Improve detection efficiency

[suNstudents]

In the process of firmware detection, I found that the detection speed was very slow. After using the example-disable-module.emba configuration file, the speed did not improve significantly, and the modules in the list did not seem to be disabled. Is there any way to improve it

[m-1-k-3]

Hi @suNstudents

could you give a few more details on your environment:

• EMBA startcommand
• which firmware you are testing?
• Analysis enviroment - CPU/RAM/HDD
• where is the speed slow? Can you name the running modules?
• What do you exactly mean with "firmware detection"?

[suNstudents]

Thank you for your @m-1-k-3

When I analyzed DAP-3662_HW-A1A2_FW-105.bin in my virtual machine environment, the whole detection process lasted for more than 3 hours. I set the parallel number of modules to 10 and the upper limit of threads for module running to 24. Can you provide me with some optimization suggestions? Thanks a million!

The server configuration is as follows:
cpu 8
Memory 16GB

I disabled the following modules in the configuration file:

( "S99_grepit" "S110_yara_check" "s15_bootloader_check" "s17_apk_check" "s20_shell_check" "s21_python_check" "s22_php_check" "s24_kernel_bin_identifier" "s25_kernel_check" "s26_kernel_vuln_verifier" "s35_http_file_check" "s36_lighttpd" "s40_weak_perm_check" "s45_pass_file_check" "s50_authentication_check" "s55_history_file_check" "s60_cert_file_check" "s65_config_file_check" "s70_hidden_file_check" "s75_network_check" "s80_cronjob_check" "s85_ssh_check" "s90_mail_check" "s95_interesting_binaries_check" "s100_command_inj_check" "s106_deep_key_search" "s107_deep_password_search" "s108_stacs_password_search" "s109_jtr_local_pw_cracking" "s115_usermode_emulator" "s120_cwe_checker")

[m-1-k-3]

Can you provide your startcommand? Usually EMBA should be able to balance the load quite good. So, normally you do not need to adjust the threading. The time of running depends on the firmware you are testing. You have enabled the module s09 which is one of the long running modules. Check your CPU load while running EMBA (e.g. with htop). This should be quite high. If not then you can adjust threading.

[suNstudents]

./emba -P 10 -l /home/project/log_test_4 -f /home/project/DAP-3662_HW-A1A2_FW-105.bin -p ./scan-profiles/disable-moudle.emba

This is the command I am running, I cannot disable the s09 module, because I need the output information of the s09 module, is there any other way to improve the efficiency of detection? What is the server configuration you are using now, and how long does it usually take to analyze a 10MB firmware?

[m-1-k-3]

probably the issue is in your configuration of the modules you are trying to disable. The names are starting with a capital S letter and you need to adjust these settings.