Under the Hood of Dr.Web vxCube

The analyzer consists of several components and services that interact with each other. The architecture of the product is illustrated in the picture below.

vxCube Web App
The main application, which provides a convenient interface for interacting with a file analysis system. It also supports an API to automate file analysis tasks. It also includes a Python library  for convenience.

vxCube Flow API
The component that distributes file analysis tasks among different services. It helps integrate new services into the analysis system.

Windows Sandbox Service
A virtual environment to run files on the Windows OS. This virtual machine is a modified hypervisor that uses built-in function hooks and hardware virtualization technology.

Linux Sandbox Service
A service for dynamic analysis of ELF files. Files are run on a virtual machine with the required architecture and bitness, and all events are logged by a special driver installed on the virtual machine.

Android Sandbox Service (optional)
A virtual environment to run files on the Android OS. A unique implementation of an Android OS image.

Analyser Service
A service that analyzes file behavior recorded on a virtual machine. It assesses the maliciousness and generates descriptions (in a text format, MAEC, or STIX).

Dr.Web Scan Service
A service that scans files and memory dumps created after running a sample.

The components transfer files through the common Storage (as illustrated on the picture above), implemented as an FTP server. To store data about users and analysis results, the service uses the PostgreSQL database. The RabbitMQ message broker transfers tasks between services.

For utmost security, each virtual machine has its own isolated network space and uses a VPN server for internet access. To ensure correct operation of Dr.Web vxCube, VPN server must be configured manually. For more information, see Appendix C. Configuring a separate VPN server.