Skip to content

Windows Filesystem Scanner getting started guide🔗

This guide explains how to use the SandboxAQ Filesystem Scanner (formerly Host Scanner) to obtain a cryptography scan from the filesystem in Windows.


The Windows Filesystem Scanner is distributed as a zip package named cs-host-scanner-<VERSION>-x86_64-<PLATFORM>.zip. When you extract this package, it creates a directory named cs-host-scanner-<VERSION>-x86_64-<PLATFORM> that contains an executable cs-host-scanner file, the required libraries for Windows, and a README file. For instance:

├── cs-host-scanner.exe
├── libffi-6.dll
├── libgmp-10.dll
├── zlib1.dll

You can move the cs-host-scanner-<VERSION>-x86_64-<PLATFORM> directory anywhere on your system.


If you move the executable file, make sure to also move the DLLs. They must be in the same directory.

Scanning a Filesystem🔗

Navigate to a directory where you have write permissions to store scan results.

Move the cs-host-scanner.exe executable file, and the libffi-6.dll, libgmp-10.dll, and zlib1.dll libraries to your chosen directory and run:

.\cs-host-scanner.exe `
    --root \path\to\root\directory `
    --output scan.cst.gz

When the Filesystem Scanner has finished executing, the directory you chose earlier will contain the generated trace file.

You can change the directory where the Filesystem Scanner generates traces with the --output option.

Upload the trace to AQtive Guard to run an analysis and generate a report. Refer to these instructions:


Refer to the Filesystem Scanner reference for details on scanning .NET Framework applications and for a list of available parameters.