Using Glasswall's File Drop to Disarm a Malicious File
Glasswall's File Drop can be used to disarm malicious files. My colleague Matt Dignum has written a great technical blog on File Drop that gets under the hood.
Glasswall’s File Drop can be found here: https://filedrop.glasswallsolutions.com/
Let’s begin with a malicious file. Luckily enough I have one to hand:
The easiest way to validate that the file is malicious before we begin processing it through Glasswall is to upload the file to the well-known site: https://www.virustotal.com/
Here we can see that 32 of the 58 partner vendors on Virus Total have a detection for our malicious sample. It is interesting to note at this stage that the file has been on Virus Total for 9 months and still not all of the vendors have a detection for what is a known piece of malware.
Okay, great, let's drag and drop the malicious file into Glasswall's File Drop.
In the blink of an eye the file is processed, and the results are displayed on the screen. (Trust me, this is lightning quick, but there is no need to take my word for it. See for yourself by trying Glasswall's File Drop here.)
Nice! We can see that Infected.doc contained the following Active Content: a macro, DDE (Dynamic Data Exchange) links and some metadata.
Along with that, a structural deviation in a JPEG image within the doc: APP segment removed.
Let's download the protected file and check in with Virus Total to validate the result. In case you weren't sure, a Glasswall protected file has gone through the rigorous d-FIRST process, which I explain in an earlier blog post here. TLDR: Glasswall regenerates a file to a safe standard of 'known good', enforcing the format's structural specification and eradicating high-risk active content. Great, let's download the protected file!
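To make the "APP segment removed" deviation and the regeneration idea concrete, here is an added example of my own (not Glasswall's engine or its d-FIRST code): it walks a JPEG's marker segments, verifies their declared lengths, and rebuilds the file without the APPn metadata segments. The sample JPEG bytes are constructed for the demo, and the JFIF header is kept only as a design choice of this illustration.

```python
import struct
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APPN = range(0xE0, 0xF0)  # APP0..APP15: JFIF, EXIF, XMP, ICC, Photoshop, Adobe...

def parse_segments(data: bytes):
    """Yield (marker, raw_bytes) per marker segment. The scan (SOS to EOI) is one
    chunk: 0xFF in scan data is stuffed as FF 00 or an RSTn, so FF D9 there is EOI."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            yield EOI, data[pos:pos + 2]
            return
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:
            end = data.find(b"\xFF\xD9", end)  # skip the entropy-coded scan data
            if end < 0:
                break
        yield marker, data[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no EOI")

def strip_app_segments(data: bytes, keep_jfif: bool = True):
    """Rebuild the file without APPn segments; returns (new_bytes, removed_names).
    APPn payloads are not needed to decode pixels; JFIF APP0 is kept by default."""
    out, removed = bytearray(), []
    for marker, seg in parse_segments(data):
        is_jfif = marker == 0xE0 and seg[4:9] == b"JFIF\x00"  # payload starts at seg[4]
        if marker in APPN and not (keep_jfif and is_jfif):
            removed.append(f"APP{marker - 0xE0}")
            continue
        out += seg
    return bytes(out), removed

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (SOI, APP0 JFIF, APP1 EXIF, DQT, SOF0, SOS, stuffed scan, EOI):
# structurally valid for a segment walker, but not a decodable image.
_EXIF = b"Exif\x00\x00constructed-exif-payload"
SAMPLE_JPEG = (b"\xFF\xD8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(0xE1, _EXIF) + _seg(0xDB, bytes(65)) + _seg(0xC0, bytes(15))
               + _seg(0xDA, bytes(10)) + b"\x12\x34\xFF\x00\x56" + b"\xFF\xD9")
```

Running `strip_app_segments(SAMPLE_JPEG)` returns the file with only the APP1 EXIF segment dropped, while a malformed length field or a missing EOI raises instead of producing output, which is the "enforce the specification" half of regeneration.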
Now it’s time to upload the protected and trusted file to Virus Total to validate the outcome.
Here we can see that all the partner vendors on Virus Total deem our new protected and trusted file not to be malware. All report 'Undetected', which Virus Total support defines as: "Undetected: The given engine does not detect the file as malicious."
This definitely warrants changing the name of our now safe and trusted infected.doc file…
Here is a short video which demonstrates the use of the File Drop website: https://www.youtube.com/watch?v=K37Hi3SYGMU
Glasswall - Safety and Integrity Through Trusted Files.