Malware Analysis

The malware analysis settings define how potential malware is examined by the appliance.

The Malware Analysis appliance supports two types of malware analysis: sandbox and live. Both types run on the same appliance and share the same basic process: the malware runs on a virtual machine, its effects are analyzed and reported, researchers can examine the execution path, and the set of file types that the appliance accepts is the same for both.

Sandbox malware analysis reports the effects of malware in a closed environment. The appliance uses the MVX engine as a secure virtual test environment to analyze malware without allowing it to communicate with any external source. This is the default configuration. Sandbox malware analysis supports unattended mode. The advantage of this mode is that researchers can perform further forensics on a malware file or location that has already been identified by another appliance or method. This mode also allows the appliance to perform malware analysis on suspicious files that are stored in a dedicated network share. When configured to run an unattended analysis, the appliance polls the repository at regular intervals, analyzes the potential malware it finds, and sorts the files into malicious and nonmalicious source directories.

If your network requires a proxy, configure the sandbox Web proxy settings; the appliance uses that proxy to retrieve files from local network locations. This proxy is not used to access the Server Message Block (SMB) or Common Internet File System (CIFS) share that is configured for unattended mode. For details about unattended mode, see Malware Repository.

Live malware analysis is an open analysis environment in which the appliance is connected to the outside network, allowing the malware to make callbacks and perform malicious activities. You can track callbacks, analyze malicious URLs, and control the analysis settings. The advantage of this mode is that the appliance can gather additional information that is not accessible in a sandbox environment. The appliance can accept binaries, PDFs, Microsoft Office documents, URLs, run-time code, JavaScript files, memory dumps, and other artifacts for analysis.

The malware artifact extraction mechanism extracts file artifacts from malware samples submitted for both sandbox and live malware analysis. Examples of file artifacts that can be extracted are dropped script files and memory dumps. You can set optional malware file artifact extraction parameters by running the analysis extract-artifact configuration wizard.

Task List for Managing Malware Analysis

Complete the steps for managing malware analysis in the following order:

  1. Determine the type of analysis that you want to configure.
  2. Log in to the Web UI or CLI to configure the settings for malware analysis.
  3. Verify the settings for your malware analysis configuration.
  4. Obtain malicious URLs.
  5. Submit the malware to the virtual machine for analysis. The Web UI can also be used to manually submit the malware URL to the MVX engine for analysis.
  6. Verify the results of the completed malware analysis.