Performance

There are several ways to tune CAPE's performance.

Processing

“Processing” consists of three steps that run after the malware has been executed in a VM. These are:

  • processing of raw data

  • signature matching

  • reporting

Processing can take up to 30 minutes if the raw behavior log is large, because such a log contains many API calls and several processing steps each iterate over the whole API list. There are several ways to mitigate the impact:

Evented signatures

Evented signatures share a single common loop over the API calls. Use them wherever possible: either retire old-style signatures, which each run their own loop over the API calls, or convert them to event-based signatures.
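To make the cost difference concrete, here is an added, constructed illustration (not CAPE's own code): a tiny dispatcher modelled loosely on CAPE's Signature API (run() for old-style signatures, on_call()/on_complete() plus filter_apinames for evented ones) runs three signatures of each style over a hand-made four-call log and counts the loop iterations each style needs. The class names, the dispatcher and the sample log are assumptions made for this example.

```python
# Constructed sample: the shape of CAPE's behavior.processes[*].calls, cut down to 4 calls.
PROCESSES = [{"process_name": "sample.exe", "calls": [
    {"api": "CryptEncrypt", "category": "crypto"},
    {"api": "WriteFile", "category": "filesystem"},
    {"api": "DeleteFileW", "category": "filesystem"},
    {"api": "CryptEncrypt", "category": "crypto"},
]}]

class OldStyleSignature:
    """Old style (approximation): every signature walks the whole API list in run()."""
    def __init__(self, api_name):
        self.api_name, self.data, self.loop_iterations = api_name, [], 0
    def run(self, processes):
        for proc in processes:
            for call in proc["calls"]:
                self.loop_iterations += 1  # each signature pays for the full list
                if call["api"] == self.api_name:
                    self.data.append(call)
        return bool(self.data)

class EventedSignature:
    """Evented style (approximation): no loop of its own; the engine feeds on_call()."""
    evented = True
    def __init__(self, api_name):
        self.api_name, self.hit = api_name, False
        self.filter_apinames = {api_name}  # engine skips calls to other APIs
    def on_call(self, call, process):
        if call["api"] == self.api_name:
            self.hit = True
    def on_complete(self):
        return self.hit

def run_old_style(sigs, processes):
    """Every old-style signature iterates the log on its own."""
    results = [s.run(processes) for s in sigs]
    return results, sum(s.loop_iterations for s in sigs)

def run_evented(sigs, processes):
    """One shared pass over the log, dispatching each call to the filtered signatures."""
    iterations = 0
    for proc in processes:
        for call in proc["calls"]:
            iterations += 1
            for sig in sigs:
                if call["api"] in sig.filter_apinames:
                    sig.on_call(call, proc)
    return [s.on_complete() for s in sigs], iterations

def compare(apis=("CryptEncrypt", "DeleteFileW", "WriteFile")):
    """Same verdicts, but the evented engine touches each API call only once."""
    old, old_iter = run_old_style([OldStyleSignature(a) for a in apis], PROCESSES)
    new, new_iter = run_evented([EventedSignature(a) for a in apis], PROCESSES)
    return {"old_iterations": old_iter, "evented_iterations": new_iter,
            "old_results": old, "evented_results": new}
```

With three signatures and four calls the old style needs 12 loop iterations while the evented engine needs 4; on a real log with hundreds of thousands of calls and dozens of signatures that factor is what turns processing into a 30-minute job.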

Reporting

Reports that contain the API log also iterate through the list. Deactivate reports you do not need; in automated environments, switching off the HTML report is a good choice.

RAM boost

RAM boost can be switched on in the configuration (ram_boost in the [behavior] section of conf/processing.conf). This keeps the whole API list in RAM. Do that only if you have plenty of RAM (>20 GB for 8 VMs).