Frequently Asked Questions (FAQ)

Below you will find answers to commonly asked questions.

General

What is Hybrid-Analysis.com?

This webpage is a free malware analysis service for the community. Using this service you can submit files for in-depth static and dynamic analysis.

What is Falcon Sandbox?

Falcon Sandbox is a high-end malware analysis framework with a very agile architecture. It can be implemented as a large-scale system processing hundreds of thousands of files automatically (for example via the simple REST API) or as a webservice for incident response, forensics and/or as an enterprise self-service portal. Due to its simple interface and numerous integration capabilities with other technology providers, it seamlessly enriches a SOC's incident response workflow and security stack. Falcon Sandbox is currently in use by SOCs, CERTs, DFIR teams, IT-security forensic labs, researchers and threat intelligence service providers all around the world. Multiple S&P 100, Fortune 500 and U.S. government agencies are using Falcon Sandbox and enjoying it every day. Please take a look at the Falcon Sandbox product page for more information.

What features does Falcon Sandbox have?

If you are interested in licensing the full version of Falcon Sandbox (includes the webservice, API, runtime monitors, load balancing controller, hybrid analysis technology, report generator, all indicators, signatures, scripts, etc.) or have any questions, please use our contact form and get in touch.

What files can Falcon Sandbox analyze?

The default analysis system supports any kind of PE (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (.wsf), JavaScript (.js), Visual Basic (.vbs, .vbe), Shockwave Flash (.swf), Perl (.pl), PowerShell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg) and Python (.py) scripts, Linux ELF executables, MIME RFC 822 (.eml), Microsoft Installer packages (.msi) and Outlook (.msg) files.

Can Falcon Sandbox analyze files with required dependencies?

Yes, it is possible to analyze a file with dependencies, but in order to do so there are some additional requirements:
  • The archive format must be ZIP
  • The archive needs to contain a "start file"
  • The archive needs to have all files in the same location as the start file (directories are not supported)

In order for Falcon Sandbox to know which file needs to be run, a file with the name "init.properties" must be included in the archive. This file needs to contain the following syntax:
  startFile=[startFileName]
For example:
  startFile=sample.exe
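Added example (not Hybrid Analysis or Falcon Sandbox code) of building such a bundle and checking its layout before upload: it writes a flat ZIP with an init.properties marker, then verifies that the declared start file exists beside it and that no directories are present. The file contents are constructed placeholders.

```python
import io
import zipfile

def build_dependency_bundle(files, start_file):
    """Return ZIP bytes holding `files` ({name: bytes}) plus init.properties naming start_file."""
    if start_file not in files:
        raise ValueError(f"start file {start_file!r} is not in the bundle")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)      # every member sits at the archive root
        zf.writestr("init.properties", f"startFile={start_file}\n")
    return buf.getvalue()

def check_dependency_bundle(zip_bytes):
    """Validate the FAQ rules and return the declared start file name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if any("/" in n or "\\" in n for n in names):
            raise ValueError("directories are not supported; keep all files flat")
        if "init.properties" not in names:
            raise ValueError("init.properties is missing")
        start = None
        for line in zf.read("init.properties").decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "startFile":
                start = value.strip()
        if not start:
            raise ValueError("init.properties has no startFile=... entry")
        if start not in names:
            raise ValueError(f"start file {start!r} is not next to init.properties")
        return start

if __name__ == "__main__":
    # Constructed placeholder contents; a real bundle carries the sample and its dependencies.
    bundle = build_dependency_bundle(
        {"sample.exe": b"MZ-placeholder", "helper.dll": b"MZ-placeholder"}, "sample.exe")
    print(check_dependency_bundle(bundle))
```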

Can I scan a bulk of files quickly?

Yes, the free malware analysis service comes with convenient "Quick Scan" endpoints that rapidly perform CrowdStrike Falcon Static Analysis (ML) and, for example, Metadefender AV scans. To do bulk scans, use the 'scan_file' CLI of the VxAPI Python API connector or use the Quick Scan endpoints directly.

What operating systems do you support?

We currently support hybrid (static and runtime) analysis on Windows 7 and Windows 10, and extensive static analysis for Android APK files.

What kind of integrations do you offer?

Falcon Sandbox offers a wide range of integrations including:
  • VirusTotal and OPSWAT Metadefender (online and on-site)
  • SIEM systems (e.g. HP ArcSight)
  • NSRL (Whitelist)
  • Thug honeyclient (e.g. URL exploit analysis)
  • Suricata (ETOpen/ETPro rules)
  • TOR (avoid e.g. external IP fingerprinting)
  • Phantom

Webservice

Can I upload an archive format to the webservice?

You can upload archives in one of the following formats, with or without a password: ace, arj, 7z, bzip2, gzip2, iso, rar, rev, tar, wim, xz and zip.
If you use a password, only the typical 'infected' password is accepted.
Additional limits for archives:
  • Maximum number of files: 20
  • Maximum nested level: 1
  • Maximum size of an archive: 100MB
  • Maximum size of the single file in the archive: 100MB
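Added example, not the service's own code, of a pre-flight check of a ZIP archive against the limits above before submitting it. The nesting rule is interpreted here as allowing at most one archive inside the uploaded archive (an assumption), only nested ZIPs are opened to measure depth, and encrypted members are reported so the password can be confirmed.

```python
import io
import zipfile

MAX_FILES = 20
MAX_NESTED = 1          # assumption: one archive-inside-archive level at most
MAX_BYTES = 100 * 1024 * 1024
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz", ".bz2", ".xz", ".iso")

def _nesting_depth(zf):
    """Depth of archives inside zf (0 = none). Only nested ZIPs are opened further."""
    depth = 0
    for info in zf.infolist():
        if not info.filename.lower().endswith(ARCHIVE_EXT):
            continue
        inner = 1
        if info.filename.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(info))) as nested:
                    inner += _nesting_depth(nested)
            except (zipfile.BadZipFile, RuntimeError):
                pass   # encrypted or corrupt: count it as one level and move on
        depth = max(depth, inner)
    return depth

def check_upload_limits(zip_bytes):
    """Return findings against the FAQ limits; an empty list means the archive passes."""
    findings = []
    if len(zip_bytes) > MAX_BYTES:
        findings.append(f"archive is {len(zip_bytes)} bytes, limit {MAX_BYTES}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        if len(members) > MAX_FILES:
            findings.append(f"{len(members)} files, limit {MAX_FILES}")
        for info in members:
            if info.file_size > MAX_BYTES:
                findings.append(f"{info.filename}: {info.file_size} bytes, limit {MAX_BYTES}")
            if info.flag_bits & 0x1:
                findings.append(f"{info.filename}: encrypted, only password 'infected' is accepted")
        depth = _nesting_depth(zf)
        if depth > MAX_NESTED:
            findings.append(f"nested archive depth {depth}, limit {MAX_NESTED}")
    return findings

def make_zip(files):
    """Demo helper: pack {name: bytes} into an in-memory ZIP (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```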

Do you have an API for the web interface?

Yes. All registered users can generate a restricted free Public API key. For more information, please visit our Public API information page.

Can I pull in report data via the API?

Yes, the API is very extensive and supports a wide range of operations, including, but not limited to: single/bulk file and URL submissions, advanced search capabilities, report data retrieval and data erasure (based on privileges).

Do you have some advanced search options?

Yes, there is a variety of advanced search queries. You can search for a virus family name, find all reports that contacted a specific IP address, domain, URL, have a specific file type, fuzzy hash, #hashtag, shared artifact and so on. Here are selected examples of some advanced search operators:
  • host:95.181.53.78
  • port:3448
  • domain:checkip.dyndns.org
  • vxfamily:upatre
  • indicatorid:network-6 (Show all reports matching 'Contacts Random Domain Names')
  • filetype:jar
  • filetype_tag:hwp
  • url:google
  • similar-to:hash
  • authentihash:hash
  • tag:teslacrypt

Note: you may need to be logged in to use the advanced search queries listed above.

Reporting

What is a behavior indicator?

A behavior indicator is a small script file that registers itself for a specific data type or event and abstracts the input to a specific behavior, such as when a malware adds an entry to an autostart registry pathway, changes firewall settings, injects into another process or sends data on unusual ports. Behavior indicators are classified as either "malicious", "suspicious" or simply "informative". As each indicator includes information about the data that made it trigger, it becomes easier to understand the functionality of the analyzed malware/software in-depth and find entrypoints for deeper analysis.
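As an added illustration (not Falcon Sandbox code) of the model described above, the following toy engine lets indicators register for one event type, classify themselves as malicious, suspicious or informative, and retain the event that triggered them. The autostart key, port list and event trace are constructed for the demo.

```python
from collections import defaultdict

SEVERITIES = ("malicious", "suspicious", "informative")
# Assumed values for the demo indicators (illustrative, not the engine's real lists).
AUTOSTART_KEYS = (r"\microsoft\windows\currentversion\run",)
COMMON_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}

class IndicatorEngine:
    """Indicators register for an event type and return True when the event matches."""
    def __init__(self):
        self._handlers = defaultdict(list)   # event type -> [(name, severity, fn)]

    def register(self, event_type, name, severity):
        assert severity in SEVERITIES
        def deco(fn):
            self._handlers[event_type].append((name, severity, fn))
            return fn
        return deco

    def run(self, events):
        """Return hits sorted malicious first; each hit keeps the event that triggered it."""
        hits = []
        for ev in events:
            for name, severity, fn in self._handlers.get(ev["type"], ()):
                if fn(ev):
                    hits.append({"indicator": name, "severity": severity, "data": ev})
        return sorted(hits, key=lambda h: SEVERITIES.index(h["severity"]))

engine = IndicatorEngine()

@engine.register("registry_write", "Adds entry to autostart registry key", "malicious")
def autostart_write(ev):
    return any(k in ev["key"].lower() for k in AUTOSTART_KEYS)

@engine.register("network_send", "Sends data on an unusual port", "suspicious")
def unusual_port(ev):
    return ev["port"] not in COMMON_PORTS

@engine.register("process_create", "Creates a child process", "informative")
def creates_process(ev):
    return True

SAMPLE_EVENTS = [   # constructed sample trace, not real sandbox output
    {"type": "registry_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"type": "network_send", "host": "198.51.100.7", "port": 3448},
    {"type": "network_send", "host": "198.51.100.7", "port": 443},
    {"type": "process_create", "image": "cmd.exe"},
]
```

Calling engine.run(SAMPLE_EVENTS) yields three hits (the 443 connection triggers nothing), each carrying the originating event so an analyst can jump straight to the data behind the verdict.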

What kind of data is available to behavior indicators?

Behavior indicators can trigger on a multitude of data types or events. Some of them include registry accesses, process memory strings, API calls, created mutants/files, network traffic, injected processes, disassembly instructions, and a lot more.

How many behavior indicators are part of the full version?

Currently, the full version comes with several hundred generic behavior indicators and thousands of YARA rules ready to use. Adding new behavior indicators is part of the daily work of our development team. As we frequently come across interesting samples, the number of behavior indicators is constantly growing.

Do you include decrypted SSL traffic as part of the reporting?

Yes, decrypted SSL traffic is included for Windows analysis on a per-host basis in the "Network Analysis" section of the report (see the "Show SSL" buttons and the subsequent modal).

Technology

What is "Hybrid Analysis" and do I really need it?

Hybrid Analysis combines runtime data with extensive static analysis of memory dumps to extract annotated disassembly listings and deduce additional IOCs (strings/API call chains). This unique feature allows extraction of behavior indicators regardless of execution and helps detect unknown threats even in the most evasive malware. All data extracted by the Hybrid Analysis engine is processed automatically and integrated into the Falcon Sandbox reports.

Do you analyze files statically?

The system comes with various input file parser scripts that extract embedded files/VBA macros from Office documents, JavaScript/XFA streams/hyperlinks from PDF files and all kinds of other identifiers from PE headers (e.g. section entropy, IMPHASH, authentihash), etc. Static analysis is applied in the pre-runtime and post-runtime report generator phases and also includes YARA signature matches on any input and extracted file.

Do I have any control over what happens during analysis?

You can control anything that happens using so-called "action scripts" (which open the browser, move your mouse, etc.) that are based on a powerful scripting language. If you have access to the full standalone system, it is possible to create your own scripts and make them available to the execution environments.

Does Falcon Sandbox scale and if yes, how?

We have a load-balancing controller that can feed an arbitrary number of files to the execution environments and generate reports in parallel. Currently, we suggest running at most 16 virtual machines per controller instance. In general, it is possible to create distributed large-scale systems using Falcon Bridge, up to a point that allows processing hundreds of thousands of files per day. Our extensive bootstrap/utility ecosystem automates VM management.

Is the web interface (online reports, submit form, etc.) part of the Falcon Sandbox package?

The Falcon Sandbox full standalone package comes with a copy of the webservice that can be operated on the same server as the base system or on a remote server. In general, the full standalone system includes all the functionality that you experience here and a lot more. The full system operates entirely autonomously and does not depend on any additional back-end systems or even an outgoing connection.

Do you have offline reports that can be used as an archive?

Yes. Although offline reports are not available for download on the public service, they are available in the private webservices and the full standalone system. An "offline" HTML report has no external references and is a single HTML file. Other report formats include XML, MAEC (4.1), OpenIOC (1.1), MISP XML and JSON for automatic post-processing.

Do you support native (pure) 64-bit analysis?

Yes, we support any bitness.