Dynamic and static analysis with Sandboxie for Windows, including EDR, ClamAV, YARA-X, custom machine learning AI, behavioral analysis, NLP-based detection, website signatures, Ghidra, Suricata, Sigma, and much more than you can imagine.
This project is licensed under the GNU Affero General Public License v3.0 (AGPLv3).
See the LICENSE file for more information.
- After you reset, please enable test signing mode to allow the driver to install; otherwise, the EDR will not work.
- You have to set (manually, of course) mega_optimization_with_anti_false_positive=True if you don't care about false positives and optimization. This setting is true because every antivirus on VirusTotal avoids false positives this way.
- Pe header removed: https://www.virustotal.com/gui/file/9b7e921e971fe7523ba83a4599b4006ad214854eb043372129e4f5a68c5a427f
- Original: https://www.virustotal.com/gui/file/1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- What is the difference, and why does YARA still flag it as malware? Because your YARA rule doesn't check for unknown file types; I only removed the PE header and detections dropped to 0. So this god-mode rule will save this antivirus right now!
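The PE-header point above, as an added example that is not the project's code: a Python emulation of a YARA condition gated on the PE header next to one that matches content only, run over a constructed sample and the same bytes with the header removed. The indicator string and the sample layout are constructed, not taken from the repo.

```python
# Added example, not code from the HydraDragonAntivirus repo: a YARA-style rule
# whose condition is gated on the PE header misses a file whose header has been
# removed, while a content-only condition still matches. All bytes are constructed.

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# Constructed stand-in for the indicator string a real rule would look for.
INDICATOR = b"constructed-malicious-marker"

def has_pe_header(data: bytes) -> bool:
    """Python equivalent of the usual YARA guard
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC

def rule_pe_gated(data: bytes) -> bool:
    """Rule that fires only on valid PE files (header guard AND indicator)."""
    return has_pe_header(data) and INDICATOR in data

def rule_content_only(data: bytes) -> bool:
    """Rule that ignores the file type (indicator only)."""
    return INDICATOR in data

def build_sample() -> bytes:
    """Constructed minimal PE-like blob: DOS header, PE signature, then a body."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE signature follows DOS header
    return bytes(dos) + PE_MAGIC + b"\0" * 20 + INDICATOR + b"\0" * 8

def strip_pe_header(data: bytes) -> bytes:
    """The header-removal case from the note: drop DOS header and PE signature."""
    return data[0x40 + len(PE_MAGIC):]

def compare() -> dict:
    """Run both rules over the original and the header-stripped sample."""
    original = build_sample()
    stripped = strip_pe_header(original)
    return {
        "pe_gated_original": rule_pe_gated(original),      # True
        "pe_gated_stripped": rule_pe_gated(stripped),      # False: the gap the note describes
        "content_original": rule_content_only(original),   # True
        "content_stripped": rule_content_only(stripped),   # True: still detected
    }

if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name}: {'MATCH' if hit else 'miss'}")
```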
- If you want Meta Llama 3.2-1B, you need to download it from the releases. We didn't include the optional feature to reduce size.
- Meta Llama 3.2-1B Location: Copy the contents of meta-llama.7z to the following directory: %ProgramFiles%\aHydraDragonAntivirus\hydradragon\meta-llama
- Please allow a minimum of two hours (local time) for the antivirus to fully decompile the file and complete its analysis. Otherwise, it cannot achieve a 90%+ detection rate against fresh samples with fewer false positives.
- Malware Database: Download Link
- Benign Database: Download Link
- Note: Only contains PE files.
- Password: infected
- Install the malicious (datamaliciousorder) and benign (data2) databases, then install requirements.txt for train.py and just run train.py in the same folder as datamaliciousorder and data2.
- You can compile YARA-X and YARA from the yara folder. The website database does not need to be compiled. See the machine learning training guide to compile the machine learning database. To compile antivirus.py, install requirements.txt and use assets/HydraDragonAV.png, then change the paths based on your installed folder of HydraDragonAntivirus. After compiling the machine learning database and YARA, look at compiler.iss and replace the code to match your installed environment; you can find the other files in the repo, like the hydradownload folder, and then compile it. It's done! Now you are ready to release your fork of HydraDragonAntivirus.
- I am now using Ghidra 11.4.1: https://ghidra-sre.org/
- Setup file on release HydraDragonAntivirus.exe
- You must look at critical alerts in the logs. They usually contain malware detections. Log files are in %ProgramFiles%\aHydraDragonAntivirus\hydradragon\log\antivirus.log and C:\Sandbox\yourusername\DefaultBox\drive\C\DONTREMOVEHydraDragonAntivirusLogs
- Ghidra: %ProgramFiles%\aHydraDragonAntivirus\hydradragon\ghidra
- Ghidra Run: %ProgramFiles%\aHydraDragonAntivirus\hydradragon\ghidra\ghidraRun.bat
- Ghidra log: %ProgramFiles%\aHydraDragonAntivirus\hydradragon\ghidra_logs\analyze.log
- Ghidra projects: %ProgramFiles%\aHydraDragonAntivirus\hydradragon\ghidra_projects
- Ghidra scripts: %ProgramFiles%\aHydraDragonAntivirus\hydradragon\scripts
- Any logs will be removed when you restart the programme. So be careful!
- Don't forget to clean up the commandlineandmessages, HiJackThis_logs, zip_extracted, etc. directories and the Sandboxie directories before analysis, or take a snapshot before running the program.
- You have to restart the program after the analysis.
- Please don't share your IP in the logs.
- Make sure that the ClamAV database is installed without problems.
- We strongly recommend that you take a snapshot and then go back when you have finished your work.
- Don't forget to take a HiJackThis report with logs (and update the signatures first) before starting the scan to detect malware for the final analysis.
- The final analysis doesn't clean anything, so don't start a new scan afterward; it is only for detecting post-injection changes using HiJackThis. Please don't terminate the sandbox environment.
- The new HiJackThis analysis removes the previous analysis file from the sandbox environment.
- Make your username hydradragonav (for example).
- Don't forget to create the 'DefaultBox' folder if it was deleted, by right-clicking on Sandboxie Control and selecting 'Explore Contents'.
- The installer also includes daily.cvd, main.cvd, bytecode.cvd due to download issues with the ClamAV database.
- Here is the server link: https://discord.gg/Rdyw59xqMC
- Create many files to detect ransomware.
Note 1:
- You need to create a DefaultBox in Sandboxie by running it once with a random application. Also, please clean the DefaultBox items each time you scan.
Note 2:
- Allow Java on the Windows firewall, as it'll decompile the PE file.
Note 3:
- If you find an issue, please create an issue. Antivirus software might be triggered by website signatures because they are not obfuscated, so exclude the %ProgramFiles%\aHydraDragonAntivirus\hydradragon folder. Please only use it in a VM, as it is meant only for deep analysis of a file. There is no fixed analysis time for a file.
Note 4:
- https://www.rathlev-home.de/index-e.html?tools/prog-e.html#unpack
- https://github.com/glmcdona/Process-Dump/releases/tag/v2.1.1
- I used these projects to decompile (with a current custom database of Detect-It-Easy).
- I used these projects for AI.
- I used these projects for EDR.
Note 5:
- You will need an internet connection to install. It's not an offline installer.
Note 6:
- Don't forget to do a clean up, as it takes up too much space while processing files against ransomware, etc.
- You need a lot of storage because it logs everything.
Note 7:
- I have collected every malicious IP and domain from the Internet, so there must be big false positives, but I handle them.
Note 8:
- I added en_core_web_md manually to %ProgramFiles%\aHydraDragonAntivirus\hydradragon. You can find the spaCy path with codechecker\spacyfind.py, but you need to rename the en_core_web_md folder that contains config.cfg: for example, if the version is 3.7.1, it contains a subfolder en_core_web_md.3.8.0.
- Also, you need to run "spacy download en_core_web_md".
Note 9:
- If you are testing a rootkit, please do not enable "bcdedit testsigning on" to run the rootkit on your machine for analysis. We will take care of that.
Note 10:
- HiJackThis version: 3.4.0.17 Beta
- HiJackThis source code: https://github.com/dragokas/hijackthis
Note 11:
- HydraDragonAntivirusSandboxie vcpkg install commands:
- vcpkg install detours
- vcpkg install libarchive
- vcpkg integrate install
Note 12:
- Inno Setup version 6.4.3
Note 13:
- Surprisingly, when I dump the process using this method (with pymem and psutil), the GuLoader malware fails to detect the virtual machine and proceeds to install the malware as if it were running on a real system. It behaves just like it would on a physical machine. This is likely an unexpected anti-anti-VM side effect.
- Tool used: https://github.com/glmcdona/Process-Dump/releases/tag/v2.1.1
Tip 1:
- Don't use suspicious VM names on your machine. (victim, etc.)
Tip 2:
- Use VSCode, VSCodium, or another editor to see live changes to .log files if you're on Windows 10, because Windows 11 Notepad automatically detects changes.
Tip 3:
- Close the Windows Firewall on the VM to avoid any firewall blocking.
Tip 4:
- Try resetting the container if the malware tries to reboot the PC.
Tip 5:
- Run HiJackThis once outside of the sandbox to avoid being asked to accept the license agreement every time.
Tip 6:
- If your program requires command-line arguments, follow these steps:
  - Run the program normally. It will exit immediately because no arguments were supplied.
  - Open Sandboxie Control, right-click the DefaultBox, and select Run Any Program.
  - Browse to the application executable.
  - Enter the required arguments in the Command line field.
  - Click OK to launch the program inside Sandboxie with the correct arguments.
- HIPS detection won't work if you don't open internet access in Sandboxie (the installation already changes Sandboxie.ini for you). To enable it, go to: Sandbox -> DefaultBox -> Sandbox Settings -> Restrictions -> Internet Access -> click "Block All Programs", then click "Allow All Programs", then save it and you're done! https://sandboxie-plus.com/sandboxie/restrictionssettings/
Does this collect data?
- No. We can allow GridinSoft and many other companies to collect data. Unlike other companies, they freely allow the use of their cloud, but I'm not allowing that.
How do I use it?
- Just run the shortcut from the desktop, then run advanced dynamic and static analysis on a file.
How good is it?
- It's very good at static analysis, better than Dr.Web and Comodo, but Norton and Kaspersky are on par with my product at static analysis. In dynamic analysis, it is excellent at detecting unknown malware and clearly better than ClamAV in static analysis. ClamAV doesn't have dynamic analysis. It's the best Turkish and open source malware analysis product but it's very aggressive.
Why does my antivirus detect this as malware?
- It's a false positive. It contains the website and HIPS signatures without obfuscation. It's a fully open source antivirus product.
Why is it 2GB+?
- Because of website signatures, Ghidra, ClamAV and the Java Development Kit. Website signatures are not very effective, but they can detect old and new viruses. I can remove them if you want. Ghidra is for decompiling but takes too much space. The Java Development Kit is for Ghidra. That's 1GB+, but Llama 3.2-1B makes a total of 3GB+. Note that it's a completely local (except for database updates and cloud checking of known files) and professional open source antivirus.
Why does the antivirus.exe application take too long to run?
- Sometimes you may have to wait 5+ minutes (or less) the first time you run the programme, as a lot of things load.
Which Windows versions are supported?
- (Python 3.12 is required because spaCy does not yet have a stable release for Python 3.13.) Windows 10 64-bit and Windows 11 only (you can run ClamAV, but you can't run HydraDragonAntivirus on Windows 8.1, and it's not supported). If you want, I can create a 32-bit version for Windows 10 32-bit, but I faced some problems. ClamAV has limitations on 32-bit, so it's problematic. On Windows 8.1, ClamAV isn't supported because it's an outdated Windows version. You will get the api-ms-win-crt-runtime-l1-1-0.dll error. Even if you add this DLL, you will get another error: "Application failed to start properly (0xc000007b)." Then install this: Microsoft VC Redist. After running %ProgramFiles%\ClamAV\freshclam.exe and clamd.exe with clamd --install, the setup is complete, but you can't run HydraDragonAntivirus on Windows 8.1 because you get an ImportError on line nine due to PySide6.
- If you still want support for Windows 7, you will need to manually downgrade to Python 3.8 and many tools. 32-bit support is possible. Windows XP support is also possible through the One Core API.
What are the minimum RAM and disk space requirements?
- A minimum of 8 GB of RAM is required: 3 GB is used by ClamAV, and the remaining 5 GB is used by other engines.
Any sponsors or supporters?
- Yes, there are supporters for this project. Xcitium (Comodo) has expressed interest in supporting this project by providing malware samples, as have the Cisco Talos ClamAV community projects. But it's still a one-man project.
Are you using leaked YARA rules?
- No, we don't, but if you have proof, please create an issue and we can remove it.
Why don't you use NictaSoft, GridinSoft and Bitdefender cloud?
- It could significantly boost my antivirus. However, there are some problems. These services are not open source unless you pay. We're not only focused on detection, but also committed to maintaining open-source principles.
Other related repositories?
- I used https://github.com/HydraDragonAntivirus/yarGen to create machinelearning.yar.
How many repositories did you look at for this project?
- For YARA and website signatures, I looked at many projects—possibly more than 1,000.
- All credit goes to Emirhan Uçan.