## ON PREMISES SOLUTIONS

### Troubleshooting

#### Detonation error codes for GravityZone Sandbox Analyzer

Sandbox Analyzer On-premises is a powerful antimalware Bitdefender GravityZone solution, designed to analyze suspicious content through different sensors deployed in the enterprise network. Detonation capabilities include file and URL analysis, covering various file formats that are commonly used in advanced attacks.

When detonating samples in Sandbox Analyzer, you may encounter certain errors. This section provides details about these errors and useful tips on how to fix them.

3001 – An unknown error has occurred while detonating the sample.

Description

This error may have multiple causes and requires investigation from Bitdefender.

Solution

To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

3002 – Could not find a software application to open sample file type during detonation.

Description

Sandbox Analyzer uses software applications installed on the detonation image to open specific file types and analyze their behavior. For example, a DOCX type file requires Microsoft Office suite to be installed on the detonation image. This error indicates that the sample could not be analyzed because the required application is missing.

Solution

Make sure that you have installed the software required to open the sample in the detonation image. To verify that an image can analyze samples, run the Golden Image Tester program inside the virtual machine used for building detonation images. For details on how to use Golden Image Tester, refer to Using Golden Image Tester for GravityZone Sandbox Analyzer.

3003 – Could not find the image required for sample detonation.

Description

The detonation images that analyze samples are hosted in the Sandbox Analyzer VM store. This error occurs when you select a detonation image in GravityZone Control Center, but that image no longer exists in the VM store.

Solution

To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

3004 – The image for sample detonation is not ready for use.

Description

Sandbox Analyzer detonates samples using images that have been built from a golden image. This error indicates that building the image has not finished yet.

Solution

Check in the Sandbox Analyzer > Infrastructure > Image Management page, from GravityZone Control Center, that the detonation image has the status Ready.

3005 – The sample file type is not supported for detonation.

Description

This error occurs when Sandbox Analyzer excludes a submitted sample from detonation because its type is not supported.

Solution

You can only submit samples of supported formats or types.

For the list of supported types, refer to the Appendices > Sandbox Analyzer Objects section.

3006 – The password provided for the submitted sample was not correct.

Description

In the Sandbox Analyzer > Manual Submission page, from GravityZone Control Center, you can specify a password when submitting archives. This error indicates that Sandbox Analyzer could not open the archive because the provided password did not work.

Solution

Submit the sample and specify the password again.

3007 – An unknown error has occurred in the guest machine during the sample detonation.

Description

This error indicates that something went wrong in the virtual machine while detonating the sample.

Solution

This error requires investigation from Bitdefender. Contact Bitdefender Technical Support for guidance.

3008 – The sample could not run during the detonation process.

Description

This error indicates that Sandbox Analyzer has had issues trying to execute the sample.

Solution

Submit the sample again. If the error persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

3009 – The sample took too long to run during the detonation process.

Description

The time needed to analyze a sample may vary depending on the file type, size, and the actions that Sandbox Analyzer performs on it. This error indicates that analyzing the sample has timed out and, therefore, has failed.

Solution

Submit the sample again. If the error persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

3010 – Could not find a default software application to open the sample file type during the sample detonation.

Description

Sandbox Analyzer requires that the detonation image has software configured as default to open specific file types. For example, Sandbox Analyzer uses Adobe Reader to open PDF files if the application is configured as default. This error indicates that, although the application may be present on the machine, Sandbox Analyzer could not use it because it was not configured as default.

Solution

1. Verify that the software required for detonation is actually installed on the virtual machine. You can do this by running Golden Image Tester. This program indicates whether Microsoft Office, Adobe Reader and Java Runtime Environment are installed on the machine, along with information about the operating system and the user's account. For details on how to use Golden Image Tester, refer to Using Golden Image Tester for GravityZone Sandbox Analyzer.

2. Make sure that the installed software is configured as default applications to open specific file types.

3011 – The sample is not compatible with the detonation image.

Description

This error indicates that the sample is a file type not supported by the operating system running in the virtual machine. It is also possible that the sample is not an executable file, but it has an executable extension. For example, a BAT file named with an .EXE extension.

Solution

Check that the sample is Windows-compatible and has the correct extension. If the error persists, contact Bitdefender Technical Support.
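A pre-submission check for the error 3011 case, given here as an added example and not as part of Bitdefender's tooling. It compares a file's extension with its MZ/PE header and reports the target architecture so it can be compared with the detonation image; the function names, the extension set and the sample files are assumptions constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# Extensions treated as "claims to be a Windows PE image" (assumption for this example).
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}
# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def pe_machine(path):
    """Return the target machine of a PE image, or None if the file is not PE."""
    with open(path, "rb") as fh:
        dos = fh.read(0x40)  # IMAGE_DOS_HEADER is 64 bytes
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)  # offset of "PE\0\0"
        fh.seek(e_lfanew)
        nt = fh.read(6)  # PE signature followed by the Machine field
    if len(nt) < 6 or nt[:4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", nt, 4)
    return MACHINES.get(machine, "unknown(0x%04x)" % machine)


def precheck_sample(path):
    """Compare extension and content; return (verdict, detail)."""
    machine = pe_machine(path)
    claims_pe = Path(path).suffix.lower() in PE_EXTENSIONS
    if claims_pe and machine is None:
        return "mismatch", "executable extension but no MZ/PE header"
    if machine is not None and not claims_pe:
        return "mismatch", "PE image (%s) without an executable extension" % machine
    if claims_pe:
        return "ok", "PE image for %s" % machine
    return "not-checked", "not a PE file or extension"


def write_constructed_samples(directory):
    """Create small constructed files that stand in for real samples."""
    directory = Path(directory)
    # Header-only PE stub: DOS header pointing at a PE signature for x64.
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    stub += b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18
    batch = b"@echo off\r\necho constructed sample\r\n"
    samples = {
        "invoice.exe": batch,  # BAT content with an .EXE extension (error 3011 case)
        "tool.exe": stub,      # extension and content agree
        "report.txt": stub,    # PE content with a non-executable extension
        "notes.bat": batch,    # not a PE extension; left to the supported types list
    }
    for name, content in samples.items():
        (directory / name).write_bytes(content)
    return {name: directory / name for name in samples}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in write_constructed_samples(tmp).items():
            print(name, *precheck_sample(path))
```
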

3012 – No virtual machine configured as default or selected for detonation.

Description

This error indicates that no detonation virtual machine was selected in the Sandbox Analyzer settings and none was configured as default.

Solution

In GravityZone Control Center, go to the Sandbox Analyzer > Infrastructure > Image Management page and set one of the available virtual machines as default. For manual submission, select at least one virtual machine to perform sample analysis.

#### Error codes for image management in Sandbox Analyzer

This section provides details about the error codes related to the image management in GravityZone Sandbox Analyzer On-premises.

When creating and managing virtual machine (VM) images used for object detonation in Sandbox Analyzer, you may encounter certain errors.

Error 1000 - An unknown error has occurred while building the image.

Description

This error may have multiple causes and requires investigation from Bitdefender.

Solution

To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1002 - Could not find the configuration file required for building the image.

Description

Sandbox Analyzer uses multiple files containing settings for building a VM image. This error occurs when one of them is missing.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1003 - A variable is missing from the configuration file.

Description

When building an image, Sandbox Analyzer uses a file containing certain settings and variables. This error occurs when a variable is missing from that file.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1004 - A variable from the configuration file has an empty or null value.

Description

This error indicates a specific issue with the configuration file required when building the virtual machine image used for detonation.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1005 - The configuration file has an invalid format.

Description

This error indicates a specific issue with the configuration file required when building the virtual machine image used for detonation.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1006 - An error has occurred while converting the image file.

Description

This error indicates that the virtual machine image is not in VMDK format.

Solution

To fix this issue:

1. Make sure that the virtual machine image is in VMDK format.

2. Try to build the image again in the GravityZone Control Center.

Error 1007 - Copying the image file in the VM store has failed.

Description

This error may have several causes, such as insufficient resources or insufficient user rights to copy the virtual machine image file on the datastore.

Solution

To fix this issue:

1. Verify that there is enough disk space on the datastore where the image file is being copied.

2. Check the user rights to perform this operation.

3. Try to build the image again.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support to identify any other cause. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1008 - A variable in the configuration file has an invalid value.

Description

This error indicates a specific issue with the configuration file required when building the virtual machine image.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1010 - Could not authenticate to the ESXi host. Please check the credentials.

Description

Building the virtual machine image requires authentication on the ESXi host. This error indicates that the authentication has failed, most probably because of incorrect credentials.

Solution

To fix this issue:

2. In the Sandbox configuration menu, go to VM images > Virtualization host configuration.

3. Check the credentials entered for the ESXi host.

Error 1011 - An error has occurred when trying to connect to the ESXi host on the required port.

Description

This error occurs when the connection to the ESXi host on specific ports fails.

Solution

To fix this issue, check the following conditions:

• The required communication ports for Sandbox Analyzer are open.

• The SSH service is enabled on the ESXi host.

Error 1012 - A reading error has occurred. The image file could be corrupt.

Description

This error occurs when the VMDK file used for building VM images has been copied incompletely in the VM directory on the ESXi datastore.

Solution

To fix this issue:

1. Copy the VMDK file again in the VM Images directory.

2. Power on the virtual machine created from the VM image file.

3. Check that the virtual machine is actually working.
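One way to confirm that a re-copied image is complete before building it again, given as an added example and not as Bitdefender's own tooling. It assumes the image is a text-descriptor VMDK with FLAT or VMFS extents, whose extent files must be exactly the sector count times 512 bytes; `check_vmdk_copy`, the file names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SECTOR = 512
# Extent line in a VMDK descriptor: access, size in sectors, type, quoted file name.
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
# Extent types stored as a raw, fully sized file (size == sectors * 512).
RAW_TYPES = {"FLAT", "VMFS"}


def check_vmdk_copy(descriptor):
    """Return (status, details) for a VMDK descriptor and its raw extents."""
    descriptor = Path(descriptor)
    with descriptor.open("rb") as fh:
        head = fh.read(64 * 1024)
    if head[:4] == b"KDMV":  # magic of a single-file sparse VMDK
        return "unsupported-layout", ["single-file sparse VMDK, sizes not compared"]
    text = head.decode("utf-8", errors="replace")
    if not text.lstrip().startswith("# Disk DescriptorFile"):
        return "not-vmdk", ["no VMDK descriptor header found"]
    extents = EXTENT_RE.findall(text)
    if not extents:
        return "incomplete", ["descriptor lists no extents"]
    status, details = "consistent", []
    for sectors, kind, name in extents:
        if kind.upper() not in RAW_TYPES:
            details.append("%s: %s extent skipped" % (name, kind))
            continue
        extent = descriptor.parent / name
        expected = int(sectors) * SECTOR
        if not extent.is_file():
            status = "incomplete"
            details.append("%s: missing" % name)
            continue
        actual = extent.stat().st_size
        if actual != expected:
            status = "incomplete"
            details.append("%s: %d of %d bytes" % (name, actual, expected))
    return status, details


def make_constructed_image(directory, flat_bytes, sectors=2048):
    """Write a constructed descriptor plus a zero-filled extent of flat_bytes."""
    directory = Path(directory)
    descriptor = directory / "golden.vmdk"
    descriptor.write_text(
        "# Disk DescriptorFile\n"
        "version=1\n"
        'createType="vmfs"\n'
        "\n# Extent description\n"
        'RW %d VMFS "golden-flat.vmdk"\n' % sectors
    )
    (directory / "golden-flat.vmdk").write_bytes(b"\0" * flat_bytes)
    return descriptor


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_vmdk_copy(make_constructed_image(tmp, 2048 * SECTOR)))
        print(check_vmdk_copy(make_constructed_image(tmp, 600000)))
```
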

Error 1013 - A SSH protocol error has occurred when trying to connect to the ESXi host.

Description

This error may have multiple causes, such as a security certificate issue or the root user being locked out.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1014 - A protocol error has occurred when connecting to the ESXi host API.

Description

This is an error that requires investigation from Bitdefender Technical Support.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1015 - An error has occurred when mounting the VMFS file system from the ESXi host.

Description

This error may happen because the VMFS version running on ESXi is other than 5.

Solution

To solve this situation, use VMFS version 5.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1016 - An error has occurred when configuring Windows Registry hives.

Description

This error indicates that configuring Windows Registry hives failed, most probably because the Windows Registry is corrupt.

Solution

Check the Windows Registry for possible errors and perform a repair to fix them.

For further investigation, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1017 - Could not find the user profile in the image.

Description

Sandbox Analyzer requires the detonation virtual machine to have an Administrator profile enabled and with no password. This error indicates that the profile does not meet these conditions.

Solution

Error 1019 - Unknown error occurred while preparing the image.

Description

This error may occur in the final stages of building the image and requires investigation from Bitdefender Technical Support.

Solution

Run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1020 - The image could not be built because the guest operating system was hibernating.

Description

Sandbox Analyzer requires the operating system used for creating the VM image to have previously been shut down. This error indicates that building the image has failed because the operating system was in hibernation.

Solution

Make sure that the operating system has shut down and try to build the image again.

Error 1021 - The image could not be built due to improper shutdown of the guest operating system.

Description

This error indicates that the guest operating system may have encountered a problem and did not shut down before building the VM image.

Solution

Check the operating system’s status and try to build the image again.

Error 1022 - An error has occurred when trying to mount the image.

Description

This error may have multiple causes, including that the guest operating system may have improperly been shut down.

Solution

Try to build the image again.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1023 - Timed out while waiting for an answer from the guest machine. Image build has failed.

Description

This error usually occurs due to insufficient resources.

Solution

To fix this issue:

1. Verify the environment for enough CPU, RAM, and disk space.

2. Try to build the image again.

Error 1024 - A dumping boot sector error has occurred while building the image.

Description

This unlikely error indicates that a problem occurred during the image building process.

Solution

To fix this issue, try to build the image again.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1025 - Could not find on the image a partition with a supported operating system.

Description

This error may occur when an unsupported operating system was installed on a VM image.

Solution

Use a supported operating system to build the VM image, namely Windows 7 or Windows 10.

Error 1026 - An unknown error has occurred while building the image.

Description

This error may happen because the requirements for building the VM image are not met.

Solution

Review the VM image requirements.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1027 - An unknown error has occurred in the image during the build process.

Description

This error may have multiple causes and requires investigation from Bitdefender.

Solution

Try to build the image again.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1028 - Could not find the binary file required for building the image.

Description

This error requires investigation from Bitdefender Technical Support.

Solution

Try to build the image again.

If the issue persists, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. For details on how to use Sandbox Analyzer LogCollector, refer to Using Sandbox Analyzer LogCollector.

Error 1029 - The version of the configured ESXi datastore is not supported.

Description

This error occurs when the VMFS version running on the ESXi host is other than 5.

Solution

Sandbox Analyzer On-premises supports only VMFS version 5. Make sure that this version runs on the ESXi host.

#### Using Golden Image Tester for GravityZone Sandbox Analyzer

This section describes how to test if a virtual machine meets the conditions for being used as a golden image in Sandbox Analyzer On-premises.

In GravityZone Sandbox Analyzer, you can use golden images to build virtual machines to be used in the detonation environment. Golden Image Tester is a tool that helps you check if a virtual machine meets the conditions to be a golden image and to detonate certain file types.

You can run Golden Image Tester inside any virtual machine. For example, you can power on a virtual machine on your computer, run Golden Image Tester in it and, if the virtual machine is validated, you can use it as a golden image for Sandbox Analyzer.

##### Running Golden Image Tester without parameters

If you are looking for a straightforward verification of a virtual machine, you can run Golden Image Tester without parameters.

1. In your preferred environment, power on the virtual machine.

4. Extract the ZIP file.

5. Run GoldenImageTester.exe.

While running, Golden Image Tester displays information regarding the following:

• Default internet browser

• Microsoft Office suite

• Java Runtime Environment

6. After verification, press any key to close the program.

##### Running Golden Image Tester with parameters

To obtain detailed information about a virtual machine, you can run Golden Image Tester by using command lines with parameters.

These parameters allow you to create a log file that you can send to Bitdefender Technical Support for investigation. This log file is saved on the current working drive, under the name GIDebugInformation.log.

In the log file, you are provided with exit codes, verdicts and details for each condition. Exit code is 0 when the conditions are met.

This is how you run Golden Image Tester with parameters:

1. On the virtual machine, open Command Prompt.

3. Navigate to the folder where GoldenImageTester.exe is located.

4. Run the program by using the command: GoldenImageTester.exe.

Golden Image Tester displays information regarding the following:

• Default internet browser

• Microsoft Office suite

• Java Runtime Environment

You can use the command with the following parameters:

| Command line parameters | Description | Example |
|---|---|---|
| -x, --autoexit | The program displays information regarding the machine and terminates without expecting user input. | GoldenImageTester.exe -x, GoldenImageTester.exe --autoexit |
| -d, --debug | The program enables the debug mode, which creates a log file, and waits for user input when it terminates. | GoldenImageTester.exe -d, GoldenImageTester.exe --debug |

### Note

You can use the command line options in any combination. For example, GoldenImageTester.exe -d -x.

##### Interpreting the output

Golden Image Tester verifies several conditions on the virtual machine, as described below. Some of these conditions are mandatory, while others are recommended and they do not prevent using the virtual machine as golden image.

After verification, Golden Image Tester provides a verdict on whether the virtual machine can be used for detonation or not.

If a mandatory condition is not met, Golden Image Tester displays an error message that describes the issue. In this case the virtual machine cannot be a golden image for Sandbox Analyzer.

If a recommended condition is not met, Golden Image Tester displays a warning message that describes the issue. The virtual machine can be a golden image, but it will lack the ability to detonate certain file types, such as PDFs (when Adobe Reader is missing) or Office-compatible files (when Microsoft Office is missing).

Conditions checked by Golden Image Tester:

A virtual machine must have an Administrator user with no password configured. If this condition is not met, the virtual machine cannot be golden image for Sandbox Analyzer.

The operating system on the virtual machine must be fully licensed, otherwise the virtual machine cannot be golden image. Sandbox Analyzer supports Windows 7 and Windows 10.

Default browser

A default internet browser must be configured in the virtual machine. Sandbox Analyzer supports the following browsers:

• Microsoft Internet Explorer

• Mozilla Firefox

Microsoft Office

To detonate Office-compatible files, such as .docx or .xls, the Microsoft Office suite should be installed and licensed. However, you can use the virtual machine as golden image even without Microsoft Office installed.

To detonate PDF files, Adobe Reader should be installed on the virtual machine. However, you can use the virtual machine as golden image even without Adobe Reader installed.

Java Runtime Environment

To detonate Java executables (.jar files), Sandbox Analyzer requires Java Runtime Environment to be installed. However, you can use the virtual machine as golden image even without Adobe Reader installed.

#### Using Sandbox Analyzer LogCollector

This section describes how to use LogCollector for Sandbox Analyzer Virtual Appliance (On-Premises) to collect information about the status of Sandbox Analyzer Virtual Appliance (VA) and about events that occurred on it. This information helps the Bitdefender Support team to investigate and resolve the issues you encountered with your Sandbox Analyzer VA.

To collect all the needed information:

1. Connect to the Sandbox Analyzer via SSH. You may use PuTTY.

3. Run this command:

```
# /opt/bitdefender/bin/bdsysinfo-sve
```

A .tar.gz archive file containing the logs is saved to /root.

The filename has the format: bdsysinfo-xxxxx.tar.gz, where xxxxx is a random string.

The logs deliver the following:

• Files:

/opt/bitdefender/var/log/opt/bitdefender/etc/opt/bitdefender/var/epag/etc/var/log/var/crash
• Command output for:

uname -a

dmesg

ps auwx

cat /proc/meminfo

cat /proc/cpuinfo

df -hT

slabtop --once

cat /proc/mounts

dpkg -l

ls -lR /opt/bitdefender

lsmod

sysctl -a

env

netstat -anpe

getent passwd

getent group

lsof -n

ip addr show

ip route show

docker ps -a

docker images

4. Using WinSCP, copy the file to your machine.

5. Send the file to Bitdefender support.