Monday, 23 July 2012

VirusTotal += Behavioural Information

There has already been some Twitter buzz around this even though we have not announced it publicly yet; indeed, some of you have already noticed it:


We have introduced behavioural information in our reports. The idea behind this is that the samples submitted to VirusTotal get executed automatically in a controlled (sandboxed) environment and the actions performed are recorded in order to give the analyst a high level overview of what the sample is doing.

Please note that there are already fantastic sandboxes out there, most notably:
We do not intend to compete against any of them; our aim is just to produce complementary reports to the ones generated by these awesome online sandboxes, which will further help the security community.

Currently we are only processing new samples (never seen before by VirusTotal) that are Portable Executables (PEs) and are below 8MB in size. Execution is still a best-effort operation and is completely asynchronous, hence do not expect the VirusTotal reports to have any fancy Ajax informing you about the progress of the behavioural data extraction. Once you submit a file, the information will appear at a later point in time, and there are no guarantees about it being generated.
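As an added illustration (not VirusTotal's own code), the three admission conditions just stated, expressed as a triage function in Python: the file must carry a valid PE header, be under the size limit (assumed here to mean 8 MiB), and have a SHA-256 not seen before. The MZ/e_lfanew/"PE\0\0" walk is the standard PE header layout; the sample input is a constructed minimal header, not a real binary.

```python
import hashlib
import struct
from typing import Set, Tuple

MAX_SIZE = 8 * 1024 * 1024  # "below 8MB": assumption that this means 8 MiB


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the NT headers
    if e_lfanew + 4 > len(data):  # e_lfanew pointing past EOF is a malformed file
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def behavioural_eligible(data: bytes, seen: Set[str]) -> Tuple[bool, str]:
    """Apply the post's gating rules: PE, under the size cap, never seen before.

    Returns (True, sha256) when the sample would be queued for the sandbox,
    otherwise (False, reason). Accepted hashes are recorded in `seen`.
    """
    if len(data) >= MAX_SIZE:
        return False, "too large"
    if not is_pe(data):
        return False, "not a PE"
    digest = hashlib.sha256(data).hexdigest()
    if digest in seen:
        return False, "already seen"
    seen.add(digest)
    return True, digest


# Constructed sample: DOS stub with e_lfanew = 0x40, followed by the PE signature.
SAMPLE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_NOT_PE = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    known: Set[str] = set()
    for blob in (SAMPLE_PE, SAMPLE_PE, SAMPLE_NOT_PE):
        ok, info = behavioural_eligible(blob, known)
        print("queue" if ok else "skip", info)
```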

These are just a couple of examples of the reports generated (make sure you scroll down to the tabs below the antivirus verdicts table):
https://www.virustotal.com/file/2f2a645b873a5dfe7985a2c9cbfeff3424e68d9181791c908081c023c2a817b0/analysis/
https://www.virustotal.com/file/bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd/analysis/
https://www.virustotal.com/file/e5fbeab009326a5ae129942bd824868ddbdec3efc4cb48404581c290aac1b4c9/analysis/

Malekal has done a far better job than us at explaining the different fields present in the report; you may want to refer to his "VirusTotal: Behavioural information" post to learn more. Please note that the reports only show the fields that are applicable to the binary under consideration; for example, you won't see the Windows Services section if the executable is not interacting with any Windows Services.

We also saw on Twitter that Claudio Guarnieri was wondering what technology we were using to produce these reports. Yes, it is your brilliant Cuckoo indeed (or nearly, some tweaks were made), so thank you very much for it; you have done an amazing job, congratulations.

Over the coming weeks we would like to work on the VirusTotal UI in order to make the behavioural information and the rest of the data on the reports (additional information and antivirus reports) more eye-catching, thus easing navigation. We are a team of hardcore engineers and, as you may have noticed, our taste for design is not all that great, hence we would really appreciate suggestions from the community regarding how we could structure our layout in order to make the reports more useful to all of you.

Once this is done we may start thinking about giving feedback to the user regarding the behavioural report generation process so that analysts can take full advantage of this new feature.
