Brian Girardi


Blog Post created by Brian Girardi Employee on Sep 7, 2017

Dynamic analysis. Sandboxing. Is that all we got? Am I right?!?


Fact. Sandboxing is a necessity to understand malware behavior. It’s the defacto standard for our industry. However, for the average enterprise security team it feels overwhelming to consistently operationalize. In addition, for security vendors trying to keep up with the millions of samples that emerge daily, the infrastructure and expense needed to support and scale long-term may have no ceiling. Thousands of virtual hosts, running for several minutes each, not to mention deception techniques, dynamic IoC's, etc., etc., etc., the long-term math to keep ahead of the malware problem just doesn’t seem to add up.


The concept for What's this file? was born from that perspective. Can we accurately detect and classify known and unknown malware without ever executing it? It seemed like a worthy challenge for RSA Labs.


RSA Labs developed novel techniques to identify and classify malware, and we packaged them into a cloud service that operates like your typical multi-scanner, but its FAR from typical in approach. In addition, we bundled in a light-weight static-analysis UX to round out what we believe is a useful tool for security analysts.


What makes What's this File? different from other multi-scanner type services is:

  1. WTF does not execute the samples you submit.
  2. WTF does not use AV engines for analysis.
  3. WTF uses patented Attack Vector Inspection to identify malware droppers.
  4. WTF uses patented Malware Genealogy to identify malware from its descendants.
  5. WTF gives the analyst the ability to inspect hundreds of extracted file characteristics.


We would greatly appreciate your feedback on its effectiveness, we think it is pretty cool! If you can fool the service let us know. And, WTF is free to use!



Brian Girardi
VP, RSA labs