ZeroRisk Sentinel v2.2

Advanced Threat Detection

A hybrid cybersecurity platform combining client-side analysis with backend-enhanced threat intelligence. Features YARA rule scanning, VirusTotal integration, AI-powered explanations, live browser sandbox analysis, file sandboxing, and multi-layered detection for files, URLs, and Android APKs.

3 scan types | 5 threat levels | Hybrid analysis mode | AI explanations | Sandbox for file + URL

What ZeroRisk Sentinel Does

ZeroRisk Sentinel is a comprehensive security analysis platform that inspects files, URLs, and Android applications for malicious indicators before execution. The system uses a hybrid architecture where client-side JavaScript performs initial analysis, while an optional Python backend provides enhanced threat intelligence through YARA rules, VirusTotal lookups, AI-powered explanations, and live sandbox analysis.

File Scanner

Analyze any file type for malware signatures, suspicious patterns, extension spoofing, and keylogger indicators.

File Sandbox

Execute files in an isolated environment to detect real-time malicious behavior, process injection, and network activity.

URL Analyzer

Check URLs against multiple threat databases with SSL/DNS analysis and optional Deep Scan sandboxing.

APK Inspector

Extract Android app permissions and metadata, and detect risky permission combinations.

File Analysis Engine

Multi-layered detection with backend-enhanced intelligence

1. YARA Rule-Based Detection

The backend employs YARA rules to identify malware families and suspicious patterns. When YARA is unavailable, the system falls back to built-in JavaScript pattern matching for keylogger signatures, code execution functions, and suspicious API calls.

  • Signature-based malware detection
  • Behavioral pattern matching
  • Automatic fallback to JS patterns
  • Tag-based categorization

// YARA match example
Rule: keylogger_windows_api
Tags: [surveillance, credential_harvest]
Severity: CRITICAL
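The fallback path described above (rule name, tags, severity, and an "N of these patterns" condition applied to strings pulled from the file) can be shown in working code. The block below is an added example, not code from ZeroRisk Sentinel itself; the rule table is constructed for illustration (only the keylogger_windows_api name and tags come from the page), and the sample bytes are a hand-built fake PE header followed by import-like strings, not a real binary.

```python
import re
from dataclasses import dataclass, field

SEVERITY_ORDER = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}


@dataclass(frozen=True)
class Rule:
    """A fallback rule: like a YARA rule, it fires when at least min_matches of its patterns hit."""
    name: str
    tags: tuple
    severity: str
    patterns: tuple       # regexes matched against the file's extracted strings
    min_matches: int = 1  # YARA-style "N of them" condition


# Constructed rule set: the page's keylogger rule plus two assumed rules for
# process-injection and process-creation API names.
RULES = (
    Rule("keylogger_windows_api", ("surveillance", "credential_harvest"), "CRITICAL",
         (r"SetWindowsHookEx", r"GetAsyncKeyState", r"GetKeyboardState", r"GetKeyState"), 2),
    Rule("process_injection_api", ("injection",), "HIGH",
         (r"VirtualAllocEx", r"WriteProcessMemory", r"CreateRemoteThread"), 2),
    Rule("process_creation_api", ("execution",), "MEDIUM",
         (r"\bShellExecute[AW]?\b", r"\bWinExec\b", r"\bCreateProcess[AW]?\b"), 1),
)


@dataclass
class Match:
    rule: str
    tags: tuple
    severity: str
    hits: list = field(default_factory=list)


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """strings(1)-style pass: printable ASCII runs plus UTF-16LE runs (common in PE imports and resources)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in wide_runs]


def scan_bytes(data: bytes) -> list:
    """Run every rule over the extracted strings; return matches, most severe first."""
    blob = "\n".join(extract_strings(data))
    matches = []
    for rule in RULES:
        hits = [p for p in rule.patterns if re.search(p, blob)]
        if len(hits) >= rule.min_matches:
            matches.append(Match(rule.name, rule.tags, rule.severity, hits))
    matches.sort(key=lambda m: SEVERITY_ORDER[m.severity], reverse=True)
    return matches


def format_match(m: Match) -> str:
    """Render a match in the same shape as the page's YARA match example."""
    return (f"Rule: {m.rule}\nTags: [{', '.join(m.tags)}]\n"
            f"Severity: {m.severity}\nHits: {', '.join(m.hits)}")


# Constructed sample: fake MZ header, then ASCII import names, then one UTF-16LE string.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"KERNEL32.dll\x00USER32.dll\x00SetWindowsHookExW\x00GetAsyncKeyState\x00\x00"
          + "WriteProcessMemory".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for m in scan_bytes(SAMPLE):
        print(format_match(m))
```

On the sample, only the keylogger rule fires: two of its four API names are present, while the injection rule sees just one of the two it requires, which is exactly the kind of "N of them" gating that keeps single common API names from producing alerts on their own.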
2. File Intelligence & Hashing

Every scanned file generates cryptographic hashes (MD5, SHA1, SHA256) that are checked against VirusTotal's database of known malware. The system also performs entropy analysis (0-8 scale) to detect packed or encrypted files, a common way of evading signature-based detection.

  • MD5, SHA1, SHA256 hash generation
  • VirusTotal hash lookup
  • Entropy analysis (detects packing)
  • Magic number file type detection

SHA256: a3f5c8...
Entropy: 7.8/8.0 (High)
VT: 12/70 engines flagged
Status: LIKELY PACKED
3. File Sandbox Analysis (Deep Scan)

Files can be submitted to a Hybrid Analysis sandbox for real-time execution monitoring. The sandbox executes the file in an isolated Windows environment and monitors all behavior including process spawning, network connections, file drops, and registry modifications.

  • Real-time execution in isolated VM
  • Process injection detection
  • Network activity monitoring
  • MITRE ATT&CK technique mapping
  • Dropped file analysis
  • Screenshot capture

// Sandbox Results
Verdict: MALICIOUS
Processes: 7 spawned
Network: 12 connections
MITRE: T1055 (Injection)
4. Extension Spoofing Detection

Detects malicious files disguised as harmless documents by comparing the actual file header (magic numbers) against the claimed extension. Identifies dangerous patterns like invoice.pdf.exe and RTL (Right-to-Left) override attacks.

// Suspicious file detected
Filename: report.docx.exe
Header: 4D 5A (Windows Executable)
[ALERT] Extension spoofing attack!
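The two local file-intelligence steps above (hashing plus entropy in section 2, magic-number versus claimed-extension comparison and RTL override detection in section 4) fit naturally in one pass over the bytes. The block below is an added example, not ZeroRisk Sentinel's own code: the magic-number table, the list of document and dangerous extensions, and the 7.2 packed-entropy cut-off are assumptions chosen for illustration, and the sample input is a constructed fake MZ header with a DOS stub, not a real executable.

```python
import hashlib
import math
from collections import Counter

# Assumed magic-number table: header bytes -> (type label, extensions that legitimately carry it)
MAGIC = (
    (b"MZ", "Windows Executable", {"exe", "dll", "scr", "sys", "cpl"}),
    (b"\x7fELF", "ELF Executable", {"elf", "so", ""}),
    (b"%PDF", "PDF Document", {"pdf"}),
    (b"PK\x03\x04", "ZIP Container (docx/xlsx/apk/jar)", {"zip", "docx", "xlsx", "pptx", "apk", "jar"}),
    (b"\x89PNG", "PNG Image", {"png"}),
)
DANGEROUS_EXTS = {"exe", "dll", "scr", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}   # assumed
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}  # assumed
RTL_OVERRIDE = "\u202e"   # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name is displayed
PACKED_THRESHOLD = 7.2    # assumed cut-off; the page reports 7.8/8.0 as "LIKELY PACKED"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the whole file, for VirusTotal-style hash lookups."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_type(data: bytes):
    """Identify the container by its leading bytes, ignoring the filename entirely."""
    for magic, label, exts in MAGIC:
        if data.startswith(magic):
            return label, exts
    return "Unknown", set()


def claimed_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_file(name: str, data: bytes) -> dict:
    """Local file-intelligence pass: hashes, entropy, header/extension agreement, spoofing tricks."""
    label, legit_exts = detect_type(data)
    ext = claimed_extension(name)
    parts = name.lower().split(".")
    findings = []
    if RTL_OVERRIDE in name:
        findings.append(("CRITICAL", "rtl_override", "U+202E in filename reverses the displayed extension"))
    if len(parts) >= 3 and parts[-1] in DANGEROUS_EXTS and parts[-2] in DOCUMENT_EXTS:
        findings.append(("CRITICAL", "extension_spoofing",
                         f"document-looking .{parts[-2]} hides executable .{parts[-1]}"))
    if legit_exts and ext not in legit_exts:
        findings.append(("HIGH", "header_mismatch",
                         f"header says {label} but the claimed extension is .{ext or '(none)'}"))
    ent = shannon_entropy(data)
    if ent >= PACKED_THRESHOLD:
        findings.append(("MEDIUM", "high_entropy", f"{ent:.2f}/8.0 suggests packing or encryption"))
    return {
        "filename": name,
        "type": label,
        "header": data[:2].hex(" ").upper(),   # e.g. "4D 5A" for an MZ header
        "entropy": round(ent, 2),
        "packed": ent >= PACKED_THRESHOLD,
        "hashes": file_hashes(data),
        "findings": findings,
        "status": "SUSPICIOUS" if findings else "NO LOCAL FINDINGS",
    }


# Constructed sample: a fake MZ header and DOS stub text, not a real executable.
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 32

if __name__ == "__main__":
    for fname in ("report.docx.exe", "invoice.pdf", "invoice\u202efdp.exe"):
        r = analyze_file(fname, SAMPLE_PE)
        print(fname, "|", r["type"], "|", r["status"], [f[1] for f in r["findings"]])
```

The three sample names exercise the three distinct tricks: a doubled extension that ends in an executable, a document extension sitting on an MZ header, and an RTL override that makes "invoice\u202efdp.exe" render as "invoiceexe.pdf" in most file managers. Because the check is keyed on the header rather than the name, renaming the file does not change the outcome.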
5. Quick Scan vs Deep Scan

Two analysis modes provide flexibility based on your needs. Quick Scan samples strategic file positions for rapid assessment. Deep Scan streams the entire file content and optionally submits to sandbox for thorough detection.

Quick Scan

Fast sampling of key file positions. Good for rapid triage of multiple files.

Deep Scan

Full file streaming + optional sandbox analysis. Detects hidden threats.

URL Security Analysis

Multi-source threat intelligence with live browser sandboxing

The URL analyzer performs comprehensive security checks by querying multiple threat intelligence sources and analyzing technical indicators. When the backend is unavailable, it gracefully falls back to local heuristic analysis. The optional Deep Scan feature provides live browser sandbox analysis.

Google Safe Browsing (Real-time API): Checks URLs against Google's database of known phishing, malware, and unwanted software sites.

URLHaus (Community Intel): Community-driven database of malware distribution URLs.

VirusTotal URL (70+ Engines): Aggregated scan results from 70+ security vendors and URL scanners.

SSL Certificate (Live Check): Analyzes SSL/TLS certificates for expiration, self-signing, and validity issues.

DNS Analysis (Multi-record): Queries A, MX, and TXT records, including SPF verification for email security.

Redirect Chain (Up to 5 hops): Follows HTTP redirects to detect suspicious redirect chains and final destinations.

AbuseIPDB (IP Intelligence): IP reputation and abuse report database, checked for known malicious hosts.

SecurityTrails (Domain Intel): Domain intelligence with subdomain enumeration and historical DNS data.
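Two of the checks above run without any threat-intelligence API: following the redirect chain (with the 5-hop limit) and the local heuristic fallback used when the backend is unreachable. The block below is an added example, not ZeroRisk Sentinel's own code. It takes the HTTP fetch as an injected callable so it runs offline against a constructed fake server table; the per-hop findings (scheme downgrade, cross-domain hop, loop, hop limit) and the host heuristics are assumptions, and the "registrable domain" helper is a deliberate last-two-labels simplification rather than a public-suffix-list lookup.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5   # the page's "Up to 5 hops" limit


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (assumed; no public suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])


def host_flags(url: str) -> list:
    """Local heuristics for a single URL, usable when no threat-intel backend is reachable."""
    p = urlparse(url)
    host = p.hostname or ""
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append(("MEDIUM", "ip_literal_host", "host is a bare IP address rather than a domain"))
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        flags.append(("MEDIUM", "punycode_host", "IDN host; check for homoglyph look-alikes"))
    if "@" in p.netloc:
        flags.append(("HIGH", "userinfo_in_url", "'@' in the authority hides the real host from a casual read"))
    if p.scheme == "http":
        flags.append(("LOW", "plain_http", "no TLS on the final destination"))
    if host.count(".") >= 4:
        flags.append(("LOW", "deep_subdomains", "unusually many subdomain labels"))
    return flags


def follow_redirects(url: str, fetch, max_hops: int = MAX_HOPS) -> dict:
    """Walk the redirect chain using an injected fetch(url) -> (status, location-or-None) callable."""
    chain, findings, seen = [url], [], {url}
    current = url
    while True:
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break                                      # reached the final destination
        if len(chain) - 1 >= max_hops:
            findings.append(("MEDIUM", "redirect_limit",
                             f"still redirecting after {max_hops} hops; final destination unresolved"))
            break
        nxt = urljoin(current, location)               # Location may be relative
        prev_p, nxt_p = urlparse(current), urlparse(nxt)
        if prev_p.scheme == "https" and nxt_p.scheme == "http":
            findings.append(("HIGH", "scheme_downgrade", f"hop {len(chain)}: https -> http"))
        if registrable(prev_p.hostname) != registrable(nxt_p.hostname):
            findings.append(("MEDIUM", "cross_domain_redirect",
                             f"hop {len(chain)}: {prev_p.hostname} -> {nxt_p.hostname}"))
        chain.append(nxt)
        if nxt in seen:
            findings.append(("HIGH", "redirect_loop", f"{nxt} already visited"))
            break
        seen.add(nxt)
        current = nxt
    findings.extend(host_flags(chain[-1]))
    return {"chain": chain, "final": chain[-1], "hops": len(chain) - 1, "findings": findings}


# Constructed fake "server": URL -> (status, Location). Hosts use reserved example/TEST-NET names.
FAKE_SERVER = {
    "https://short.example/abc": (302, "https://track.example/r?id=1"),
    "https://track.example/r?id=1": (301, "http://203.0.113.5/login"),
    "http://203.0.113.5/login": (200, None),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}
for i in range(7):   # a chain that keeps redirecting past the hop limit
    FAKE_SERVER[f"https://long.example/{i}"] = (302, f"/{i + 1}")


def fake_fetch(url: str):
    return FAKE_SERVER.get(url, (404, None))


if __name__ == "__main__":
    for start in ("https://short.example/abc", "https://loop.example/a", "https://long.example/0"):
        r = follow_redirects(start, fake_fetch)
        print(start, "->", r["final"], f"({r['hops']} hops)", [f[1] for f in r["findings"]])
```

In a real deployment the injected fetch would issue a HEAD or GET with redirects disabled and a short timeout, so that each hop is observed rather than silently followed by the HTTP client; the analysis logic is unchanged.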

Deep Scan (Browser Sandbox)

The Deep Scan feature submits URLs to a browser sandbox for live analysis. This provides:

  • Screenshot of rendered page
  • Network activity monitoring
  • Console log collection
  • Server information extraction
  • Brand impersonation detection
  • Suspicious domain tracking
  • Resource loading analysis
  • DOM hash fingerprinting

// Deep Scan Results
Network Requests: 47 total
Suspicious Domains: 2 detected
Screenshot: Captured
Verdict: CLEAN

Android APK Inspector

Permission-based risk analysis with merged file intelligence

Permission Risk Scoring

Analyzes declared Android permissions against a curated rule set of 12 high-risk permission patterns. Each permission is assigned a severity (critical/high/medium/low) with weighted scoring.

BIND_ACCESSIBILITY_SERVICE: CRITICAL
READ_SMS / RECEIVE_SMS: CRITICAL
SYSTEM_ALERT_WINDOW: HIGH
BIND_VPN_SERVICE: HIGH

Merged Intelligence

APK analysis combines permission scoring with the full file scanner capabilities, providing hashes, entropy analysis, and VirusTotal results in a single comprehensive report.

  • Package metadata extraction
  • Activity, service, receiver enumeration
  • Permission combination heuristics
  • File hashes (MD5, SHA1, SHA256)
  • Entropy analysis for packing detection
  • VirusTotal APK lookup

Note: APK analysis is performed via static permission inspection. No runtime execution, emulation, or dynamic behavior monitoring is performed.
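The permission risk scoring and combination heuristics described in this section can be shown end to end on a manifest. The block below is an added example, not ZeroRisk Sentinel's own code: it parses a constructed plain-XML manifest with the standard library (the real backend uses AndroGuard, which decodes the binary AXML first), and the severity weights, combination bonus, score thresholds and every rule beyond the four permissions listed on the page are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WEIGHTS = {"CRITICAL": 10, "HIGH": 6, "MEDIUM": 3, "LOW": 1}   # assumed weights
COMBO_BONUS = 5                                                  # assumed
THRESHOLDS = ((20, "CRITICAL"), (12, "HIGH"), (5, "MEDIUM"))     # assumed score cut-offs

# Rule set: the four entries shown on the page plus assumed extras for illustration.
PERMISSION_RULES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "can read and inject UI events across every app"),
    "android.permission.READ_SMS": ("CRITICAL", "reads stored SMS, including one-time passcodes"),
    "android.permission.RECEIVE_SMS": ("CRITICAL", "sees incoming SMS before the user does"),
    "android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "draws overlays on top of other apps"),
    "android.permission.BIND_VPN_SERVICE": ("HIGH", "can route all device traffic through the app"),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "can side-load further packages"),
    "android.permission.RECORD_AUDIO": ("MEDIUM", "microphone access"),
    "android.permission.READ_CONTACTS": ("MEDIUM", "address book access"),
    "android.permission.INTERNET": ("LOW", "network egress; benign alone, amplifies other permissions"),
}

# Combination heuristics: short permission names that are riskier together than apart (assumed).
COMBINATIONS = (
    ({"SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE"}, "overlay plus accessibility: UI hijacking pattern"),
    ({"RECEIVE_SMS", "INTERNET"}, "SMS interception with network egress: OTP exfiltration pattern"),
    ({"RECORD_AUDIO", "INTERNET"}, "microphone with network egress: audio surveillance pattern"),
)


def short_name(perm: str) -> str:
    return perm.rsplit(".", 1)[-1]


def parse_manifest(manifest_xml: str) -> dict:
    """Collect package id, declared permissions, component names and component guard permissions."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    components = {"activity": [], "service": [], "receiver": []}
    for kind, names in components.items():
        for e in root.iter(kind):
            names.append(e.get(ANDROID_NS + "name"))
            # BIND_* permissions are not declared with <uses-permission>; they guard a component.
            guard = e.get(ANDROID_NS + "permission")
            if guard:
                perms.add(guard)
    perms.discard(None)
    return {"package": root.get("package"), "permissions": perms, "components": components}


def score_permissions(perms: set) -> dict:
    """Weighted per-permission score plus a bonus for each risky combination present."""
    rows, total = [], 0
    for perm in sorted(perms):
        if perm in PERMISSION_RULES:
            severity, why = PERMISSION_RULES[perm]
            total += WEIGHTS[severity]
            rows.append((short_name(perm), severity, why))
    present = {short_name(p) for p in perms}
    combos = [why for needed, why in COMBINATIONS if needed <= present]
    total += COMBO_BONUS * len(combos)
    level = next((lvl for cut, lvl in THRESHOLDS if total >= cut), "LOW")
    return {"score": total, "level": level, "rows": rows, "combinations": combos}


def inspect_apk_manifest(manifest_xml: str) -> dict:
    info = parse_manifest(manifest_xml)
    return {**info, "risk": score_permissions(info["permissions"])}


# Constructed manifest (plain XML, as AndroGuard returns after decoding the binary AXML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = inspect_apk_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["risk"]["level"], report["risk"]["score"])
    for name, severity, why in report["risk"]["rows"]:
        print(f"  {name:<28} {severity:<8} {why}")
    for why in report["risk"]["combinations"]:
        print("  [combo]", why)
```

Note that BIND_ACCESSIBILITY_SERVICE is picked up from the service element's android:permission attribute, not from a uses-permission line; an inspector that only reads uses-permission entries would miss the accessibility-service half of the overlay-plus-accessibility combination that drives this sample to CRITICAL.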

AI-Powered Explanations

Context-aware threat analysis using Groq LLM

How It Works

When backend connectivity is available, scan results are sent to the Groq API using the Llama 3.3 70B model. The AI analyzes detected indicators and generates human-readable explanations of what the code appears capable of, what remains unknown, and what additional evidence would be needed for confirmation.

  • Identifies most critical indicators
  • Explains apparent code capabilities
  • Clarifies static analysis limitations
  • Suggests additional verification steps

// AI Analysis Output
This file exhibits multiple coordinated behaviors associated with spyware. The SetWindowsHookEx API call indicates potential keystroke monitoring capability. Combined with network communication patterns, this suggests possible credential harvesting functionality.
Source: AI-assisted (Groq)

Fallback Mode: When AI quota is exhausted or backend is unavailable, the system automatically switches to heuristic-based explanations generated from the spyware behavior profile.

User Interface Features

Professional design with intuitive interactions

Info Modals

Professional modal system with SVG icons for explaining features like Deep Scan mode.

  • Click outside to close
  • Escape key support
  • Background scroll lock
  • Smooth animations

Enhanced Buttons

Improved button interactions with larger hitboxes and visual feedback.

  • Larger clickable area
  • Color change on click
  • Scale animation feedback
  • Professional styling

PDF Reports

Professional PDF report generation with clean layout and proper formatting.

  • Clean cover page design
  • Executive summary
  • Threat distribution charts
  • Detailed file/URL breakdown

Report Generation

Export comprehensive security reports in multiple formats

JSON Export

Machine-readable format containing complete scan data including hashes, findings, spyware profiles, URL analysis with Deep Scan data, and metadata for integration.

  • Complete scan metadata
  • All file hashes (MD5, SHA1, SHA256)
  • Detailed findings with severity
  • VirusTotal results
  • Sandbox data & screenshots

PDF Report

Professional formatted document with executive summary, threat distribution, detailed file analysis, URL security section, and actionable recommendations.

  • Executive summary with security score
  • Threat distribution visualization
  • Per-file detailed breakdown
  • URL analysis with service checks
  • Security recommendations

System Architecture

Hybrid client-server design with graceful degradation

Client-Side (Browser)

  • File header analysis
  • JavaScript pattern matching
  • Extension spoofing detection
  • Local heuristic analysis
  • Session storage for results
  • Info modal system

Backend (Python)

  • YARA rule compilation
  • File hashing & entropy
  • VirusTotal API integration
  • URL threat intelligence
  • URL sandbox (browser)
  • File sandbox (Hybrid Analysis)
  • AI explanation service

External APIs

  • Google Safe Browsing
  • VirusTotal (files & URLs)
  • URLHaus malware DB
  • AbuseIPDB IP reputation
  • SecurityTrails domain intel
  • Browser sandbox (URLs)
  • Hybrid Analysis (file sandbox)
  • Groq AI (Llama 3.3 70B)
  • WHOIS domain lookup

Graceful Degradation: When backend services are unavailable, the system automatically falls back to client-side analysis. All core detection capabilities remain functional without external dependencies.

Privacy & Security

Your data stays under your control

Client-Side First

  • Initial analysis happens in your browser
  • No files uploaded unless backend scan requested
  • Session-based storage (cleared on close)
  • No persistent data retention

Transparent Processing

  • Real-time terminal output shows all activity
  • Clear indication of backend vs local analysis
  • All API calls visible in network logs
  • Open-source detection patterns

Limitations

  • Static analysis only (no execution)
  • Heuristic results, not definitive proof
  • Does not replace antivirus software
  • Designed for educational/demonstration use

Best Practices

  • Verify file sources before opening
  • Don't trust file extensions alone
  • Keep antivirus software updated
  • Report suspicious findings for verification

Technology Stack

Frontend

Vanilla JavaScript, Tailwind CSS, Anime.js, ECharts, jsPDF

Backend

Python Flask, YARA, AndroGuard, python-magic, dnspython

AI/ML

Groq API, Llama 3.3 70B model for threat explanations

Sandbox

Hybrid Analysis (files), Browser Sandbox (URLs)

Threat Intel

VirusTotal, Google Safe Browsing, URLHaus, WHOIS
