MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built Python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework.
Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules you can look in modules/. Descriptions and config options can be found on the Analysis Modules page.
MultiScanner also supports a distributed workflow for sample storage, analysis, and report viewing. This functionality includes a web interface, a REST API, a distributed file system (GlusterFS), distributed report storage / searching (Elasticsearch), and distributed task management (Celery / RabbitMQ). Please see Architecture for more details.
Usage
MultiScanner can be used as a command-line interface, a Python API, or a distributed system with a web interface. See the documentation for more detailed information on installation and usage.
Command-Line
Install Python (2.7 or 3.4+) if you haven't already.
Then run the following (substituting the actual file you want to scan for
<file>
):$ git clone https://github.com/mitre/multiscanner.git
$ cd multiscanner
$ sudo -HE ./install.sh
$ multiscanner init
config.ini
to see what modules are enabled. See Configuration for more information.Now you can scan a file (substituting the actual file you want to scan for
<file>
):$ multiscanner <file>
$ multiscanner --help
install.sh
script, install pip (if you haven't already) and run the following:$ pip install -r requirements.txt
Python API
import multiscanner
multiscanner.config_init(filepath)
output = multiscanner.multiscan(file_list)
results = multiscanner.parse_reports(output, python=True)
Web Interface
Install the latest versions of Docker and Docker Compose if you haven't already.
$ git clone https://github.com/mitre/multiscanner.git
$ cd multiscanner
$ docker-compose up
http://localhost:8000
in your web browser.Note: this should not be used in production; it is simply an introduction to what a full installation would look like. See here for more details.
Documentation
For more information, see the full documentation on ReadTheDocs.
Tags
Analysis Framework
Analytic Machines
Antivirus
Cuckoo
Malware Analysis
Malware Analyzer
Malware Research
Metadata
MultiScanner
Python
Scan
Scanning
Yara