File submit

  • What file formats are supported by the sandbox ?
    • - Windows executable files (32 and 64 bits): programs (.exe), screen savers (.scr)
    • - Windows dynamic library (32 and 64 bits): libraries (.dll), panels (.cpl)
    • - Office documents: Word, Excel and PowerPoint files (.doc, .docm, .docx, .rtf, .xls, .xlsm, .xlsx, .mshtml, .hta, .ppt, .pptx, .ppam)
    • - Script files: Javascript (.js, .jse, .wsf), Visual Basic Script (.vbs, .vbe, .wsf)
    • - Shortcut files: .lnk
    • - PDF files: .pdf
    • - JAR files: .jar
    • - Microsoft installers: .msi
    • - PowerShell files: .ps1
    • - Batch files: .bat .cmd
    • - Iso files: .iso (currently not available on the API)
    • - Web files: .html
    • - Message files: .eml (eml only)
    • - Compressed files: formats supported by 7z (see here )
    • Note: Depending on the selected VM, the amount of supported file types may vary and the limit size is set up to 500MB. If you submit a file whose type is not supported, the analysis will cancel immediately and you should see the following error message on the submission page:

      Error, file format was not recognized for file.unk. All supported file formats are listed on /faq/. You can also try to rename the file extension or specify an environment to use in "Advanced" -> "Specific launch environment"

  • I cannot submit files because my security solution block them

      You have the possibility in the web interface to submit a (single) file inside a password protected ZIP or RAR archive. It should bypass your antivirus / firewall scanning process. For the archive password, please use one of the industry standard such as "infected", "virus" or "malware".

      On the same theme, please note that all material that you download from the web interface (dumps, samples) is put inside a password protected archive. The archive password is "infected".

  • Is there a limit on file uploads?

      The upload limit for a single file is currently set to 5242.88 MB on this server. Any file bigger than this limit will be discarded. A limit on the amount of submitted files per day may also be set by the local administrator. Please refer to your account details.

  • How can I submit multiple files?

      Currently, the only way to submit multiple files at once is to use the advanced upload form. There, you can either drag 'n drop multiple files or select multiple files after clicking the Add Files button. A status screen displaying the ongoing progress of analyses will be displayed.
      If you want to upload multiple files in the sandbox for one analysis you must use the free mode option that you can activate on the advanced upload form and submit your archive file containing all your files. You will be able to unzip them inside the sandbox.

      Uploading a ZIP or RAR archive containing multiple files is only supported in Free mode option.
  • I want to analyze large batch of files

      The best way to analyze large batches of files is to do it via the API. If your are not interested in dumps data but only in the scan result, scan using the light mode in order to save bandwidth, especially for very large batches.


  • How much time should I let the analysis run?

      This is a tricky question. You want to let enough time in order for the malware to execute its payload. But each malware is different:

      1. - Some malware execute their payload immediately
      2. - Some malware try to avoid sandbox/antivirus detection by staying dormant for a large amount of time before executing their payload
      3. - Some malware require a lot of time because their are heavily obfuscated/are packed multiple times
      4. - Some malware are actually doing a lot of CPU-heavy operations
      From our experience, the vast majority of the malware can be put in the first two categories. For these typical malware, we observed that a timeout of 60 seconds is enough most of the time to get interesting result. Don't hesitate to enable time acceleration in order to counter the evasion tricks used by the malware belonging to the second category.

      For the other categories of malware, there is no rule of thumb. But keep in mind that malware authors want their creation to remain unnoticed. Since a heavy CPU usage is likely to get noticed by the user, they tend to avoid to resort to such methods. That's why a timeout of 10 minutes should be more than enough in 99,9% of the cases.


  • How can I search for similar analyses/files ?

      By using the search interface, you are able to list all the analysis present in the web interface, matching a given set of search criteria:

    • - sha256 (full word, case insensitive)
    • - user keyword (full word, case insensitive)
    • - signature match (full word, case insensitive)
    • - user name (full word, case insensitive)
    • - filename (complete or partial, case insensitive)
    • - url (complete or partial, case insensitive)
    • - best match signature (complete or partial, case insensitive)
    • Please note that only the analysis that you are allowed to see will be listed (i.e. your analyses + the public analyses).