what
an analysis bench, not a sandbox.
void8 is a portable static-analysis pipeline that runs on a disposable windows ltsc vm. drop a binary, get a scored verdict with the supporting evidence laid out — signatures, persistence diffs, extracted indicators, yara matches, local reputation, and a contextual second opinion from a local model.
built for the msp and security practitioner making allowlist calls without standing up a full sandbox stack. when virustotal says clean and you still need to decide, this is the bench you sit down at.
run
three steps. no terminal dance.
01  download void8.zip                   # one file
02  unzip onto a clean windows ltsc vm   # your snapshot, your rules
03  double-click install.bat             # server up, browser open
analyze. revert to snapshot. repeat. the entire toolchain ships inside the zip — no package manager, no installer chain, no network dependency at install time.
inside
what the bench actually does.
provenance: mark-of-the-web inspection surfaces the originating zone, host, and referrer for any file downloaded through a browser, outlook, or smb share.
scoring: weighted scoring across vt detections, signatures, entropy, pe characteristics, and yara matches, mapped to clean / suspicious / dangerous. signed-publisher trust softens soft-signal escalations; family yara matches force-escalate regardless.
reputation: every persisted scan becomes a reputation signal. hash, publisher, and product history are aggregated from your own reports directory — no external trust service. prior dangerous verdicts force-escalate; a local denylist provides a hard-block path.
persistence: autoruns baselines on every scan, auto-diffed against the prior baseline to surface exactly what an installer added, removed, or modified.
unpacking: recognized installers (nsis, msi, inno, sfx, cab, msix) are extracted and every child pe gets a stripped signature check inline.
yara: drop-in rule folder with category and severity meta that maps directly to scoring. ships with a 15-rule starter set covering common families, injection, lolbin abuse, packers, and anti-debug.
indicators: strings extraction over the first 5mb, regex pulls for urls / ips / domains / registry / suspicious apis, then checked against urlhaus and optionally abuseipdb and otx.
reports: every scan persists as structured json with the full autoruns csv embedded. browse, reload, export, or capture standalone state snapshots as before/after baselines.
ai assist: local ollama, verdict-aware prompting, full environment context. clean files get a brief reassurance; suspicious files get specific pestudio tabs to check and dynamic steps to run. no data leaves the box.
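the scoring and reputation items above describe a rule set (weighted signals mapped to three tiers, soft signals halved for a trusted signer, family rules / prior dangerous verdicts / a local denylist overriding the tier). the block below is an added illustration of that rule set, not void8's own code: the signal names, weights, thresholds, the entropy cutoff, the one-json-per-scan report layout and the `denylist.txt` file are all assumptions, and the reports and samples it builds are constructed for the demo.

```python
"""Verdict scoring plus local reputation, as an added illustration.
Not void8's code: weights, thresholds and the report layout are assumptions."""
import json
from dataclasses import dataclass, field
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Optional

# Assumed per-signal weights and tier thresholds (illustrative, not void8's).
WEIGHTS = {"vt_detections": 4.0, "unsigned": 10.0, "high_entropy": 15.0,
           "suspicious_pe": 10.0, "yara_low": 5.0, "yara_medium": 15.0,
           "yara_high": 30.0}
SUSPICIOUS_AT, DANGEROUS_AT = 20.0, 50.0
# "soft" signals: common in legitimate packed/signed installers, so a trusted
# publisher halves their contribution instead of escalating on them alone.
SOFT_SIGNALS = {"high_entropy", "suspicious_pe", "yara_low"}


@dataclass
class Sample:
    sha256: str
    publisher: Optional[str] = None   # None = unsigned or invalid signature
    vt_detections: int = 0
    entropy: float = 0.0
    suspicious_pe: bool = False       # e.g. writable+executable section
    yara: list = field(default_factory=list)  # {"rule", "category", "severity"}


def load_reputation(reports_dir):
    """Aggregate persisted scans (assumed: one JSON per scan with sha256,
    publisher, verdict) into per-hash / per-publisher history and a denylist."""
    rep = {"hash": {}, "publisher": {}, "denylist": set()}
    for path in Path(reports_dir).glob("*.json"):
        r = json.loads(path.read_text())
        rep["hash"].setdefault(r["sha256"], []).append(r["verdict"])
        if r.get("publisher"):
            rep["publisher"].setdefault(r["publisher"], []).append(r["verdict"])
    deny = Path(reports_dir) / "denylist.txt"   # assumed hard-block file
    if deny.exists():
        rep["denylist"] = {l.strip().lower() for l in deny.read_text().splitlines()
                           if l.strip() and not l.startswith("#")}
    return rep


def verdict(sample, rep):
    """Return (tier, points, reasons). Points come from weighted signals;
    the force-escalation paths override the tier regardless of points."""
    reasons, c = [], {}
    if sample.vt_detections:
        c["vt_detections"] = min(sample.vt_detections, 10) * WEIGHTS["vt_detections"]
    if sample.publisher is None:
        c["unsigned"] = WEIGHTS["unsigned"]
    if sample.entropy >= 7.2:                       # assumed packed/encrypted cutoff
        c["high_entropy"] = WEIGHTS["high_entropy"]
    if sample.suspicious_pe:
        c["suspicious_pe"] = WEIGHTS["suspicious_pe"]
    for m in sample.yara:
        key = "yara_" + m.get("severity", "low")
        c[key] = c.get(key, 0.0) + WEIGHTS[key]
    # signed-publisher trust: signed, and no prior non-clean local verdict
    history = rep["publisher"].get(sample.publisher, [])
    trusted = sample.publisher is not None and all(v == "clean" for v in history)
    if trusted:
        for key in SOFT_SIGNALS & set(c):
            c[key] /= 2
            reasons.append(f"{key} softened: signed by trusted publisher")
    points = float(sum(c.values()))
    tier = ("dangerous" if points >= DANGEROUS_AT
            else "suspicious" if points >= SUSPICIOUS_AT else "clean")
    reasons += [f"{k}: +{v:g}" for k, v in c.items()]
    # force-escalation paths: family rule, prior dangerous verdict, denylist
    family = [m["rule"] for m in sample.yara if m.get("category") == "family"]
    if family:
        tier, reasons = "dangerous", reasons + [f"family yara match: {family}"]
    if "dangerous" in rep["hash"].get(sample.sha256, []):
        tier, reasons = "dangerous", reasons + ["prior dangerous verdict for this hash"]
    if sample.sha256.lower() in rep["denylist"]:
        tier, reasons = "dangerous", reasons + ["hash on local denylist (hard block)"]
    return tier, points, reasons


def demo():
    """Constructed reports directory and samples; returns {name: (tier, points)}."""
    with TemporaryDirectory() as d:
        reports = [{"sha256": "a" * 64, "publisher": "Contoso Software Ltd", "verdict": "clean"},
                   {"sha256": "b" * 64, "publisher": None, "verdict": "dangerous"}]
        for i, r in enumerate(reports):
            (Path(d) / f"scan{i}.json").write_text(json.dumps(r))
        (Path(d) / "denylist.txt").write_text("# constructed\n" + "c" * 64 + "\n")
        rep = load_reputation(d)
        samples = {
            "signed_packed_installer": Sample("d" * 64, "Contoso Software Ltd", entropy=7.4,
                yara=[{"rule": "packer_upx", "category": "packer", "severity": "low"}]),
            "unsigned_injector": Sample("e" * 64, None, vt_detections=3, entropy=6.0,
                suspicious_pe=True,
                yara=[{"rule": "inject_remote_thread", "category": "injection", "severity": "medium"}]),
            "signed_but_family_hit": Sample("f" * 64, "Contoso Software Ltd",
                yara=[{"rule": "family_demo", "category": "family", "severity": "high"}]),
            "seen_dangerous_before": Sample("b" * 64, None),
            "denylisted": Sample("c" * 64, "Contoso Software Ltd"),
        }
        return {name: verdict(s, rep)[:2] for name, s in samples.items()}


if __name__ == "__main__":
    for name, (tier, points) in demo().items():
        print(f"{name:24s} {tier:10s} {points:g}")
```

the packed-but-signed installer lands on clean only because the signer has a clean local history; the same signals unsigned would score 20 and land on suspicious. the family hit and the denylist entry go to dangerous on points that would otherwise read suspicious or clean, which is the point of keeping the override paths separate from the weights.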
built on sigcheck · pestudio · autoruns · procmon · system informer · regshot · yara
next
where it's going.
next: automated dynamic analysis
one-click procmon launch with pre-configured filters, sample execution, autoruns diff, and inetsim correlation — appended to the static report.
planned: macos and linux builds
platform-native benches for mach-o and elf with the same scoring model and frontend. likely go for single-binary distribution.
planned: kasm workspace image
pre-built kasm image with void8 inside. upload, analyze, discard. zero local footprint.