CLOUD SOLUTIONS

Using Sandbox Analyzer

The Sandbox Analyzer page, on the main left-side menu, provides a unified interface for viewing, filtering and searching automatic and manual submissions to the sandbox environment. The Sandbox Analyzer page consists of two areas:

  1. The searching and filtering area allows you to find submissions by various criteria: name, hash, date, analysis result, status and MITRE's ATT&CK techniques.

  2. The submission cards area displays all submissions in a compact format with detailed information about each one.

sandbox-analyzer-reports-cloud.png

In the Sandbox Analyzer page, you can take the following actions:

Searching and filtering submission cards

This is what you can do in the filters area:

  • Search and filter submissions by various criteria. The page will automatically load only the security event cards matching the selected criteria.

  • Reset filters by clicking the Clear Filters button.

  • Hide the filters area by clicking the Hide Filters button. You can display again the hidden options by clicking Show Filters.

You can search and filter the Sandbox Analyzer submissions by the following criteria:

  • Sample name and hash (MD5) - Enter in the search field a part or the entire name or hash of the sample you are looking for, then click the Search button.

  • Date - To filter by date:

    1. Click the calendar.png calendar icon to configure the searching time frame.

    2. Click the From and To buttons to select the dates defining the time interval.

      You can also select a predetermined period from the list of options, relative to the current time (for example, the last 30 days).

      You can also specify the hour and minutes for each date of the time interval, using the options beneath the calendar.

    3. Click OK to apply the filter.

    sandbox-analyzer-calendar.png
  • Analysis result - Select one or more of the following options:

    • Clean – the sample is secure.

    • Infected – the sample is dangerous.

    • Unsupported – the sample has a format that Sandbox Analyzer could not detonate. To view the complete list with file types and extensions supported by Sandbox Analyzer, refer to Supported File Types and Extensions for Manual Submission.

  • Severity score - The value indicates how dangerous is a sample on a scale from 100 to 0 (zero). The higher the score, the more dangerous the sample is.

    sandbox-analyzer-severity-score.png

    Note

    The severity score applies to all submitted samples, including those with Clean or Unsupported status.

  • Submission type - Select one or more of the following options:

    • Manual - Sandbox Analyzer has received the sample via Manual Submission option.

    • Endpoint sensor - Bitdefender Endpoint Security Tools has sent the sample to Sandbox Analyzer based on policy settings.

  • Submission status - Select one or more of the following check boxes:

    • FinishedSandbox Analyzer has delivered the analysis result.

    • Pending analysisSandbox Analyzer is detonating the sample.

    • FailedSandbox Analyzer could not detonate the sample.

  • ATT&CK techniques. This filtering option integrates MITRE's ATT&CK knowledge base, if applicable. The ATT&CK techniques values change dynamically, based on the security events.

    Click the About link to open ATT&CK Matrix in a new tab.

    sandbox-analyzer-mitre-techniques.png

Viewing analysis details

The Sandbox Analyzer page displays submission cards by day, in reverse chronological order.

sandbox-analyzer-submission-card.png

A submission cards includes the following data:

  • Analysis result

  • Sample name

  • Submission type

  • Severity score

  • Files and processes involved

  • Detonation environment

  • Hash value (MD5)

  • ATT&CK techniques

  • Submission status when a result is unavailable

Each submission card includes a link to a detailed HTML analysis report, if available. To open the report, click the View button.

The HTML report provides rich information organized on multiple levels, with descriptive text, graphics and screen captures that illustrate the sample’s behavior in the detonation environment.

This is what you can learn from a Sandbox Analyzer HTML report:

  1. General data about the analyzed sample, such as: malware name and classification, submission details (file name, type and size, hash, submission time and analysis duration).

  2. Behavioral analysis results, which include all the security events captured during detonation, organized into sections.

    sandbox-analyzer-html-report.png

    The security events refer to:

    • Writing / deleting / moving / duplicating / replacing files on the system and on removable drives.

    • Execution of newly-created files.

    • Changes to the file system.

    • Changes to the applications running inside the virtual machine.

    • Changes to the Windows taskbar and Start menu.

    • Creating / terminating / injecting processes.

    • Writing / deleting registry keys.

    • Creating mutex objects.

    • Creating / starting / stopping / modifying / querying / deleting services.

    • Changing browser security settings.

    • Changing Windows Explorer display settings.

    • Adding files to firewall exception list.

    • Changing network settings.

    • Enabling execution at system startup.

    • Connecting to a remote host.

    • Accessing certain domains.

    • Transferring data to and from certain domains.

    • Accessing URLs, IPs and ports through various communication protocols.

    • Checking the indicators of virtual environment.

    • Checking the indicators of monitoring tools.

    • Creating snapshots.

    • SSDT, IDT, IRP hooks.

    • Memory dumps for suspicious processes.

    • Windows API functions calls.

    • Becoming inactive for a certain time period to delay execution.

    • Creating files with actions to be executed at certain time intervals.

Note

Samples submitted to Cloud Sandbox are deleted immediately after detonation. The resulting HTML reports are available for 365 days.

Deleting submission cards

To delete a submission card that you no longer need:

  1. Go to the submission card you want to delete.

  2. Click the Delete Entry option at the left side of the card.

  3. Click Yes to confirm the action.

    By following these steps, you only delete the submission card.

The information regarding the submission continues to be available in the Sandbox Analyzer Results (Deprecated) report.

Note

This report will continue to be supported only for a limited amount of time.

Manual submission

From Sandbox Analyzer > Manual Submission you can send samples of suspicious objects to Sandbox Analyzer, to determine whether they are threats or harmless files.

You can also access the Manual Submission page by clicking the Submit a sample button at the upper-right side of the filtering area in the Sandbox Analyzer page.

Note

Sandbox Analyzer Manual Submission is compatible with all web browsers required by Control Center, except Internet Explorer 9.

To send objects to Sandbox Analyzer, log in to Control Center using any other supported web browser specified in Connecting to Control Center.

sandbox-analyzer-manual-submission-upload-cloud.png

To submit samples to Sandbox Analyzer:

  1. In the Upload page, under Samples, select the object type:

    • Files - Click the Browse button to select the objects you want to submit for behavioral analysis. In case of password-protected archives, you can define one password per upload session in a dedicated field. During the analysis process, Sandbox Analyzer applies the specified password to all submitted archives.

    • URL - Fill in the corresponding field with any URL you want to analyze. You can submit only one URL per session.

  2. Under Detonation settings, configure the analysis parameters for the current session:

    • Command-line arguments Add as many command-line arguments as you want, separated by spaces, to alter the operation of certain programs, such as executables. The command-line arguments apply to all submitted samples during analysis.

    • Detonate samples individually. Select the check box to have the files from bundle analyzed one by one.

  3. Under Detonation profile, adjust the complexity level of behavioral analysis, while affecting the Sandbox Analyzer throughput.

    For example, if set to High, Sandbox Analyzer would perform a more accurate analysis on fewer samples, in the same interval, than on Medium or Low.

  4. In the General settings page, you can make configurations that apply to all manual submissions, regardless of session:

    • Time limit for sample detonation (minutes) - Allocate a fixed amount of time to complete the sample analysis. The default value is 4 minutes, but sometimes the analysis may take more time. At the end of the configured interval, Sandbox Analyzer interrupts the analysis and generates a report based on the data collected up to that moment. If interrupted when incomplete, the analysis may contain inaccurate results.

    • Number of reruns allowed - In case of unexpected errors, Sandbox Analyzer tries to detonate the sample as configured until completes the analysis. The default value is 2. That means Sandbox Analyzer will try two more times to detonate the sample in case of error.

    • Prefiltering - Select this option to exclude from detonation samples already analyzed.

    • Internet access during detonation - During analysis, some samples require internet connection to complete the analysis. For best result, it is recommended to keep this option enabled.

    • Click Save to retain the changes.

    sandbox-analyzer-general-settings.PNG
  5. Go back to the Upload page.

  6. Click Submit.

    A progress bar indicates the submission status.

    After submission, the Sandbox Analyzer page displays a new card. When the analysis is complete, the card provides the verdict and the corresponding details.

Note

To manually submit samples to Sandbox Analyzer you must have Manage Networks rights.