Using Sandbox Analyzer

The Sandbox Analyzer page, on the main left-side menu, provides a unified interface for viewing, filtering and searching automatic and manual submissions to the sandbox environment. The Sandbox Analyzer page consists of two areas:

The searching and filtering area allows you to find submissions by various criteria: name, hash, date, analysis result, status, detonation environment and MITRE's ATT&CK techniques.
The submission cards area displays all submissions in a compact format with detailed information about each one.

In the Sandbox Analyzer page, you can take the following actions:

Searching and filtering submission cards

This is what you can do in the filters area:

Search and filter submissions by various criteria. The page will automatically load only the security event cards matching the selected criteria.
Reset filters by clicking the Clear Filters button.
Hide or show the filters area by clicking the corresponding button.

You can search and filter the Sandbox Analyzer submissions by the following criteria:

Sample name and hash (MD5) - Enter in the search field a part or the entire name or hash of the sample you are looking for, then click the Search button.
Date - To filter by date:
1. Click the calendar icon to configure the searching time frame.
2. Click the From and To buttons to select the dates defining the time interval.
  You can also select a predetermined period from the list of options, relative to the current time (for example, the last 30 days).
  You can also specify the hour and minutes for each date of the time interval, using the options beneath the calendar.
3. Click OK to apply the filter.
Analysis result - Select one or more of the following options:
- Clean – the sample is secure.
- Infected – the sample is dangerous.
- Unsupported – the sample has a format that Sandbox Analyzer could not detonate. To view the complete list with file types and extensions supported by Sandbox Analyzer, refer to Supported File Types and Extensions for Manual Submission.
Severity score - The value indicates how dangerous is a sample on a scale from 100 to 0 (zero). The higher the score, the more dangerous the sample is.
Note
The severity score applies to all submitted samples, including those with Clean or Unsupported status.
Submission type - Select one or more of the following options:
- Manual - Sandbox Analyzer has received the sample via Manual Submission option.
- Endpoint sensor - Bitdefender Endpoint Security Tools has sent the sample to Sandbox Analyzer based on policy settings.
- Network traffic sensor - Network sensor has sent the sample to a local Sandbox Analyzer instance based on policy settings.
- Centralized quarantine - GravityZone has sent the sample to a local Sandbox Analyzer instance based on policy settings.
- API - The sample has been submitted to a local Sandbox Analyzer instance by using API methods.
- ICAP sensor - Security Server has submitted the sample to a local Sandbox Analyzer instance after scanning an ICAP server.
Submission status - Select one or more of the following check boxes:
- Finished – Sandbox Analyzer has delivered the analysis result.
- Pending analysis – Sandbox Analyzer is detonating the sample.
- Failed – Sandbox Analyzer could not detonate the sample.
Environment. Here are listed the virtual machines available for detonation, including the Sandbox Analyzer instance hosted by Bitdefender. Select one or more check boxes to view what samples have been detonated in certain environments.
ATT&CK techniques. This filtering option integrates MITRE's ATT&CK knowledge base, if applicable. The ATT&CK techniques values change dynamically, based on the security events.
Click the About link to open ATT&CK Matrix in a new tab.

Viewing analysis details

The Sandbox Analyzer page displays submission cards by day, in reverse chronological order.

A submission cards includes the following data:

Analysis result
Sample name
Submission type
Severity score
Files and processes involved
Endpoint that submitted the sample to Sandbox Analyzer
Detonation environment
Hash value (MD5)
ATT&CK techniques
Submission status when a result is unavailable

Each submission card includes a link to a detailed HTML analysis report, if available. To open the report, click the View button.

The HTML report provides rich information organized on multiple levels, with descriptive text, graphics and screen captures that illustrate the sample’s behavior in the detonation environment.

This is what you can learn from a Sandbox Analyzer HTML report:

General data about the analyzed sample, such as: malware name and classification, submission details (file name, type and size, hash, submission time and analysis duration).
Behavioral analysis results, which include all the security events captured during detonation, organized into sections.
The security events refer to:
- Writing / deleting / moving / duplicating / replacing files on the system and on removable drives.
- Execution of newly-created files.
- Changes to the file system.
- Changes to the applications running inside the virtual machine.
- Changes to the Windows taskbar and Start menu.
- Creating / terminating / injecting processes.
- Writing / deleting registry keys.
- Creating mutex objects.
- Creating / starting / stopping / modifying / querying / deleting services.
- Changing browser security settings.
- Changing Windows Explorer display settings.
- Adding files to firewall exception list.
- Changing network settings.
- Enabling execution at system startup.
- Connecting to a remote host.
- Accessing certain domains.
- Transferring data to and from certain domains.
- Accessing URLs, IPs and ports through various communication protocols.
- Checking the indicators of virtual environment.
- Checking the indicators of monitoring tools.
- Creating snapshots.
- SSDT, IDT, IRP hooks.
- Memory dumps for suspicious processes.
- Windows API functions calls.
- Becoming inactive for a certain time period to delay execution.
- Creating files with actions to be executed at certain time intervals.

Note

Samples submitted to Cloud Sandbox are deleted immediately after detonation. The resulting HTML reports are available for 365 days.

Samples submitted to local instances of Sandbox Analyzer On-premises and the HTML reports are available for14 days by default. You can increase the time range in the Sandbox Manager section.

Resubmitting samples

From the submission cards area, you can resend already detonated samples to a local Sandbox Analyzer instance without having to upload them again. You may do this for samples previously submitted to the local Sandbox Analyzer instance by any sensor or method, automatically, manually or via API.

To resubmit a sample:

Click Resubmit to analyze in the submission card.
Note
This option is available only with Sandbox Analyzer On-premises license.
In the configuration window, keep the settings from the previous submission or change them as follows:
1. Under Image management, select the virtual machine image you want to use for detonation.
2. Under Detonation configurations, configure the following settings:
  - Time limit for sample detonation (minutes) - Allocate a fixed amount of time to complete the sample analysis.
    The default value is 4 minutes, but sometimes the analysis may take more time.
    At the end of the configured interval, Sandbox Analyzer interrupts the analysis and generates a report based on the data collected up to that moment.
    If interrupted when incomplete, the analysis may contain inaccurate results.
  - Number of reruns allowed - In case of unexpected errors, Sandbox Analyzer tries to detonate the sample as configured until completes the analysis (the default value is 2).
    That means Sandbox Analyzer will try two more times to detonate the sample in case of error.
  - Prefiltering - Select this option to exclude from detonation samples already analyzed.
  - Internet access during detonation - During analysis, some samples require internet connection to complete the analysis.
    Note
    For best result, it is recommended to keep this option enabled.
3. Under Detonation profile, adjust the complexity level of behavioral analysis, while affecting the Sandbox Analyzer throughput.
  For example, if set to High, Sandbox Analyzer would perform a more accurate analysis on fewer samples, in the same interval, than on Medium or Low.
Click Resubmit.

After resubmission, the Sandbox Analyzer page displays a new card and the data retention for that sample is extended accordingly.

Note

The Resubmit to analyze option is available for samples still present on the Sandbox Analyzer datastore.

Make sure that data retention is configured in the Sandbox Analyzer > Sandbox Manager page of the policy settings.

Deleting submission cards

To delete a submission card that you no longer need:

Go to the submission card you want to delete.
Click the Delete Entry option at the left side of the card.
Click Yes to confirm the action.
By following these steps, you only delete the submission card.

The information regarding the submission continues to be available in the Sandbox Analyzer Results (Deprecated) report.

Note

This report will continue to be supported only for a limited amount of time.

Manual submission

From Sandbox Analyzer > Manual Submission you can send samples of suspicious objects to Sandbox Analyzer, to determine whether they are threats or harmless files.

You can also access the Manual Submission page by clicking the Submit a sample button at the upper-right side of the filtering area in the Sandbox Analyzer page.

Note

To send objects to Sandbox Analyzer, log in to Control Center using any other supported web browser specified in Connecting to Control Center.

sandbox-analyzer-manual-submission-upload-on-premises.png

To submit samples to Sandbox Analyzer:

In the Upload page, under Samples, select the object type:
- Files - Click the Browse button to select the objects you want to submit for behavioral analysis. In case of password-protected archives, you can define one password per upload session in a dedicated field. During the analysis process, Sandbox Analyzer applies the specified password to all submitted archives.
- URL - Fill in the corresponding field with any URL you want to analyze. You can submit only one URL per session.
Under Detonation settings, configure the analysis parameters for the current session:
- The Sandbox Analyzer instance you want to use. You can select either the Cloud instance or a Sandbox Analyzer instance installed locally.
  If choosing to use a local Sandbox Analyzer instance, you can select multiple virtual machines where you can send the sample at once.
- The Sandbox Analyzer instance you want to use. You can select multiple virtual machines where you can send the sample at once.
- Command-line arguments Add as many command-line arguments as you want, separated by spaces, to alter the operation of certain programs, such as executables. The command-line arguments apply to all submitted samples during analysis.
- Detonate samples individually. Select the check box to have the files from bundle analyzed one by one.
Under Detonation profile, adjust the complexity level of behavioral analysis, while affecting the Sandbox Analyzer throughput.
For example, if set to High, Sandbox Analyzer would perform a more accurate analysis on fewer samples, in the same interval, than on Medium or Low.
In the General settings page, you can make configurations that apply to all manual submissions, regardless of session:
- Time limit for sample detonation (minutes) - Allocate a fixed amount of time to complete the sample analysis. The default value is 4 minutes, but sometimes the analysis may take more time. At the end of the configured interval, Sandbox Analyzer interrupts the analysis and generates a report based on the data collected up to that moment. If interrupted when incomplete, the analysis may contain inaccurate results.
- Number of reruns allowed - In case of unexpected errors, Sandbox Analyzer tries to detonate the sample as configured until completes the analysis. The default value is 2. That means Sandbox Analyzer will try two more times to detonate the sample in case of error.
- Prefiltering - Select this option to exclude from detonation samples already analyzed.
- Internet access during detonation - During analysis, some samples require internet connection to complete the analysis. For best result, it is recommended to keep this option enabled.
- Click Save to retain the changes.
Go back to the Upload page.
Click Submit.
A progress bar indicates the submission status.
After submission, the Sandbox Analyzer page displays a new card. When the analysis is complete, the card provides the verdict and the corresponding details.

Note

To manually submit samples to Sandbox Analyzer you must have Manage networks rights.

Managing the Sandbox Analyzer infrastructure

In the Sandbox Analyzer > Infrastructure section, you can do the following actions related to the Sandbox Analyzer instance installed locally:

Checking the Sandbox Analyzer status

After deploying and configuring the Sandbox Analyzer Virtual Appliance on the ESXi hypervisor, you can obtain information about the local Sandbox Analyzer instance from the Status page.

The table provides you the following details:

Sandbox Analyzer instance name - Each name corresponds to a Sandbox Analyzer instance installed on one ESXi hypervisor. You can install Sandbox Analyzer on multiple ESXi hypervisors.
Detonated samples - The value indicates the number of samples analyzed since the Sandbox Analyzer instance has been licensed for first time.
Disk usage - The percentage indicates the amount of the disk space consumed by Sandbox Analyzer on datastore.
Status - In this column, you see whether the Sandbox Analyzer instance is online, offline, not installed, the installation is ongoing or the installation has failed.
Maximum concurrent detonations - The value represents the maximum number of virtual machines that Sandbox Analyzer can create to detonate samples. At a given time, one virtual machine can perform one detonation.
The number of virtual machines is determined by the amount of hardware resources available on ESXi.
Configured concurrent detonations - This is the actual number of virtual machines created based on the available license.

Configuring concurrent detonations

In the Status page, you can configure concurrent detonations, representing the number of virtual machines that can simultaneously run and detonate samples on a Sandbox Analyzer instance. The number of concurrent detonations depend on hardware resources and the license slots distribution across multiple Sandbox Analyzer instances.

To configure concurrent detonations:

Click the number or the Edit icon in the Configured Concurrent Detonations column.
In the new window, specify in the corresponding field the number of concurrent detonations you want to allocate to the Sandbox Analyzer instance.
Click Save.

Checking the VM images status

Sandbox Analyzer uses virtual machine images as detonation environments to perform behavioral analysis on submitted samples. You can check the status of the virtual machines in the Image Management page.

The table provides you the following details:

Name of the available virtual machine images, as specified in the Sandbox Analyzer appliance console. Multiple virtual machine images are grouped under the same Sandbox Analyzer instance.
Operating system, as specified in the Sandbox Analyzer appliance console.
The time when the virtual machine image was added.
Status - In this column, you find out whether a virtual machine image is new and can be prepared for detonation, is ready for detonation or the preparation process has failed.
Actions - In this column, you find out what you can do with the virtual machine images, depending on their status: building images for detonation, setting them as default detonation environment, or deleting them.

Configuring and managing VM images

Building detonation virtual machines

To detonate samples using the local Sandbox Analyzer instance, you need to build dedicated virtual machines. The Image Management page allows you to create detonation virtual machines, provided you have added VM images in the Sandbox Analyzer appliance console.

Note

To learn how to add VM images in the Sandbox Analyzer appliance console, refer to Deploy Sandbox Analyzer virtual appliance (Security Appliance Sandbox).

To build detonation virtual machines, in the Actions column, click the Build image option for VM images having the status: New – Requires build. Building a virtual machine typically requires between 15 and 30 minutes, depending on its size. When the build is complete, the virtual machines status changes to Ready.

Configuring a default virtual machine

A Sandbox Analyzer instance can have multiple images installed and configured as detonation virtual machines. In case of automatic submissions, Sandbox Analyzer will use the first built VM image to detonate samples.

You can change this behavior by configuring a default VM image. To do so, click the Set as default option for the preferred VM image.

Deleting virtual machines

To delete a virtual machine image from the Image Management page, click Delete in the Actions column. In the confirmation window, click Delete image.

In this section:

ON PREMISES SOLUTIONS