ThreatGuard is a production-grade, web-based platform designed for security researchers and SOC analysts to perform deep static analysis of files and identify malicious URLs. It combines multiple scanning engines, signature-based detection, and external threat intelligence into a high-performance, asynchronous dashboard.
- Static PE Parsing: Deep inspection of Portable Executable (EXE/DLL) headers, sections, and import/export tables.
- YARA Integration: Custom signature-based detection using advanced YARA rules for known malware families.
- Indicator Extraction (IOCs): Automatic extraction of embedded URLs, IP addresses, and registry keys from files.
- Entropy Calculation: Per-section entropy analysis to detect packed or encrypted malicious payloads.
- VirusTotal Intelligence: Instant hash lookup against 70+ antivirus engines.
- SSL/TLS Validation: Real-time certificate verification (issuer, expiry, and security flags).
- Domain WHOIS: Identification of "young" or suspicious domains frequently used in phishing.
- Phishing Detection: Heuristic keyword analysis and domain structure inspection.
- Redirect Mapping: Follows and visualizes the entire redirection chain to find the final malicious destination.
- Live Metrics: Real-time visualization of risk trends and detection ratios using Recharts.
- Dynamic Risk Scoring: Algorithmic calculation (0–100) based on weighted threat signals.
- PDF Exports: Professional, downloadable threat reports for compliance and internal sharing.
- Scan History: Full auditing of all past user activity with paginated history and filters.
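As an added illustration of the per-section entropy heuristic listed above (example code, not taken from the ThreatGuard repository), the following computes Shannon entropy for each section and flags those that look packed or encrypted. The 7.0 bits/byte threshold and the sample sections are assumptions constructed for the demo; in the real pipeline the bytes would come from pefile's `section.get_data()`.

```python
"""Per-section Shannon entropy: the heuristic behind 'packed or encrypted' flags."""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Assumed threshold (not taken from the ThreatGuard code): compiled x86 code
# usually measures roughly 5.5-6.8 bits/byte, while compressed or encrypted
# payloads approach the 8.0 maximum.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_sections(sections: Dict[str, bytes]) -> List[Tuple[str, float, bool]]:
    """Return (name, entropy, suspicious) per section.

    With pefile the input mapping would be built as
    {s.Name.rstrip(b'\\0').decode(): s.get_data() for s in pe.sections}.
    """
    result = []
    for name, data in sections.items():
        ent = shannon_entropy(data)
        result.append((name, round(ent, 3), ent >= PACKED_THRESHOLD))
    return result


def packed_sections(sections: Dict[str, bytes]) -> List[str]:
    """Names of sections whose entropy crosses the packed/encrypted threshold."""
    return [name for name, _, flagged in assess_sections(sections) if flagged]


# Constructed sample sections (not real binaries): a repetitive code stub,
# a zero-filled data section, and a uniformly distributed block that mimics
# a compressed packer payload.
SAMPLE_SECTIONS = {
    ".text": bytes([0x55, 0x8B, 0xEC, 0x83, 0xC4, 0x10, 0x90, 0xC3]) * 512,
    ".data": b"\x00" * 4096,
    "UPX1": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name, ent, flagged in assess_sections(SAMPLE_SECTIONS):
        print(f"{name:<8} entropy={ent:.3f} {'PACKED?' if flagged else 'ok'}")
```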
| Layer | Technologies |
|---|---|
| Backend | Python 3.9+, Django, Django REST Framework, Celery |
| Frontend | React 18, Vite, Axios, Recharts, Lucide Icons |
| Database | PostgreSQL (Primary), Redis (Message Broker) |
| Analysis | pefile, yara-python, python-whois, weasyprint |
| Auth | JWT (SimpleJWT) with Refresh Token Rotation |
- Python 3.9+ and Node.js 18+
- Redis Server (running on localhost:6379)
- PostgreSQL (or SQLite for quick local testing)
```bash
cd backend
python -m venv venv
source venv/bin/activate          # On Windows: .\venv\Scripts\activate
pip install -r requirements.txt

# Setup Environment
cp .env.example .env              # Update your VIRUSTOTAL_API_KEY in .env

# Database & Admin
python manage.py migrate
python manage.py createsuperuser  # Optional
python manage.py runserver
```

In a new terminal:
```bash
cd backend
# Windows:
celery -A malware_platform worker --loglevel=info -P eventlet
# Linux/Mac:
celery -A malware_platform worker --loglevel=info
```

In a new terminal:
```bash
cd frontend
npm install
npm run dev
```

- Navigate to http://localhost:5173.
- Register a new account or use the login tab to sign in.
- Go to the File Scanner page.
- Drag and drop an executable (EXE, DLL) or a document (PDF, ZIP).
- Watch the live scan stages progress (Hashing → PE Analysis → YARA → VirusTotal).
- Click View Full Report to see the deep dive analysis.
- Go to the URL Scanner page.
- Paste a suspicious link (e.g., http://login-verify-paypal.me).
- The system will resolve the IP, check the SSL status, and calculate a risk score.
- Check the Dashboard for a high-level view of your security posture.
- View "Risk Distribution" to see how many malicious items were detected in your history.
- From any scan result page or the History table, click the PDF icon.
- The system generates a branded report suitable for sharing with a security team.
```text
.
├── backend/
│   ├── scanner/            # File analysis modules & tasks
│   ├── url_scanner/        # URL analysis logic & WHOIS checks
│   ├── accounts/           # Auth, User Profile, & Dashboard API
│   ├── reports/            # PDF generation service & templates
│   ├── malware_platform/   # Global settings & URLs
│   └── requirements.txt    # Python dependencies
├── frontend/
│   ├── src/
│   │   ├── api/            # Axios config & interceptors
│   │   ├── components/     # Reusable UI (Badges, Sections, etc.)
│   │   ├── context/        # AuthProvider (JWT handling)
│   │   └── pages/          # Full page views
│   ├── package.json        # Frontend dependencies
│   └── index.html          # Entry point
└── README.md               # You are here
```
ThreatGuard is intended for educational and security research purposes only. Do not upload sensitive or proprietary information. The platform analysis is static; files are never executed.