This MCP server enables large language models (LLMs) to perform basic static triage of PE (Portable Executable) files. By providing tools to analyze potentially malicious files, it allows an LLM to generate analysis reports with minimal prompting.
To set up the TriageMCP server, follow these steps:
First, install all required Python packages:
pip install pefile yara-python die-python fastmcp
Open the triage.py file and modify the following configuration variables to match your environment:
<TOOL>_EXE_PATH: Update with the correct path to your analysis toolsYARA_RULE_PATH: Set to the directory containing your YARA rulesAfter configuring the paths, install the MCP server:
fastmcp install .\triage.py
The TriageMCP server is designed to be used with an LLM to analyze PE files. Here's a basic example of how to use it:
You can use the following simple prompt to initiate a PE file analysis:
You are a malware analyst tasked to analyse the sample at <PATH> with your MCP tools. Create a markdown report that summarizes your findings.
For more comprehensive analysis, consider enhancing your prompts with:
The more specific information you provide in your prompt, the more detailed and relevant the analysis will be.
Currently, the TriageMCP server offers basic static PE file analysis. Future versions are planned to include:
To add this MCP server to Claude Code, run this command in your terminal:
claude mcp add-json "triagemcp" '{"command":"python","args":["-m","triage"]}'See the official Claude Code MCP documentation for more details.
There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.
If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.
To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".
When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:
{
"mcpServers": {
"triagemcp": {
"command": "python",
"args": [
"-m",
"triage"
]
}
}
}To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.
Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.
The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.
You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.
To add this MCP server to Claude Desktop:
1. Find your configuration file:
~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%\Claude\claude_desktop_config.json~/.config/Claude/claude_desktop_config.json2. Add this to your configuration file:
{
"mcpServers": {
"triagemcp": {
"command": "python",
"args": [
"-m",
"triage"
]
}
}
}3. Restart Claude Desktop for the changes to take effect