This repository contains a self-developed Assemblyline service that submits a file or a URL from Assemblyline 4 to MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) and, after the scan completes successfully, fetches and parses the result.
To use this integration you need a MetaDefender Sandbox API key. Either use the Activation Key you received from your OPSWAT Sales Representative and follow the instructions on the License Activation page, or create an API key on the Community site under the API Key tab.
The result contains two types of heuristics:
- MetaDefender Sandbox verdict is VERDICT: the final verdict of MetaDefender Sandbox, added as a ResultSection
- VERDICT threat indicators: derived from the report's signal groups and added as a subsection
Each verdict maps to the following heuristic score:

| score | MetaDefender Sandbox verdict |
|---|---|
| -1000 | BENIGN |
| 0 | NO THREAT |
| 299 | UNKNOWN |
| 500 | SUSPICIOUS |
| 850 | LIKELY MALICIOUS |
| 1000 | MALICIOUS |
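The following is an added example of how a report can be turned into the two heuristic kinds described above; it is not the service's own code. The report field names (`finalVerdict.verdict`, `allSignalGroups[].verdict` and `.description`) are assumed and should be checked against the MetaDefender Sandbox API documentation; the sample report is constructed. The example also handles a verdict string the table does not list by falling back to UNKNOWN instead of failing the scan.

```python
"""Added example (not the service's own code): map a MetaDefender Sandbox
report onto the README's two heuristic types.

Assumed report layout (verify against the MetaDefender Sandbox API docs):
  report["finalVerdict"]["verdict"]            -> final verdict string
  report["allSignalGroups"][i]["verdict"]      -> per-signal-group verdict
  report["allSignalGroups"][i]["description"]  -> indicator text
"""
from collections import defaultdict

# Score table from the README: MetaDefender Sandbox verdict -> heuristic score.
VERDICT_SCORES = {
    "BENIGN": -1000,
    "NO_THREAT": 0,
    "UNKNOWN": 299,
    "SUSPICIOUS": 500,
    "LIKELY_MALICIOUS": 850,
    "MALICIOUS": 1000,
}


def normalize_verdict(verdict):
    """Canonicalise the sandbox's verdict string ("likely malicious",
    "LIKELY_MALICIOUS", ...) to a table key. Anything the table does not
    know is treated as UNKNOWN so one odd value cannot break the result."""
    key = str(verdict or "").strip().upper().replace(" ", "_")
    return key if key in VERDICT_SCORES else "UNKNOWN"


def verdict_score(verdict):
    """Heuristic score for a verdict string, after normalisation."""
    return VERDICT_SCORES[normalize_verdict(verdict)]


def parse_report(report):
    """Return (verdict_section, indicator_subsections).

    verdict_section is the final verdict with its score (the ResultSection);
    indicator_subsections groups signal-group descriptions by verdict, one
    "<VERDICT> threat indicators" subsection each, highest score first."""
    final = normalize_verdict(report.get("finalVerdict", {}).get("verdict"))
    verdict_section = {
        "title": f"MetaDefender Sandbox verdict is {final}",
        "score": VERDICT_SCORES[final],
    }

    grouped = defaultdict(list)
    for group in report.get("allSignalGroups", []):
        description = str(group.get("description", "")).strip()
        if not description:
            continue  # nothing to show the analyst; skip empty groups
        grouped[normalize_verdict(group.get("verdict"))].append(description)

    subsections = [
        {
            "title": f"{verdict} threat indicators",
            "score": VERDICT_SCORES[verdict],
            "indicators": grouped[verdict],
        }
        for verdict in sorted(grouped, key=VERDICT_SCORES.__getitem__, reverse=True)
    ]
    return verdict_section, subsections


# Constructed sample report (not real sandbox output).
SAMPLE_REPORT = {
    "finalVerdict": {"verdict": "MALICIOUS"},
    "allSignalGroups": [
        {"verdict": "MALICIOUS", "description": "Known malicious file hash"},
        {"verdict": "suspicious", "description": "Contains obfuscated script"},
        {"verdict": "SUSPICIOUS", "description": "Drops executable to temp directory"},
        # Not in the README table: falls back to UNKNOWN (299).
        {"verdict": "INFORMATIONAL", "description": "File is a PE executable"},
        # Empty description: skipped.
        {"verdict": "MALICIOUS", "description": ""},
    ],
}


def main():
    section, subsections = parse_report(SAMPLE_REPORT)
    print(f"{section['title']} (score {section['score']})")
    for sub in subsections:
        print(f"  {sub['title']} (score {sub['score']})")
        for indicator in sub["indicators"]:
            print(f"    - {indicator}")


if __name__ == "__main__":
    main()
```

Scoring UNKNOWN at 299 keeps an unknown verdict just below Assemblyline's 300-point suspicious band, so a file the sandbox could not classify is reported as informational rather than suspicious; the fallback in `normalize_verdict` inherits that behaviour for verdict strings the table does not cover.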
Official and more detailed documentation is available here.