MetaDefender for Malware Analysis

Uncover Hidden Threats in Seconds with Next-Gen Malware Analysis

Fast, Accurate, Efficient, and Scalable Sandbox Solutions

  • 10x Faster Than Traditional Sandboxes
  • 100x Higher Volume File Analysis
  • <1 Hour Setup for Immediate Protection
  • 25k+ Sandbox Scans per Day on Just One Server

Welcome to the Era of Adaptive Threat Analysis

Whether you are looking for rich reports or best-in-class protection to enhance your cybersecurity posture, our adaptive threat analysis technology offers organizations scalable solutions, flexible deployment options, and enhanced resource efficiency for comprehensive malware analysis.

MetaDefender Sandbox

Standalone dynamic threat analysis with rich reporting for SOC managers and threat hunters.

Adaptive Sandbox for MetaDefender Cloud

Adaptive Sandbox module for MetaDefender Cloud that integrates with Deep CDR, Multiscanning, and other modules.

Adaptive Sandbox for MetaDefender Core

Adaptive Sandbox module for MetaDefender Core with on-prem and hybrid deployment for rapid threat analysis.

Evolving Challenges of Modern Threat Management

Powered by emulation-based technology, MetaDefender Sandbox tackles these challenges by streamlining SOC alert triaging and enabling dynamic, real-time file analysis across your security framework. It reduces resource demands, eliminates the need for extensive infrastructure, and supports both cloud-native and on-premises deployments tailored for critical environments.

Adaptive Threat Landscape

Evasive techniques bypass traditional analysis methods.

Delayed Response in SOCs

Inefficient alert triaging delays incident resolution.

Real-Time Analysis Barriers

Network-level file scanning remains unattainable.

Resource-Intensive Processes

Handling large file volumes requires significant infrastructure.

Lack of Cloud-Native Support

Not optimized for seamless cloud integration.

Complex Deployment and Maintenance

High upkeep and difficult setups strain operational teams.

OPSWAT Emulation-Based Sandbox Technology

Rapid Scanning, Easy Deployment

Static and Dynamic Threat Analysis

Flexible Integrations

Simple and Automated Operation

Traditional Sandboxes Are No Longer an Option

Traditional Sandbox vs. MetaDefender Sandbox

Speed
  Traditional Sandbox: Slow (5-10 minutes per analysis)
  MetaDefender Sandbox: Fast, up to 10x faster than traditional sandboxes

Scalability
  Traditional Sandbox: Not cloud-native (e.g., AWS EC2 instances do not allow nested virtualization); requires hardware (VMs)
  MetaDefender Sandbox: Fully cloud-native with auto-scaling capabilities

Resource Usage
  Traditional Sandbox: High resource requirements, with a locked-in application stack/OS per instance
  MetaDefender Sandbox: Highly resource-efficient, 100x more volume

Detection Evasion
  Traditional Sandbox: Easy to fingerprint and vulnerable to custom evasion tricks
  MetaDefender Sandbox: Adaptive execution environment, bypassing sophisticated anti-analysis techniques

Best Use Case
  Traditional Sandbox: Forensic analysis and exploit detection
  MetaDefender Sandbox: Effective against modern threats like scripts and documents; counters highly evasive, multi-layered attacks

Speed and Accuracy Across the Entire Malware Analysis Pipeline

Add the layers of adaptive threat analysis to your malware analysis pipelines to enhance your security posture and respond more effectively to evolving threats.

Threat Intelligence

  • Reputation Checks
  • Milliseconds
  • Quickly cross-checks input data against known bad hashes and whitelists.

Deep Static Analysis

  • Static Fast-Pass
  • Up to a few seconds
  • Conducts initial static analysis in less than a second, bypassing common obfuscation techniques.

Dynamic Fast-Pass

  • 10 seconds on average
  • Uses emulation within a lightweight virtualization layer for fast, adaptive threat detection.

Boost Efficacy Rates up to 99.7% when combining Reputation Service with Sandbox’s Deep Static Analysis & Dynamic Fast-Pass.

MetaDefender Reputation Service API verifies hashes, IPs, domains, and URLs, while Sandbox extracts and dynamically inspects IOCs. These complementary technologies work together to achieve a near 100% detection rate for a robust defense system.

Based on an internal benchmark; results may vary.

Comprehensive Sandbox Reporting

Overview of our cybersecurity software's capabilities, including sample analysis, malware family decoding, disassembly unpacking, similarity search, and more.

Synthetic (Fabricated) Sample

This sample is a purpose-built example that highlights the diverse capabilities of MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox).

Crafted to showcase real-world cyber threats, it embeds multiple files and file types inside each other, effectively demonstrating our solution's strength in adaptive threat analysis, behavioral analysis, and advanced security measures.

Geofencing

Malicious documents employing geofencing have become a significant cybersecurity threat. These files use location-based triggers, which makes detection and mitigation challenging. Adaptive Threat Analysis stands out from traditional approaches by accurately emulating and falsifying the expected geolocation values, effectively neutralizing the tactic and improving our ability to protect against such threats.

In the sample provided below, we can observe geofencing malware attempting to execute only within a specific country. Our solution bypasses this restriction, as described above, by emulating the expected geolocation values, demonstrating its capability to counter geofencing-based threats.

Phishing Detection

By rendering suspicious websites and subjecting them to our advanced machine learning engine we're capable of identifying nearly 300 brands. In the example provided below, you can witness a Russian website masquerading as a computer gaming company known as Steam. Our solution excels in comparing the site's content to the genuine URL, swiftly identifying such fraudulent attempts to safeguard your digital assets and personal information.

Offline URL Reputation

The offline URL detector ML model provides a new layer of defense by effectively detecting suspicious URLs, offering a robust means to identify and mitigate threats posed by malicious links. It leverages a dataset containing hundreds of thousands of URLs, meticulously labeled as either no threat or malicious by reputable vendors, to assess the feasibility of accurately detecting suspicious URLs through machine learning techniques.

It is important to note that this feature is particularly useful in air-gapped environments where online reputation lookups are not available.

Malware Config Extraction of a Packed Sample

The sample below is malware packed with UPX. Despite its attempt to evade detection and defenses, our analysis successfully unpacked the payload, exposing its true identity as a Dridex Trojan. We were able to uncover the malware configuration, shedding light on the malicious intent behind this threat and extracting valuable IOCs.

Similarity Search

Using the Similarity Search functionality, the sandbox detected a file closely resembling a known malware sample. Notably, this file had previously been marked as non-malicious, revealing the potential for false negatives in our security assessments. This discovery allows us to specifically target and rectify these overlooked threats.

It is important to highlight that Similarity Search is highly valuable for threat research and hunting, as it can help uncover samples from the same malware family or campaign, providing additional IOCs or relevant information about specific threat activities.

Native Executable

Our disassembling engine revealed intriguing findings within the target sample. Surprisingly, this sample monitors the system time using the uncommon rdtsc instruction and accesses an internal, undocumented Windows structure commonly used for various malicious tricks. These unusual actions raise questions about its purpose and underscore the need for further investigation to assess potential risks to the system.

.NET Executable

The sample under examination was built with the .NET Framework. While we refrain from displaying the actual CIL, our decompilation process extracts and presents noteworthy information, including strings, registry artifacts, and API calls.

In addition, we parse the .NET metadata to identify .NET-specific functions and resources. This allows us to extract detailed information about the assembly, such as methods, classes, and embedded resources, which is critical for analyzing the behavior and structure of .NET applications.

Shellcode Emulation

Many application exploits carry their final payload in raw binary form (shellcode), which can be an obstacle when parsing the payload. With our shellcode emulation we can discover and analyze the behavior of the final payload; in this example, for a widely exploited Office vulnerability in the Equation Editor. This opens the door to gathering the relevant IOCs.

Highly Obfuscated VBA Macro

Obfuscated VBA macros make it hard to deliver a reasonable response time against active threats. The unclear code turns analysis and understanding of the threat into a highly complex task that demands a lot of time and effort. Our VBA emulation technology overcomes these challenges and provides a comprehensive analysis of an obfuscated VBA macro, together with clear insights into its functionality, in seconds.

The analyzed sample is an Excel document with highly obfuscated VBA code that drops and runs a .NET DLL file, together with a LNK file in charge of continuing the malware execution chain. After VBA emulation, MetaDefender Sandbox identifies the launched processes and the main deobfuscating function, automatically extracts obfuscated strings, and saves the dropped files (previously hardcoded and encrypted in the VBA code). This rapidly shows the main purpose of the malware and enables further analysis of the threat.

Sandbox Evasion via Task Scheduler

Using Windows Task Scheduler to execute malicious payloads at a later time is a stealthy technique for evading sandbox environments, seen in recent threats. It exploits the delay in execution to bypass the short analysis window typical of sandboxes.

The following sample is an obfuscated VBScript that downloads the malicious payload and creates a scheduled task to run it 67 minutes later. Traditional sandboxes keep the execution alive for only a few minutes, so the malicious behavior would never be exposed. Our VBScript emulator, on the other hand, detects and overcomes this evasion technique (T1497), adapting the execution environment to continue the analysis and delivering the full report in 12 seconds.

.NET Reflection

.NET Reflection is a powerful feature of the .NET Framework that allows programs to inspect and manipulate the structure and behavior of a .NET file at runtime. It enables the examination of assemblies, modules, and types, as well as the ability to dynamically create instances of types, invoke methods, and access fields and properties.

Malware can use reflection to dynamically load and execute code from assemblies that are not referenced at compile time, allowing it to fetch additional payloads from remote servers (or hidden in the current file) and execute them without writing them to disk, reducing the risk of detection.

In this case, we can see how the analyzed VBScript loads and runs a .NET assembly directly in memory from bytes stored in a Windows registry value.

XOR Decrypting Payload Stored in PE Resource

This feature reveals hidden artifacts encrypted inside PE resources. Malicious artifacts are often encrypted to evade detection and obscure the true intent of the sample. Uncovering them is essential, as they typically contain critical data (such as C2 information) or payloads. By extracting them, the sandbox can perform a deeper scan with a higher chance of identifying the most valuable IOCs.

This sample stores its encrypted artifacts using XOR, a simple but effective way to evade detection. By analyzing patterns in the encrypted data, the encryption key can be guessed, allowing the hidden artifacts to be decrypted.
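The key-recovery idea described above (an XOR-encrypted PE artifact whose key is guessed from byte patterns), as an added Python example; this is not OPSWAT's code, and the PE-like payload, the 3-byte key and the resource blob are all constructed inline so it runs offline.

```python
"""Recover a repeating-key XOR key from an encrypted PE-like resource blob.

Heuristic: PE images are dominated by 0x00 padding, so for each key position
the most frequent ciphertext byte is almost certainly 0x00 XOR key[i], i.e.
the key byte itself. A candidate key is accepted only if the decrypted data
carries the 'MZ' signature and the DOS stub text (known plaintext).
"""
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are identical."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key(blob: bytes, key_len: int) -> bytes:
    """For each key offset, take the most common ciphertext byte as the key byte."""
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def looks_like_pe(data: bytes) -> bool:
    """Known-plaintext check: MZ signature plus the standard DOS stub string."""
    return data[:2] == b"MZ" and DOS_STUB in data


def recover_payload(blob: bytes, max_key_len: int = 16):
    """Try key lengths 1..max_key_len; return (key, plaintext) or None."""
    for key_len in range(1, max_key_len + 1):
        key = guess_key(blob, key_len)
        plain = xor_bytes(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe(size: int = 4096) -> bytes:
    """Constructed stand-in for a dropped PE: MZ header, DOS stub, zero padding."""
    header = b"MZ" + b"\x00" * 58 + b"\x80\x00\x00\x00"   # e_lfanew placeholder
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB + b"\r\r\n$"
    code = bytes((i * 37) % 256 for i in range(512))      # pseudo-random 'code'
    return (header + stub + code).ljust(size, b"\x00")


SAMPLE_KEY = b"\x5a\xc3\x17"                                 # constructed 3-byte key
ENCRYPTED_RESOURCE = xor_bytes(build_fake_pe(), SAMPLE_KEY)  # constructed resource

if __name__ == "__main__":
    recovered = recover_payload(ENCRYPTED_RESOURCE)
    if recovered is None:
        print("no key found")
    else:
        key, plain = recovered
        print("key:", key.hex(), "valid PE:", looks_like_pe(plain))
```

The same heuristic fails cleanly on data without a recognizable plaintext (the function returns None), which is the signal to fall back to other key-guessing strategies.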

Detonator - The Endless Quest for the Perfect Sandbox

The Story Behind OPSWAT’s Leading Malware Analysis Solution

Unlock New Ways to Utilize Sandbox

Discover how OPSWAT is bringing adaptive threat analysis-based sandboxing out of the SOC and all the way to the network perimeter.

ICAP and Sandbox

Malware scanning for web and file transfers via ICAP.

Kiosk and Sandbox

Secure environments from peripheral and removable media threats in utilities, healthcare, and defense.

Storage Security and Sandbox

Scans and sanitizes all files transferred on a network to protect against unknown threats.

Filescan.io Community

Uncover hidden threats with insightful malware analysis powered by OPSWAT's MetaDefender Sandbox technology—try it free.

Industries

Purpose-Built for Every Sector

  • Energy & Utility

    Transfer critical infrastructure data between IT-OT securely.

  • Manufacturing

    Transfer operational updates into and operational data out of critical sites

  • Government

    Transfer classified documents, and sensitive government data.

  • Finance

    Transfer sensitive customer information and trade secrets.

  • Healthcare

    Transfer of patient and medical records between systems.

  • Media

    Transfer large video files across sites and external partners.

Resources

Learn More About MetaDefender Sandbox

  • Whitepaper

    Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware

  • Datasheet

    MetaDefender Sandbox Datasheet

    See more stats and technical specifications in this datasheet

  • Customer Story

    Scaling Threat Detection with MetaDefender Sandbox

    How a Cybersecurity Solutions Provider Efficiently Protects Data and Communications With OPSWAT

  • Documentation

    MetaDefender Sandbox Documentation

    See additional information and technical resources.

  • Blog

    Malware Analysis Blog

    The latest practical insights and best practices for managing cybersecurity operations from OPSWAT, including incident response, vulnerability management, and optimizing security posture.

  • EBOOK

    The Need for Smarter Sandboxes

    Evolving Malware Detection and Threat Analysis

  • Blog

    Validated Speed & Security: Venak Security’s AMTSO-Aligned Test Confirms MetaDefender Sandbox Leadership

    OPSWAT's MetaDefender Sandbox underwent a rigorous Venak Security evaluation, following the AMTSO Sandbox Evaluation Framework—and didn’t just meet the benchmark, it redefined it.

  • Buyers' Guide

    The Buyer’s Guide to Sandbox Technology

    How to Choose the Right Malware Analysis Solution for Evasive Threats

Frequently Asked

MetaDefender Sandbox FAQs

Emulation-Based Advantages

MetaDefender Sandbox uses adaptive sandbox technology. This makes it faster and more resource-efficient than traditional sandboxes, which often rely on costly and hard-to-maintain virtual machines. Additionally, unlike many traditional sandboxes, MetaDefender Sandbox is cloud native by design, offering flexible cloud deployment options.

Thanks to its adaptive, emulation-based approach, MetaDefender Sandbox adjusts its execution pathway based on the required environment and conditions to safely detonate covert malware that would otherwise remain dormant and undetected. In the case of geofencing, when the code checks for location data, MetaDefender Sandbox can emulate multiple outcomes—far more dynamic than a limited virtual machine.

Deployment Options

MetaDefender Sandbox can be deployed on-premises, in the cloud, or in air-gapped environments, providing flexibility and aiding compliance with various security requirements.

Cloud deployment allows organizations to scale quickly and integrate the latest threat intelligence in real time, bringing Sandbox to the perimeter. Due to its speed and inline capabilities, Sandbox enhances overall security responsiveness and can be offered as part of other use cases whereas traditional sandboxes live in the SOC.

Yes, it is designed for high-security operations, allowing it to function effectively in air-gapped environments by supporting offline updates and configurations.

Integration and Usability

This integration enhances functionality, enabling broader threat intelligence usage and supporting various security protocols and services, such as ICAP and email scanning.

MetaDefender Sandbox supports a wide range of integrations including ICAP for web security, direct email integration for secure attachment scanning, and more, facilitating seamless operations within existing security infrastructures.

Absolutely, MetaDefender Sandbox offers various configuration options that can be tailored to specific security requirements and workflows.

Cost and Investment

Pricing varies based on deployment size and customer needs, with both subscription and sub-licensing (OEM) options available.

Investing in MetaDefender Sandbox leads to significant savings by preventing costly security breaches and improving malware detection and response capabilities.

Maintenance is lower compared to traditional sandboxes, with periodic updates needed for threat engines and software, managed automatically in cloud deployments.

Technical Support and Maintenance

OPSWAT provides customized support for these deployments, including tailored installation procedures and dedicated technical assistance.

It requires periodic updates to maintain effective threat detection. OPSWAT offers streamlined processes for updating systems, especially in on-premises and air-gapped setups.

OPSWAT provides online tutorials, webinars, and comprehensive user guides to ensure effective usage of MetaDefender Sandbox.

A trial period is offered, including full access to its capabilities, allowing organizations to evaluate its fit within their security landscape before making a full commitment.

CYBERSECURITY ATTACKS ARE ON THE RISE

Talk to an OPSWAT Expert Today

OPSWAT is a leader in cybersecurity solutions because we understand the risks and challenges that modern organizations face. We've developed threat intelligence capabilities that enable your team to understand threats and respond faster than ever.

Get started with our team today to discover our security intelligence solutions.