The cb-wildfire-connector doesn't currently make efficient use of the API. It supports wildfire analysis for a maximum of 4 simultaneous files at a time. If those 4 files happen to take 15 mins each (the maximum analysis time for wildfire), then other files either aren't submitted to wildfire or get backed up waiting for analysis.
The wildfire API supports bulk checking of file hashes. It's possible to submit a list of hashes to wildfire and wildfire will return the current verdict or status for each hash. This is a much more efficient call than checking each hash individually repeatedly. Carbon Black could continually submit files to wildfire and add/remove the hashes for those files from the aforementioned list as verdicts are rendered. This also has the added benefit of allowing CB to keep submitting files to wildfire without waiting for one of the 4 threads to be freed up to analyze the next file.
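The bookkeeping the issue proposes, as an added Python example that is not the connector's code: a pending-hash set that is bulk-checked each polling round, with hashes removed as soon as a verdict is final, so submission never waits on a fixed pool of 4 analysis slots. The WildFire endpoint is replaced by a constructed stub; the 500-hash batch size and the "pending" status label are assumptions, not values taken from the real API.

```python
from typing import Callable, Dict, List, Set

PENDING = "pending"  # assumed label for "analysis still running"; anything else is a final verdict

class VerdictTracker:
    """Holds hashes awaiting a verdict and resolves them with one bulk call per batch."""
    def __init__(self, batch_size: int = 500):  # assumed per-request hash limit
        self.batch_size = batch_size
        self.pending: Set[str] = set()
        self.verdicts: Dict[str, str] = {}

    def submit(self, sha256: str) -> None:
        # Submitting never waits for a free analysis slot; the hash is just recorded.
        if sha256 not in self.verdicts:
            self.pending.add(sha256)

    def poll(self, bulk_lookup: Callable[[List[str]], Dict[str, str]]) -> Dict[str, str]:
        """One polling round: bulk-check every pending hash and drop those now final."""
        resolved: Dict[str, str] = {}
        queue = sorted(self.pending)
        for i in range(0, len(queue), self.batch_size):
            for h, verdict in bulk_lookup(queue[i:i + self.batch_size]).items():
                if verdict != PENDING:
                    resolved[h] = verdict
        self.verdicts.update(resolved)
        self.pending.difference_update(resolved)
        return resolved

class FakeWildFire:
    """Constructed stand-in for the bulk verdict endpoint, not the real WildFire API."""
    def __init__(self, rounds_needed: Dict[str, int], final: Dict[str, str]):
        self.rounds_needed, self.final, self.calls = rounds_needed, final, 0

    def bulk_verdicts(self, hashes: List[str]) -> Dict[str, str]:
        self.calls += 1  # one round-trip per batch, however many hashes it carries
        return {h: self.final[h] if self.calls >= self.rounds_needed[h] else PENDING for h in hashes}

def run_demo() -> List[int]:
    """Submit 6 files at once (more than 4 slots); return the pending count after each round."""
    hashes = [f"{i:064x}" for i in range(6)]  # constructed sample SHA-256 values
    wf = FakeWildFire({h: 1 if i < 2 else 3 for i, h in enumerate(hashes)},
                      {h: "malware" if i % 2 else "benign" for i, h in enumerate(hashes)})
    tracker = VerdictTracker()
    for h in hashes:
        tracker.submit(h)
    counts = []
    while tracker.pending:
        tracker.poll(wf.bulk_verdicts)
        counts.append(len(tracker.pending))
    return counts  # [4, 4, 0] after three bulk calls
```

Six files go through three bulk round-trips in total instead of six files' worth of per-hash polling, and the two fast verdicts are released while the slow four are still under analysis.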
This is something we can definitely take a look at as we build a new binary analysis framework for Cb ThreatHunter and beyond - cc'ing @askthedragon and @smultani to put this into the idea queue.