Technical Datasheet

The purpose of this page is to provide Question/Responses to technical questions that are frequently asked.

Category: Compliance Requirements
Feature: Hardware Requirements

Minimum requirements (on premise):

  • Ubuntu Server 22.04 or Red Hat Enterprise Linux 9.5
  • 8 vCPUs (better: 16)
  • 32 GB RAM
  • 256 GB SSD (better: 512 GB)*

Note: if the customer requires more than 25000 scans/day, a custom multi-server setup is necessary and needs to be scoped out with the engineering team.

Due to the low resource requirements and cloud-native capability, MetaDefender Sandbox does not require nested VMs and can be deployed and operated with its proprietary emulation technology running directly on the host system.

More information available: Throughput / Hardware Requirements

* The disk space recommendation assumes default retention settings and an average file size in the single-digit MB range. If very large files are submitted in large quantities, the total disk size has to be much larger or the retention settings stricter.

Feature: Minimum Cloud Requirements

AWS EC2 instances:

  • 5000 scans/day: r6a.xlarge
  • 10000 scans/day: m6a.2xlarge
  • 25000 scans/day: c6a.4xlarge
Category: Performance
Feature: System performance

25000 scans/day is the peak performance for a single-server deployment. This translates to roughly 1000 scans/hour. A higher throughput is possible, but requires a multi-server setup.

Feature: Average Processing Time

The average processing time per scan is ~20 seconds. In production it is currently ~12 seconds/scan, but this varies widely based on the input mix.

Feature: Supported file types

Side-by-side comparison including dynamic analysis available: Supported File Types.

Files:

APK, ASF, BAT, DLL, DOC, DOCM, DOCX, DOT, DOTM, DOTX, ELF, EML, HTA, HTML, HWP, Java, JScript, JSE, LNK, MBOX, OLE, PDF, PE, POT, POTM, POTX, PowerShell, PPAM, PPSX, PPT, PPTM, PPTX, PUB, RFC822, RTF, SCT, SVG, VBScript, WSF, XLS, XLSM, XLSX, XLTM, XLTX, etc.

Click here to see all the supported file types

Note: the maximum (default) file size is 100MB per upload, but can be configured (on premise only).

Note #2: the MIME type is detected automatically regardless of the provided file suffix.

Archives Supported

7Z, ACE, BZIP2, CAB, GTAR, GZIP, LZIP, ISO, RAR, TAR, ZIP

More information available: Supported File Types.

Feature: Maximum File Size

Default: 2000MB

Note: all file size limits can be configured.

Feature: Maximum parallel uploads (part of an archive)

Default: 1000 executables, 10 documents, 10 other

Category: Integrations
Feature: API
  • OpenAPI specification, including a Swagger documentation available via the webservice
  • Python pip package as a convenience tool that wraps around the API
  • Includes full system management (administration), as well as file/URL scanning and threat graph search
Feature: YARA

  • Automated, repeated download of a configurable list of GitHub repositories. All downloaded YARA rules are filtered and compiled into a performant .yarc file, which is then applied to the input file and to all extracted/downloaded child objects.
  • On premise: ability to add custom YARA rules
Feature: SIEM
  • On premise: a CEF (common event format) syslog feedback can be configured to integrate with a SIEM system (e.g. IBM QRadar, Splunk)
  • Web UX / API: includes a “query generator” that, for selected IOCs, generates a query that can be used to pivot to e.g. CrowdStrike’s platform and continue threat hunting
Feature: MITRE

All proprietary generic threat indicators are mapped to the appropriate MITRE ATT&CK tactic and technique (where applicable).

Feature: E-Mail

  • On premise: the backend “broker” can be configured to ingest e-mail files from a Postfix server
  • Webservice: a full IMAP integration is available that polls a mailbox and ingests any inbound e-mail; it also includes e-mail management (e.g. the option to delete the ingested e-mail)

Feature: OSINT
  • VirusTotal
  • ClamAV
  • YARA (see above)
  • OPSWAT Reputation Service
Feature: MD Core

The sandbox engine is also available as part of an integration with MD Core. More details: MD Core Adaptive Sandbox Engine Features

Feature: SOAR
  • Palo Alto - Cortex XSOAR
  • Splunk SOAR
  • Assemblyline 4

Full list: https://docs.opswat.com/filescan/integrations

Category: Reporting
Feature: Report Formats

The following report formats are available and exportable via the UX or API:

  • Single-file HTML
  • Single-file PDF
  • MISP
  • STIX (2.1)
Category: Threat Intelligence
Feature: Search

MetaDefender Sandbox includes a threat graph and extensive searching capabilities (e.g. a prevalence search to identify other reports that shared the same IOCs within a specified time frame).

Example: Advanced Search / Examples

As of MetaDefender Sandbox 1.8.0, a new Threat Intelligence Similarity search feature is available, which enables detection of unknown threats. Read more here.

Feature: Storage

On premise: data is stored locally within the on-premise instance and no data is shared with third parties.

Cloud: data is stored locally within the managed instance and no data is shared with third parties.

Category: Deployment and Maintenance
Feature: Deployment

The deployment is fully automated and takes about 25-30 minutes depending on internet connectivity. See more under Installation.

Note: the solution may be installed and operated in an air-gapped environment. See Offline Installation.

Feature: CIS Compliance

MetaDefender Sandbox can be installed on a hardened Linux system that complies with the Level 1 profile of the CIS Benchmarks.
Feature: Retention

Administrators can configure a retention period (in days). Once the retention period for a report has elapsed, all files stored in relation to that report are deleted. It is also possible to configure whether the report itself should be deleted from the system. By default, the retention period is set to 365 days and report deletion is turned off.
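The retention rule described above, as an added example that is not part of the datasheet or the product's own code: a small sweep that, for constructed report records (hypothetical ids and file paths), returns which stored files and which report records should be removed for a given retention period, using the stated defaults (365 days, report deletion off). The exact expiry comparison (strictly older than the retention period) is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Defaults as stated in the datasheet: 365-day retention, report deletion off.
DEFAULT_RETENTION_DAYS = 365
DEFAULT_DELETE_REPORTS = False


@dataclass
class Report:
    report_id: str
    created: date
    files: list = field(default_factory=list)  # stored artifacts tied to the report


def apply_retention(reports, today, retention_days=DEFAULT_RETENTION_DAYS,
                    delete_reports=DEFAULT_DELETE_REPORTS):
    """Return (files_to_delete, reports_to_delete, surviving_reports).

    Assumption: a report has expired once it is strictly older than
    retention_days. For an expired report every related file is removed;
    the report record itself goes only if delete_reports is enabled,
    otherwise it survives with an empty file list.
    """
    cutoff = today - timedelta(days=retention_days)
    files_to_delete, reports_to_delete, surviving = [], [], []
    for r in reports:
        if r.created < cutoff:
            files_to_delete.extend(r.files)
            if delete_reports:
                reports_to_delete.append(r.report_id)
                continue  # record and files both gone
            r = Report(r.report_id, r.created, [])  # keep record, files gone
        surviving.append(r)
    return files_to_delete, reports_to_delete, surviving


# Constructed sample records (hypothetical ids and paths), evaluated on 2025-01-15.
SAMPLE_REPORTS = [
    Report("rpt-old", date(2023, 1, 10), ["rpt-old/sample.bin", "rpt-old/memdump.raw"]),
    Report("rpt-recent", date(2024, 12, 1), ["rpt-recent/sample.docx"]),
]
TODAY = date(2025, 1, 15)


def run_defaults():
    return apply_retention(SAMPLE_REPORTS, TODAY)


def run_with_report_deletion():
    return apply_retention(SAMPLE_REPORTS, TODAY, delete_reports=True)
```

With the defaults only the old report's files are scheduled for deletion while its record survives; enabling report deletion removes the record as well.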
Category: Capability
Feature: Zero-Day / Unknown Malware Detection

Due to the “adaptive dynamic analysis” technology, which can manipulate the control flow to always satisfy environment/conditional checks (e.g. geofencing, anti-analysis), MetaDefender Sandbox excels at detecting zero-day malware and extracting threat intelligence data (e.g. IOCs). Many examples are also tweeted on the official Filescan Twitter account.

Feature: Memory Dump Analysis

Yes, memory dump analysis is supported, but only for the initial process. For PEs, the following unpackers are supported:

  • ASPack: Advanced commercial packer with a high compression ratio
  • FSG: Freeware, fast to unpack
  • MEW: Specifically designed for small binaries
  • MPRESS: Free, more complex packer
  • PEtite: Freeware packer, similar to ASPack
  • UPX: Cross-platform, open source packer
  • YZPack

The unpacked payload is then disassembled and all code branches are inspected for API call chains and threat indicators.

Feature: Sleep Reduction / Anti-Evasion

Both are supported. Sleep reduction is implemented within the dynamic analysis modules. Anti-evasion is implemented using adaptive dynamic analysis (see above).

Category: Licensing
Feature: OEM

Yes, OEM and custom logos are supported. Please get in touch with Hamid Karimi and his team for details.

Feature: Enterprise

All MetaDefender Sandbox SKUs are already available and can be quoted via SFDC.

Category: Evaluation
Feature: POC

Cloud (public): filescan.io

On premise

POC Guide: API Workflow Guide
