RingForge Workbench v1.6 Release Notes

Overview

RingForge Workbench v1.6 introduces a major usability and workflow upgrade centered on a new startup experience and the first release of Browser Extension Analysis. This version improves how analysts enter the platform, select workflows, and review browser extension packages using the same dark RingForge visual style used throughout the rest of the product.

Version 1.6 builds on the modular GUI work completed in earlier releases and turns those structural improvements into a more polished analyst-facing experience. The platform now opens with a branded splash screen and launcher, allowing users to choose the analysis workflow they want to run instead of starting directly inside the static triage interface.

In addition to the startup improvements, v1.6 adds a new Browser Extension Analysis module for Chrome, Edge, and Chromium-style extensions. This module supports unpacked extension folders, ZIP archives, and CRX packages, and provides manifest parsing, file inventory, file preview, risk notes, risk scoring, verdicting, and exportable reports.

What's New in v1.6

New startup flow

Added a RingForge splash screen using branded startup artwork
Added a launcher/home screen for selecting analysis workflows
Improved startup UX by separating the launcher from the static analysis interface
Preserved the existing static analysis GUI while making it accessible from the new launcher flow

New launcher options

The launcher now provides direct access to:

Static Analysis
Dynamic Analysis
API Analysis
Spec Analysis
Browser Extension Analysis

New Browser Extension Analysis module

Added the first version of Browser Extension Analysis for browser-based extensions, including support for:

Unpacked extension folders
ZIP archives
CRX packages

The Browser Extension Analysis module includes:

Manifest parsing
Summary view of key manifest fields
File inventory
File preview panel
Risk notes
Risk score
Risk verdict
Color-coded verdict display
Manifest JSON viewer
Quick-save JSON report export
Quick-save HTML report export
Report folder support

Browser extension reporting

Added JSON export for structured browser extension analysis results
Added HTML export for browser extension reports
Styled Browser Extension Analysis HTML reports to match the main RingForge reporting theme
Added report folder support for quick export workflows

UI and workflow improvements

Improved launcher clarity and naming for browser extension workflows
Fixed extension analysis focus behavior so the analysis window stays in front after source selection
Improved lower-pane layout in Browser Extension Analysis with dedicated sections for:
- File Inventory
- File Preview
- Risk Notes
- Manifest JSON
Added better visual separation and flow for export actions

Browser Extension Analysis Details

Supported extension sources

RingForge Workbench v1.6 can analyze:

Unpacked browser extension folders
ZIP-based extension packages
CRX packages

Summary fields shown

The Browser Extension Analysis summary includes:

Name
Version
Description
Manifest Version
Permissions
Host Permissions
Background / Service Worker
Content Scripts
Web Resources
Externally Connectable
Update URL
Commands
CSP
Risk Score
Risk Verdict
Files Found

Risk scoring and notes

The module generates risk notes using:

Manifest-derived indicators
Permission review
Host permission review
Basic source scanning for common suspicious indicators

Initial source scanning includes checks for patterns such as:

eval
new Function
XMLHttpRequest
fetch
document.cookie
chrome.cookies
chrome.tabs
chrome.scripting
chrome.webRequest
remote URLs

Export support

Browser extension analysis results can now be quickly saved to:

JSON
HTML

Reports are stored in a generated extension report folder for easier review and organization.

Improvements from Earlier Versions

Continued the GUI modularization effort begun in earlier versions
Expanded the launcher concept into a real analyst-facing workflow selector
Extended the RingForge reporting style into the new browser extension reporting workflow
Improved product presentation and navigation without removing the existing static triage functionality

Notes

Browser Extension Analysis in v1.6 is focused on static review and reporting
Dynamic browser automation for extension execution is not part of this release
The static analysis interface remains available and is now launched through the new startup flow

Upgrade Summary

RingForge Workbench v1.6 is a feature and workflow release focused on:

Better startup experience
Cleaner module selection
First-class Browser Extension Analysis
Matching export/report support for the new analysis type
Improved analyst usability across the application

RingForge Workbench v1.5 — Release Notes

RingForge Workbench v1.5 delivers a major polish and stability upgrade for the Manual API Tester, improving request handling, response viewing, reporting, and overall GUI consistency. This release turns the Manual API Tester into a more complete and professional API testing workspace while preserving the broader RingForge analysis workflow.

Highlights

Rebuilt and stabilized the Manual API Tester workflow
Fixed request threading and response handling issues
Added a response summary bar for status, timing, content type, and size
Added real elapsed time tracking in milliseconds
Added Copy Response support
Added Body / Headers / Raw response tabs
Improved readability for HTML and text-based responses
Added new API test presets, including JSONPlaceholder GET/POST and Example.com
Improved preset note handling and preset loading behavior
Improved Manual API button styling consistency with the rest of the app
Fixed HTML report save/open workflow for Manual API testing
Improved generated HTML report output for API responses

v1.5 Changelog

Rebuilt APIAnalysisWindow for improved stability and maintainability
Fixed request worker thread startup and completion handling
Fixed response queue handling and output refresh behavior
Added response metadata summary strip
Added real request timing using elapsed milliseconds
Added Copy Response button and clipboard support
Added Body / Headers / Raw response tab layout
Improved JSON response formatting
Improved HTML response readability by inserting basic line breaks between tags
Added JSONPlaceholder GET Test preset
Added JSONPlaceholder POST Test preset
Added Example.com Test preset
Improved preset notes and preset loading status feedback
Updated Manual API action buttons to better match shared GUI styling
Fixed save/open HTML report functionality
Added automatic report generation support for opening the latest HTML report when needed
Fixed missing HTML escaping import required for report generation
Improved overall Manual API Tester usability and visual polish

Result

v1.5 significantly improves the Manual API testing experience in RingForge Workbench and provides a stronger foundation for future API-focused enhancements such as response history, additional export options, and deeper request/response analysis features.

Release Summary

v1.4 turns RingForge Workbench into a more reliable and analyst-friendly platform for software assessment by improving scoring quality, reducing false positives, strengthening trust signals like signatures and YARA, and significantly maturing the API Spec Analysis feature into a more actionable review capability.

RingForge Workbench v1.3 Release Notes

Release Summary

RingForge Workbench v1.3 focuses on major GUI polish, a fully upgraded API Spec Analysis workflow, improved report organization, and cleaner parser behavior across OpenAPI and Swagger specifications. This release turns API Spec Analysis into a practical, polished feature with structured reporting, endpoint inventory, authentication visibility, and better output management.

Highlights

Added a redesigned API Spec Analysis workspace
Improved support for OpenAPI 3.x and Swagger 2.0 specifications
Added structured endpoint inventory reporting
Added polished HTML report generation for spec analysis
Improved auth parsing and normalization
Improved per-endpoint authentication reporting
Improved report naming using the analyzed spec name
Added spec-specific latest report handling
Continued overall GUI polish and branding cleanup for RingForge Workbench

v1.3 Changelog

Added redesigned API Spec Analysis workspace
Added Overview metrics and improved endpoint inventory layout
Added polished HTML reporting for spec analysis
Improved OpenAPI 3 and Swagger 2 support
Improved auth normalization and per-endpoint auth reporting
Improved report naming using spec file names
Added spec-specific latest report handling
Continued GUI polish and branding refinement across RingForge Workbench

RingForge Analyzer v1.2

RingForge Analyzer v1.2 is a GUI polish and workflow refinement release that builds on the v1.1 scoring and workflow milestone. This version focuses on visual consistency, cleaner usability, and a more streamlined experience across the main GUI, Dynamic Analysis, and API Spec Analysis workflows.

Highlights

Refined the main GUI so the output panel is visible on launch
Improved button styling, spacing, and consistency across the application
Standardized Browse and Clear button behavior to better align with entry-field layouts
Simplified the main workflow by consolidating API and Spec entry into API Spec Analysis
Reworked the Dynamic Analysis window to better match the main GUI
Reworked the API Spec Analysis window for a clearer, more report-style layout
Preserved the v1.1 combined scoring and workflow functionality across Static, Dynamic, and Spec/API analysis

Main GUI improvements

Output area now displays correctly at startup
Main action row spacing was tightened for a cleaner, more professional appearance
Button styling was standardized across main actions and side utility controls
Browse and Clear controls were resized and aligned to better match adjacent text-entry rows
Main workflow buttons were simplified to reduce confusion and clutter

Dynamic Analysis improvements

Dynamic Analysis window now follows the same visual structure as the main GUI
Settings were grouped into a clearer Dynamic Analysis Settings section
Enable Procmon Capture was moved next to timeout controls for a more logical layout
Dynamic action row was simplified to:
- Run Dynamic Analysis
- Open Case Folder
- Open Latest Report
Removed the redundant export button from the primary action row
Side Browse buttons were resized and aligned for better consistency
Output pane remains visible and continues to support live run feedback

API Spec Analysis improvements

Renamed and positioned as the primary API/spec workflow
Updated visual structure to match the main GUI and Dynamic Analysis window
Organized output into:
- Summary
- Risk Notes
- Endpoint Inventory
Improved top action row and control styling
API spec analysis continues to save into the case spec folder
API spec results continue to feed the combined Spec/API scoring workflow

API testing workflow

Manual live API request testing remains available as a separate advanced utility
The primary user-facing workflow is now centered on API Spec Analysis
This keeps the main GUI focused while preserving flexibility for deeper manual API testing when needed

Versioning

v1.1 = scoring and workflow milestone
v1.2 = GUI polish, usability refinement, and workflow cleanup

Notes

Core combined scoring behavior introduced in v1.1 remains intact
No major architecture changes were introduced in v1.2
This release is intended as the polished follow-up to the validated v1.1 milestone

What’s New in v1.1

Added Dynamic Analysis window workflow
Added Procmon configuration support
Added dynamic HTML report export
Added browser-based PDF fallback workflow
Improved dynamic findings noise reduction on non-isolated hosts
Improved progress/status wording for optional tool steps
Began UI theming updates to align with report styling

This is the first branded release of RingForge Analyzer, expanding the project from a static triage workflow into a hybrid static + dynamic analysis platform. This release introduces the first major dynamic-analysis workflow for behavioral capture, persistence-change detection, dropped-file triage, and analyst-facing findings, all integrated into the GUI.

Added

dedicated dynamic_analysis package for orchestration, Procmon handling, parsing, persistence diffing, findings, and utilities
Procmon-backed dynamic capture workflow
Procmon CSV parsing and normalized JSON output
interesting-event filtering for higher-value behavior review
dropped-file candidate triage
scheduled task snapshotting and diffing
Windows service snapshotting and diffing
analyst-facing findings summaries
separate Dynamic Analysis GUI window
live phase/status updates during dynamic runs

Improved

cleaner dynamic case structure under metadata, procmon, persistence, files, and reports
more useful GUI output with highlights, task/service diff summaries, top written paths, top network processes, and final JSON summary
reduced dropped-file triage noise by focusing on suspicious and user-writable locations
reduced false findings caused by the tool’s own snapshotting activity
better GUI handling of samples that exit with nonzero return codes

Fixed

Procmon launch hang caused by blocking startup behavior
GUI worker-thread issue that prevented backend execution
scheduled-task snapshot reliability issues from PowerShell JSON handling
excessive dropped-file overcounting during benign runs
self-generated false persistence and LOLBin findings

Dynamic case artifacts

cases/<case_name>/
  metadata/
    run_config.json
    sample_info.json
    run_summary.json
  procmon/
    raw.pml
    export.csv
    parsed_events.json
    interesting_events.json
  persistence/
    tasks_before.json
    tasks_after.json
    task_diffs.json
    services_before.json
    services_after.json
    service_diffs.json
  files/
    dropped_files.json
    dropped_files_summary.json
  reports/
    dynamic_findings.json

Notes

Dynamic analysis in this release is intended for use in an isolated Windows VM or sandbox. RingForge Analyzer v1.0 establishes the first major dynamic-analysis baseline for the platform and creates a strong foundation for future tuning and expansion.

Release Notes – v4.0

This release improves the static triage pipeline with stronger signing validation, better false-positive control, executable API analysis, and clearer risk scoring.

Added

executable API import analysis
API behavior chain detection for PE files
api_analysis.json output artifact
API Analysis section in Markdown and HTML reports
API-chain scoring support in the risk model

Improved

Authenticode parsing now correctly recognizes successful verification states from osslsigncode
signing cache handling now reparses cached raw signing output so improved parsing logic is applied to previously analyzed files
scoring logic better handles legitimate signed installers and launchers
VirusTotal-aware dampening and trusted-signature handling reduce false positives more reliably

Fixed

cases where valid signed software could still be treated like unsigned or partially trusted samples
over-scoring of legitimate installer and launcher software
missing API analysis visibility in reports after feature integration
stale signing cache results preventing corrected verification logic from being reflected in new runs

Notes

v4 is best packaged as an onedir release
keep the executable together with the bundled scripts, engine files, and tools
separate API spec / endpoint analysis is planned as a future mode

Release Notes

Static Software / Malware Analysis v3.0.0 improves the GUI workflow and fixes multiple packaging and execution issues discovered during testing.

Added

VirusTotal API key field in the GUI
Open Case Files button
Open HTML Report button
Open PDF Report button
Packaged release README for Windows distribution

Fixed

Fixed VirusTotal integration so the GUI correctly passes VT_API_KEY to the backend
Fixed packaged EXE relaunch/self-spawn behavior
Fixed release folder layout for scripts, tools, and backend runtime
Fixed progress handling so successful runs reconcile correctly at completion
Fixed final status handling for score, verdict, confidence, and VirusTotal summary

Improved

Better packaged Windows EXE workflow
Better end-user report access
Better final-state progress display and result summary behavior

Release Notes — Version 2

Version 2 builds on the initial public release with major improvements to the Windows GUI workflow, packaging, path handling, and troubleshooting experience. This release focuses on making the project easier to run, easier to understand, and more reliable for day-to-day use, especially for users testing on Windows.

What was added and improved in Version 2

GUI improvements

Updated progress handling in the GUI for timestamped analysis.log entries
Improved step tracking for long-running analysis jobs
Added better success handling so completed runs reach 100%
Improved report/finalize progress behavior
Clearer step labels in the progress view
Better handling for repeated or reused case folders during testing

Windows usability improvements

Added clearer Windows-friendly status handling for steps that rely on Linux-oriented tooling
File Type and Strings now show as Not Available on Windows when the supporting tools are not present, instead of appearing as hard failures
Updated labels to make Linux-dependent steps easier to understand:
- File Type (Linux tool / optional on Windows)
- Strings (Linux tool / optional on Windows)
Added Windows note that PDF generation may be optional depending on environment/tool availability

Engine and path fixes

CASE_ROOT_DIR handling was fixed so case output location selection works correctly
CAPA rules and signatures directory overrides are now properly honored
Improved compatibility with frozen configuration handling
Better detection and handling of report artifacts generated during analysis

Packaging and release improvements

Improved Windows packaging workflow for the GUI
Clarified that the recommended Windows distribution model is:
- GUI executable
- backend scripts
- engine package
- CAPA rules/signature folders
Added better documentation for release folder structure and support files required at runtime

Documentation and troubleshooting improvements

README was expanded and rewritten for a cleaner, more professional setup experience
Added more detailed Windows setup guidance
Added troubleshooting for:
- invalid CAPA rules folder paths
- missing static_triage.py in packaged releases
- lief installed into the wrong Python environment
- 7-Zip not in PATH
- PowerShell path and prompt mistakes
- stale or appended analysis.log behavior
- Windows EXE support file layout issues

Included in this release

Updated GUI and CLI workflows for static triage
Hashing support (MD5, SHA1, SHA256)
Strings extraction with optional lightweight mode
capa capability analysis
PE and LIEF metadata collection
IOC extraction to structured output formats
Report generation in Markdown, HTML, and PDF
Recursive extraction support for common archive and installer formats
Inno Setup extraction support
Bootstrap support for retrieving required CAPA rules
Improved Windows GUI release packaging guidance
Expanded README and troubleshooting documentation

Recommended environment

Ubuntu or WSL remains the best-supported environment for full feature compatibility and the most complete tooling support.

Windows support has been improved significantly in Version 2, especially for the GUI workflow, but some steps still depend on Linux-oriented tooling and may appear as Not Available unless equivalent tools are installed and configured.

Additional notes

CAPA rules are still not vendored directly in the repository and should be retrieved during setup
Windows packaged releases should include the required support files and folders alongside the GUI executable
For the most reliable end-to-end execution path, Ubuntu/WSL is still recommended

Thank you for checking out Version 2 of the Static Software / Malware Analysis — Static Triage Pipeline.

Releases: aring87/ringforge-workbench