Demonstration/Walk-through

Using Glasswall’s File Drop, to Disarm a Malicious File

A malicious example

Max Bussell
Feb 3, 2020 · 3 min read

Glasswall’s file drop can be used to disarm malicious files. My colleague Matt Dignum has written a great technical blog on File Drop, that gets under the hood.

Glasswall’s File Drop can be found here: https://filedrop.glasswallsolutions.com/

Let’s begin with a malicious file. Luckily enough I have one to hand:

The easiest way to validate that the file is malicious before we begin processing it through Glasswall is to upload the file to the well-known site: https://www.virustotal.com/

Here we can see that 32 of the 58 partner vendors on Virus Total have a detection for our malicious sample. Interesting to note at this stage that the file has been on Virus Total for 9 months and not all the vendors are yet to have a detection for what is a known piece of malware.

Okay great let’s drag and drop the malicious file into Glasswall’s File Drop.

In the blink of an eye the file is processed, and the results are displayed on the screen. (Trust me this is lightening quick, but no need to take my word for it. See for yourself by trying Glasswall’s File Drop here)

Nice! We can see that Infected.doc contained the following Active Content: A Macro, DDE links (Dynamic Data Exchange) and some Metadata.

Along with a structural deviation in a jpg image within the doc: APP segment removed.

Let’s download the protected file and check in with Virus Total to validate the result. In case you wasn’t sure a Glasswall protected file has gone through the rigorous d-FIRST process, which I explain in an earlier blog post here. TLDR: Glasswall regenerates a file to a safe standard of ‘known good’, enforcing the format’s structural specification and eradicating high-risk active content. Great let’s download the protected file!

Now it’s time to upload the protected and trusted file to Virus Total to validate the outcome.

Here we can see that all the partner vendors on Virus Total deem our new protected and trusted file not to be malware. All report ‘Undetected’ which Virus Total support defines as Undetected: The given engine does not detect the file as malicious.

https://support.virustotal.com/hc/en-us/articles/115002719069-Reports

This definitely warrants changing the name of our now safe and trusted infected.doc file…

Much better!

Here is a short video which demonstrates the use the File Drop website: https://www.youtube.com/watch?v=K37Hi3SYGMU

Glasswall - Safety and Integrity Through Trusted Files.

Glasswall Engineering

Glasswall Engineering's blog on our technical innovations…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store