Frequently asked questions
Is it possible to automate the submission of samples to Anubis?
Yes. There are two ways.
- You can use this Python script. It accepts a filename as argument and an
optional email address, and it should run under all operating systems that
have a Python interpreter. For its exact usage, please have a look at the
comment at the top of the script.
- We also offer a Norman- and CWSandbox-compatible submission URL. If you
already have automatic submission to one of these services in place, this
will probably be the easiest way for you (e.g. if you are using the
norman-submit handler of nepenthes). This URL is
http://anubis.iseclab.org/nepenthes_action.php.
What kind of files can I submit to Anubis?
Anubis will analyze all Windows executable files. When you upload a file to
the Anubis environment, it is executed by calling CreateProcess. Thus, it
does not matter what your file is called (or which file extension it has):
it is not a problem if your file is called, for example, postcard.txt, as
long as it is actually an executable.
What will not work, however, is a zipped or otherwise compressed executable:
Anubis will blindly try to execute it, so the analysis will not work as
expected (see also the next question). Note also that Anubis does not
currently support the analysis of (shared) libraries.
Anubis tries to analyze a program called ntvdm.exe, not the file I
uploaded. Why is that?
Anubis expects to analyze an executable (see the question above for details),
but you probably submitted a file that it fails to execute. This is what
happens: Windows notices that the file is not a valid executable and assumes
it is an old DOS program (which has no headers). In Windows XP, however, old
DOS programs are not executed directly; they are run inside the NT Virtual
DOS Machine (ntvdm.exe). That is why you see Anubis analyzing the process
ntvdm.exe.
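The two answers above amount to a submission rule: a file is only worth uploading if it is a real PE executable, whatever its name, and an archive, a headerless blob or a DLL will produce an ntvdm.exe analysis or no useful analysis at all. The following added script (not the Anubis project's own submission script, and not the Python script mentioned in the first question) checks that rule before a sample is handed to whatever automatic submission you use. It decides purely from the PE header layout; the IMAGE_FILE_DLL flag value is the documented one, and all sample files in it are constructed in memory for the demonstration.

```python
"""Pre-submission gate for Anubis samples (added example, not Anubis code).

Rules taken from the FAQ: Anubis runs the upload with CreateProcess, so the
name and extension are irrelevant; archives will not work; anything without
a PE header is treated by Windows as a headerless DOS program and ends up
being analyzed as ntvdm.exe; DLLs are not supported.
"""
import struct
import sys

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def classify(data: bytes) -> str:
    """Return 'pe-exe', 'pe-dll', 'archive' or 'not-pe' for a file's bytes."""
    if data[:2] == b"PK":  # ZIP local file header (also most self-extractors)
        return "archive"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) points at the 'PE\0\0' signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # COFF header follows the signature; Characteristics is its last
            # field: Machine(2) Sections(2) Time(4) SymPtr(4) NumSyms(4)
            # OptHdrSize(2) Characteristics(2) -> offset +18 after the signature.
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
    # No PE header: Windows treats the file as a headerless DOS program and
    # runs it under ntvdm.exe, the case described in the FAQ.
    return "not-pe"


def should_submit(data: bytes) -> bool:
    """Only a plain PE executable yields a meaningful Anubis report."""
    return classify(data) == "pe-exe"


def make_pe(characteristics: int) -> bytes:
    """Build a minimal constructed PE header (headers only, not a program)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)  # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed inputs mirroring the FAQ cases.
SAMPLES = {
    "postcard.txt": make_pe(0x0102),                   # a real EXE despite the name
    "helper.dll": make_pe(0x0102 | IMAGE_FILE_DLL),    # library: unsupported
    "sample.zip": b"PK\x03\x04" + b"\0" * 26,          # archive: will not run
    "oldstyle.exe": b"MZ" + b"\0" * 0x3E,              # MZ stub without PE signature
    "notes.bin": b"hello",                             # headerless -> ntvdm.exe
}


def report(name: str, blob: bytes) -> str:
    verdict = "submit" if should_submit(blob) else "skip"
    return f"{name}: {classify(blob)} -> {verdict}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:
        for name, blob in SAMPLES.items():
            print(report(name, blob))
```

Run it with one or more paths to gate real files, or with no arguments to see the verdict for each constructed case; only files reported as pe-exe are worth passing on to the submission script or the nepenthes handler.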
Is Anubis related to TTAnalyze in any way?
Yes. TTAnalyze is its predecessor.
Last Modified: 2009-12-14