Troubleshooting
Detonation error codes for GravityZone Sandbox Analyzer
Sandbox Analyzer On-premises is a powerful antimalware Bitdefender GravityZone solution, designed to analyze suspicious content through different sensors deployed in the enterprise network. Detonation capabilities include file and URL analysis, covering various file formats that are commonly used in advanced attacks.
When detonating samples in Sandbox Analyzer, you may encounter certain errors. This section provides details about these errors and useful tips on how to fix them.
3001 – An unknown error has occurred while detonating the sample. | |
---|---|
Description | This error may have multiple causes and requires investigation from Bitdefender. |
Solution | To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
3002 – Could not find a software application to open sample file type during detonation. | |
---|---|
Description | Sandbox Analyzer uses software applications installed on the detonation image to open specific file types and analyze their behavior. For example, a DOCX type file requires Microsoft Office suite to be installed on the detonation image. This error indicates that the sample could not be analyzed because the required application is missing. |
Solution | Make sure that you have installed the software required to open the sample in the detonation image. To verify that an image can analyze samples, run the Golden Image Tester program inside the virtual machine used for building detonation images. For details on how to use Golden Image Tester, refer to Using Golden Image Tester for GravityZone Sandbox Analyzer. |
3003 – Could not find the image required for sample detonation. | |
---|---|
Description | The detonation images that analyze samples are hosted in the Sandbox Analyzer VM store. This error occurs when you select a detonation image in GravityZone Control Center, but that image no longer exists in the VM store. |
Solution | To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
3004 – The image for sample detonation is not ready for use. | |
---|---|
Description | Sandbox Analyzer detonates samples using images that have been built from a golden image. This error indicates that building the image has not finished yet. |
Solution | Check in the Sandbox Analyzer > Infrastructure > Image Management page, from GravityZone Control Center, that the detonation image has the status Ready. |
3005 – The sample file type is not supported for detonation. | |
---|---|
Description | This error occurs when Sandbox Analyzer excludes a submitted sample from detonation because its type is not supported. |
Solution | You can only submit samples of supported formats or types. For the list of supported types, refer to the Appendices > Sandbox Analyzer Objects section. |
3006 – The password provided for the submitted sample was not correct. | |
---|---|
Description | In the Sandbox Analyzer > Manual Submission page, from GravityZone Control Center, you can specify a password when submitting archives. This error indicates that Sandbox Analyzer could not open the archive because the provided password did not work. |
Solution | Submit the sample and specify the password again. |
3007 – An unknown error has occurred in the guest machine during the sample detonation. | |
---|---|
Description | This error indicates that something went wrong in the virtual machine while detonating the sample. |
Solution | This error requires investigation from Bitdefender. Contact Bitdefender Technical Support for guidance. |
3008 – The sample could not run during the detonation process. | |
---|---|
Description | This error indicates that Sandbox Analyzer has had issues trying to execute the sample. |
Solution | Submit the sample again. If the error persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
3009 – The sample took too long to run during the detonation process. | |
---|---|
Description | The time needed to analyze a sample varies depending on the file type, size, and the actions that Sandbox Analyzer performs on it. This error indicates that analyzing the sample has timed out and, therefore, has failed. |
Solution | Submit the sample again. If the error persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
3010 – Could not find a default software application to open the sample file type during the sample detonation. | |
---|---|
Description | Sandbox Analyzer requires that the detonation image has software configured as default to open specific file types. For example, Sandbox Analyzer uses Adobe Reader to open PDF files if the application is configured as default. This error indicates that, although the application may be present on the machine, Sandbox Analyzer could not use it because it was not configured as default. |
Solution | Follow these steps:
|
3011 – The sample is not compatible with the detonation image. | |
---|---|
Description | This error indicates that the sample is a file type not supported by the operating system running in the virtual machine. It is also possible that the sample is not an executable file, but it has an executable extension. For example, a BAT file named with the .EXE extension. |
Solution | Check that the sample is Windows-compatible and has the correct extension. If the error persists, contact Bitdefender Technical Support. |
3012 – No virtual machine configured as default or selected for detonation. | |
---|---|
Description | This error indicates that no detonation virtual machine was selected in the Sandbox Analyzer settings and none was configured as default. |
Solution | In GravityZone Control Center, go to the Sandbox Analyzer > Infrastructure > Image Management page and set one of the available virtual machines as default. For manual submission, select at least one virtual machine to perform sample analysis. |
Error codes for image management in Sandbox Analyzer
This section provides details about the error codes related to the image management in GravityZone Sandbox Analyzer On-premises.
When creating and managing virtual machine (VM) images used for object detonation in Sandbox Analyzer, you may encounter certain errors.
Error 1000 - An unknown error has occurred while building the image. | |
---|---|
Description | This error may have multiple causes and requires investigation from Bitdefender. |
Solution | To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1002 - Could not find the configuration file required for building the image. | |
---|---|
Description | Sandbox Analyzer uses multiple files containing settings for building a VM image. This error occurs when one of them is missing. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1003 - A variable is missing from the configuration file. | |
---|---|
Description | When building an image, Sandbox Analyzer uses a file containing certain settings and variables. This error occurs when a variable is missing from that file. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1004 - A variable from the configuration file has an empty or null value. | |
---|---|
Description | This error indicates a specific issue with the configuration file required when building the virtual machine image used for detonation. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1005 - The configuration file has an invalid format. | |
---|---|
Description | This error indicates a specific issue with the configuration file required when building the virtual machine image used for detonation. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1006 - An error has occurred while converting the image file. | |
---|---|
Description | This error indicates that the virtual machine image is not in VMDK format. |
Solution | To fix this issue:
|
Error 1007 - Copying the image file in the VM store has failed. | |
---|---|
Description | This error may have several causes, such as insufficient resources or insufficient user rights to copy the virtual machine image file to the datastore. |
Solution | To fix this issue:
If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support to identify any other cause. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1008 - A variable in the configuration file has an invalid value. | |
---|---|
Description | This error indicates a specific issue with the configuration file required when building the virtual machine image. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1010 - Could not authenticate to the ESXi host. Please check the credentials. | |
---|---|
Description | Building the virtual machine image requires authentication on the ESXi host. This error indicates that the authentication has failed, most probably because of incorrect credentials. |
Solution | To fix this issue:
|
Error 1011 - An error has occurred when trying to connect to the ESXi host on the required port. | |
---|---|
Description | This error occurs when the connection to ESXi on specific ports fails. |
Solution | To fix this issue, check the following conditions:
|
Error 1012 - A reading error has occurred. The image file could be corrupt. | |
---|---|
Description | This error occurs when the VMDK file used for building VM images has been copied incompletely in the VM directory on the ESXi datastore. |
Solution | To fix this issue:
|
Error 1013 - A SSH protocol error has occurred when trying to connect to the ESXi host. | |
---|---|
Description | This error may have multiple causes, such as a security certificate issue or the root user being locked out. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1014 - A protocol error has occurred when connecting to the ESXi host API. | |
---|---|
Description | This is an error that requires investigation from Bitdefender Technical Support. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1015 - An error has occurred when mounting the VMFS file system from the ESXi host. | |
---|---|
Description | This error may happen because the VMFS version running on ESXi is other than 5. |
Solution | To solve this situation, use VMFS version 5. If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1016 - An error has occurred when configuring Windows Registry hives. | |
---|---|
Description | This error indicates that configuring Windows Registry hives failed, most probably because the Windows Registry is corrupt. |
Solution | Check the Windows Registry for possible errors and perform a repair to fix them. For further investigation, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1017 - Could not find the user profile in the image. | |
---|---|
Description | Sandbox Analyzer requires the detonation virtual machine to have an Administrator profile enabled and with no password. This error indicates that the profile does not meet these conditions. |
Solution | Check that the built-in Administrator is enabled and has no password. |
Error 1019 - Unknown error occurred while preparing the image. | |
---|---|
Description | This error may occur in the final stages of building the image and requires investigation from Bitdefender Technical Support. |
Solution | Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1020 - The image could not be built because the guest operating system was hibernating. | |
---|---|
Description | Sandbox Analyzer requires the operating system used for creating the VM image to have previously been shut down. This error indicates that building the image has failed because the operating system was in hibernation. |
Solution | Make sure that the operating system has shut down and try to build the image again. |
Error 1021 - The image could not be built due to improper shutdown of the guest operating system. | |
---|---|
Description | This error indicates that the guest operating system may have encountered a problem and did not shut down before building the VM image. |
Solution | Check the operating system’s status and try to build the image again. |
Error 1022 - An error has occurred when trying to mount the image. | |
---|---|
Description | This error may have multiple causes, including that the guest operating system may have been shut down improperly. |
Solution | Try to build the image again. If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1023 - Timed out while waiting for an answer from the guest machine. Image build has failed. | |
---|---|
Description | This error usually occurs due to insufficient resources. |
Solution | To fix this issue:
|
Error 1024 - A dumping boot sector error has occurred while building the image. | |
---|---|
Description | This unlikely error indicates a problem occurred during the image building process. |
Solution | To fix this issue, try to build the image again. If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1025 - Could not find on the image a partition with a supported operating system. | |
---|---|
Description | This error may occur when an unsupported operating system was installed on a VM image. |
Solution | Use a supported operating system to build the VM image, namely Windows 7 or Windows 10. |
Error 1026 - An unknown error has occurred while building the image. | |
---|---|
Description | This error may happen because the requirements for building the VM image are not met. |
Solution | Review the VM image requirements. If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1027 - An unknown error has occurred in the image during the build process. | |
---|---|
Description | This error may have multiple causes and requires investigation from Bitdefender. |
Solution | Try to build the image again. If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1028 - Could not find the binary file required for building the image. | |
---|---|
Description | This error requires investigation from Bitdefender Technical Support. |
Solution | Try to build the image again. If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector. |
Error 1029 - The version of the configured ESXi datastore is not supported. | |
---|---|
Description | This error occurs when the VMFS version running on the ESXi host is other than 5. |
Solution | Sandbox Analyzer On-premises supports only VMFS version 5. Make sure that this version runs on the ESXi host. |
Using Golden Image Tester for GravityZone Sandbox Analyzer
This section describes how to test if a virtual machine meets the conditions for being used as a golden image in Sandbox Analyzer On-premises.
In GravityZone Sandbox Analyzer, you can use golden images to build virtual machines to be used in the detonation environment. Golden Image Tester is a tool that helps you check if a virtual machine meets the conditions to be a golden image and to detonate certain file types.
You can run Golden Image Tester inside any virtual machine. For example, you can power on a virtual machine on your computer, run Golden Image Tester in it and, if the virtual machine is validated, you can use it as a golden image for Sandbox Analyzer.
Running Golden Image Tester without parameters
If you are looking for a straightforward verification of a virtual machine, you can run Golden Image Tester without parameters.
In your preferred environment, power on the virtual machine.
Log in to the virtual machine.
Download the Golden Image Tester ZIP file from this link.
Extract the ZIP file.
Run GoldenImageTester.exe.
While running, Golden Image Tester displays information regarding the following:
Administrator user
Windows license
Default internet browser
Microsoft Office suite
Adobe Reader
Java Runtime Environment
After verification, press any key to close the program.
Running Golden Image Tester with parameters
To obtain detailed information about a virtual machine, you can run Golden Image Tester by using command lines with parameters.
These parameters allow you to create a log file that you can send to Bitdefender Technical Support for investigation. This log file is saved on the current working drive, under the name GIDebugInformation.log.
In the log file, you are provided with exit codes, verdicts and details for each condition. Exit code is 0 when the conditions are met.
This is how you run Golden Image Tester with parameters:
On the virtual machine, open Command Prompt.
Download Golden Image Tester from this link.
Navigate to the folder where GoldenImageTester.exe is located.
Run the program by using the command: GoldenImageTester.exe.
Golden Image Tester displays information regarding the following:
Administrator user
Windows license
Default internet browser
Microsoft Office suite
Adobe Reader
Java Runtime Environment
You can use the command with the following parameters:
Command line parameters | Description | Example |
---|---|---|
-x, --autoexit | The program displays information regarding the machine and terminates without expecting user input. | GoldenImageTester.exe -x or GoldenImageTester.exe --autoexit |
-d, --debug | The program enables the debug mode, which creates a log file, and waits for user input before it terminates. | GoldenImageTester.exe -d or GoldenImageTester.exe --debug |
Note
You can use the command line options in any combination. For example, GoldenImageTester.exe -d -x.

Interpreting the output
Golden Image Tester verifies several conditions on the virtual machine, as described below. Some of these conditions are mandatory, while others are recommended and do not prevent using the virtual machine as a golden image.
After verification, Golden Image Tester provides a verdict on whether the virtual machine can be used for detonation or not.
If a mandatory condition is not met, Golden Image Tester displays an error message that describes the issue. In this case, the virtual machine cannot be a golden image for Sandbox Analyzer.
If a recommended condition is not met, Golden Image Tester displays a warning message that describes the issue. The virtual machine can be a golden image, but it will lack the ability to detonate certain file types, such as PDFs (when Adobe Reader is missing) or Office-compatible files (when Microsoft Office is missing).
Conditions checked by Golden Image Tester:
Administrator user
A virtual machine must have an Administrator user with no password configured. If this condition is not met, the virtual machine cannot be a golden image for Sandbox Analyzer.
Windows license
The operating system on the virtual machine must be fully licensed, otherwise the virtual machine cannot be a golden image. Sandbox Analyzer supports Windows 7 and Windows 10.
Default browser
A default internet browser must be configured in the virtual machine. Sandbox Analyzer supports the following browsers:
Google Chrome
Microsoft Internet Explorer
Mozilla Firefox
Microsoft Office
To detonate Office-compatible files, such as .docx or .xls, the Microsoft Office suite should be installed and licensed. However, you can use the virtual machine as a golden image even without Microsoft Office installed.
Adobe Reader
To detonate PDF files, Adobe Reader should be installed on the virtual machine. However, you can use the virtual machine as a golden image even without Adobe Reader installed.
Java Runtime Environment
To detonate Java executables (.jar files), Sandbox Analyzer requires Java Runtime Environment to be installed. However, you can use the virtual machine as a golden image even without Java Runtime Environment installed.
Using Sandbox Analyzer LogCollector
This section describes how to use LogCollector for Sandbox Analyzer Virtual Appliance (On-Premises) to collect information about the status of the Sandbox Analyzer Virtual Appliance (VA) and about events that occurred on it. This information helps the Bitdefender Support team to investigate and resolve the issues you encountered with your Sandbox Analyzer VA.
To collect all the needed information:
Connect to the Sandbox Analyzer via SSH. You may use PuTTY.
Log in with root and provide the password for this user (sve by default).
Run this command:
# /opt/bitdefender/bin/bdsysinfo-sve
A .tar.gz archive file containing the logs is saved to /root.
The filename has the format: bdsysinfo-xxxxx.tar.gz, where xxxxx is a random string.
The logs deliver the following:
Files:
/opt/bitdefender/var/log
/opt/bitdefender/etc
/opt/bitdefender/var/epag
/etc
/var/log
/var/crash
Command output for:
uname -a
dmesg
ps auwx
cat /proc/meminfo
cat /proc/cpuinfo
df -hT
slabtop --once
cat /proc/mounts
dpkg -l
ls -lR /opt/bitdefender
lsmod
sysctl -a
env
netstat -anpe
getent passwd
getent group
lsof -n
ip addr show
ip route show
docker ps -a
docker images
Using WinSCP, copy the file to your machine.
Send the file to Bitdefender support.
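The archive bundles output such as env, getent passwd and netstat together with files from /etc, so it is worth checking before it leaves the appliance. The following shell helper is an added example, not part of Bitdefender's tooling: it locates the newest bdsysinfo archive in /root, verifies that it is intact, records its SHA-256 and lists members that match a keyword pattern for manual review. The function names and the keyword pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Bitdefender tooling. From the page: the archive is saved
# to /root as bdsysinfo-xxxxx.tar.gz. Function names and the keyword pattern
# below are assumptions made for this example.

# Keywords used to flag members for manual review (constructed list).
REVIEW_PATTERN='password|secret|token|api[_-]?key'

# Print the newest bdsysinfo archive in a directory (empty output if none).
latest_bdsysinfo() {
    ls -t "${1:-/root}"/bdsysinfo-*.tar.gz 2>/dev/null | head -n 1
}

# Succeed only if the gzip stream and the tar structure are both intact,
# which catches an archive that was cut short while being written.
verify_archive() {
    gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1
}

# Print the SHA-256 digest, to compare against the copy made with WinSCP.
archive_sha256() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Print the archive members whose content matches REVIEW_PATTERN.
# Each member is streamed to stdout; nothing is extracted to disk.
# The archive is re-read once per member, so this is slow on large bundles.
review_sensitive() {
    tar -tzf "$1" | while IFS= read -r member; do
        case $member in */) continue ;; esac   # skip directory entries
        if tar -xzOf "$1" "$member" 2>/dev/null </dev/null |
            grep -aqEi "$REVIEW_PATTERN"; then
            printf '%s\n' "$member"
        fi
    done
}

# Run all checks on the newest archive and print a short summary.
prepare_bundle() {
    archive=$(latest_bdsysinfo "${1:-/root}")
    if [ -z "$archive" ]; then
        echo "no bdsysinfo archive found" >&2
        return 1
    fi
    if ! verify_archive "$archive"; then
        echo "archive is truncated or corrupt: $archive" >&2
        return 1
    fi
    chmod 600 "$archive"   # keep the bundle readable by root only
    echo "archive: $archive"
    echo "sha256:  $(archive_sha256 "$archive")"
    echo "members to review before sending:"
    review_sensitive "$archive"
}

# Run only when a directory is given, e.g.: sh check_bundle.sh /root
if [ "$#" -gt 0 ]; then
    prepare_bundle "$1"
fi
```

After copying the file with WinSCP, compute its SHA-256 on your workstation (for example with certutil -hashfile on Windows) and compare it with the value printed on the appliance.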