What's New in ZeroRisk Sentinel v2.1
New Deployment
Live URL: https://zerorisk-sentinel.vercel.app/
The project has been completely restructured and redeployed on Vercel for better performance and reliability.
Major Architecture Overhaul
Hybrid Client-Server Analysis
The biggest shift from the original submission is the move from 100% client-side to a hybrid architecture:
- Client-side: Fast initial screening, file header analysis, pattern matching, local heuristics
- Python Backend: Enhanced threat intelligence when available (YARA rules, VirusTotal, AI explanations)
- Graceful Degradation: Works fully offline with local heuristics when backend is unavailable
New Backend Stack (server.py)
- Flask-based API with CORS support for frontend communication
- Modular scanner imports: File scanner, APK analyzer, URL scanner, AI explainer
- Health check endpoint (/api/status) for real-time backend availability monitoring
- Secure file handling with temp directories and automatic cleanup
Enhanced File Analysis (file_scanner.py)
YARA Rule Integration
- Signature-based detection using compiled YARA rules (when available)
- Automatic fallback to built-in JavaScript patterns when YARA unavailable
- Tag-based categorization (surveillance, credential_harvest, etc.)
File Intelligence & Hashing
- Multi-hash generation: MD5, SHA1, SHA256 for every scanned file
- VirusTotal API integration for hash-based malware lookup
- Entropy analysis (0-8 scale) to detect packed/encrypted files
- Magic number detection for actual file type identification
Extension Spoofing Detection
- Header vs extension comparison to catch invoice.pdf.exe attacks
- Dangerous extension combo detection (e.g., .pdf.exe, .docx.scr)
- RTL (Right-to-Left) override character detection for advanced spoofing
PE Structure Analysis
- Windows executable inspection: PE32/PE64 header validation
- Relocation table analysis (a stripped relocation table is common in packed malware)
- DLL vs EXE detection with suspicious characteristic flags
Two-Tier Scanning System
- Quick Scan: Samples strategic file positions (start, middle, end) for speed
- Deep Scan: Full file streaming with chunked processing for thoroughness
- Dynamic progress tracking with real-time terminal output
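An added example (not the project's code) covering both the two-tier scanning above and the 0-8 entropy scale from "File Intelligence & Hashing": quick scan samples three positions, deep scan streams every chunk. The indicator strings and the 20 KB sample are constructed for the demo.

```python
# Added example (not ZeroRisk Sentinel's code): quick-scan sampling vs deep-scan streaming,
# each reporting Shannon entropy (0-8) and pattern hits. PATTERNS and SAMPLE are constructed.
import math
from collections import Counter

PATTERNS = [b"GetAsyncKeyState", b"CreateRemoteThread"]  # constructed indicator strings

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_window(data):
    return {"entropy": round(shannon_entropy(data), 2),
            "hits": [p.decode() for p in PATTERNS if p in data]}

def quick_scan(blob, window=4096):
    """Sample the start, middle and end only; fast, but blind to bytes between samples."""
    size = len(blob)
    offsets = sorted({0, max(0, size // 2 - window // 2), max(0, size - window)})
    windows = [scan_window(blob[o:o + window]) for o in offsets]
    return {"mode": "quick", "max_entropy": max(w["entropy"] for w in windows),
            "hits": sorted({h for w in windows for h in w["hits"]})}

def deep_scan(blob, chunk=4096):
    """Stream every chunk, overlapping by the longest pattern so boundary hits are not lost."""
    overlap = max(len(p) for p in PATTERNS) - 1
    hits, max_entropy = set(), 0.0
    for off in range(0, len(blob), chunk):
        w = scan_window(blob[off:off + chunk + overlap])
        hits.update(w["hits"])
        max_entropy = max(max_entropy, w["entropy"])
    return {"mode": "deep", "max_entropy": max_entropy, "hits": sorted(hits)}

# Constructed 20 KB sample: the indicator sits where no quick-scan window lands
SAMPLE = bytearray(20000)
SAMPLE[7000:7016] = b"GetAsyncKeyState"
SAMPLE = bytes(SAMPLE)
```

On SAMPLE the quick scan reports no hits while the deep scan finds the planted string, which is the speed/thoroughness trade-off the two modes exist for.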
URL Security Analysis (url_scanner.py)
Multi-Source Threat Intelligence
- Google Safe Browsing API: Real-time phishing/malware URL checks
- URLHaus integration: Community-driven malware distribution database
- VirusTotal URL scanning: Aggregated results from 70+ security vendors
Technical Analysis
- SSL/TLS certificate inspection: Validity, expiration, self-signing detection
- DNS record analysis: A, MX, TXT (SPF) record queries
- Redirect chain following: Up to 5 hops to detect suspicious destinations
- Domain age checking: WHOIS lookup for newly registered domains
Local Heuristic Fallback
When the backend is unavailable, client-side heuristics detect:
- IP-based URLs (bypass domain reputation)
- URL shorteners (hidden destinations)
- Phishing keywords (login, verify, secure, bank)
- Risky TLDs (.xyz, .tk, .ml, .ga, .cf)
- Unusually long paths or excessive subdomains
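An added example, not the project's client-side code, of the five fallback heuristics above written in Python (the page's version runs in the browser); the keywords and TLDs are the page's, while the scores, shortener list and path/subdomain thresholds are assumptions.

```python
# Added example (not ZeroRisk Sentinel's code): offline URL heuristics with no network lookup.
# Keywords and TLDs come from the page; point values and thresholds are assumed.
import ipaddress
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}  # constructed list
PHISHING_WORDS = ("login", "verify", "secure", "bank")
RISKY_TLDS = (".xyz", ".tk", ".ml", ".ga", ".cf")
MAX_PATH_LEN, MAX_SUBDOMAINS = 100, 2

def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_heuristics(url):
    """Return (score 0-100, reasons) for a URL using only local rules."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons, score = [], 0
    ip_host = is_ip_host(host)
    if ip_host:  # a raw IP sidesteps domain reputation entirely
        reasons.append("ip_host")
        score += 30
    if host in SHORTENERS:  # destination hidden behind a redirect
        reasons.append("url_shortener")
        score += 20
    haystack = host + parsed.path.lower() + "?" + parsed.query.lower()
    words = [w for w in PHISHING_WORDS if w in haystack]
    if words:
        reasons.append("phishing_keywords:" + ",".join(words))
        score += 10 * len(words)
    if host.endswith(RISKY_TLDS):
        reasons.append("risky_tld")
        score += 20
    if len(parsed.path) > MAX_PATH_LEN:
        reasons.append("long_path")
        score += 10
    # labels beyond registrable domain + TLD, e.g. a.b.c.example.tk has three
    if not ip_host and len(host.split(".")) - 2 > MAX_SUBDOMAINS:
        reasons.append("excessive_subdomains")
        score += 15
    return min(score, 100), reasons
```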
AI-Powered Explanations (ai_explainer.py)
Groq API Integration
- Llama 3.3 70B model for context-aware threat analysis
- Intelligent prompt engineering with security analyst persona
- Concise explanations (~100 words) focusing on:
- Most critical indicators and why
- Apparent code capabilities
- Unknowns due to static-only analysis
- Additional evidence needed for confirmation
Graceful Fallback System
- Heuristic explanations when AI quota exhausted or backend offline
- Spyware behavior profiling: surveillance, persistence, data exfiltration, stealth
- Confidence scoring based on indicator severity and combinations
Android APK Analysis (apk_analyzer.py)
Permission-Based Risk Scoring
- 12 curated permission rules with severity weighting:
- Critical (35 pts): BIND_ACCESSIBILITY_SERVICE, READ_SMS, BIND_DEVICE_ADMIN
- High (20 pts): SYSTEM_ALERT_WINDOW, RECORD_AUDIO, BIND_VPN_SERVICE
- Medium (10 pts): RECEIVE_BOOT_COMPLETED, READ_CONTACTS
- Low (5 pts): INTERNET, basic permissions
Permission Combination Heuristics
- Accessibility + Overlay = Clickjacking/keylogging risk (+25 pts)
- Boot persistence + Internet = Malware persistence indicator (+15 pts)
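An added example (not the project's apk_analyzer.py) of the weighted permission rules and the two combination heuristics above, using the point values the page lists; the level cut-offs are an assumption, and only the nine permissions the page names are included.

```python
# Added example (not ZeroRisk Sentinel's code): permission weights and combo bonuses as
# listed on the page; LEVELS cut-offs are assumed, SAMPLE_MANIFEST is constructed.
PERMISSION_RULES = {
    "BIND_ACCESSIBILITY_SERVICE": ("critical", 35), "READ_SMS": ("critical", 35),
    "BIND_DEVICE_ADMIN": ("critical", 35),
    "SYSTEM_ALERT_WINDOW": ("high", 20), "RECORD_AUDIO": ("high", 20),
    "BIND_VPN_SERVICE": ("high", 20),
    "RECEIVE_BOOT_COMPLETED": ("medium", 10), "READ_CONTACTS": ("medium", 10),
    "INTERNET": ("low", 5),
}
COMBOS = [  # (required permissions, label, bonus points)
    ({"BIND_ACCESSIBILITY_SERVICE", "SYSTEM_ALERT_WINDOW"}, "accessibility+overlay: clickjacking/keylogging risk", 25),
    ({"RECEIVE_BOOT_COMPLETED", "INTERNET"}, "boot persistence+internet: persistence indicator", 15),
]
LEVELS = [(80, "Critical"), (60, "High"), (40, "Medium"), (20, "Low"), (0, "Safe")]  # assumed cut-offs

def score_permissions(permissions):
    """Score a manifest's permission list: per-permission weights plus combination bonuses."""
    names = {p.rsplit(".", 1)[-1] for p in permissions}  # strip the android.permission. prefix
    findings, score = [], 0
    for name in sorted(names):
        if name in PERMISSION_RULES:
            severity, pts = PERMISSION_RULES[name]
            findings.append((name, severity, pts))
            score += pts
    for required, label, pts in COMBOS:
        if required <= names:  # every permission of the combo is requested
            findings.append((label, "combo", pts))
            score += pts
    score = min(score, 100)
    level = next(lbl for cutoff, lbl in LEVELS if score >= cutoff)
    return {"score": score, "level": level, "findings": findings}

# Constructed manifest permission list resembling a stalkerware profile
SAMPLE_MANIFEST = ["android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED",
                   "android.permission.SYSTEM_ALERT_WINDOW",
                   "android.permission.BIND_ACCESSIBILITY_SERVICE"]
```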
Merged File Intelligence
APK analysis is now combined with the full file scanner:
- Cryptographic hashes for VirusTotal lookup
- Entropy analysis for packing detection
- File type verification and extension mismatch detection
Report Generation (generateReport.js)
JSON Export
- Machine-readable format with complete scan metadata
- All hashes, findings, VirusTotal results preserved
- Spyware behavior profiles and confidence scores
- Timestamped and versioned for audit trails
PDF Report Generation
- Professional formatted documents using jsPDF
- Executive summary with security score and threat distribution
- Per-file detailed breakdowns with severity indicators
- Actionable recommendations based on threat types
- Cover page with classification banner and metadata
Frontend Enhancements
New Pages & Navigation
- url.html: Dedicated URL analysis interface with demo samples
- results.html: Comprehensive results dashboard with visualizations
- about.html: Detailed methodology and technology documentation
- Swipe navigation for mobile (left/right to switch pages)
Visual Improvements
- Threat proximity map: Animated orbital chart showing risk distribution
- Security score gauge: ECharts-based gauge with color-coded zones
- Real-time terminal: Matrix-style console with color-coded log levels
- Expandable analysis cards: Collapsible sections for detailed findings
Demo Mode
- Safe sample files for testing without risk:
- invoice_2025.pdf.exe (extension spoofing)
- keylogger-demo.py (surveillance patterns)
- apk-demo.apk (Android permissions)
- quick_scan_demo.js vs deep_scan_test.js (scan mode comparison)
Privacy & Security Improvements
Client-Side First Philosophy
- No forced uploads: Initial analysis happens entirely in browser
- Session-based storage: Results cleared when tab closes
- Transparent processing: Real-time terminal shows all activity
- Backend status indicator: Clear indication of local vs cloud analysis
Security Hardening
- Input validation on all API endpoints
- Secure filename handling with secure_filename()
- Temp file cleanup with try/finally blocks
- CORS configuration for cross-origin safety
Technical Stack Updates
| Component | Original | Updated |
|---|---|---|
| Deployment | cyberthon-zeta.vercel.app | zerorisk-sentinel.vercel.app |
| Backend | None | Python Flask + Gunicorn |
| AI Service | None | Groq API (Llama 3.3 70B) |
| File Analysis | JS-only patterns | YARA + JS fallback |
| Hash Lookup | None | VirusTotal API |
| APK Analysis | None | AndroGuard integration |
| URL Analysis | Basic heuristics | Multi-source threat intel |
| Reports | None | JSON + PDF export |
| Mobile | Basic responsive | Swipe navigation |
Key Metrics
- 3 scan types: Files, URLs, Android APKs
- 5 threat levels: Safe, Low, Medium, High, Critical
- 12+ permission rules for Android analysis
- 70+ security vendors via VirusTotal aggregation
- 100% client-side fallback when backend unavailable
What's Next (Roadmap)
- [ ] Sandboxed dynamic analysis for uncertain files
- [ ] Expanded format support (Office docs, PDF internals, archives)
- [ ] Cryptographically signed analysis reports
- [ ] Community signature contributions
- [ ] Real-time threat feed integration
Built for the paranoid. Designed for everyone.
ZeroRisk Sentinel v2.1: transparent, explainable, user-controlled security