Using Sandbox Analyzer
The Sandbox Analyzer page, on the main left-side menu, provides a unified interface for viewing, filtering and searching automatic and manual submissions to the sandbox environment. The Sandbox Analyzer page consists of two areas:
The searching and filtering area allows you to find submissions by various criteria: name, hash, date, analysis result, status and MITRE's ATT&CK techniques.
The submission cards area displays all submissions in a compact format with detailed information about each one.
Note
As a Partner, you can view by default your company’s submissions to Sandbox Analyzer. To view submissions from all companies under your direct management or from a specific company, use the drop-down list next to Show/hide filters button. The submissions for all direct companies are available in the Sandbox Analyzer Results report.
In the Sandbox Analyzer page, you can take the following actions:
Searching and filtering submission cards
This is what you can do in the filters area:
Search and filter submissions by various criteria. The page will automatically load only the security event cards matching the selected criteria.
Reset filters by clicking the Clear Filters button.
Hide or show the filters area by clicking the corresponding button.
Note
As a Partner, you can view submissions from direct companies even after their license keys expire.
You can search and filter the Sandbox Analyzer submissions by the following criteria:
Company name. From the drop-down list next to Show/hide filters, select all direct companies or the specific company for which you want to see submissions. By default, this page displays your company's submissions.
Sample name and hash (MD5) - Enter in the search field a part or the entire name or hash of the sample you are looking for, then click the Search button.
Note
The displayed cards contain the name of the company on whose behalf the submission was made. You cannot use the company name in the search field.
Date - To filter by date:
Click the
calendar icon to configure the searching time frame.Click the From and To buttons to select the dates defining the time interval.
You can also select a predetermined period from the list of options, relative to the current time (for example, the last 30 days).
You can also specify the hour and minutes for each date of the time interval, using the options beneath the calendar.
Click OK to apply the filter.
Analysis result - Select one or more of the following options:
Clean – the sample is secure.
Infected – the sample is dangerous.
Unsupported – the sample has a format that Sandbox Analyzer could not detonate. To view the complete list with file types and extensions supported by Sandbox Analyzer, refer to Supported File Types and Extensions for Manual Submission.
Severity score - The value indicates how dangerous is a sample on a scale from 100 to 0 (zero). The higher the score, the more dangerous the sample is.
Note
The severity score applies to all submitted samples, including those with Clean or Unsupported status.
Submission type - Select one or more of the following options:
Manual - Sandbox Analyzer has received the sample via Manual Submission option.
Endpoint sensor - Bitdefender Endpoint Security Tools has sent the sample to Sandbox Analyzer based on policy settings.
Submission status - Select one or more of the following check boxes:
Finished – Sandbox Analyzer has delivered the analysis result.
Pending analysis – Sandbox Analyzer is detonating the sample.
Failed – Sandbox Analyzer could not detonate the sample.
ATT&CK techniques. This filtering option integrates MITRE's ATT&CK knowledge base, if applicable. The ATT&CK techniques values change dynamically, based on the security events.
Click the About link to open ATT&CK Matrix in a new tab.
Viewing analysis details
The Sandbox Analyzer page displays submission cards by day, in reverse chronological order.
A submission cards includes the following data:
Analysis result
Sample name
Submission type
Severity score
Files and processes involved
Detonation environment
Hash value (MD5)
ATT&CK techniques
Submission status when a result is unavailable
Each submission card includes a link to a detailed HTML analysis report, if available. To open the report, click the View button.
The HTML report provides rich information organized on multiple levels, with descriptive text, graphics and screen captures that illustrate the sample’s behavior in the detonation environment.
This is what you can learn from a Sandbox Analyzer HTML report:
General data about the analyzed sample, such as: malware name and classification, submission details (file name, type and size, hash, submission time and analysis duration).
Behavioral analysis results, which include all the security events captured during detonation, organized into sections.
The security events refer to:
Writing / deleting / moving / duplicating / replacing files on the system and on removable drives.
Execution of newly-created files.
Changes to the file system.
Changes to the applications running inside the virtual machine.
Changes to the Windows taskbar and Start menu.
Creating / terminating / injecting processes.
Writing / deleting registry keys.
Creating mutex objects.
Creating / starting / stopping / modifying / querying / deleting services.
Changing browser security settings.
Changing Windows Explorer display settings.
Adding files to firewall exception list.
Changing network settings.
Enabling execution at system startup.
Connecting to a remote host.
Accessing certain domains.
Transferring data to and from certain domains.
Accessing URLs, IPs and ports through various communication protocols.
Checking the indicators of virtual environment.
Checking the indicators of monitoring tools.
Creating snapshots.
SSDT, IDT, IRP hooks.
Memory dumps for suspicious processes.
Windows API functions calls.
Becoming inactive for a certain time period to delay execution.
Creating files with actions to be executed at certain time intervals.
Note
Samples submitted to Cloud Sandbox are deleted immediately after detonation. The resulting HTML reports are available for 365 days.
You can also retrieve the Sandbox Analyzer HTML reports via API.
Deleting submission cards
To delete a submission card that you no longer need:
Go to the submission card you want to delete.
Click the Delete Entry option at the left side of the card.
Click Yes to confirm the action.
By following these steps, you only delete the submission card.
The information regarding the submission continues to be available in the Sandbox Analyzer Results report.
Note
This report will continue to be supported only for a limited amount of time.
Manual submission
From Sandbox Analyzer > Manual Submission you can send samples of suspicious objects to Sandbox Analyzer, to determine whether they are threats or harmless files.
You can also access the Manual Submission page by clicking the Submit a sample button at the upper-right side of the filtering area in the Sandbox Analyzer page.
Note
To send objects to Sandbox Analyzer, log in to Control Center using any other supported web browser specified in Connecting to Control Center.
To submit samples to Sandbox Analyzer:
In the Upload page, under Samples, select the company of whose behalf you want to make the submission, then select the object type:
Files - Click the Browse button to select the objects you want to submit for behavioral analysis. In case of password-protected archives, you can define one password per upload session in a dedicated field. During the analysis process, Sandbox Analyzer applies the specified password to all submitted archives.
URL - Fill in the corresponding field with any URL you want to analyze. You can submit only one URL per session.
Note
You cannot submit samples on behalf of companies that have expired license keys.
Under Detonation settings, configure the analysis parameters for the current session:
Command-line arguments Add as many command-line arguments as you want, separated by spaces, to alter the operation of certain programs, such as executables. The command-line arguments apply to all submitted samples during analysis.
Detonate samples individually. Select the check box to have the files from bundle analyzed one by one.
Under Detonation profile, adjust the complexity level of behavioral analysis, while affecting the Sandbox Analyzer throughput.
For example, if set to High, Sandbox Analyzer would perform a more accurate analysis on fewer samples, in the same interval, than on Medium or Low.
In the General settings page, you can make configurations that apply to all manual submissions, regardless of session:
Time limit for sample detonation (minutes) - Allocate a fixed amount of time to complete the sample analysis. The default value is 4 minutes, but sometimes the analysis may take more time. At the end of the configured interval, Sandbox Analyzer interrupts the analysis and generates a report based on the data collected up to that moment. If interrupted when incomplete, the analysis may contain inaccurate results.
Number of reruns allowed - In case of unexpected errors, Sandbox Analyzer tries to detonate the sample as configured until completes the analysis. The default value is 2. That means Sandbox Analyzer will try two more times to detonate the sample in case of error.
Prefiltering - Select this option to exclude from detonation samples already analyzed.
Internet access during detonation - During analysis, some samples require internet connection to complete the analysis. For best result, it is recommended to keep this option enabled.
Click Save to retain the changes.
Go back to the Upload page.
Click Submit.
A progress bar indicates the submission status.
After submission, the Sandbox Analyzer page displays a new card. When the analysis is complete, the card provides the verdict and the corresponding details.
Note
To manually submit samples to Sandbox Analyzer you must have Manage networks rights.