
Integration of Viper Malware Analysis Framework and Metadefender Core

Viper (viper.li) is a malware repository and analysis framework developed by Claudio Guarnieri, Kevin Breen and Mariano Graziano. Viper is written in Python, and several modules have been developed for it; these modules can integrate with additional malware analysis tools such as Cuckoo Sandbox.

Inside the Viper framework, malware samples can be stored, ordered and organized, and binaries can be tagged and searched. Beyond storage, several operations can be executed on the samples held in the framework: whether the task is inspecting binaries, executable files, Office documents or PDF files, the Viper framework offers plenty of tools for analyzing them.

Viper Modules

Office File and VBA Analysis

Although the Viper framework has a web interface that exposes most functions, we recommend using the module through the CLI.

Viper Web UI

Our company, Secure Networx Ltd., provides malware defense services to our customers, including malware detection, malware analysis, incident handling and response, as well as training. Viper plays an important role in our work: it is where files submitted by our clients for analysis are kept, and where we store our self-gathered samples. We have grown to like Viper a lot, and it is particularly valuable for us to be able to integrate it with other malware analysis technologies to determine whether files are malicious. Before going into deeper analysis, we like to get a quick idea of whether any of the leading antivirus engines detect a file as a threat. There are several online solutions for this, such as MetaDefender.com, but for files that contain business or other confidential data an online solution is not a viable option for us; we never upload confidential files to other services, because we need to maintain confidentiality and privacy.

To solve this privacy problem we needed our own multi-scanning solution, and this is how we came into contact with OPSWAT MetaDefender Core (formerly Metascan). Integrating Viper with MetaDefender Core v3 and v4 allows us to host a multi-scanning server in our own environment, so that we get comprehensive scan results from many scan engines without files ever leaving our network. Keeping files inside our network gives us better control over the visibility of our data. We have started using the Linux-based MetaDefender Core v4 and are extremely satisfied with it.

Since Viper had no MetaDefender integration, we developed our own module, which submits a single file (or files in batches) for scanning to our on-premises MetaDefender server and displays the results retrieved through MetaDefender's flexible APIs.

MetaDefender Core Analysis Module

The integration module uses the REST API of the MetaDefender server both to transmit files and to read back the results. MetaDefender's API answers with JSON responses, which the module parses and displays. The module was developed for the currently stable Viper 1.2, but it also runs seamlessly with the Viper 1.3 beta.

Active or Disabled MetaDefender Core Engines

The module can scan the currently open file through the MetaDefender server, but it was also designed to submit multiple files for inspection at once. Viper's interactive shell makes this possible: running a search (such as find tag 20160126) returns a multi-element list of all files carrying the 20160126 tag. Our MetaDefender module sends every file on that list to the MetaDefender server, then retrieves and displays the results through the API.

Single File Analysis

Three-element Finding List and Analysis

The Viper and MetaDefender Core integration module is easy to install and configure: simply copy the module into Viper's modules folder and enter the IP address and port of the MetaDefender server in the ms.py file. No further settings are needed.

Viper MetaDefender Core Module Config

If an administrator would like to retrieve MetaDefender Core license information, they will need to enter the username and password associated with their API user. Entering the username and password is not mandatory for any other purpose at this time; however, we have prepared the module for future MetaDefender Core functions that will require authentication.
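The following is an added example, not the securenetworx/viper-metascan module itself, showing the workflow the post describes in working Python: submit one sample or a whole batch (as produced by a find tag search) to a MetaDefender-style REST endpoint configured by IP and port, poll the JSON result, and reduce it to a per-engine summary. The endpoint paths /file and /file/<data_id>, the filename and apikey headers, and the JSON field names (data_id, scan_results, progress_percentage, scan_all_result_a, scan_details, scan_result_i, threat_found) are assumptions modelled on the MetaDefender Core v4 REST API and must be checked against your own server's documentation; the FakeMetaDefender transport, the 192.0.2.10 address and the "TEST-MARKER" verdict rule are constructed so the example runs offline. License retrieval with username and password is not implemented here.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

# Transport signature: (method, path, body, headers) -> parsed JSON dict.
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], dict]


class MetaDefenderClient:
    """Submit samples to a MetaDefender Core style REST API and read back JSON results.
    Paths, headers and field names are assumptions modelled on the v4 API."""

    def __init__(self, host: str, port: int, apikey: Optional[str] = None,
                 transport: Optional[Transport] = None) -> None:
        self.base = f"http://{host}:{port}"   # IP and port, as in the module's config
        self.apikey = apikey                  # optional; only authenticated calls need it
        self._send = transport or self._http  # injectable so the example runs offline

    def _http(self, method: str, path: str, body: Optional[bytes],
              headers: Dict[str, str]) -> dict:
        req = urllib.request.Request(self.base + path, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _headers(self, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        headers = dict(extra or {})
        if self.apikey:
            headers["apikey"] = self.apikey
        return headers

    def submit(self, filename: str, data: bytes) -> str:
        """POST the sample body; the server answers with a data_id to poll on."""
        headers = self._headers({"filename": filename, "Content-Type": "application/octet-stream"})
        return self._send("POST", "/file", data, headers)["data_id"]

    def result(self, data_id: str) -> dict:
        return self._send("GET", f"/file/{data_id}", None, self._headers())

    def wait(self, data_id: str, timeout: float = 120.0, interval: float = 1.0) -> dict:
        """Poll until scan_results.progress_percentage reaches 100 or the deadline passes."""
        deadline = time.monotonic() + timeout
        while True:
            report = self.result(data_id)
            if report.get("scan_results", {}).get("progress_percentage") == 100:
                return report
            if time.monotonic() >= deadline:
                raise TimeoutError(f"scan {data_id} did not finish within {timeout}s")
            time.sleep(interval)

    def scan_batch(self, samples: Dict[str, bytes], interval: float = 1.0) -> Dict[str, dict]:
        """Submit every sample first, then collect, so the server scans them concurrently."""
        ids = {name: self.submit(name, data) for name, data in samples.items()}
        return {name: summarize(self.wait(data_id, interval=interval))
                for name, data_id in ids.items()}


def summarize(report: dict) -> dict:
    """Reduce a full JSON report to verdict, engine count and per-engine detections."""
    scan = report.get("scan_results", {})
    details = scan.get("scan_details", {})
    detections = {engine: info.get("threat_found", "")
                  for engine, info in sorted(details.items())
                  if info.get("scan_result_i") == 1}   # assumption: 1 means infected
    return {"verdict": scan.get("scan_all_result_a", "Unknown"),
            "engines": len(details), "detections": detections}


class FakeMetaDefender:
    """Constructed stand-in transport so the example runs without a server.
    Invented verdict rule: a body containing b"TEST-MARKER" is infected.
    The first poll of each id reports 50 % progress to exercise the wait loop."""

    def __init__(self) -> None:
        self.store: Dict[str, tuple] = {}
        self.polls: Dict[str, int] = {}

    def __call__(self, method, path, body, headers):
        if method == "POST" and path == "/file":
            data_id = f"fake{len(self.store) + 1}"
            self.store[data_id] = (headers.get("filename"), body)
            return {"data_id": data_id}
        data_id = path.rsplit("/", 1)[-1]
        self.polls[data_id] = self.polls.get(data_id, 0) + 1
        infected = b"TEST-MARKER" in self.store[data_id][1]
        engine = {"scan_result_i": 1 if infected else 0,
                  "threat_found": "Test.Marker" if infected else ""}
        return {"data_id": data_id, "scan_results": {
            "progress_percentage": 100 if self.polls[data_id] > 1 else 50,
            "scan_all_result_a": "Infected" if infected else "No Threat Detected",
            "scan_details": {"EngineA": engine, "EngineB": dict(engine)}}}


def demo() -> Dict[str, dict]:
    """Batch-scan two constructed samples, as the module does for a find tag result list."""
    client = MetaDefenderClient("192.0.2.10", 8008, transport=FakeMetaDefender())  # placeholder host
    return client.scan_batch({"sample1.bin": b"MZ...TEST-MARKER...",
                              "notes.txt": b"plain text"}, interval=0.01)


if __name__ == "__main__":
    for name, summary in demo().items():
        print(name, json.dumps(summary))
```

Against a real server, drop the transport argument so the built-in urllib transport is used, and pass the IP, port and (if your deployment requires it) the apikey from the module's configuration; submitting all samples before polling any of them is what lets the server scan a whole tag's worth of files simultaneously rather than one at a time.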

We have found the MetaDefender Core module well suited to fast initial scans, since it can submit a large number of files to the MetaDefender Core server for simultaneous scanning while keeping the files confidential. Our integration module is now available on GitHub (https://github.com/securenetworx/viper-metascan), and we hope that other MetaDefender Core users will benefit from it.

Author: Tamas Kocsis, Secure Networx

Secure Networx Ltd. is a provider of malware defense services, offering technical analysis, training and incident response to protect their customers from threats.
