Profiler

Cerbero Profiler is a tool designed primarily for malware and forensic analysis. It supports a huge number of file formats (listed below) on which it performs analysis and lets the user inspect their internal layout. Profiler is often used to identify 0-day threats and personal information inside of files. However, given the scale of the project, it has many other uses and we encourage you to visit our blog in order to see Profiler in action.

Some of the file types supported by Profiler are:

APK, APNG, AXML, BMP, BZ2, CHM, CLASS, DEX, DIB, DLL, DOC, DOCX, ELF, EOT, EXE, GIF, GZIP, JAR, JPEG, JSE, LNK, LZMA, MACH-O, MSI, O, OCX, ODT, OTF, PDB, PFB, PNG, PPS, PPT, PPTX, PRX, PUFF, RAW, RTF, SO, SQLITE3, SWF, SYS, T1, T2, TIFF, TORRENT, TTC, TTF, VBE, WOFF, XDP, XLS, XLSX, XML, ZIP

Product information

Cerbero Profiler represents a new approach to security and file analysis. It is not an antivirus, nor does it behave like one; instead, it creates a profile of a scanned file by identifying threats and privacy issues, and exposes this profile to the user along with warnings and other information. It is mainly intended for security and forensic analysis. However, it can also be used by intermediate and advanced users: an inexperienced user might not be able to evaluate the risk of JavaScript code, but a system administrator can. This makes the software accessible to companies outside of the security industry as well. On top of that, the product offers an easy risk evaluation so that even users with little experience can benefit from it.

The main intent of Profiler is the analysis of 0-day exploits and private information contained in files. The key point is the interaction with the user who can evaluate in detail any issue discovered by Profiler and perform further inspection on the file. Another important feature is the ability to analyze embedded or referenced files, since in many cases the security issue may not be in the originally scanned file, but in a file contained in or referenced from it (a simple case would be a JPEG disclosing geolocation information embedded into a PDF). The analysis of one or more files can be saved into projects which may also include a copy of the files themselves.

Features

This is a list of some relevant features of Profiler. Please note that it is not possible to enumerate all features because of the complexity and ongoing improvement of the product.


  • Various scan modes
    • Single file scan
    • Directory scan
    • Full and custom disk scan
  • Fast multithreaded profiling
  • Automated updates
  • Large file support
  • Identification of, among many other things:
    • Embedded files
    • Personal information
    • Parsing issues
    • Possible shellcode
    • Unused, unreferenced or custom data
      • Entropic analysis of foreign data
    • Metadata
    • Scripting and bytecode
  • File format view
  • Extraction of C++ types via Clang
    • Support for all advanced C++ type features
  • Supported file formats:
    • Android Application Package (APK)
      • Binary XML converter
    • Compound File Binary Format (DOC, XLS, PPT, MSI, etc.)
      • Visual Basic Application code extraction
      • DOC safe text preview
    • Compression formats (GZIP, BZIP2, LZMA)
    • Dalvik Executable (DEX)
      • Dalvik disassembler
      • Layout ranges
    • Device Independent Bitmap (DIB, BMP)
    • Executable and Linkable Format
      • Preliminary support
    • Fonts
      • Compact Font Format (CFont)
        • Type1 and Type2 disassembler
      • Embedded Open Type (EOT)
        • TrueType converter
        • MicroType Express (cvt, hdmx, VDMX tables not rebuilt)
      • Open Type (OTF)
        • TrueType bytecode disassembler
        • Compact Font Format
      • Tag Image File Format (TIFF)
      • TrueType (SFont, TTF)
        • TrueType bytecode disassembler
      • TrueType Collection (TTC)
      • Type1 (T1, PFB)
        • Type1 disassembler
      • Web Open Font Format (WOFF)
        • TrueType converter
    • Graphics Interchange Format (GIF)
    • Info-Tech Storage Format (CHM, CHI, CHQ, CHW, etc.)
    • Java Class (CLASS)
      • Class bytecode disassembler
      • Layout ranges
    • Joint Photographic Experts Group (JPEG)
    • Mach-O (App, Kext, DyLib)
      • Universal binaries
      • Apple code signatures
      • Apple binary protection
    • Program Database (PDB)
      • Types extraction
    • Portable Document Format (PDF)
      • Decryption
      • JavaScript extraction
      • Object search
    • Portable Executable (PE, EXE, DLL, SYS, OCX, etc.)
      • Analysis
      • Layout ranges
      • Embedded resources validation and analysis
      • Embedded resources preview
      • Digital certificates validation
      • Full format support
      • MSIL disassembler
    • Portable Network Graphics (PNG, APNG)
    • Rich Text Format (RTF)
      • OLE extraction
      • Safe text preview
    • Shockwave Flash (SWF)
      • ActionScript2 disassembler
      • ActionScript3 disassembler
    • SQLite3
      • Tables inspection
      • Free pages inspection
    • Torrent
    • Windows Encoded Scripts (VBE, JSE)
    • Windows Lnk (LNK)
    • XML Data Package (XDP)
      • Embedded PDF extraction
      • JavaScript extraction
    • XML
    • Zip Archive (ZIP: covers many file extensions)
      • Decompression: Deflate, BZIP2, LZMA
      • Decryption: ZipCrypto, WinZip AES
      • Zip bomb detection
      • Incomplete archives support
  • Advanced report saving functionality:
    • Generate reports for millions of files
    • Include the scanned files into the report project itself
    • Optional compression
    • Optional symmetric encryption
  • Powerful Python 3 SDK
    • Custom scripts
    • Access to core classes
    • Access to format classes
    • Access to filters
    • User defined actions
    • Action configuration
    • Hooks
    • Key providers
    • Logic providers
    • Scan providers
    • Use of imported C++ types
    • Creation of new views
    • Output console
    • Command line
    • Capstone support
    • libmagic support
    • YARA support
  • Powerful filter technology including:
    • Conversion algorithms
    • Compression algorithms
    • Encryption algorithms
    • Cryptographic hashes
    • Disassemblers
    • Capability to apply filters to embedded files
    • Range parameters
    • Sandboxed Lua scripting
  • Plugins and actions
    • JavaScript beautifier
    • JavaScript debugger
    • Pastebin upload
    • XML indenter
    • Entropic analysis
  • Embedded file analysis
    • Custom embedded files (with optional filters)
  • Intuitive workspace
    • Advanced and customizable hex view
      • Visualization of data ranges
    • Plots and pie charts
    • Easy risk evaluation
    • Syntax highlighting
    • Media preview
    • Global and individual bookmarks
      • Analysis view jump
    • Global and individual file notes
    • Dock-based interface with navigability
  • Cryptographic hashes
  • Advanced password input dialog
  • Name unmangling
    • Visual C++
    • GCC 3 & 4
  • Tools
    • Header Manager
      • C++ types importer via Clang
      • Explorer
    • Full-fledged JavaScript debugger
  • 3rd Party Libraries
    • Capstone (including Python bindings)
    • libmagic (including Python bindings)
    • YARA (including Python bindings)
  • This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)