Saferwall is an open source malware analysis platform.

It aims for the following goals:

  • Provide a collaborative platform to share samples among malware researchers.
  • Acts as a system expert, to help researchers generates an automated malware analysis report.
  • Hunting platform to find new malwares.
  • Quality ensurance for signatures before releasing.


  • Static analysis:

    • Crypto hashes, packer identification,
    • Strings extraction
    • Portable Executable file parser
  • Multiple AV scanner which includes major antivirus vendors:

    Vendors status Vendors status
    Avast :heavy_check_mark: FSecure :heavy_check_mark:
    Avira :heavy_check_mark: Kaspersky :heavy_check_mark:
    Bitdefender :heavy_check_mark: McAfee :heavy_check_mark:
    ClamAV :heavy_check_mark: Sophos :heavy_check_mark:
    Comodo :heavy_check_mark: Symantec :heavy_check_mark:
    ESET :heavy_check_mark: Windows Defender :heavy_check_mark:
    TrendMicro :heavy_check_mark: DrWeb :heavy_check_mark:

Current architecture / Workflow:

Here is a basic workflow which happens during a file scan:

  • Frontend talks to the the backend via REST APIs.
  • Backend uploads samples to the object storage.
  • Backend pushes a message into the scanning queue.
  • Consumer fetches the file and copy it into to the nfs share avoiding to pull the sample on every container.
  • Consumer calls asynchronously scanning services (like AV scanners) via gRPC calls and waits for results.