Overview

The Malware Analysis appliance performs deep forensic analysis against a host of advanced malware, including zero-day and targeted Advanced Persistent Threat (APT) attacks. The Malware Analysis appliance uses the Multi-Vector Virtual Execution (MVX) engine to dynamically generate detailed reports on the malicious executables, files, binaries, and URLs embedded in Web-based and email-based attacks. The Malware Analysis appliance also uses the MVX engine to inspect single files or batches of files for malware and tracks outbound connection attempts across multiple protocols. The Malware Analysis appliance uses a preconfigured test environment to discover the malware attack profiles, callback destinations, and communication protocol characteristics that compose modern threats. Security analysts use the test beds provided by the MVX engine to examine malware in a controlled virtual environment.

The Malware Analysis appliance can automatically share malware forensics data with other managed appliances through the CM Series appliance.

Malware Analysis

The malware analysis settings define how potential malware is examined by the appliance.

The appliance supports two types of malware analysis—sandbox and live. Both types of analysis run on the same appliance. The malware runs in a virtual machine, and its effects are analyzed and reported. Researchers can examine the execution path of any file type that the appliance accepts.

Sandbox malware analysis reports the effects of malware in a closed environment. The appliance uses the MVX engine as a secure virtual test environment to analyze malware without allowing it to communicate with any external source. This is the default configuration. Sandbox malware analysis supports unattended mode. The advantage of this mode is that researchers can perform further forensics on a malware file or location that has already been identified by another appliance or method. This mode also allows the appliance to analyze suspicious files that are stored in a dedicated network share. When configured to run an unattended analysis, the appliance polls the repository at regular intervals, analyzes the potential malware it finds, and sorts the files into the malicious and non-malicious directories.

If your network requires a proxy, the appliance uses a sandbox Web proxy; you configure those proxy settings so that the appliance can retrieve files from local network locations. This proxy is not used to access the Server Message Block (SMB) or Common Internet File System (CIFS) share that is configured for unattended mode. For details about unattended mode, see Malware Repository.

Live malware analysis is an open analysis environment in which the appliance is connected to the outside, allowing the malware to make callbacks and perform malicious activities. You can track callbacks, analyze malicious URLs, and control analysis settings. The advantage of this mode is that the appliance can gather additional information that is not accessible in a sandbox environment. The appliance can accept binaries, PDFs, Microsoft Office documents, URLs, and other objects for analysis.

Malware Repository

The malware repository is a network share where files are stored for sandbox malware analysis.

In unattended mode, the Malware Analysis appliance polls the source directory at regular intervals. The appliance automatically retrieves the batched files and analyzes them within each guest image.

NOTE: The default SMB version is version 2. To modify the malware repository, see the CLI Reference Guide.

Each guest image in the MVX engine has three directories in the malware repository. Files are retrieved from the malware repository source (src) directory. Analyzed files that are determined to be malicious are automatically moved to the malware repository bad directory. Non-malicious files are moved to the malware repository good directory.
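An added example (not FireEye's code) of how an analyst-side script can work with that directory layout: it copies a sample into a guest image's src directory for the next poll and later recovers the verdict by locating the file in the bad or good directory, matching on SHA-256 rather than filename so a rename by the appliance does not lose the result. The local mount point, the per-image directory name and the file move performed inside demo() are assumptions; on a real appliance the MVX engine performs that move.

```python
"""Track samples placed in the malware repository share in unattended mode.
Added example, not FireEye code. Assumes (not on the page) the share is mounted at
repo_root and each guest image directory holds src/, bad/ and good/. Samples are
matched by SHA-256 so a rename by the appliance cannot lose the result."""
import hashlib
import shutil
import tempfile
from pathlib import Path

RESULT_DIRS = (("bad", "malicious"), ("good", "clean"), ("src", "pending"))

def sha256_of(path: Path) -> str:
    # Whole-file read; switch to chunked hashing for very large samples.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def files_in(directory: Path) -> list:
    return [p for p in directory.iterdir() if p.is_file()] if directory.is_dir() else []

def submit(repo_root: Path, image: str, sample: Path) -> str:
    """Copy a sample into <image>/src for the next poll and return its SHA-256."""
    src = repo_root / image / "src"
    src.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(sample)
    shutil.copyfile(sample, src / digest)  # hash-named copy: resubmissions collapse
    return digest

def verdict(repo_root: Path, image: str, digest: str) -> str:
    """'malicious' (bad/), 'clean' (good/), 'pending' (still in src/) or 'missing'."""
    for subdir, label in RESULT_DIRS:
        if any(sha256_of(p) == digest for p in files_in(repo_root / image / subdir)):
            return label
    return "missing"

def backlog(repo_root: Path) -> dict:
    """Per-image file counts; a src/ count that keeps growing means polls are not running."""
    return {img.name: {d: len(files_in(img / d)) for d, _ in RESULT_DIRS}
            for img in repo_root.iterdir() if img.is_dir()}

def demo() -> tuple:
    """Constructed walkthrough in a temp dir; the move into bad/ stands in for the
    MVX engine's verdict, which the real appliance applies by moving the file."""
    work = Path(tempfile.mkdtemp())
    repo, sample, image = work / "share", work / "sample.bin", "guest-image-1"
    sample.write_bytes(b"constructed sample, not real malware\n")
    digest = submit(repo, image, sample)
    results = [verdict(repo, image, digest)]  # still in src/: pending
    (repo / image / "bad").mkdir()
    shutil.move(str(repo / image / "src" / digest), str(repo / image / "bad" / digest))
    results += [verdict(repo, image, digest), verdict(repo, image, "0" * 64)]
    return results, backlog(repo)
```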