise instance and no data is shared with third-parties. Cloud: it is stored locally within the managed instance and no data is shared with third-parties.
Deployment and Maintenance	Deployment	The deployment is fully automated and takes about 45-60 minutes depending on the internet connectivity. See more in the Installation. Note: the solution may be operated in an air-gapped environment. If an air-gapped deployment is required, an OVF (VMWare) image as “software appliance” can be provided and is available.
	Retention	For the administrator it is possible to configure a retention period (in days). After the retention period is over for a report, all the files which are stored in relation with that report will be deleted. It is also possible to configure if the report itself should be deleted from the system. By default the retention is turned off, the retention period is set to 365 days and report deletion is off.
Capability	Zero-Day / Unknown Malware Detection	Due to the “adaptive dynamic analysis” technology, which can manipulate the control flow to always satisfy environment/conditional checks (e.g. geofencing, anti-analysis), OPSWAT Filescan excels at detecting zero-day malware and extracting threat intelligence data (e.g. IOCs). Many great examples are also tweeted on the official Filescan Twitter account.
	Memory Dump Analysis	Yes, we support memory dump analysis. However, only for the initial process. For PEs, we support the following unpackers: ASPack: Advanced commercial packer with a high compression ratio FSG: Freeware, fast to unpack MEW: Specifically designed for small binaries MPRESS: Free, more complex packer PEtite: Freeware packer, similar to ASPack UPX: Cross-platform, open source packer YZPack The unpacked payload is then disassembled and all code branches are inspected for API call chains and threat indicators.
	Sleep Reduction / Anti-Evasion	Both supported. The sleep reduction is implemented within the dynamic analysis modules. Anti-evasion is implemented using adaptive dynamic analysis (see above).
Licensing	OEM	Yes, we support OEM and custom logos. Please get in touch with Chad Loeven and his team for details.
	Enterprise	All OPSWAT Filescan SKUs are already available and can be quoted via SFDC.
Evaluation	POC	Cloud: filescan.io On premise

Single-Server Deployment Architecture

More information in the OPSWAT Product documentation (User Guide).

Multi-Server Setup

Last updated on

Was this page helpful?