Analyze files with Payload Security
Payload Security is an online service that analyzes files in virtual environments to determine whether they are potentially malicious in nature.
It can best be describes as a free analysis environment on the Internet that runs the selected file through a series of tests that include, among other options, running the file in a virtual environment, testing it with multiple antivirus engines, and observing behavior when run on a system.
What is particularly interesting about this is that it displays several analysis options to users after a file has been selected for analysis. You may select an analysis environment -- Windows 7 32-bit, Linux and Android are available -- select different action scripts, the runtime duration, and even pass custom execution parameters.
Payload Security
You need to accept the terms of service, and may enter an email address if you want to be notified when the scan completes.
The scan itself is queued, and the queue position is displayed on the screen. The queue was relatively short, around 10 entries, when I ran tests. The scan itself takes a couple of minutes to complete, but usually not longer than that.
The page that is displayed in the end offers very extensive information. You can check out this page, a scan of the Textify program which I reviewed recently, for details on how that looks like.
Here are a couple of highlights:
- How 66 different antivirus vendors classify the file.
- Whether an extracted file was identified as malicious, and how it was classified.
- A list of indicators that are flagged as suspicious, e.g. whether IP or URLs are found that were flagged as malicious by an engine, whether it can create remote threads, or if it reads the computer name.
- A list of informative indicators, for instance if it reads the Registry for installed applications, scans for window names, or drops files.
- File details such as the hash and language, file classification using TrlD, and version information.
- Information about included files and file imports, extracted files (sorted by flagged / not flagged).
- Screenshots of installation or program execution.
- Process and network analysis.
- Extracted strings.
The information that Payload Security provides is very helpful in determining whether a file is potentially malicious in nature. There is still the chance of false positives, for instance when antivirus engines flag one or multiple of the included files wrongly as malicious.
Closing Words
Payload Security is a handy online security scanner that you may use to find out more about files before you execute them on your system. It's analysis of files includes screenshots, data from dozens of antivirus vendors, and information taken from execution in virtual environments.
Now You: Which service do you use to analyze files?
Oops! The analysis system reported an error:
The file “fe6f970f2ae1076eb20d5d2e1bcfe69400a1ac9b9ffe6d5081747ca22909e6c0” has the file format “swf”, which is currently disabled by configuration
………………. nose XD
virustotal is simply good enough for me.
I use nothing because it’s useless anyway, especially if you send them ‘private data’ away which you should’t and for the rest of the stuff you can use GPO policy to enforce nothing bypasses the OS security mechanism. In additional a simply firewall also blocks the payload itself from downloading shit over the internet/lan. That you can’t trust or use such files was several times proven and it’s beyond me why people still uploading everything into the cloud. Every malware developer tests their shit against such services and ‘stealth’ them by e.g. obfuscating it and and and.
At the end such services collecting nothing but data and you help them to gain even more data, I’m not only talking about the data you upload to them you also reveal your identify, meta-data and more when you trust such services. Mostly these people which using such services are the same which blocking Windows Defender, .. no words for this stupidness, so you choose to share more data with such multi-av scanning engines instead of only trusting the provider which you already choosed for your OS. Genius!
Instead of using useless tools how about showing people how to really work with the OS mechanism? I did this: https://github.com/CHEF-KOCH/HWAB .. and with this you not need any additional tools, av or services because NOTHING can bypass these restrictins without breaking the OS mechanism by itself (which in 99% requirs additional infections).
I’M using Maldun beacuse it’s 64bit OS
https://www.maldun.com/submit/submit_file/
the real drawback is that it does not emulate Windows 10, and that you can not complete an installation wizard and run the installed program.
Looks like it could have drawbacks according to the knowledge base: https://team.vxstream-sandbox.com/pages/viewpage.action?pageId=1802362
A similar service is Jotti’s which I can remember from Windows XP days: https://virusscan.jotti.org/
Thanks for the article, Martin. And, thank you, @TelV for the caution!