Saferwall Versions Save

A hackable malware sandbox for the 21st Century

What's Changed

• fix(github workflow) depcreated set-output and docker/build-push-action by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/412
• feat (services) post-processor to include first_seen when it's absent by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/413
• feat: add loki-stack chart for log aggregation by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/414
• fix(storage): guarantee sequential write in s3 download by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/415
• fix: Set the nsq config maxInFlight to the same # of goroutines by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/416
• fix(services): increase multi-av scan timeout and nsq msg timeout by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/417
• doc: add documentation how to use compose to develop in the codebase by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/418
• feat: make pulling image contrainers more generic from private registries by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/419
• feat: externalize multi-av scan timeout by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/420
• helm: populate multiav default values for scanTimeout and logLevel by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/421
• feat: change multiav scan timeout from an int (seconds) to duration (string) by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/427
• chore(helm): fix _helpers template by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/428
• chore(helm): default values for new config entries in web apis by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/429
• fix(services): set the status for task progress by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/431
• fix(helm): webapis extra cors origins + new UI by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/432
• fix: update compose to match new UI env vars & bump go to v1.18 by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/433
• feat: Create a summary of behavior activities in sandbox by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/435
• chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.53.0 by @dependabot in https://github.com/saferwall/saferwall/pull/437
• feat(sandbox): append process ID to system events and make events an array instead of an object by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/438
• feat(sandbox): scanning artifacs with Yara by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/439
• feat(sandbox): store process tree data by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/441
• increase gRPC msg size + fix timeout fmt + artifacts length by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/442
• feat: store big byte* API parameters to object storage by @LordNoteworthy in https://github.com/saferwall/saferwall/pull/443

Full Changelog: https://github.com/saferwall/saferwall/compare/v0.4.0...v0.5.0

[0.4.0] - 06/03/2023

Added

• Upload sandbox memdumps and screenshots thumbnails to obj storage #398.
• Upload sandbox desktop screenshots to obj storage #397.
• Sandbox agent health check + basic sysinfo and env data collection #395.
• Push sandbox payload results to the aggregator #391.
• MultiAV McAfee enable scan for potentially unwanted program #387.
• Numerous updates to support different types of messages for the aggregator #383.
  • Add methods for the storage internal pkg to support bucket creation.
  • Generate thumbnails for the sandbox screenshots and add health checks for VMs.
  • Remove cluster-autoscaler form helm chart.
  • Add documentation with the communication format used between services.
• Agent: collect screenshots and memdumps #380.
• Guess file extension and include PE signature #379.
• Curate PE scan results #378.
• Add inlets-operator and metallb charts #376. inlets-operator has been deleted later, and metallb is installed separately from the chart dependencies.
• Add kube-prometheus-stack CRDs and experiment with k3s for local dev.
• Add workflow_dispatch for helm-release and release services job.

Changed

• [helm] Remove elastic stack that was used for logging #404.
• [helm] Do not include kube-prometheus-stack in main chart & remove elastic stack for logging #403.
• Hosting documentation/blog website in cloudflare #402.
• Set k8s version to the same as prod k8s version and update default user/password values in minio helm chart #392.
• Change protobuf message scheme to support uploading object to s3 #383.
• Bind k8s port forwarding services to 0.0.0.0.
• Bump wait-for and golang docker images.
• Bump yara, helm, kuberneters, exiftool, kind, kubens/kubectx and kube-capacity.
• Bump aws-efs-csi-driver, ingress-nginx, couchbase-operator and minio helm chart dependencies.

Fixed

• Use wine + loadlibrary to make windows defender works again thanks to prsyahmi #386.
• MultiAV McAfee doesn't report other kind of malware besides trojan thanks to prsyahmi #387.
• Do not set the file extension/format when it is now known #381.
• MultiAV upgrade Avast to a newer major release.

A hackable malware sandbox for the 21st Century

A hackable malware sandbox for the 21st Century

[0.3.0] - 14/04/2022

Added

• Add pre-commit-config.yaml.
• Update packer/installer/protector sigs and file magic data.
• Introduce new env variables in the UI k8s manifests.
• Add antivirus detections to the list of tags.
• Cleanup file that has not been accessed since a day from the nfs share.
• Documenting saferwall architecture.
• Saferwall sandbox microservice.

Changed

• Change minio operator to the basic minio.
• Move private go packages to internal/ directory.
• Move helm chart from its own repo to main repo.
• Numerous tolling updates: docker-compose, devContainers, and bumping go pkg dependencies.

Fixed

• Fix crash on webapis k8s manifest when generating the toml config.

A hackable malware sandbox for the 21st Century

[0.2.0] - 25/11/2021

Added

• Unit tests for ASCII & Unicode strings and AV label pkg.
• [exiftool] ELF binary testcases.
• [yara]: implement yara scanner and update go package version.
• [kubernetes] AWS spot instance template.
• Introduce a new package for virt-manager.

Fixed

• [magic] Handle case where input is empty.
• [magic] fix out of bounds errors due to file help output on null input.

Changed

• Move cli to a separate github repository
• Clean up package tests + add tests for HashBytes func.
• Update crypto functions to follow idiomatic initialisms. -[bytestats] remove python3 poc + use package fixtures for testing.
• Using zap instead of logrus and asbtract the logging code.
• Asbtract access to object storage and to the database.
• Move the multiav package to a separate repo.
• Separate the consumer into different services (orchestrator, aggregator, pe, metadata, multiav, ML, post-processor).
• Use external NSQ helm chart.

Helm Chart Release

Added

• ML PE classifier(private) and string ranker.
• docker-compose and .devcontainer to ease development.
• A portable executable (PE) file parser.
• A UI for displaying PE parsing results.
• gib: a package to detect gibberish strings.
• bytestats: a package that implements byte and entropy statistics for binary files.
• cli utility to interact with saferwall web apis.
• sdk2json: a package to convert Win32 API definitions to JSON format.

Changed

• Consumer docker image is separated to a base image and an app image.
• Refactor consumer and make it a go module.
• [Helm] reduce minio MEM request, ES and Kibana CPU request to half a core.
• [Helm] bump chart dependency modules.
• [pkg/consumer] add context timeout to multiav scan gRPC API.
• Move the website, the dashboard and the web apis projects to a separate git repos.
• Improvement in CI/CD pipeline: include code coverage, test only changed modules & running custom github action runners.