Published on May 11th, 2016
MultiScanner — Modular File Scanning Analysis Framework
MultiScanner is a file analysis framework that allows the user to evaluate a set of files with a set of tools. Tools can be custom-built Python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework. Modules are designed to be quickly written and easily incorporated into the framework. The modules currently written and maintained are related to malware analytics, but the framework is not limited to that scope.
Python 2.7 is recommended for MultiScanner. The framework is compatible with Python 2.6+, and Python 3.3+ is supported but not thoroughly maintained or tested. If you run into issues with these Python versions, let the developers know and help them correct the errors by submitting an issue or a pull request on GitHub. An installer script, install.sh, is included in the project; it installs the prerequisites on most systems.
apt-get install -y build-essential curl dh-autoreconf gcc libffi-dev libfuzzy-dev python-dev python-pip git
If you are running a RedHat- or Debian-based Linux distribution, run install.sh, which pulls in all the system requirements MultiScanner needs. On any other distribution, check the requirements2.txt and requirements3.txt files in the same directory, which list the Python packages the framework requires. At the moment those files contain the following:
#Requirements
future
#Required by modules
bitstring
paramiko
pefile
pyclamd
python-magic
requests
ssdeep
MultiScanner must have a configuration file to run. Generate the MultiScanner default configuration by running python multiscanner.py init after cloning the repository. This command can also be used to rewrite the configuration file to its default state or, if new modules have been written, to add their configuration to the configuration file.
Default modules have the option to be run locally or via SSH. The development team runs MultiScanner on a Linux host and hosts the majority of analytical tools on a separate Windows machine. The SSH server used in this environment is freeSSHd.
A network share accessible to both the MultiScanner host and the analytic machines is required for the multi-machine setup. Once configured, the network share path must be defined in the configuration file, config.ini. To do this, set the copyfilesto option under [main] to the mount point on the system running MultiScanner. Modules can have a replacement path option, which is the network share mount point on the analytic machine.
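To make the two-mount-point arrangement concrete, here is an added example (not part of the original post or of the MultiScanner project) that reads a constructed config.ini fragment and works out where a submitted file lands on the share and which path a module on the analytic machine will see. It assumes Python 3, a hypothetical module section named ExampleAVModule, and that only the file's basename is carried onto the share so a caller cannot steer the copy outside it.

```python
import configparser
import ntpath
import posixpath

# Constructed config.ini fragment (assumed layout, not the project's shipped file):
# [main] holds copyfilesto, the share's mount point on the MultiScanner host;
# the module section holds "replacement path", the same share as the analytic
# machine sees it.
SAMPLE_CONFIG = """
[main]
copyfilesto = /mnt/analytic_share

[ExampleAVModule]
ENABLED = True
replacement path = Z:\\analytic_share
"""


def load_config(text):
    """Parse a config.ini-style string into a ConfigParser."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def share_path_for(cfg, module, local_file):
    """Return (copy on the MultiScanner host, path the module will see).

    Only the basename of local_file is kept, so the copy always lands
    directly inside the share named by copyfilesto.
    """
    name = posixpath.basename(local_file)
    if name in ("", ".", ".."):
        raise ValueError("refusing to copy an unnamed or relative entry")
    share = cfg.get("main", "copyfilesto")
    local_copy = posixpath.join(share, name)
    remote_root = cfg.get(module, "replacement path")
    # A Windows-style mount point (drive letter or backslashes) needs ntpath joins.
    windows_style = "\\" in remote_root or bool(ntpath.splitdrive(remote_root)[0])
    join = ntpath.join if windows_style else posixpath.join
    remote_copy = join(remote_root, name)
    return local_copy, remote_copy


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(share_path_for(cfg, "ExampleAVModule", "/tmp/incoming/sample.exe"))
```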
Modules are intended to be quickly written and incorporated into the framework. A finished module must be placed in the modules folder before it can be used. The configuration file does not need to be updated by hand; modules are configured within the configuration file, config.ini. More information about the implemented modules, and about how to use and write your own, is in the documentation folder included with the MultiScanner download.
Use in other projects
MultiScanner can be incorporated as a module in other projects. Below is a simple example of how to import MultiScanner into a Python script.
import multiscanner
FileList = ["/path/to/sample"]  # placeholder: the paths of the files to scan
output = multiscanner.multiscan(FileList)
Results = multiscanner.parse_reports(output, python=True)
Results is a dictionary object where each key is a filename of a scanned file.
multiscanner.config_init(filepath) will create a default configuration file at the location defined by filepath.