Content & Malware Analysis

  • 1.  CAS detonation capabilities

    Posted Aug 21, 2020 04:26 AM
    Hi everyone

    Maybe some of you know how many maximum URL detonations the CA S500-A1 can perform in one task?


    Thank you and best regards


  • 2.  RE: CAS detonation capabilities

    Broadcom Employee
    Posted Aug 27, 2020 03:19 PM
    Hi Jakub,

    The Sandbox is going to analyze one URL per task. You can submit multiple URLs as a task, but the CAS will divide them up into individual tasks - so submitting 1 task with 6 URLs will result in 6 tasks.


    As far as how many you could submit at a time, there isn't a hard limit, but there may be adverse effects from any device waiting for a response from the sandbox, as the other URLs will be added to the queue.

    Hope this helps!



  • 3.  RE: CAS detonation capabilities

    Posted Aug 31, 2020 03:23 AM
    Hi Jacob

    Thank you for your answer, and I have another question.
    What about a case like dropping a file in .pdf or .word format with URLs inside? Will the URLs in this file also be analyzed separately, per task?



  • 4.  RE: CAS detonation capabilities

    Broadcom Employee
    Posted Aug 31, 2020 11:40 AM
    Hi Jakub,

    Thank you for your question. First, let me stress that the CAS was built as a file analyzer, and not a URL analyzer, and so its functionality is built on analyzing files, and the behavior of a file when it is open. 

    When a file is detonated in the sandbox, unaided by a python script, it is simply opened. That is it. If you open a file in Windows, and it doesn't start automatically opening every URL in the document, don't expect anything different out of the sandbox. The ability to have any different results is going to depend on your knowledge of Windows and your knowledge of Python.

    As you may be aware, you can use Python scripts with your detonation. (More on the structure here). There are a few that come with the CAS, such as ghost_user.py, which helps navigate installers. You can also customize Windows itself with certain behaviors. In order to have URLs opened on any .pdf or word doc that you drop, you would need to come up with a way using those constraints. I currently haven't seen it done before, so I couldn't tell you how to do it, or whether it is possible.

    If you were able to accomplish it though, it would count as one detonation, and be one task. Do note that the default timeout on the sandbox is set for 60 seconds, and so if you put too many URLs in, they might not all detonate.

    Hope this helps!





  • 5.  RE: CAS detonation capabilities

    Posted Sep 08, 2020 02:43 AM
    Thank you very much for your help.



    Thank you once again and best regards