ZeroRisk Sentinel

ZeroRisk Sentinel – Spot malware, phishing & spyware before you click or run, with zero trust required.

Comment

ZeroRisk Sentinel

The Problem

Every day, over 450,000 new malware variants are detected. Keyloggers steal passwords. Phishing sites harvest credentials. Android apps request permissions they have no business needing. Most people are flying blind when it comes to understanding what they're actually downloading or clicking.

The question is simple: How do you know if a file, URL, or app is actually safe?

The Solution

ZeroRisk Sentinel is a hybrid cybersecurity platform that combines client-side analysis with enterprise-grade threat intelligence. It functions as a digital immune system for files, URLs, and Android applications.

Core Capabilities

Capability Description
Deep File Analysis YARA rule scanning, entropy analysis, VirusTotal integration, and sandbox execution for comprehensive malware detection
URL Security Scanner Multi-source threat intelligence including Google Safe Browsing, URLHaus, SSL/DNS analysis, and browser sandboxing
APK Inspector Android permission risk scoring and manifest analysis to identify invasive applications

Architecture

ZeroRisk Sentinel uses a privacy-first hybrid architecture:

Client-Side (Browser)

  • File header analysis
  • JavaScript pattern matching
  • Extension spoofing detection
  • Local heuristic analysis

Backend (Python Flask)

  • YARA rule compilation
  • File hashing (MD5, SHA1, SHA256)
  • VirusTotal API integration
  • URL threat intelligence
  • Hybrid Analysis sandbox
  • Groq AI explanations

The system features graceful degradation — if backend services are unavailable, client-side analysis continues functioning with local pattern matching.

Tech Stack

Frontend

  • Vanilla JavaScript
  • Tailwind CSS
  • Anime.js for animations
  • ECharts for data visualization
  • jsPDF for report generation

Backend

  • Python Flask
  • YARA pattern matching engine
  • python-magic for file type detection
  • AndroGuard for APK analysis
  • dnspython for DNS analysis

External APIs

  • Google Safe Browsing
  • VirusTotal (70+ antivirus engines)
  • URLHaus malware database
  • Hybrid Analysis sandbox
  • urlscan.io browser sandbox
  • Groq AI (Llama 3.3 70B)

Key Features

  • Quick Scan vs Deep Scan: Rapid triage or comprehensive sandbox analysis
  • Extension Spoofing Detection: Identifies files disguised as other formats (e.g., invoice.pdf.exe)
  • Keylogger Identification: Pattern-based detection of keystroke logging code
  • Real-time Console: Live terminal output showing every analysis step
  • AI-Powered Explanations: Groq-powered threat analysis in plain English
  • Professional Reports: Export to JSON or PDF with threat distribution charts

Development Journey

What I Learned

  1. YARA Rules and Malware Signatures: Writing signature-based detection patterns revealed how malware behaves in coordinated, purposeful ways rather than random malicious code.

  2. Entropy Analysis: Implementing Shannon entropy calculations (0-8 scale) to detect packed or encrypted files provided insight into evasion techniques.

  3. Hybrid State Management: Managing async operations between client and server, handling fallbacks, and polling for sandbox results required careful architecture design.

  4. APK Permission Analysis: Understanding how permission combinations tell stories — when an app requests BIND_ACCESSIBILITY_SERVICE + READ_SMS + BIND_VPN_SERVICE, that's surveillanceware.

Challenges Overcome

Challenge: Sandbox Integration Real malware analysis requires isolated execution environments. Sandbox APIs are complex and expensive to maintain.

Solution: Integrated Hybrid Analysis API with intelligent polling. Frontend displays real-time progress ("Analyzing... 12/30") while backend monitors sandbox execution.

Challenge: YARA Deployment YARA requires compiled rules and specific dependencies. Deploying to cloud platforms with all components was non-trivial.

Solution: Built a robust fallback system. If YARA fails, the system uses built-in JavaScript pattern matching for key signatures. Analysis continues with alternative tools.

Challenge: APK Size Limits APKs can be 50MB+. Uploading large files to free-tier backends causes timeouts.

Solution: Implemented size limits with clear user messaging and local permission extraction for lightweight analysis.

Challenge: Security Data Visualization Threat scores, hashes, and entropy values are inherently dry.

Solution: Designed a cyberpunk-inspired interface with animated threat meters, orbital particle systems, real-time terminal consoles, and color-coded severity indicators.

Results

ZeroRisk Sentinel successfully detects:

  • Keyloggers from code patterns
  • Extension spoofing attacks
  • Phishing URLs before clicking
  • Invasive Android permissions
  • Packed/encrypted files via entropy analysis

All analysis includes professional PDF report generation with executive summaries and actionable recommendations.

Future Roadmap

  • Browser extension for instant link analysis
  • Batch processing for multiple files
  • Community-driven YARA rule contributions
  • Mobile application for on-device APK scanning

Security is not a product — it is a process. ZeroRisk Sentinel makes threat analysis accessible to everyone, not just security professionals.

Built With

Share this project:

Updates

posted an update

What's New in ZeroRisk Sentinel v2.1

New Deployment

Live URL: https://zerorisk-sentinel.vercel.app/
The project has been completely restructured and redeployed on Vercel for better performance and reliability.

Major Architecture Overhaul

Hybrid Client-Server Analysis

The biggest shift from the original submission is the move from 100% client-side to a hybrid architecture:

  • Client-side: Fast initial screening, file header analysis, pattern matching, local heuristics
  • Python Backend: Enhanced threat intelligence when available (YARA rules, VirusTotal, AI explanations)
  • Graceful Degradation: Works fully offline with local heuristics when backend is unavailable

New Backend Stack (server.py)

  • Flask-based API with CORS support for frontend communication
  • Modular scanner imports: File scanner, APK analyzer, URL scanner, AI explainer
  • Health check endpoint (/api/status) for real-time backend availability monitoring
  • Secure file handling with temp directories and automatic cleanup

Enhanced File Analysis (file_scanner.py)

YARA Rule Integration

  • Signature-based detection using compiled YARA rules (when available)
  • Automatic fallback to built-in JavaScript patterns when YARA unavailable
  • Tag-based categorization (surveillance, credential_harvest, etc.)

File Intelligence & Hashing

  • Multi-hash generation: MD5, SHA1, SHA256 for every scanned file
  • VirusTotal API integration for hash-based malware lookup
  • Entropy analysis (0-8 scale) to detect packed/encrypted files
  • Magic number detection for actual file type identification

Extension Spoofing Detection

  • Header vs extension comparison to catch invoice.pdf.exe attacks
  • Dangerous extension combo detection (e.g., .pdf.exe, .docx.scr)
  • RTL (Right-to-Left) override character detection for advanced spoofing

PE Structure Analysis

  • Windows executable inspection: PE32/PE64 header validation
  • Relocation table analysis (stripped = common in packed malware)
  • DLL vs EXE detection with suspicious characteristic flags

Two-Tier Scanning System

  • Quick Scan: Samples strategic file positions (start, middle, end) for speed
  • Deep Scan: Full file streaming with chunked processing for thoroughness
  • Dynamic progress tracking with real-time terminal output

URL Security Analysis (url_scanner.py)

Multi-Source Threat Intelligence

  • Google Safe Browsing API: Real-time phishing/malware URL checks
  • URLHaus integration: Community-driven malware distribution database
  • VirusTotal URL scanning: Aggregated results from 70+ security vendors

Technical Analysis

  • SSL/TLS certificate inspection: Validity, expiration, self-signing detection
  • DNS record analysis: A, MX, TXT (SPF) record queries
  • Redirect chain following: Up to 5 hops to detect suspicious destinations
  • Domain age checking: WHOIS lookup for newly registered domains

Local Heuristic Fallback

When backend is unavailable, client-side heuristics detect:

  • IP-based URLs (bypass domain reputation)
  • URL shorteners (hidden destinations)
  • Phishing keywords (login, verify, secure, bank)
  • Risky TLDs (.xyz, .tk, .ml, .ga, .cf)
  • Unusually long paths or excessive subdomains

AI-Powered Explanations (ai_explainer.py)

Groq API Integration

  • Llama 3.3 70B model for context-aware threat analysis
  • Intelligent prompt engineering with security analyst persona
  • Concise explanations (~100 words) focusing on:
    • Most critical indicators and why
    • Apparent code capabilities
    • Unknowns due to static-only analysis
    • Additional evidence needed for confirmation

Graceful Fallback System

  • Heuristic explanations when AI quota exhausted or backend offline
  • Spyware behavior profiling: surveillance, persistence, data exfiltration, stealth
  • Confidence scoring based on indicator severity and combinations

Android APK Analysis (apk_analyzer.py)

Permission-Based Risk Scoring

  • 12 curated permission rules with severity weighting:
    • Critical (35 pts): BIND_ACCESSIBILITY_SERVICE, READ_SMS, BIND_DEVICE_ADMIN
    • High (20 pts): SYSTEM_ALERT_WINDOW, RECORD_AUDIO, BIND_VPN_SERVICE
    • Medium (10 pts): RECEIVE_BOOT_COMPLETED, READ_CONTACTS
    • Low (5 pts): INTERNET, basic permissions

Permission Combination Heuristics

  • Accessibility + Overlay = Clickjacking/keylogging risk (+25 pts)
  • Boot persistence + Internet = Malware persistence indicator (+15 pts)

Merged File Intelligence

APK analysis now combines with full file scanner:

  • Cryptographic hashes for VirusTotal lookup
  • Entropy analysis for packing detection
  • File type verification and extension mismatch detection

Report Generation (generateReport.js)

JSON Export

  • Machine-readable format with complete scan metadata
  • All hashes, findings, VirusTotal results preserved
  • Spyware behavior profiles and confidence scores
  • Timestamped and versioned for audit trails

PDF Report Generation

  • Professional formatted documents using jsPDF
  • Executive summary with security score and threat distribution
  • Per-file detailed breakdowns with severity indicators
  • Actionable recommendations based on threat types
  • Cover page with classification banner and metadata

Frontend Enhancements

New Pages & Navigation

  • url.html: Dedicated URL analysis interface with demo samples
  • results.html: Comprehensive results dashboard with visualizations
  • about.html: Detailed methodology and technology documentation
  • Swipe navigation for mobile (left/right to switch pages)

Visual Improvements

  • Threat proximity map: Animated orbital chart showing risk distribution
  • Security score gauge: ECharts-based gauge with color-coded zones
  • Real-time terminal: Matrix-style console with color-coded log levels
  • Expandable analysis cards: Collapsible sections for detailed findings

Demo Mode

  • Safe sample files for testing without risk:
    • invoice_2025.pdf.exe (extension spoofing)
    • keylogger-demo.py (surveillance patterns)
    • apk-demo.apk (Android permissions)
    • quick_scan_demo.js vs deep_scan_test.js (scan mode comparison)

Privacy & Security Improvements

Client-Side First Philosophy

  • No forced uploads: Initial analysis happens entirely in browser
  • Session-based storage: Results cleared when tab closes
  • Transparent processing: Real-time terminal shows all activity
  • Backend status indicator: Clear indication of local vs cloud analysis

Security Hardening

  • Input validation on all API endpoints
  • Secure filename handling with secure_filename()
  • Temp file cleanup with try/finally blocks
  • CORS configuration for cross-origin safety

Technical Stack Updates

Component Original Updated
Deployment cyberthon-zeta.vercel.app zerorisk-sentinel.vercel.app
Backend None Python Flask + Gunicorn
AI Service None Groq API (Llama 3.3 70B)
File Analysis JS-only patterns YARA + JS fallback
Hash Lookup None VirusTotal API
APK Analysis None AndroGuard integration
URL Analysis Basic heuristics Multi-source threat intel
Reports None JSON + PDF export
Mobile Basic responsive Swipe navigation

Key Metrics

  • 3 scan types: Files, URLs, Android APKs
  • 5 threat levels: Safe, Low, Medium, High, Critical
  • 12+ permission rules for Android analysis
  • 70+ security vendors via VirusTotal aggregation
  • 100% client-side fallback when backend unavailable

What's Next (Roadmap)

  • [ ] Sandboxed dynamic analysis for uncertain files
  • [ ] Expanded format support (Office docs, PDF internals, archives)
  • [ ] Cryptographically signed analysis reports
  • [ ] Community signature contributions
  • [ ] Real-time threat feed integration

Built for the paranoid. Designed for everyone.

ZeroRisk Sentinel v2.1, Transparent, explainable, user-controlled security

Log in or sign up for Devpost to join the conversation.