
Guide to Performing Malware Analysis in Content Analysis 2.4

CA Version 2.4
Symantec Content Analysis 2.4

Legal Notice

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue
Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the
U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided
for informational purposes only and is not intended as advertising. All warranties relating to the information in
this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information
in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS
AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE
HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL
DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,
REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER
COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND
ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER
APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT
AFTER DELIVERY TO YOU.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

www.symantec.com

Wednesday, April 10, 2019

2 of 100
Contents


About On-Box Sandboxing 5


Use On-box Sandboxing 6
Prerequisites for On-Box Sandboxing 6
Procedure for Configuring On-Box Sandboxing 7
Enable On-Box Sandboxing on CA S400 and S500 7
Optimize Resources for On-Box Sandboxing 12
Additional Information 13
Add Windows ISO File 13
Add Windows Base Image 18
Troubleshooting Windows Image Upload/Download Issues 19
Add and Customize IVM Profiles 20
Add an IVM Profile 20
Customize an IVM Profile 21
Templates for Customizing a Windows 7 IVM Profile 23
Transfer Installation Files to an IVM 30
Specify Task Firewall Type 31
Configure the Dirty Line Network 31
Copy iVM Profiles onto Multiple Appliances 33

Malware Analysis 37
Perform Malware Analysis 37
Before you Begin 37
Perform Malware Analysis 37
Malware Analysis Overview Dashboard 38
Malware Analysis Processing Statistics 41
Submit a Sample File for Analysis 43
Submit a ZIP File Sample 43
Submit a URL for Analysis 44
Create a Task for a Sample 45
Configure Task Settings 47
Basic Options 48
Advanced Options 50
Detection Options 51
Basic Options 53
Advanced Options 53
Basic Options 54
Advanced Options 55


View Your Submitted Samples 56


Get Basic Sample Information 57
Change a Sample's Label 58
Get Sample Details 58
View All Samples 59
View Tasks You Have Created 61
View All Tasks 63
View Task Summary Results 65
Search Malware Analysis Tasks 74
About Patterns 81
Identify Malware Patterns 82
View Pattern Group Details 83
Filter the Pattern List 85
Update Detection Patterns 85
Pattern Group Prefixes 86
Advanced Malware Analysis Settings 88
Use Advanced On-Box Sandboxing Features 88
Use the Web Reputation Service 88
Activate the VirusTotal Service 89
About YARA 90
Apply YARA Rules 95
About HTTP Archive (HAR) 97
About IVM Plugins 99


About On-Box Sandboxing


Starting in Content Analysis 2.1, Malware Analysis is an integrated, on-box technology for detecting and analyzing
unknown, advanced, and targeted malware. This adaptive and customizable sandbox solution delivers
comprehensive malware detonation and analysis using a unique, dual-detection approach to quickly analyze
suspicious files and URLs, interact with running malware to reveal its complete behavior, and expose zero-day
threats and unknown malware.

Note that enabling the on-box sandboxing will decrease the throughput for the appliance, but will also increase
your detection capabilities.

Note: Content Analysis VA, CAS-S200, and AWS instances do not support on-box
sandboxing.

The on-box Malware Analysis dual-detection approach combines virtualization and emulation to capture more
malicious behavior across a wider range of custom environments.

• Emulation Sandbox: An instrumented, fully controlled, replicated PC computing environment emulates
Windows systems to detect malware that otherwise will not detonate within a virtualized environment.
Next-generation malware has the ability to evade detection and avoid being run in a virtual environment;
the emulated Windows environment tricks the malware into thinking it's running on a real machine.

• Virtualization Sandbox: Custom analysis profiles replicate Windows 7 and/or Windows 10 64-bit
production environments, including applications and browsers used. The sandbox can quickly spot
anomalies and behavioral differences that unveil anti-analysis, sleep, and other advanced evasion
techniques. A virtualized Android sandbox detects and analyzes mobile threats traversing enterprise
networks.

Multiple Detection Techniques Malware Analysis uses a combination of static and dynamic analysis techniques
that employ standard, custom, and open source YARA patterns to unmask cleverly disguised malware. It detects
packed malware and VM-aware samples that alter their behavior in an artificial environment, plus malware that
attempts to wait out any sandbox analysis using short or long sleeps.

Defeat Anti-Analysis at Many Levels Anti-analysis defeating tools – such as hook-based introspection, high-level
and low-level event capture, and detection in both kernel and user modes – intercept and convert behavior into
detailed forensic intelligence.

Interact with Running Malware A flexible plug-in architecture extends detection and processing by interacting
with running malware, clicking through dialog boxes and installers, and generating unique post-processing
analysis artifacts.

Generate More Relevant Results Virtual machine profiles replicate multiple custom production environments,
allowing security analysts to analyze threats across a range of operating systems and applications. They can
closely match their organizations’ desktop environments, gathering intelligence on malware targeting their
organizations directly or seeking to exploit specific application vulnerabilities.


Customize Detection and Risk Scoring Detection criteria, analysis parameters, firewall settings, and risk scoring
can all be customized to add flexibility, unique detection, and fast response capabilities when analyzing non-
traditional and targeted malware in unique production environments.

Adaptive Intelligence for Changing Threats Because Malware Analysis does not rely on static signatures, its
flexible detection patterns are designed to detect polymorphic files, single-use targeted malware, and fast-
changing website domains.

Detailed Forensics for Remediation Symantec sandboxing technology provides security defenders a
comprehensive map of the damage – including both host-based and network indicators of compromise – that
any malicious file or URL would cause to equivalently configured production machines without putting actual
computers or sensitive data at risk.

Share Threat Intelligence As unknown, advanced, or targeted malware and zero-day threats are exposed, the
previously unseen or uncategorized threats are shared across the security infrastructure with the Symantec
Global Intelligent Network, a network effect of our 300,000 customers worldwide.

Inoculation for Forward Defenses Malware Analysis turns unknown threats into known threats and shares
threat data with others across the global network, improving the effectiveness of front-line defenses such as
Symantec ProxySG secure web gateways by moving protection forward to the perimeter where blocking will take
place for subsequent attacks.

Use On-box Sandboxing


On-box sandboxing configuration is available on Services > Sandboxing > On-box Sandboxing.

The Content Analysis on-box sandboxing feature tests suspicious files in an emulated sandbox and/or in a
Windows 64-bit environment (Windows XP, Windows 7, or Windows 10) on a virtual machine.

Note: Content Analysis VA, Amazon Web Services instances, and CAS-S200 do not
support on-box sandboxing.

Prerequisites for On-Box Sandboxing


Before configuring the on-box sandboxing feature, make sure the following items are in place.

• Purchase the On-box Sandboxing license.

• Locate the Windows product key that came with your Windows ISO purchase; you will need the key to
activate your Windows license. Alternatively, you can specify a KMS server if you manage your product
keys with a Key Management Server.

• Set up a dirty line network for the IVMs to access the Internet during analysis. This connection should not
pass through your organization's security measures.


• Determine what additional applications you want to add to your IVM profile (such as commercial or
custom applications and web browsers).

Procedure for Configuring On-Box Sandboxing


To configure on-box sandboxing on CA S400 and S500 models:

1. "Enable On-Box Sandboxing on CA S400 and S500" below.

2. "Optimize Resources for On-Box Sandboxing" on page 12 (optional).

3. "Add Windows ISO File" on page 13 (if you didn't do this when enabling the license or if you want to add
more than one base image)

or

"Add Windows Base Image" on page 18 (if you are importing an image that was downloaded from another
appliance).

4. "Add and Customize IVM Profiles" on page 20 (optional).

5. "Specify Task Firewall Type" on page 31.

6. "Configure the Dirty Line Network" on page 31.

7. Perform Malware Analysis (see Guide for Performing Malware Analysis on Content Analysis).

Enable On-Box Sandboxing on CA S400 and S500


When you enable on-box sandboxing, you have the option of immediately adding the Windows ISO file so that
you can set up a virtualized Windows environment for sandboxing. After the activation process is complete, the
Windows ISO is converted to a base image that will be used in the on-box sandboxing IVM. Windows XP,
Windows 7, and Windows 10 (64-bit versions) are supported. You can purchase the Windows license directly from
Symantec or Microsoft in the ISO format. You can use the standard Windows ISO or import an ISO that you have
customized with pre-installed applications. Make sure to have the Windows product key on hand or on a Key
Management Server, as you will need the key when installing the ISO image.

ISO Requirements

• Windows 7 and Windows XP ISO images without the service pack cannot be imported.

• The ISO import feature supports ISOs that include more than one edition of the operating system, for
example: Windows 7 Enterprise or Windows 10 Professional.

• Refer to release notes for the specific Windows versions and build numbers with which Symantec has
tested ISO installation.


Tip: Depending on your network, the upload process could take a while, so make
sure you have sufficient time before beginning.

1. Enable your On-box Sandboxing license.

a. Select System > Licensing.

b. Select the On-box Sandboxing check box.

c. Read the warning and click OK.

d. Click Save Changes. A Confirmation dialog asks if you want to create a Windows profile.

2. If you have time to install the Windows ISO file now, click Yes. The On-Box Sandboxing Configuration
dialog opens.


Note: The uploading, Windows installation, and activation process can take
quite some time. To perform this task later, click No and then refer to "Add
Windows ISO File" on page 13. 

3. In the On-Box Sandboxing Configuration dialog, select one of the following:

• If you have purchased the Windows license from Symantec, choose Download from Symantec.
Click Next, select the Windows version and click Next again. Skip to the Windows licensing step
below.

Caution: Do not choose the Download from Symantec option if you
purchased the Windows license from Microsoft or if you are installing a
Windows XP ISO. This option is intended only for Windows licenses that
were purchased from Symantec.

• Upload from local file — Select this option if you have purchased the Windows license from
Microsoft and downloaded the ISO file to a local system. Windows XP is not available using this
option. Click Next, browse to the file, and click Next again.

• Download from URL — Select this option if you have purchased the Windows license from
Microsoft and the ISO file is on a web server. Click Next, enter the URL of the ISO file (for example,
http://webserver.test.com/windows10.iso), and click Next again.


Tip: URL download is the preferred option over uploading from a local file,
because the process of installing the ISO will happen in the background,
allowing you to perform other Content Analysis tasks without impacting the
installation. If you upload the ISO file from a local system, on the other hand,
you must stay on this page until the upload is complete.

4. For ISO Type, select Windows XP, Windows 7 64-bit, or Windows 10 64-bit.

5. If desired, modify the name of the base image; click Next.

6. Enter details on your Windows license: 

a. Enter the Microsoft Windows Product Key. The product key is located on the Windows license
documentation you received from Microsoft. You may type the key in upper- or lowercase, but you
must include the dashes. Product keys are specific to the Windows version and edition.

or

If you purchased the Windows license from Microsoft and are managing your product keys with a
Key Management Service (KMS), enter the IP address or host name of your KMS Server. Note that
KMS is not an option for licenses purchased from Symantec.

KMS activations are valid for 180 days—the Activation Validity Interval. To remain activated, a KMS
client must renew its activation by connecting to the KMS server at least once every 180 days. By
default, a KMS client computer attempts to renew its activation every seven days. (The Renewal
Interval can be set on the client using slmgr /sri interval, but it will be overridden by the KMS server
setting.) If the client succeeds in reaching the KMS server at the Renewal Interval, the Activation
Validity period is reset and the activation is valid for another 180 days. If the client fails to reach the
KMS server, the system will watch for network changes or other qualifying events to trigger another
activation attempt. After 15 minutes, the system stops monitoring for qualifying events but still
attempts every Activation Interval (two hours by default).

b. Enter the IP address or host name of an NTP Server. This setting is required when using KMS (and
ignored when using product key activation).

c. Click Next.

7. Read the summary information and confirm that the details are correct. To modify any of the values, use
the Previous button. When you are ready to install the ISO, activate the Windows license, and build the
base image, click Create Base Image.


Caution: File uploads from Internet Explorer may fail due to the browser's file
upload size restrictions; 4GB is the maximum file size that can be uploaded in
IE 9–11.

8. You can monitor the download progress in the On-box Sandboxing Configuration dialog.

If you are installing a multi-edition ISO, you will be prompted after the download to select the specific
Windows version. Select the version and click Continue activation.


Content Analysis immediately begins installation of Windows in the IVM and shows snapshots of what is
taking place on the Windows desktop in the VM.

Follow the on-screen activation instructions. When the activation process is complete, the Windows base
image is listed in the Base Images panel and the initial IntelliVM (IVM) profile is listed in the Scanning
Profiles panel. The Status column shows Ready.

If the base image failed to load or Windows didn't activate, the Status column will display a descriptive
error message such as Invalid product key or Activation failed; see "Troubleshooting Windows Image
Upload/Download Issues" on page 19.

Optimize Resources for On-Box Sandboxing


If you are using Content Analysis primarily for on-box sandboxing and performing malware analysis, you can
select a performance profile that allocates the majority of resources to on-box sandboxing and offers support for
additional IntelliVMs. Note that resources are scaled back for antivirus services when you select the sandboxing
performance profile, and for all intents and purposes, these services are disabled.


Note: You must have purchased and activated the On-box Sandboxing license in
order to select the Optimized for On-Box Sandboxing performance profile.

1. Select System > Resource Allocation.

2. Select Optimized for On-Box Sandboxing.

3. Click Save Changes.

Additional Information
• If the On-Box Sandboxing license is not activated, the Optimized for On-Box Sandboxing option is not
available and cannot be selected.

• If you subscribe to antivirus services, you should select the Balanced profile to allocate resources fairly
between AV and on-box sandboxing.

• If you want to deactivate the On-Box Sandboxing license, you must first choose the Balanced profile.

Add Windows ISO File


If you did not add a Windows base image while enabling the On-box Sandboxing license, you will need to do so
before you can proceed further with on-box sandboxing configuration. Windows XP SP3, Windows 7 SP1, and
Windows 10 (64-bit versions) are supported. You can purchase the Windows license directly from Symantec or
from Microsoft. (Microsoft is no longer issuing licenses for Windows XP.) If you purchase Windows licenses from
Microsoft, use a standard enterprise version of the ISO that Microsoft provides. Make sure to have the Windows
product key on hand or on a Key Management Server, as you will need the key when installing the ISO image.


ISO Requirements

• Windows 7 and Windows XP ISO images without the service pack cannot be imported.

• The ISO import feature supports ISOs that include more than one edition of the operating system, for
example: Windows 7 Enterprise or Windows 10 Professional.

• Refer to release notes for the specific Windows versions and build numbers with which Symantec has
tested ISO installation.

After the installation process is complete, the Windows ISO is converted to a base image that will be used in the
on-box sandboxing IntelliVM. Profiles are ready-to-run encapsulations of base images plus additional
customizations designed to replicate particular Windows environments. An initial profile is created when you
install the ISO file.

1. Select Services > Sandboxing > Symantec On-box Sandboxing.

2. Click Create base image from an ISO image. The On-box Sandboxing Configuration dialog opens.

3. In the On-Box Sandboxing Configuration dialog, select one of the following:

• If you have purchased the Windows license from Symantec, choose Download from Symantec.
Click Next, select the Windows version and click Next again. Skip to the Windows licensing step
below.


Caution: Do not choose the Download from Symantec option if you
purchased the Windows license from Microsoft or if you are installing a
Windows XP ISO. This option is intended only for Windows licenses that
were purchased from Symantec.

• Upload from local file — Select this option if you have purchased the Windows license from
Microsoft and downloaded the ISO file to a local system. Windows XP is not available using this
option. Click Next, browse to the file, and click Next again.

• Download from URL — Select this option if you have purchased the Windows license from
Microsoft and the ISO file is on a web server. Click Next, enter the URL of the ISO file (for example,
http://webserver.test.com/windows10.iso), and click Next again.

Tip: URL download is the preferred option over uploading from a local file,
because the process of installing the ISO will happen in the background,
allowing you to perform other Content Analysis tasks without impacting the
installation. If you upload the ISO file from a local system, on the other hand,
you must stay on this page until the upload is complete.

4. For ISO Type, select Windows XP, Windows 7 64-bit, or Windows 10 64-bit.

5. If desired, modify the name of the base image; click Next.

6. Enter details on your Windows license: 

a. Enter the Microsoft Windows Product Key. The product key is located on the Windows license
documentation you received from Microsoft. You may type the key in upper- or lowercase, but you
must include the dashes. Product keys are specific to the Windows version and edition.

or

If you purchased the Windows license from Microsoft and are managing your product keys with a
Key Management Service (KMS), enter the IP address or host name of your KMS Server. Note that
KMS is not an option for licenses purchased from Symantec.

KMS activations are valid for 180 days—the Activation Validity Interval. To remain activated, a KMS
client must renew its activation by connecting to the KMS server at least once every 180 days. By
default, a KMS client computer attempts to renew its activation every seven days. (The Renewal
Interval can be set on the client using slmgr /sri interval, but it will be overridden by the KMS server
setting.) If the client succeeds in reaching the KMS server at the Renewal Interval, the Activation
Validity period is reset and the activation is valid for another 180 days. If the client fails to reach the
KMS server, the system will watch for network changes or other qualifying events to trigger another
activation attempt. After 15 minutes, the system stops monitoring for qualifying events but still
attempts every Activation Interval (two hours by default).

b. Enter the IP address or host name of an NTP Server. This setting is required when using KMS (and
ignored when using product key activation).

c. Click Next.

7. Read the summary information and confirm that the details are correct. To modify any of the values, use
the Previous button. When you are ready to install the ISO, activate the Windows license, and build the
base image, click Create Base Image.

Caution: File uploads from Internet Explorer may fail due to the browser's file
upload size restrictions; 4GB is the maximum file size that can be uploaded in
IE 9–11.

8. You can monitor the download progress in the On-box Sandboxing Configuration dialog.

If you are installing a multi-edition ISO, you will be prompted after the download to select the specific
Windows version. Select the version and click Continue activation.


Content Analysis immediately begins installation of Windows in the IVM and shows snapshots of what is
taking place on the Windows desktop in the VM.

Follow the on-screen activation instructions. When the activation process is complete, the Windows base
image is listed in the Base Images panel and the initial IntelliVM (IVM) profile is listed in the Scanning
Profiles panel. The Status column shows Ready.

If the base image failed to load or Windows didn't activate, the Status column will display a descriptive
error message such as Invalid product key or Activation failed; see "Troubleshooting Windows Image
Upload/Download Issues" on page 19.
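Step 6 above, like the identical step in "Enable On-Box Sandboxing on CA S400 and S500", describes KMS activation, the 180-day Activation Validity Interval, and the renewal cycle. The following PowerShell script is an added example; it is not part of this guide or of Content Analysis. It is meant to be run as an administrator inside the Windows guest, for instance over the RDP session used while an IVM profile is in customization mode, to confirm that activation succeeded, to show how much of the validity interval remains, and to check that the KMS server answers on its TCP port. It relies only on the standard SoftwareLicensingProduct WMI class; the Windows ApplicationID constant, the default KMS port 1688, and the "renewals are failing" threshold are assumptions noted in the comments.

```powershell
# Added example, not from the Symantec guide. Reports the KMS activation state of
# the Windows instance it runs on. Uses Get-WmiObject rather than Get-CimInstance
# so it also works on the PowerShell 2.0 that ships with Windows 7 SP1.

# ApplicationID that identifies the Windows OS license itself (Office and other
# products also appear in SoftwareLicensingProduct).
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-WindowsLicenseState {
    $prod = Get-WmiObject -Class SoftwareLicensingProduct `
                -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
            Select-Object -First 1
    if (-not $prod) { throw 'No Windows license with an installed product key was found.' }

    $status = switch ($prod.LicenseStatus) {
        0 { 'Unlicensed' }
        1 { 'Licensed' }
        2 { 'Initial grace period' }
        3 { 'Additional grace period' }
        4 { 'Non-genuine grace period' }
        5 { 'Notification' }
        6 { 'Extended grace period' }
        default { "Unknown ($_)" }
    }

    # WMI reports the remaining validity and the intervals in minutes.
    New-Object PSObject -Property @{
        Product              = $prod.Name
        Status               = $status
        KmsServer            = $prod.KeyManagementServiceMachine
        DiscoveredKmsServer  = $prod.DiscoveredKeyManagementServiceMachineName
        KmsPort              = $prod.KeyManagementServicePort
        DaysRemaining        = [math]::Round($prod.GracePeriodRemaining / 1440, 1)
        RenewalIntervalDays  = [math]::Round($prod.VLRenewalInterval / 1440, 1)
        ActivationIntervalHr = [math]::Round($prod.VLActivationInterval / 60, 1)
    }
}

function Test-KmsReachable {
    param([string]$KmsHost, [int]$Port = 1688, [int]$TimeoutMs = 3000)
    # KMS listens on TCP 1688 by default (assumption: default port in use). A plain
    # TCP connect proves the network path, e.g. the dirty line, is open before
    # you start troubleshooting activation itself.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($KmsHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage: run inside the IVM as an administrator.
$state = Get-WindowsLicenseState
$state | Format-List Product, Status, KmsServer, DiscoveredKmsServer, KmsPort, DaysRemaining, RenewalIntervalDays, ActivationIntervalHr

if ($state.Status -ne 'Licensed') {
    Write-Warning "Windows is not activated ($($state.Status)); check the KMS server and NTP settings."
} elseif ($state.DaysRemaining -lt (180 - $state.RenewalIntervalDays)) {
    # A healthy KMS client resets the 180-day validity at every successful renewal,
    # so a value more than one renewal interval below 180 days means renewals are failing.
    Write-Warning "Activation has not renewed recently; only $($state.DaysRemaining) days remain."
}

$kmsHost = if ($state.KmsServer) { $state.KmsServer } else { $state.DiscoveredKmsServer }
$kmsPort = if ($state.KmsPort) { $state.KmsPort } else { 1688 }
if ($kmsHost -and -not (Test-KmsReachable -KmsHost $kmsHost -Port $kmsPort)) {
    Write-Warning "Cannot reach KMS server ${kmsHost}:${kmsPort} over TCP."
}
```

Run it once after the base image reports Ready and again after any change to the dirty line network: the first warning distinguishes a wrong product key or time skew (NTP) from a network problem, and the reachability test tells you which of the two to chase.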

In addition to adding an initial profile when the base image is downloaded, Content Analysis creates a task. A task
is an execution of a sample file or URL in a defined environment (operating system profile + testing plugin script).
A plugin contains a specific set of actions or applications that are tested during sandbox evaluation. Tasks are
listed on the Malware Analysis tab; you can add, edit, or delete tasks as necessary.


Add Windows Base Image


If you have downloaded a Windows base image from a Content Analysis appliance or have a Windows base image
from CA 2.1 or 2.2, you can place the image on a local workstation or web server, and then transfer it to a CA
appliance running 2.3 or later. If you are adding a Windows ISO image, refer to "Add Windows ISO File" on
page 13 instead of this procedure.

1. Place the Windows base image on a local web server or system that the Content Analysis appliance can
access.

2. When uploading a file, make sure the Content Analysis web UI is running in a Chrome, Firefox, or Safari
browser. File uploads from IE 11 may fail due to the browser's file upload size restrictions.

3. Select Services > Sandboxing > Symantec On-box Sandboxing.

4. Click Import previously exported base image. The On-box Sandboxing Configuration dialog opens.

5. Select one of the following:

If you have downloaded the image to a local system, click Upload from local file. Click Next, browse to
the file, and click Next again.

or

If the base image is on a web server, click Download from URL. Click Next, enter the URL to the file, and
click Next again.


If you want the connection to go through the configured HTTP proxy, select the Use System Proxy check
box. For internal web servers, you probably don't need to proxy the connection, although it depends on
your network setup.

Caution: Since the base image is a large file, it will take quite some time to add
to Content Analysis, even if it's downloading from the local network. File
uploads from Internet Explorer may fail due to the browser's file upload size
restrictions; 4GB is the maximum file size that can be uploaded in IE 9–11.

6. Verify that the image is listed in the Base Images panel and the Status column shows Ready.

7. After adding a Windows base image, you will probably want to import the IVM profile associated with the
image. You can import profiles using the ma-actions profiles command.

Caution: If the base image failed to load, the Status column will display a descriptive
error message; see "Troubleshooting Windows Image Upload/Download Issues"
below.

Once you have uploaded a base image the following settings are automatically enabled:

• The Sandbox Broker on System > Licensing

• The Symantec Malware Analysis service on Services > Sandboxing > General Settings

• The Local Instance server and the default task on Services > Sandboxing > Symantec Malware
Analysis

Troubleshooting Windows Image Upload/Download Issues


Here are some tips if you experience issues with adding a Windows ISO or base image.


• If you had a failed attempt to add an ISO or base image, you may need to remove the partial image before
you can proceed. Use the Manage button to remove the image.

• If you have trouble uploading a Windows base image or ISO file, make sure the Content Analysis web UI is
running in a Chrome, Firefox, or Safari browser. File uploads from Internet Explorer may fail due to the
browser's file upload size restrictions; 4GB is the maximum file size that can be uploaded in IE 9–11.

• When Content Analysis proxies through a ProxySG that is using Content Analysis for malware scanning,
adding a base image using URL download will fail because the base image file (~10GB) exceeds the file size
limit allowed on Content Analysis. There are a few ways to work around this limitation. The recommended
method is to bypass ICAP/CA scanning for *.symantec.com, as the files hosted on the Symantec site are
known good. Another workaround is to configure Content Analysis to serve (not block) the file if it
exceeds the file size limit: Services > AV Scanning Behavior > maximum individual file size exceeded
> serve. Configure this setting before downloading the image, and if you like, set it back to block after the
download is complete. Alternatively, you can upload the base image from a file instead of downloading
from a URL.

Add and Customize IVM Profiles


Base images include complete Windows operating systems along with a number of pre-installed applications or
components used to facilitate malware detection from various file types. Base images are not used to execute
malware analysis tasks within the Content Analysis appliance. Instead, they are used to create profiles which then
run tasks within the IntelliVM virtual machine framework.

Each base image can have one or more IntelliVM profiles, each with its own customizations designed to replicate a
particular Windows environment. These customizations may include commercial applications, custom
applications, additional web browsers, and patches to components. Note that only one profile is allowed per base
image when in trial mode.

Add an IVM Profile


1. Select Services > Sandboxing > Symantec On-box Sandboxing.

2. In the On-box Sandboxing screen, click Add Profile. The Create Profile dialog opens.


3. From the Select Base list, select the base image you added.

4. For Profile Name, enter a meaningful name to identify the new profile, for example Win 7 Sales Profile.

5. Optional — For Profile Description, enter a detailed explanation of the unique characteristics of this
profile, such as browser version, custom applications included.

6. Click Add Profile.

Customize an IVM Profile


You can customize an IVM profile using a Remote Desktop connection. Once connected to the IVM profile, you
can add software, install patches, and change settings to precisely mirror your Windows environment. However,
the recommended best practice is to configure the IVM in the most vulnerable state, which maximizes detection
efficacy.

1. Select Services > Sandboxing > Symantec On-box Sandboxing.

2. In the Scanning Profiles section, click the Manage button, and then click Customize Profile. It will take a
moment for the profile to enter customization mode.


3. Leave the Customize and Build window open.

4. Use an RDP client (such as Microsoft Remote Desktop) to RDP into port 3389 of the host system; this will
give you access to the VM that is in customization mode.

Caution: In the Password field, enter password.

5. Optional: Use the provided templates for quicker customization of a Windows 7 IVM profile. See
"Templates for Customizing a Windows 7 IVM Profile" on the facing page.

6. Add additional software, such as commercial or custom applications and web browsers. See "Transfer
Installation Files to an IVM" on page 30.


Tip: It is highly recommended to install a full version of Microsoft Office using
an Enterprise Volume License key. The full version of Office provides the ability
to execute and analyze macro-based content, a commonly seen threat,
whereas the Office Viewer doesn’t execute macros.

7. For any applications that are newly installed or for modifications made to existing applications, ensure
that auto-updating is disabled.

• Windows Update

• Microsoft Office

• Java

• Microsoft Silverlight

• Adobe Reader

• Browsers

8. When finished customizing the profile, it is a best practice to reboot the IVM, open the RDP session again,
and ensure the applications are operating as desired. Once that is confirmed, you can shutdown the IVM
within Windows (issue shutdown at a command prompt), wait a minute, and finally click Start >
Disconnect to terminate the Remote Desktop connection if it’s not closed automatically.

9. Return to Content Analysis and click the Build Profile button in the Customize and Build window.

It takes several minutes for the profile to build.

Tip: After you have customized the profile, you can duplicate it to other Content
Analysis appliances. See "Copy iVM Profiles onto Multiple Appliances" on page 33.

Templates for Customizing a Windows 7 IVM Profile


The Windows 7 profile templates are designed to dramatically reduce the time required to configure Microsoft
Office, EMET, Adobe Reader, and Internet Explorer 11 for maximum malware detection. The settings used in the
templates place the applications in the most vulnerable state in order to detect the most malware. Use the
templates along with these instructions for a more efficient IVM customization experience. These settings have
been tested with Windows 7 64-bit. It is recommended to use that as the basis for the exploitable profile.

1. Go to the Content Analysis 2.4 WebGuide to download the Win7_profile_templates.zip file.

2. Enter customization mode for your Windows 7 profile. See "Customize an IVM Profile" on page 21.


3. Copy the Win7_profile_templates.zip file to the IVM and extract the registry, settings, and batch files from
the archive. See "Transfer Installation Files to an IVM" on page 30.

4. Follow the procedures below to install applications and set the appropriate settings.

Office 2010 Installation

1. Because Office Viewer collides with the full version of Office, you need to uninstall the Office Viewer
applications. You can use either the GUI, enter commands at the command prompt, or run the attached
batch file. The recommended and easiest method is to use the batch file.

Alternatives to using the batch file (CLI or GUI)

Execute the following commands from a command prompt:

wmic product "Compatibility Pack for the 2007 Office system" call uninstall
wmic product "Microsoft Office Excel Viewer" call uninstall
wmic product "Microsoft PowerPoint Viewer" call uninstall
wmic product "Microsoft Office Word Viewer 2003" call uninstall

Or, if using the GUI, uninstall the four applications from Programs and Features.

2. Run the installer for Microsoft Office 2010.

3. After it is complete, open Word, choose Don’t make changes, and then close Word.


4. Run Office2010-RegistryTemplate.reg.

5. Reboot the IVM from the command prompt with shutdown /r.

Adobe Reader X (10.0) Installation

1. Uninstall Adobe Reader 9.3 using either Programs and Features or execute the following from the
command prompt:

wmic product "Adobe Reader 9.3" call uninstall

2. Download and run the Adobe Reader X installer.

3. After the installer completes, run AdobeXReader-RegisteryTemplate.reg.


4. Restart the IVM from the command prompt by issuing shutdown /r.

5. RDP back into the profile after the reboot and open Adobe Reader X.

6. From the Start window or command prompt run:

explorer.exe %appdata%\Adobe\Acrobat\10.0\

7. Copy the TMDocs.sav and TMGrpPrm.sav files to the 10.0 folder. These particular settings make Adobe
Reader more vulnerable.

Internet Explorer 11

The IE registry template will place the web browser in a highly vulnerable state.

1. Download IE 11 and run the installer.

2. Reboot when prompted.

3. After reboot, open the browser and choose Don’t use recommended settings.

4. Run IE11-RegistryTemplate.reg.


5. Restart the IVM with a shutdown /r.

6. Open IE once after reboot, and then close the browser window.

Install EMET 5.5

1. Download and run the Dotnet Framework 4.5 installer prior to installing EMET 5.5.

2. Download and run the EMET 5.5 installer, choose Use Recommended Settings, and then close EMET.

3. Run EMET-registry-template.reg.

4. Restart the IVM with a shutdown /r from the command prompt.

Optional: Higher Resolution for IVM Console Screenshots

The default screen resolution on the IVM console is 1024x768. To increase the resolution so that you can see
more on the screen, you can use the resolution registry template.

1. Run Set-Resolution-RegistryTemplate.reg.

2. Reboot the IVM with a shutdown /r from the command prompt.

Note: Some screenshots may require the user to preview them in a new browser
tab. Due to the size, the picture navigation buttons are hidden from view.

Default 1024x768 screenshot:

1920x1080 screenshot:


Transfer Installation Files to an IVM


Your specific Remote Desktop client determines which resources are available and the various methods that you
can use to add software to an IVM profile. Specific procedures are beyond the scope of this guide.

1. To transfer application installation files to your IVM, use one of the following methods:

• Use Remote Desktop Sharing. In the Remote Desktop Connection window, go to Options > Local
Resources > More… > Local devices and resources. Select the location to map.

• From inside the IVM, map a shared network drive or folder.

• From inside the IVM, open a browser and connect to the Internet to download software from an
Internet resource or vendor site. (This connection is made through the Backend interface.)

• Copy and paste the file from the client environment through the RDP session. For example, copy a
file to the IVM Desktop from the client Desktop.

2. Copy the files across as required.

3. Install, license, and configure each application to resemble a typical computing environment at your
organization.


Caution: The customer is responsible for obtaining the appropriate licenses
for software installed on the IVMs. Contact each software vendor to obtain the
proper license type for the IVM.

4. When finished installing applications, return to IVM customization topic.

Specify Task Firewall Type


Content Analysis on-box sandboxing provides three task firewall options for the IntelliVM analysis environment.
Note that these firewall options are not to be confused with the firewall security system on your network.

• Isolated—No network connectivity

• Limited—Prevents communications on ports 25 (mail), 139 (NetBIOS), and 445 (SMB)

• Unlimited—Full network access

Which firewall setting to use depends on the tradeoffs you are willing to make, as well as your organization's
policies and risk tolerance. The more network access you allow, the better fidelity of test results because of the
wider range of network activities that are recorded. On the other hand, executing live malware samples carries
the risk that the sample will attempt to attack internal or external hosts. For maximum detection efficacy, use the
Unlimited firewall policy and ensure the dirty line is properly isolated from the production traffic. The default
firewall type is Isolated.

Tip: Which firewall option you choose also depends on whether you configure a
dirty line network. If you define a static dirty line network interface, you can safely
choose the Unlimited option.

To set the task firewall type:

1. Select Services > Sandboxing > Symantec On-box Sandboxing.

2. In the Firewall section, choose the desired task firewall option: Isolated, Limited, or Unlimited. See
descriptions above for details.

3. Click Save Changes.

Configure the Dirty Line Network


The IntelliVM profiles use the dirty line network to access the Internet during analysis. This connection should not
pass through your organization's security measures. You will need to set up this network before configuring it
below. Although Content Analysis can perform on-box sandboxing without a dirty line network, it is not
recommended.

1. In the On-box Sandboxing screen (Services > Sandboxing > Symantec On-box Sandboxing), locate
the Dirty Line Network panel.

2. If you don't have a separate dirty line network, choose Same as Backend for the IP Settings. This option
forces the IntelliVMs to use the Backend interface instead of the dirty line interface. The Backend interface
is connected to your organization's LAN and is used for the UI connection, system and pattern updates,
and base-image activation. This means that your organization's security measures will be applied to the
sample analysis and malicious traffic will potentially go through the primary interface.

3. To configure the dirty line interface:

a. Choose Static for the IP Settings.

b. For Network Interface, select the interface that your dirty line network is connected to (for
example, 1:1). See "Requirements for Dirty Line Interface" below.

c. For Default Gateway, enter the IP address of the gateway for the dirty line network. Symantec
recommends that you use a separate Internet gateway than your primary ISP.

4. Click Save Changes.

Requirements for Dirty Line Interface


When the IVM is in customize mode, traffic to and from the IVM is routed through the management interface.
When the profile is built and ready to execute tasks, it uses the dirty line interface for network traffic. Make sure
the dirty line interface meets the following requirements:

• The interface specified must be on a dedicated subnet, different from the management network.

• No other interfaces can be on the same subnet as the dirty line.

• The selected interface will be unavailable for management traffic.
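The requirements above are easy to get wrong when an appliance has several interfaces. The following Python script is an added example written for this guide (it is not part of Content Analysis and does not read the appliance's configuration); you feed it the addressing you plan to enter in the Dirty Line Network panel and it reports violations. It also checks two things the list does not state explicitly, labelled as assumptions in the code: that the dirty line gateway lies inside the dirty line subnet, and that it does not sit on the management (Backend) subnet, which would send sandbox traffic out through the production gateway. All interface names and addresses in it are constructed.

```python
"""Pre-check a planned dirty line configuration against the interface
requirements listed above. Added example for this guide; it is not part of
Content Analysis and does not read the appliance's configuration: you supply
the planned addressing. All addresses below are constructed."""
import ipaddress


def check_dirty_line(dirty_if: str, dirty_cidr: str, gateway: str,
                     other_ifs: dict) -> list:
    """Return a list of problems (empty when the plan meets the requirements).

    dirty_if   name of the interface for the dirty line, e.g. "1:1"
    dirty_cidr planned address on that interface, e.g. "198.51.100.2/24"
    gateway    default gateway to enter in the Dirty Line Network panel
    other_ifs  every other configured interface, name -> CIDR; this must
               include the management/backend interface
    """
    problems = []
    dirty_net = ipaddress.ip_interface(dirty_cidr).network
    gw = ipaddress.ip_address(gateway)

    for name, cidr in other_ifs.items():
        # The dirty line interface cannot double as a management interface.
        if name == dirty_if:
            problems.append(f"{dirty_if} already carries management traffic; use a dedicated interface")
            continue
        net = ipaddress.ip_interface(cidr).network
        # Dedicated subnet: no other interface may overlap it.
        if net.overlaps(dirty_net):
            problems.append(f"{name} ({cidr}) overlaps the dirty line subnet {dirty_net}")
        # Assumption beyond the guide: the gateway must not sit on another
        # interface's subnet, or sandbox traffic would exit via that network.
        if gw in net:
            problems.append(f"gateway {gateway} is on {name}'s subnet {net}, not the dirty line")

    # Assumption beyond the guide: the gateway should be directly reachable,
    # i.e. inside the dirty line subnet.
    if gw not in dirty_net:
        problems.append(f"gateway {gateway} is outside the dirty line subnet {dirty_net}")
    return problems


if __name__ == "__main__":
    # Constructed addressing: management on 0:0, dirty line planned on 1:1.
    plan = {"0:0": "192.0.2.10/24"}
    print(check_dirty_line("1:1", "198.51.100.2/24", "198.51.100.1", plan))  # []
    print(check_dirty_line("1:1", "192.0.2.50/24", "192.0.2.1", plan))       # overlap, gateway on 0:0
```

Run it once with the real management addressing before clicking Save Changes; an empty list means the plan satisfies the three requirements and the two extra gateway checks.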


Copy iVM Profiles onto Multiple Appliances


Rather than making the same manual customizations to IntelliVM (IVM) profiles on multiple Content Analysis
appliances, you can create a "golden image" profile on one appliance and then duplicate it onto other Content
Analysis appliances in the network. This method saves time and ensures that all appliances have the same
profiles.

Content Analysis offers two ways to duplicate IVM profiles onto multiple appliances. Both methods require that
you first prepare an export package of the profile you want to clone.

• Option 1: Import the export package and Windows base image directly. See "Import Directly from Another
Content Analysis Appliance" below.

• Option 2: Use an intermediate server to host the export package and Windows image. See "Download
from a Web Server" on the next page.

This operation requires that you enter CLI commands on each Content Analysis appliance (source and target
systems). It uses remote APIs to pull a profile export package and Windows base image off of a remote system
and place it on the current (target) system.

Requirements and Limitations


• The same Windows base image must be on the target appliance as the one used in the source profile. You
must import the base image from the target.

• Added or imported IVM profiles do not persist with a downgrade to pre-2.2 versions. For example, if you
downgrade to CA 2.1, you will lose any profiles that were imported from a different Content Analysis
appliance.

• If you will be using an intermediate server to host the export package, you will need:

◦ Network file storage for storing exported profiles

◦ Web server for serving exported profiles to be used for importing

• You cannot import Malware Analysis 4.x IVM profiles.

Import Directly from Another Content Analysis Appliance

The diagram below illustrates the process of preparing an export package on a source Content Analysis appliance
and then importing it on the target appliance.


1. On the source Content Analysis appliance, customize the IVM profile until you have the golden master you
want to duplicate on other appliances. See "Add and Customize IVM Profiles" on page 20.

2. Access the command-line interface of the source Content Analysis appliance.

3. Prepare an export package of the profile.

Example: ma-actions profiles exports export profile_ids 1

4. Record the export ID associated with the package. Use the ma-actions profiles exports status command
to find the ID.

5. Generate an API key and save the value in a text file; you will reference this key value when importing the
base image and IVM profile.

Example: ma-actions api-key create user apiuser role write-only

6. Look up the ID number of the Windows base image you want to import on the target appliance; you will
reference this ID when importing the image.

7. Access the CLI of a target Content Analysis appliance.

8. Import the Windows base image from the source Content Analysis appliance.

Example: ma-actions bases imports import remote_host 203.0.113.17 vmb_id 1 api_key ******

9. Import the export package.

Example: ma-actions profiles imports import remote_host 203.0.113.17 vme_id
05E8VHWCJXMN6BZT29J9SV3M1R api_key ******

10. Repeat Steps 7–9 for each target appliance.

Download from a Web Server

The diagram below illustrates an alternative way to import a Windows base image and export package: by putting
them on a web server and then pulling them off the server and onto the target Content Analysis appliance.
Use this method if the direct method described above does not work properly.


1. On the source Content Analysis appliance, customize the IVM profile until you have the golden master you
want to duplicate on other appliances. See "Add and Customize IVM Profiles" on page 20.

2. Access the command-line interface of the source Content Analysis appliance.

3. Prepare an export package of the profile.

Example: ma-actions profiles exports export profile_ids 1

4. Record the export ID associated with the package. Use the ma-actions profiles exports status command
to find the ID.

5. Generate an API key and save the value in a text file.

Example: ma-actions api-key create user apiuser role write-only

6. Download the export package to an external system via RAPI. Use the curl command from an external
system:

curl -k -H "X-API-TOKEN:<API-key>" https://<CA-IP>:8082/rapi/system/vm/profiles/export/<export-id>/bin > <filename>

For example, enter the following command from an external server:

curl -k -H "X-API-TOKEN:7a49af86645e4e3a9f24608636135f64"
https://203.0.113.17:8082/rapi/system/vm/profiles/export/05E8VHWCJXMN6BZT29J9SV3M1R/bin >
windows-7-64-bit.export.qcow2.bundle

In the above example, 7a49af86645e4e3a9f24608636135f64 is the API key you saved in Step 5, 203.0.113.17
is the IP address of the Content Analysis appliance containing the export package,
05E8VHWCJXMN6BZT29J9SV3M1R is the export ID you recorded in Step 4, and
windows-7-64-bit.export.qcow2.bundle is the export filename.

7. Download the Windows base image to an external system via RAPI. Use the curl command from an
external system:

curl -k -OJ -H "X-API-TOKEN:<API-key>" https://<CA-IP>:8082/rapi/system/vm/bases/<vmb_id>/bin

For example, enter the following command from an external server:

curl -k -OJ -H "X-API-TOKEN:7a49af86645e4e3a9f24608636135f64"
https://203.0.113.17:8082/rapi/system/vm/bases/1/bin

In the above example, 7a49af86645e4e3a9f24608636135f64 is the API key you saved in Step 5, 203.0.113.17
is the IP address of the Content Analysis appliance containing the base image, and the base image ID is 1.

8. Place the export package and base image on a web server the target Content Analysis appliances can
access. (This step may not be necessary if the external system where you downloaded the package in Step
6 is a web server.)

9. Access the CLI of a target Content Analysis appliance.

10. Import the base image from the web server. For example:
ma-actions bases imports download url https://myserver.com/bases/filename

Alternatively, you can use the Content Analysis web UI to import a base image. See "Add Windows Base
Image" on page 18.

11. Import the profile export package from the web server. For example:
ma-actions profiles imports download url https://myserver.com/profiles/windows-7-64-
bit.export.qcow2.bundle

12. Repeat Steps 9–11 for each target appliance.
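Steps 6 and 7 above are plain HTTPS requests with an `X-API-TOKEN` header, so they can be scripted when many appliances are involved. The following Python script is an added example written for this guide, not Symantec code; it reproduces the two documented RAPI URLs (port 8082, `/rapi/system/vm/profiles/export/<export-id>/bin` and `/rapi/system/vm/bases/<vmb_id>/bin`) and the header, and adds three things the curl one-liners lack: it can verify the appliance's TLS certificate against a CA bundle instead of disabling verification as `-k` does, it records the SHA-256 of what it downloaded so the same bundle can be confirmed on every target before importing, and it takes the server-supplied filename the way `curl -OJ` does but strips any directory component from it. The export-ID format check (26 characters of Crockford base32, modelled on the guide's example ID), the `ca_bundle` argument and all function names are assumptions of this example.

```python
"""Pull an IVM profile export package and a Windows base image off a Content
Analysis appliance over RAPI, the Python equivalent of the guide's curl calls.
Added example for this guide; not Symantec code."""
import hashlib
import os
import re
import ssl
import urllib.request

RAPI_PORT = 8082  # port used by the guide's curl examples

# Assumption: export IDs look like the guide's 05E8VHWCJXMN6BZT29J9SV3M1R,
# i.e. 26 characters of Crockford base32 (no I, L, O or U).
EXPORT_ID_RE = re.compile(r"^[0-9A-HJKMNP-TV-Z]{26}$")


def export_url(ca_ip: str, export_id: str) -> str:
    """URL of a profile export package (path as documented in the guide)."""
    if not EXPORT_ID_RE.match(export_id):
        raise ValueError(f"unexpected export ID: {export_id!r}")
    return f"https://{ca_ip}:{RAPI_PORT}/rapi/system/vm/profiles/export/{export_id}/bin"


def base_image_url(ca_ip: str, vmb_id: int) -> str:
    """URL of a Windows base image (path as documented in the guide)."""
    if not isinstance(vmb_id, int) or vmb_id < 1:
        raise ValueError("vmb_id must be a positive integer")
    return f"https://{ca_ip}:{RAPI_PORT}/rapi/system/vm/bases/{vmb_id}/bin"


def filename_from_disposition(header, fallback: str) -> str:
    """Take the server-supplied name the way curl -OJ does, but keep only the
    basename so a Content-Disposition header can never steer the write
    outside the destination directory."""
    if header:
        match = re.search(r'filename="?([^";]+)"?', header)
        if match:
            return os.path.basename(match.group(1).strip())
    return fallback


def tls_context(ca_bundle):
    """Verify the appliance certificate against ca_bundle. ca_bundle=None
    reproduces curl -k (no verification); accept that only on a trusted
    management network, since an on-path attacker could otherwise substitute
    the bundle you are about to import."""
    if ca_bundle:
        return ssl.create_default_context(cafile=ca_bundle)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def download(url: str, api_key: str, dest_dir: str, ca_bundle=None,
             fallback_name: str = "download.bin"):
    """Fetch url with the X-API-TOKEN header (as in the guide), stream it to
    dest_dir and return (path, sha256). Compare the digest against the file
    placed on the web server and on every target appliance before importing."""
    req = urllib.request.Request(url, headers={"X-API-TOKEN": api_key})
    digest = hashlib.sha256()
    with urllib.request.urlopen(req, context=tls_context(ca_bundle)) as resp:
        name = filename_from_disposition(resp.headers.get("Content-Disposition"),
                                         fallback_name)
        path = os.path.join(dest_dir, name)
        with open(path, "wb") as out:
            for chunk in iter(lambda: resp.read(1 << 20), b""):
                digest.update(chunk)
                out.write(chunk)
    return path, digest.hexdigest()


if __name__ == "__main__":
    # Values from the guide's example; the API key is a placeholder.
    ca_ip, api_key = "203.0.113.17", "<API-key>"
    print(export_url(ca_ip, "05E8VHWCJXMN6BZT29J9SV3M1R"))
    print(base_image_url(ca_ip, 1))
    # Uncomment on a system that can reach the appliance:
    # download(export_url(ca_ip, "05E8VHWCJXMN6BZT29J9SV3M1R"), api_key, ".",
    #          ca_bundle="appliance-ca.pem",
    #          fallback_name="windows-7-64-bit.export.qcow2.bundle")
```

The API key created in Step 5 is a bearer credential for the appliance; keep it out of shell history and scripts checked into version control, and delete it with the CLI once the copy is finished.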


Malware Analysis
When Content Analysis is licensed for on-box sandboxing, you can perform in-depth malware analysis by
uploading samples, viewing detailed task result reports, and drilling down to view events that occurred during
detonation in the sandbox.

Perform Malware Analysis


When using the Content Analysis appliance to perform malware analysis, you will look at a variety of reports,
upload suspicious files and URLs for testing in an on-box sandbox, and interpret results of the analyzed files.
Advanced users can do further analysis and create custom patterns from information discovered during analysis.

Before you Begin


This process assumes you have:

• Configured Content Analysis for on-box sandboxing. See "Use On-box Sandboxing" on page 6.

• Set up users with analyst or super analyst roles.

Perform Malware Analysis


1. Log in as an Administrator, Super Analyst, or Analyst user.

2. Review reports to see what threats are being discovered by sandboxing:

• "Malware Analysis Overview Dashboard" on the next page

• "Malware Analysis Processing Statistics" on page 41

3. Upload a file, compressed (zip) file, or URL for analysis. Multiple files may be submitted. You will
automatically be prompted to create a task.

4. Create a task for the sample (see "Create a Task for a Sample" on page 45), selecting the sandbox
environment (such as IVM Profile or Apple) and configuring its details.

5. View the task results report.

a. Locate the task on the Malware Analysis > My Tasks list.

b. When the task has completed, click the ID to view the "View Task Summary Results" on page 65. It
presents a results overview. The Risk Score is the key piece of data, indicating whether the file is
malicious. Additional tabs present information on events and timelines.


6. Optionally, drill down deeper.

• View the Other Resources section on the Task Summary and the Resource list on the Sample
Details screen. If the sample dropped other files to disk when it detonated, those files will be
available for download.

Caution: Proceed with caution. These files are not encrypted and may be
malicious.

• View the Dynamic Event List to see what happened when the file executed. For example, FS_Create
event type means that a file was created.

• View the Static Event List for detailed information obtained during static analysis of the sample.

7. Advanced: Create a pattern from information discovered during analysis.

8. Super Analysts and Administrators only: Review tasks and samples created by other analysts.

Malware Analysis Overview Dashboard


Select Malware Analysis > Overview to quickly submit, search for, and view samples.

Access the Malware Analysis tab to analyze suspicious files.


View High Risk Tasks

This panel displays a list of the tasks that resulted in high risk scores, allowing you to quickly see items of concern
and drill down for more detail. Users with Admin or Super Analyst privileges see tasks created by all users; users
with Analyst privileges see only their own tasks.

Note: A task is an execution of a sample file or URL in a defined environment
(operating system profile + testing plugin script). A plugin contains a specific set of
actions or applications that are tested during sandbox evaluation. Tasks are defined
when a sample is uploaded or at any future time, as long as the sample binary is
present; see "Create a Task for a Sample" on page 45. The task runs after it is created.
Display the "View Task Summary Results" on page 65 to view the task results (such
as its risk score).

The Latest 100 High Risk Tasks panel displays the following information for each task.

Task ID: The numeric ID associated with the task. Click the ID to view the Task Report page.

Label: The filename, URL, MD5 hash, or user-defined name of the sample

Source: How the sample was submitted to on-box sandboxing:

• www: File or URL submission from the Malware Analysis tab

• CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance

• [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.

Owner: The user who created the task

Risk Score: Risk score verdict, on a scale of 0 to 10

Date Added: The date and time when the task was run

View Recently-Submitted Samples

Use the My Recent Samples section to view the most recent samples that have been submitted to on-box
sandboxing for analysis, either manually or automatically through Content Analysis. Users with Admin or Super
Analyst privileges see samples submitted by all users; users with Analyst privileges see only their own samples.


Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.

View Sample Details

The My Recent Samples panel displays the following information for each sample.

Sample ID: See "Get Sample Details" on page 58

Label: The filename, URL, or MD5 hash of the sample

Source: How the sample was submitted to on-box sandboxing:

• www: File or URL submission from the Malware Analysis tab

• CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance

• [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.

Owner: The user who submitted the sample

Task Count: Number of tasks that have been performed on this sample

Date Added: The date and time when the sample was added

Get More Information

Click a button for shortcuts to related functions:

• View All My Samples: Displays a complete list of all of your samples (not just your recent ones) on the
My Samples window.

• Submit Samples: Opens the Upload samples window, where you can submit one or more files for
analysis.

• Submit URLs: Opens the Enter URLs window, where you can submit one or more URLs for analysis.

• Search: Perform an advanced search for samples. Only the samples that you are authorized to see will be
displayed.
displayed.

Perform a Quick Analysis on a New Sample

In the Quick Analysis (Sandbox) section, click Add Files to browse, or drag and drop directly from your
computer to Add Files. All of the selected files are uploaded to on-box sandboxing, and the default task is run on
each sample in its proper environment as soon as the upload is completed.

Files are routed to the appropriate test environment. For example:

• Android files (APK) that are submitted via Quick Analysis are routed automatically to the MobileVM
environment.

• Apple files are routed automatically to the Apple Analyzer.

Click any task to go to its task results; see "Get Sample Details" on page 58. These tasks and samples are also
available in the My Samples and My Tasks lists.

Find a Task or Sample

Perform fast searches based on known sample attributes. You will see only the results that you are authorized to
see.

• Search Task ID: Task IDs are unique numbers that are generated automatically when you create a task. If
you know the ID associated with the task you want to view, enter the number and click Search Task ID. A
successful match to an existing task takes you directly to the corresponding Task Report.

• Search MD5: Search for a sample by its complete MD5 hash.

• Search SHA256: Search for a sample by its complete SHA256 hash.

• Search Label: Search by the sample's label, which defaults to the filename of the sample unless it has
been changed by an authorized user.
been changed by an authorized user.

View IVM Profile Histogram Information

Two histograms are displayed in the Processing Stats panel. Place your mouse over any data point for details.

IntelliVM Queue Size: Displays the number of tasks in the queue waiting for the on-box sandbox to analyze.
The chart shows the minimum, maximum, and average number of tasks in the queue for each hour.

Risk Score Bar Chart: View risk scores over time.

Malware Analysis Processing Statistics


Select four charts to view on a single screen. These charts show statistics, such as queue size and execution time,
for each type of task environment (IntelliVM, SandBox, Mobile IntelliVM, Apple Analyzer), as well as overall on-
box sandboxing statistics about risk scores, events, and completed tasks.


Tip: A useful chart selection is Tasks Complete, Risk Score Bar Chart, IntelliVM Queue
Size, and High Risk Score Bar Chart over the Last 24 hours.

1. Select Malware Analysis > Stats.

Or from the Malware Analysis > Overview page, click the title of one of the histogram charts.

The Processing Statistics report screen opens.

2. In each of the four chart areas, select which chart to display.

Chart: Description

Risk Score Pie: View the count of each risk score in a pie. Each risk score has its own color (green = low, red =
high).

Risk Score Bar Chart: Color coded risk scores are presented over the specified time.

High Risk Score Bar Chart: Risk scores of 7 or higher are presented over the specified time.

Event Count: Count of events presented over the specified time.

Tasks Complete: Count of completed tasks presented over the specified time.

IntelliVM Queue Size: Displays the minimum and maximum number of tasks in the queue for that time as well as
how many tasks were actually in the queue.

Sandbox Execution Time: The time spent processing the sample in the virtual machine during the specified
period.

Sandbox Total Execution Time: The time it took for the sample to be processed completely; includes time spent
in the virtual machine, determining file reputation, processing the results, and running other services on the
task.

IntelliVM Execution Time: Displays the minimum, maximum, and average execution time for that time period as
well as how long execution took in the specified period.

IntelliVM Total Execution Time: Displays the minimum, maximum, and average execution time for that time
period as well as how long execution took in the specified period.

Mobile IntelliVM Execution Time: Displays the minimum, maximum, and average execution time for that time
period as well as how long execution took in the specified period.

Mobile IntelliVM Total Execution Time: Displays the minimum, maximum, and average execution time for that
time period as well as how long execution took in the specified period.

Apple Analyzer Execution Time: Displays the minimum and maximum execution time for that time period as well
as how long execution took in the specified period.

Apple Analyzer Total Execution Time: Displays the minimum, maximum, and average execution time for that
time period as well as how long execution took in the specified period.

3. For each chart, select a time period:

• Last Hour

• Last 24 Hours

• Last 7 days

• Last Month

• Custom: Follow up by selecting the From/To dates and time period in Hours, Days, or Months.

4. Hover over any data point for details.

Submit a Sample File for Analysis


To manually submit an uncompressed file to on-box sandboxing for analysis:

1. Click Malware Analysis > Submit > Submit Samples, or click Malware Analysis > Overview and then
select Submit Samples under My Recent Samples.

2. Click Add Files. The Choose File to Upload dialog opens.

3. Select one or more files and click Open. The file(s) are displayed in the list.

4. Click Continue. The Create Task window opens, where you will define and execute a task on the sample.
See "Create a Task for a Sample" on page 45.

Submit a ZIP File Sample

Note: This function is limited to unpacking ZIP archives; no other compression
formats (such as RAR) are supported.

To manually submit a compressed (zip) file to on-box sandboxing for analysis:


1. Select Malware Analysis > Submit > Upload and Unpack Zip.

2. If the file is encrypted, provide the Zip file password.

3. Click Add Files.

4. Browse and select a ZIP file. The file will be uploaded, then appear under Filename.

The Status provides extraction details.

5. Wait for the Status column to show "Upload completed" for each file.

6. Do one of the following:

• Click Add Files to add more files.

• Click Continue. The Create Tasks page is displayed, where you will define and execute a task on the
sample. See "Create a Task for a Sample" on the facing page.

Default task options are set by the Administrator. These settings apply to automatically submitted samples, and
are also displayed for manual task configuration, where they can be overridden, as desired.

Submit a URL for Analysis


To manually submit an Internet URL to on-box sandboxing for analysis:

1. Do one of the following:

• Select Malware Analysis > Submit > Submit URLs.

• Select Malware Analysis > Overview, then select Submit URLs under My Recent Samples.


2. Type in the list of URLs, one per line. All standard formats are allowed; however, it is recommended to
append http:// or https:// to the URI as sometimes the environment will not natively know how to handle a
URI string without proper syntax:

• https://www.symantec.com — Best practice

• www.symantec.com — Not recommended

• symantec.com — Not recommended

3. Click Add URLs.

4. The Create Task window opens, where you will define and execute a task on the URLs. See "Create a Task
for a Sample" below.

Create a Task for a Sample


A task is an execution of a sample file or URL in a defined environment (operating system profile + testing plugin
script). A plugin contains a specific set of actions or applications that are tested during sandbox evaluation. The
task runs after it is created.

1. After uploading a sample file, ZIP, or URL, you have the option of creating a task for the sample. Click
Continue after the file submission is complete. (For URL submission, the Create URL Task screen
automatically displays.)


2. Or if you chose not to create the task at the time of sample submission, you can create the task for the
sample at any time:

a. Select Malware Analysis > My Samples or Malware Analysis > All Samples.

b. Click the ID or label of the sample you want to create a task for. The Sample Details screen opens.

c. Click the Create New Task button. The Create Task screen opens.

3. Select the Environment Type you want to run the sample in.

Note: For URL tasks, only IntelliVMs are available.


4. Configure the options for that environment.

5. Click Create Task to save the task. The task will run, and present the Task Summary where you can view
task results (such as risk score).

Configure Task Settings


Select Malware Analysis > Task Settings to set defaults for tasks that will run in a specific environment. These
settings also appear when you create a task.

For each environment type, specify default task settings to be used for automatic sample submission, as from
Content Analysis, Security Analytics, or Symantec Messaging Gateway, as well as for samples that are manually
submitted using the Malware Analysis tab or RAPI. Each environment has its own set of tasks and possible
defaults.

1. Select Malware Analysis > Task Settings.

2. For Environment Type, select one of the following.

n IntelliVM: Emulated Windows 7 or 10 64-bit operating systems

n SandBox: Simulated Windows environment

n MobileVM: Emulated Android operating system

n Apple Analyzer: Emulated Apple operating system

3. Configure the options for the selected environment.

Set the IntelliVM Task Options


Basic Options

Firewall
Content Analysis on-box sandboxing provides three task firewall options for the IntelliVM analysis
environment. Note that these firewall options are not to be confused with the firewall security system on
your network.

n Isolated—No network connectivity

n Limited—Prevents communications on ports 25 (mail), 139 (NetBIOS), and 445 (SMB)

n Unlimited—Full network access

Which firewall setting to use depends on the tradeoffs you are willing to make, as well as your organization's
policies and risk tolerance. The more network access you allow, the better fidelity of test results because of
the wider range of network activities that are recorded. On the other hand, executing live malware samples
carries the risk that the sample will attempt to attack internal or external hosts. For maximum detection
efficacy, use the Unlimited firewall policy and ensure the dirty line is properly isolated from the production
traffic. The default firewall type is Isolated.


Tip: Which firewall option you choose also depends on whether you configure a
dirty line network. If you define a static dirty line network interface, you can safely
choose the Unlimited option.

IntelliVM Options
n Specify the Execution time limit in seconds. 60 seconds is a good detection/throughput ratio. A
longer execution time increases detection but reduces throughput. A longer run is typically used to see
more details on a specific piece of malware.

n For Override file extension, specify a file extension for on-box sandboxing to use if the file types
and their extensions do not match.

Note: On-box sandboxing will detect the actual file type regardless of the
extension (for example, an EXE masquerading as a PDF) unless an entry is
made here. If entered, on-box sandboxing will treat the sample file(s) as the
type entered.

n Select Smart Detonation to prevent likely clean PDF files from being sent to the sandbox. This setting
is enabled by default. With Smart Detonation, Symantec IP scans PDF files to check for elements that
can be used for malicious purposes. Files that contain no potentially malicious elements are not sent to
the sandbox, thereby conserving resources.

n Select Get dropped files to preserve any files that the sample creates, deletes, or modifies during the
task. The files are saved as task resources and are automatically scanned by YARA rules. The files
appear under Other Resources on the Task Summary report.

Tip: Best practices are to disable the Get dropped files setting for bulk
analysis as ransomware samples can generate millions of dropped files. It
may be desirable to enable this setting during manual malware analysis
though.

Analytics Options
The HTTP Archive (HAR) contains a log of HTTP client/server conversations and can be used for additional
analysis of page loads, downloads, and timings. HAR files are generated from the PCAP file within each task,
providing the analyst with an additional valuable tool for further analysis.

n Create an HTTP Archive resource from the packet capture (HAR)

n Store body of HTTP requests in HAR


See "About HTTP Archive (HAR)" on page 97.

Advanced Options

Use Execution Arguments to control how the sample is launched. The default value is {sample}, which will
be replaced with the fully qualified path of the sample. You can also use this space to pass parameters into
IntelliVM plugins. For example:

n paint.exe {sample}: Opens the sample in paint.exe, regardless of file extension.

n {sample} --param1 [parameter1]: Passes values to the sample as it runs. (You would need to know
which values the sample requests and in what order.)

For Guest Path, type a file path to override the default, which is c:\Windows\temp.

For Event Collection, determine which events to capture:

n Drop all registry events: Filter out registry events.

n Drop all file system events: Filter out file system events. Recommended for debugging only.

Under Other Options, select one or more of the following:


n Enable task logging: Creates a task resource that contains debugging information about the task
execution.

n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google protocol buffer file (binary serialization).

Detection Options
Digital DNA is a memory analysis technology. In combination with on-box sandboxing's memory snapshots, it
automatically inspects memory images and examines code for potentially malicious behavioral traits and
threats. Digital DNA is able to detect zero-day attacks, rootkits, and other malware not detected by other
solutions.

This capability is possible because DDNA is able to examine the code and get insight into unexecuted code
paths. It looks beyond evasion techniques and even provides results when supporting malware components
are not available.

Note: This option increases the analysis time required for samples, effectively
reducing the overall throughput capacity of the appliance. In rare cases, it can also
lead to false positive detections.

Plugins
A plugin contains a specific set of actions or applications that are tested during sandbox evaluation.


Plugins allow the IntelliVM to run, perform analysis upon the sample, and generate results based upon
predefined criteria. Each sample can run exactly one plugin. Plugins are not available in the emulated SandBox
environment.

With plugins, you can achieve some of the benefits of forensic investigation and/or static analysis while taking
advantage of the automated dynamic analysis simultaneously. Plugins can interact before, during, and after
sample execution.

Select one of the IVM plugins, as desired.

n ghost_user_with_unpacker.py: Contains all the functionality of ghost_user.py with the additional
capability of inspecting and analyzing the contents of archive files. Supported archive types include: 7z,
XZ, BZIP2, GZIP, TAR, ZIP, WIM, AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, ISO,
LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2, RAR, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, WIM,
XAR, Z, TNEF and ACE.

n ghost_user.py: Emulates advanced user interaction, including navigating dialogs and multi-screen
installers. The Ghost plugin supports some newer dialog box types, resulting in more accurate
automated input to user prompts. Symantec recommends enabling the ghost_user.py plugin when
performing bulk analysis.

n example1.py: Sample plugin that demonstrates the structure of a plugin

n run-iexplore.py: Script for loading a URL into Internet Explorer

Click View to see the plugin's code. Following the .py extension is the owner of the plugin and the timestamp
for the plugin's creation. See "About IVM Plugins" on page 99 for information on creating and customizing
plugins.

Set the SandBox Options


Basic Options

Specify the Maximum SandBox cycle count (in millions).

Note: There is no default runtime for a SandBox task. SandBox execution is
based upon clock cycles and CPU capabilities of the machine hosting the
appliance. Approximately 20 million clock cycles equals one (1) second using
modern hardware, where one instruction is processed within each cycle.

Select as many of the following event saving options as desired:

n Keep all SandBox summary events: Filter no events (show all).

n Keep the SandBox raw API events: Preserve the API trace log in raw format.

n Keep the SandBox text API events: Preserve the API trace log in text format.

n Generate SandBox PE Dump: Perform portable executable memory dump.

n Get dropped files: Preserve any files that the sample creates. The files are saved as task resources
that are automatically scanned by YARA rules.

Advanced Options
Event Collection


n Drop all registry events: Filter out registry events.

n Drop all file system events: Filter out file system events.

Other Options

n Enable task logging: Creates a task resource that contains debugging information about the task
execution.

n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google Protocol Buffer (GPB) file, a standard format for binary serialization.

Set Mobile IntelliVM Task Options

Basic Options
Firewall
Content Analysis on-box sandboxing provides three task firewall options for the IntelliVM analysis
environment. Note that these firewall options are not to be confused with the firewall security system on
your network.

n Isolated—No network connectivity

n Limited—Prevents communications on ports 25 (mail), 139 (NetBIOS), and 445 (SMB)

n Unlimited—Full network access


Which firewall setting to use depends on the tradeoffs you are willing to make, as well as your organization's
policies and risk tolerance. The more network access you allow, the better fidelity of test results because of
the wider range of network activities that are recorded. On the other hand, executing live malware samples
carries the risk that the sample will attempt to attack internal or external hosts. For maximum detection
efficacy, use the Unlimited firewall policy and ensure the dirty line is properly isolated from the production
traffic. The default firewall type is Isolated.

Tip: Which firewall option you choose also depends on whether you configure a
dirty line network. If you define a static dirty line network interface, you can safely
choose the Unlimited option.
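The three task firewall options described above for the IntelliVM and Mobile IntelliVM environments can be modelled to check what a task's packet capture should and should not contain. This is an added example, not Content Analysis code; the connection records, TEST-NET addresses and the helper names (`allowed`, `violations`, `summarize`) are constructed for illustration.

```python
"""Task firewall policy check (added example, not Content Analysis code).
Models the Isolated, Limited and Unlimited task firewall options and audits
connection records taken from a task's PCAP against the option the task ran
with. All flows and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Documented semantics: Limited blocks 25 (mail), 139 (NetBIOS) and 445 (SMB).
LIMITED_BLOCKED_PORTS = {25, 139, 445}
POLICIES = ("Isolated", "Limited", "Unlimited")
DEFAULT_POLICY = "Isolated"          # the documented default firewall type


@dataclass(frozen=True)
class Connection:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def allowed(policy: str, conn: Connection) -> bool:
    """True if the task firewall would let this connection leave the guest."""
    if policy not in POLICIES:
        raise ValueError(f"unknown task firewall policy: {policy!r}")
    if policy == "Isolated":
        return False                 # no network connectivity at all
    if policy == "Limited":
        return conn.dst_port not in LIMITED_BLOCKED_PORTS
    return True                      # Unlimited: full network access


def violations(policy: str, conns: Iterable[Connection]) -> List[Connection]:
    """Connections in a capture that the stated policy should have blocked.
    A non-empty result when reviewing a task's PCAP means the dirty line is
    not enforcing the firewall option shown under the task's Properties."""
    return [c for c in conns if not allowed(policy, c)]


def summarize(conns: Iterable[Connection]) -> Dict[str, int]:
    """How many of the observed flows each option would have blocked, i.e.
    how much recorded network activity (fidelity) each option gives up."""
    conns = list(conns)
    return {p: len(violations(p, conns)) for p in POLICIES}


# Constructed flows, as if extracted from a task PCAP (TEST-NET addresses).
SAMPLE_FLOWS = [
    Connection("203.0.113.10", 80),
    Connection("203.0.113.10", 443),
    Connection("192.0.2.25", 25),
    Connection("192.0.2.45", 445),
    Connection("192.0.2.139", 139),
    Connection("192.0.2.53", 53, "udp"),
]

if __name__ == "__main__":
    for policy, blocked in summarize(SAMPLE_FLOWS).items():
        print(f"{policy:9s} would block {blocked} of {len(SAMPLE_FLOWS)} flows")
```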

Mobile IntelliVM Options
Specify the Execution time limit in seconds. 60 seconds is a good detection/throughput ratio. A longer
execution time increases detection but reduces throughput. A longer run is typically used to see more details
on a specific piece of malware.

Analytics
The HTTP Archive (HAR) contains a log of HTTP client/server conversations and can be used for additional
analysis of page loads, downloads, and timings. HAR files are generated from the PCAP file within each task,
providing the analyst with an additional valuable tool for further analysis.

n Create an HTTP Archive resource from the packet capture (HAR)

n Store body of HTTP requests in HAR

See "About HTTP Archive (HAR)" on page 97.

Advanced Options
n Enable task logging: Creates a task resource that contains debugging information about the task
execution.

n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google protocol buffer file (binary serialization).

Set Apple Analyzer Task Options

Set options for the Apple Analyzer environment type to analyze samples in an Apple iOS environment.
Supported formats:

n iOS: DEP, IPA files

n OSX: DMB, PKG, executable MachO for any Apple operating system or library


Advanced Options — Other Options
n Enable task logging: Creates a task resource that contains debugging information about the task
execution.

n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google protocol buffer file (binary serialization).

3. Click Save as Default. The configured settings will apply to tasks for that environment.

View Your Submitted Samples


View the samples you submitted in the Malware Analysis > My Samples list.

The My Samples tab presents information about all samples submitted by the currently logged-in user.

Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.


Get Basic Sample Information


View all on-box sandboxing samples submitted by the currently logged-in user. You can drill down to find out
more information about any of the samples, as well as create a task for the sample.

1. Select Malware Analysis > My Samples. The list of samples displays, with the following columns.

Sample ID: Unique, system-assigned number.

Label: The filename, URL, MD5 hash, or user-defined name of the sample.

Source: How the sample was submitted to on-box sandboxing:

n www: File or URL submission from the Malware Analysis tab

n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance

n [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.

MD5: MD5 hash of the sample

File Type: Precise file type, independent of the file extension

Size: Size in bytes

Date Added: UTC timestamp for when the sample was submitted

2. Click the ID or label to see the "Get Sample Details" on the next page or create a task for the sample.

3. Use the sort arrows on the column headings to sort a column in ascending or descending order.


Change a Sample's Label


1. Click Edit my sample list to edit the label (name) of any of the samples on your list.

2. Locate the sample whose label you want to edit.

3. Edit the label text.

4. Click Done editing list to save the changes.

Get Sample Details


Get detailed information on the sample file or URL, along with its resources and any tasks that have been run on
the sample.

Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.

1. Select Malware Analysis > My Samples or Malware Analysis > All Samples.

2. Click the ID or label. The Sample Details screen opens.

Sample Details
View basic information about the sample.

Sample ID: Unique integer automatically assigned to the sample

Sample Type: basic: an uploaded sample file; URL: a submitted URL

Label: Defaults to the filename; click edit to modify.

Owner: The user who submitted the sample in the Malware Analysis tab, or a parameter set via the API

Added: The date and time that the sample was submitted to the Malware Analysis (not the date the tasks were
run)

Comments: Optional user entry; click edit to modify.

Tasks for this Sample


View a list of tasks run on the sample. If no task has been run, this is noted. Otherwise, you will see a list of the
tasks run. Click the ID to view the results on the Task Summary.

Click Create New Task to create and run a new task on this sample. See "Create a Task for a Sample" on
page 45.

Resource list
See artifacts and attributes that are related to the sample. This section is visible only if the sample is a file.

Resource: Filename

File Exists: Yes unless the file has been deleted

Download: A link to download the binary file of the sample

Note: The downloaded file—the actual sample—is not protected or zipped. Take care not to launch
malware into your organization's environment.

ID: Unique integer automatically assigned to the sample resource

Date Added: Date and time that the sample was created (not the date the sample was run)

MD5: A 128-bit cryptographic hash corresponding to the Message Digest 5 algorithm

Size: File size (in bytes)

SHA256: A 256-bit cryptographic hash corresponding to the Secure Hash Algorithm

View All Samples


Click Malware Analysis > All Samples to view samples submitted by all users.

View on-box sandboxing samples submitted by all entities and users (if the logged-in user has an Admin or Super
Analyst role) or your own samples (if the logged-in user has the Analyst role).


Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.

The All Samples list shows samples submitted by any of the following methods: manual submission in the
Malware Analysis tab or remote API, or automatic submission by Content Analysis or an outside device (such as
Security Analytics or Symantec Messaging Gateway). You can drill down to find out more information about any
of the samples, as well as create a task for the sample.


1. Select Malware Analysis > All Samples. The list of samples displays, with the following columns.

Sample ID: Unique, system-assigned number.

Label: The filename, URL, MD5 hash, or user-defined name of the sample.

Source: How the sample was submitted to on-box sandboxing:

n www: File or URL submission from the Malware Analysis tab

n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance

n [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics
or Messaging Gateway

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.

MD5: MD5 hash of the sample

File Type: Precise file type, independent of the file extension

Size: Size in bytes

Date Added: UTC timestamp for when the sample was submitted

2. Click the ID or label to see the "Get Sample Details" on page 58 or create a task for the sample.

3. Use the sort arrows on the column headings to sort a column in ascending or descending order.

View Tasks You Have Created


Click Malware Analysis > Tasks to view all on-box sandboxing tasks owned by the currently logged-in user.

Note: A task is an execution of a sample file or URL in a defined environment
(operating system profile + testing plugin script). A plugin contains a specific set of
actions or applications that are tested during sandbox evaluation. Tasks are defined
when a sample is uploaded or at any future time, as long as the sample binary is
present; see "Create a Task for a Sample" on page 45. The task runs after it is created.
Display the "View Task Summary Results" on page 65 to view the task results (such
as its risk score).


View all on-box sandboxing tasks created by the currently logged-in user. This list is useful for finding out the
status of a task (whether it is in the queue, being processed, or has been completed) and the results of a task (its
risk score).


1. Select Malware Analysis > Tasks. The list of tasks displays, with the following columns.

ID: Unique, system-assigned number. Click the ID to view the Task Summary report.

Label: The filename, URL, MD5 hash, or user-defined name of the sample. Click the label to view the
Task Summary report.

Task Status: Current task status, such as Queued, Processing, or Complete

Details: Additional information if applicable

Environment: Profile type: IntelliVM (Windows 7 64-bit), IntelliVM (Windows 10 64-bit), Mobile IntelliVM, Apple
Analyzer

Source: How the sample was submitted to on-box sandboxing:

n www: File or URL submission from the Malware Analysis tab

n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the
Content Analysis appliance

n [hostname]: Sample submitted by an outside device, such as the Symantec Security
Analytics

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value
was entered for the source HTTP parameter.

Created: UTC timestamp for when the user created the task

Analysis Started: UTC timestamp for when the task was started

Risk Score: Risk score value

Note: Filtering on risk score returns all tasks with the specified risk score or above that also
have at least one exact pattern hit.

2. Has on-box sandboxing completed the analysis of a task? Look at the Task Status column to determine
whether a task is in the queue, being processed, or has been completed.

3. Did malware analysis conclude that the sample is a threat? Look at the Risk Score column to determine
the results of a task. High risk scores are highlighted in red.

4. To drill down into details on the task analysis, click the task ID or label. See "View Task Summary Results"
on page 65.

View All Tasks


Select Malware Analysis > All Tasks to view all Malware Analysis on-box sandboxing tasks.


View on-box sandboxing tasks created by all users (if the logged-in user has an Admin or Super Analyst role) or your
own tasks (if the logged-in user has the Analyst role). This list is useful for finding out the status of a task (whether it is in
the queue, being processed, or has been completed) and the results of a task (its risk score).

Note: A task is an execution of a sample file or URL in a defined environment
(operating system profile + testing plugin script). A plugin contains a specific set of
actions or applications that are tested during sandbox evaluation. Tasks are defined
when a sample is uploaded or at any future time, as long as the sample binary is
present; see "Create a Task for a Sample" on page 45. The task runs after it is created.
Display the "View Task Summary Results" on the facing page to view the task results
(such as its risk score).


1. Select Malware Analysis > All Tasks. The list of tasks displays, with the following columns.

ID: Unique, system-assigned number. Click the ID to view the Task Summary report.

Label: The filename, URL, MD5 hash, or user-defined name of the sample. Click the label to view the
Task Summary report.

Owner: User who created the task

Task Status: Current task status, such as Queued, Processing, or Complete

Details: Additional information if applicable

Environment: Profile type: IntelliVM (Windows 7 64-bit), IntelliVM (Windows 10 64-bit), Mobile IntelliVM, Apple
Analyzer

Source: How the sample was submitted to on-box sandboxing:

n www: File or URL submission from the Malware Analysis tab

n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the
Content Analysis appliance

n [hostname]: Sample submitted by an outside device, such as the Symantec Security
Analytics

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value
was entered for the source HTTP parameter.

Created: UTC timestamp for when the user created the task

Analysis Started: UTC timestamp for when the task was started

Risk Score: Risk score value.

Note: Filtering on risk score returns all tasks with the specified risk score or above that also
have at least one exact pattern hit.

2. Has on-box sandboxing completed the analysis of a task? Look at the Task Status column to determine
whether a task is in the queue, being processed, or has been completed.

3. Did malware analysis conclude that the sample is a threat? Look at the Risk Score column to determine
the results of a task. High risk scores are highlighted in red.

4. To drill down into details on the task analysis, click the task ID or label. See "View Task Summary Results"
below.

View Task Summary Results


The Task Summary provides detailed information concerning the task execution and events generated by the
sample. View detailed information on the sample file or URL, along with its resources (such as a log file or the EXE
itself) and any tasks that have been run on the sample using a SandBox, IntelliVM, Apple, or MobileVM
environment.

1. Select Malware Analysis > Tasks or Malware Analysis > All Tasks. The list of tasks displays.

2. Click the task ID number or label to access the results report for a task. The Task Summary opens.


3. Study the different sections of the screen to find out details about the task, sample, patterns that
triggered, and so forth.

4. Where available, click the filter icon to pivot to the "Search Malware Analysis Tasks" page (page 74).

5. See below for more information on each section of the screen.

Task Details

The Task Details section shows basic information about the task.

Risk Level: Numeric value from 0 to 10, automatically assigned by on-box sandboxing, determined by the patterns
that triggered during the sample execution. See Malware Analysis Risk Scores.

Note: The pattern with the highest risk score determines the overall risk level assigned to the sample.

Analyzed: The time that processing began for the task

Profile: The name of the IntelliVM profile assigned to the task

Processing Time: The time spent processing the task

Task Status: Current task status, such as Queued, Processing, or Complete

Environment: IntelliVM, SandBox, Apple, or MobileVM.

Execution Arguments: The arguments or parameters that were invoked when the sample was executed

Properties: The task settings that were selected for the task execution, such as the plugin, firewall mode, and
timeout value

Recreate Task: Rerun the current task with current settings. See "Create a Task for a Sample" on page 45.

Recreate Task with Detailed Capture: Rerun the current task with no events filtered. See "Create a Task for a
Sample" on page 45.

Note: It may be useful to recreate the task if the previous task analysis was run a long time ago or if the
IntelliVM environment has changed. Recreating a task can also take advantage of new plugins, different
firewall settings, and different execution arguments. Furthermore, some malware is time-sensitive or
date-sensitive, and recreating the task might yield additional behaviors that did not manifest
themselves in the original task run.

PCAP Files: This section may contain a packet capture (PCAP) file if network activity was generated by both URLs
and files in the IntelliVM or MobileVM environments. The PCAP's beginning timestamp begins at the
same time as sample processing and concludes just prior to the end of task processing.

Pattern Matching Results

The Pattern Matching Results section lists the specific patterns that "triggered," based on behavior observed
during the sample task run, along with the risk score of each pattern. For example, pattern matching results
might include Connects to possibly malicious URL with a risk level of 7, Connects to site associated with Web
Advertisements with a risk level of 5, or Leaks PI with a risk level of 3.

Patterns are matched at the time that a user or API retrieves a task report. This may cause the risk level for the
sample to change based on patterns that existed at that time, or to reflect changes to the pattern risk levels.
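The rules stated in the Task Details and Pattern Matching Results sections (the highest-scoring triggered pattern sets the risk level; patterns are matched against the current pattern set when the report is retrieved) and the Tasks list note that the risk score filter returns tasks at or above a threshold with at least one pattern hit can be expressed directly. This is an added example, not Content Analysis code: the three pattern names and scores are the page's own illustration, while the catalog structure, the tasks and the helper names (`risk_level`, `filter_by_risk`) are constructed.

```python
"""Risk level and risk score filtering (added example, not Content Analysis
code). Pattern names/scores follow the page's illustration; tasks and the
catalog structure are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Current pattern risk scores, keyed by pattern name.
PATTERN_CATALOG: Dict[str, int] = {
    "Connects to possibly malicious URL": 7,
    "Connects to site associated with Web Advertisements": 5,
    "Leaks PI": 3,
}


@dataclass
class Task:
    task_id: int
    label: str
    status: str                                          # Queued, Processing, or Complete
    triggered: List[str] = field(default_factory=list)   # names of patterns that triggered


def risk_level(task: Task, catalog: Dict[str, int]) -> Optional[int]:
    """Overall risk level (0..10) for the task, or None when the task is not
    complete or no pattern in the current catalog triggered. Evaluated against
    the catalog at retrieval time, so a changed pattern score changes the
    level without re-running the task (as the page notes)."""
    if task.status != "Complete":
        return None
    scores = [catalog[name] for name in task.triggered if name in catalog]
    if not scores:
        return None
    level = max(scores)          # highest-scoring pattern wins
    if not 0 <= level <= 10:
        raise ValueError(f"pattern score out of range: {level}")
    return level


def filter_by_risk(tasks: List[Task], minimum: int,
                   catalog: Dict[str, int]) -> List[Task]:
    """Tasks list 'risk score' filter: tasks at or above the threshold that
    have at least one pattern hit. A task with no hits has no level and is
    never returned, even for a threshold of 0."""
    result = []
    for task in tasks:
        level = risk_level(task, catalog)
        if level is not None and level >= minimum:
            result.append(task)
    return result


# Constructed tasks.
TASKS = [
    Task(101, "invoice.exe", "Complete",
         ["Connects to possibly malicious URL", "Leaks PI"]),
    Task(102, "https://www.example.com/", "Complete",
         ["Connects to site associated with Web Advertisements"]),
    Task(103, "report.pdf", "Complete", ["Leaks PI"]),
    Task(104, "setup.msi", "Complete", []),
    Task(105, "archive.zip", "Processing",
         ["Connects to possibly malicious URL"]),
]

if __name__ == "__main__":
    for t in TASKS:
        print(t.task_id, t.label, risk_level(t, PATTERN_CATALOG))
    print("risk >= 5:", [t.task_id for t in filter_by_risk(TASKS, 5, PATTERN_CATALOG)])
    # Raising the "Leaks PI" score re-rates task 103 on its next retrieval.
    updated = {**PATTERN_CATALOG, "Leaks PI": 8}
    print("task 103 after catalog change:", risk_level(TASKS[2], updated))
```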

Sample Details

The Sample Details section lists the following details about the sample used in the task.

ID: Unique integer automatically assigned to the sample

Source: How the sample was submitted to on-box sandboxing:

n www: File or URL submission from the Malware Analysis tab

n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the
Content Analysis appliance

n [hostname]: Sample submitted by an outside device, such as the Symantec Security
Analytics

Note: If the sample was submitted via a remote API, the Source field will be blank unless a value
was entered for the source HTTP parameter.

File Exists: Yes unless the file has been deleted

Download: A link to download the binary file of the sample

Received: Date and time that the sample was created (not the date the sample was run)

Label: Defaults to the filename; click edit to modify.

MD5: A 128-bit cryptographic hash corresponding to the Message Digest 5 algorithm

SHA256: A 256-bit cryptographic hash corresponding to the Secure Hash Algorithm

Filetype: Precise file type, independent of the file extension

Filesize: File size (in bytes)

Sample Comments: Optional comment field

Note: The downloaded file—the actual sample—is not protected or zipped. Take
care not to launch malware into your organization's environment.

Other Resources

The Other Resources section lists task resources that were either generated by or used by the sample. The task
settings that produce items in the Other Resources section are:

n Get dropped files

n Create an HTTP Archive resource from the packet capture (HAR). See "About HTTP Archive (HAR)" on
page 97.

n Enable task logging

n Save prefiltered event data

n Activity by the plugins

Most resources are available for further analysis by clicking the link to download the resource to your
workstation. You may also choose to run these resources through on-box sandboxing to generate additional
intelligence concerning malicious activity that is associated with the sample or its resources.

Event Distribution Chart

The pie chart shows the occurrence of events in proportion to total events.


Screenshots

The Screenshots section contains screenshot thumbnails of the desktop if any changes were detected at task
completion. Click a thumbnail to view the screenshot full-sized.

Activity Report

The Activity Report summarizes event data grouped by type (static events, process/thread events, file system
events, mobile events) to aid in analysis and remediation efforts. Events that trigger pattern matches are
highlighted.


Next Steps
View further results:

n Dynamic Event List

n Static Event List

n Event Timeline

View Task Behaviors in the Dynamic Event List


A malware analysis event is an artifact of analysis. Dynamic events are observed during dynamic analysis—when
the sample is executing inside the IVM environment. An example of a dynamic event is FS_Create (creation of a
file). Static events, on the other hand, are identified during static analysis processing of the sample (such as Yara
scanning); see "View Static Task Events" on the next page.

For further malware analysis, view the Dynamic Event List to see behaviors exhibited during analysis. The list
shows task events in the order that they executed during analysis. You can click an item to see further
information, including details about the sample.

1. Select Malware Analysis > Tasks or All Tasks. The list of tasks displays.

2. Click the ID number or label for the task you want to analyze. The Task Summary opens.

3. Click the Dynamic Event List tab. The events associated with the task are listed in the order that they
were executed during analysis.


4. Review the events. The following information is provided for each event:

PID: Numerical ID of the process within the operating system that was responsible for generating
the event in the analyzed sample

TID: Numerical ID of the thread within the operating system that was responsible for generating the
event in the analyzed sample

Type: The event that occurred while the sample was executed in the IVM environment. For example,
FS_Create is file creation.

Summary: Additional information about the event such as the name of the file that was created or
modified

5. Click an item to see further information, including details about the sample.

6. (Optional) Use the Filter results field to narrow down the events displayed on the list.

Tip: If you find a number of similar behaviors, you can use that information to help
create new patterns.

View Static Task Events


A malware analysis event is an artifact of analysis. Static events are identified during a static analysis process of
the sample (such as Yara scanning). An example of a static event is FMD_FileResource (a file reputation lookup).
Dynamic events, on the other hand, are observed during dynamic analysis—when the sample is executing inside
the IVM environment; see "View Task Behaviors in the Dynamic Event List" on the previous page.


Click the task ID number on a task to open the Static Event List results report for that task, where you can view
task events by provider and type. Static events are observations made about the sample by examining it with
assorted tools; static analysis does not, strictly speaking, occur while the task is running.

1. Select Malware Analysis > Tasks or All Tasks. The list of tasks displays.

2. Click the ID number or label for the task you want to analyze. The Task Summary opens.

3. Click the Static Event List tab. The events associated with the task are listed.

4. Review the events. The following information is provided for each event:

Provider An internal code that indicates which analysis component created the event

Type The event that occurred while the sample was executed in the IVM environment. For example,
FMD_FileResource is a file reputation lookup.

Summary Additional information about the event

5. Click an item to see further information, including details about the sample.

6. (Optional) Use the Filter results field to narrow down the events displayed on the list.

View Task Events over Time


The event timeline shows a histogram of events plotted against a temporal axis. This visual tool aids the analyst
by showing how the sample behaves over time.

1. Select Malware Analysis > Tasks or All Tasks. The list of tasks displays.

2. Click the ID number or label for the task you want to analyze. The Task Summary opens.

3. Click the Event Timeline tab. The events associated with the task are listed.


4. Use the controls under the chart to select which events to display. The available choices depend on which
object, registry, IP, and file-system events were found.

Search Malware Analysis Tasks


On Malware Analysis > Search you can search through completed tasks using dozens of filter attributes. The
search bar employs Lucene query syntax.

Note: Only tasks that were created in versions 2.4.1 and later can be searched using
this function.

Search Query
Build queries in the Search Query field using one of these methods:

• Type "Filter Attributes" on page 78 directly; begin typing to auto-complete the terms.

• Use the Add filter to query dialog.

• Click a filter icon on the Task Results page or in expanded entries on this page.

Results Summary
On the bottom right of the page is the Result Summary section, which displays:

• Two histograms: Risk Scores and Tasks Run

• Two lists: Top 5 Pattern Hits and Top 5 IP Addresses


Use the Add Filter to Query Dialog


Click Add filter to query to open the Add Filter dialog.

1. Select the filter attribute from the drop-down list.

2. Select the operator:

• : contains

• :~ fuzzy match

• :> is greater than

• :< is less than

3. Enter the value for the attribute in the last field.

Query String Restrictions and Requirements


• In the values, special characters such as quotation marks, slashes, and colons must be escaped with a
backslash (\) or enclosed in double quotes. The colon (:) must always be escaped. For example, to specify
the query string "c:\windows\temp\sample.exe", enter \"c\:\\windows\\temp\\sample.exe\". The
special characters that must be escaped are:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ / and the space.

• Wildcard symbols (* or ?) cannot be the first character of a query string.

Combining Search Criteria

You can combine multiple search criteria together with Boolean operators (AND, OR, NOT). The Boolean
operators are not case-sensitive. If the Boolean is omitted it defaults to AND.

Examples

risk_score:>3 NOT risk_score:5 — tasks resulting in risk scores of 3, 4, 6, 7, 8, 9, 10

pattern_hits_name:sleep AND risk_score:6 — tasks that have patterns with "sleep" in the name and with a
risk score of 6

risk_score:6 OR risk_score:1 — tasks that result in a risk score of 1 or 6

Creating Search Hierarchy

Enclose search criteria in nested parentheses to specify the order in which the criteria should be applied.

Example
((file_magic:PE32\:win32\:gui) AND pattern_hits_name:"Packer\: UPX") AND pattern_hits_name:"PE\: Nonstandard section"

In this query file_magic:PE32:win32:gui is applied first, then to those results pattern_hits_name:"Packer: UPX"
is applied, and then to those results pattern_hits_name:"PE: Nonstandard section" is applied. Removing the
parentheses would return far more results.

Wildcards

The Malware Analysis task search feature allows you to specify standard wildcards in query strings:

• To perform a single-character wildcard search, use the ? symbol.
Example: te?t matches "text" or "test"

• To perform a multiple-character wildcard search, use the * symbol at the end or middle of a search string.
Example: sleep* matches sleep, sleeps, or sleeping.

• If you aren't sure of the spelling of a single-word string, use the fuzzy-search symbol (~) after the word.
Example: slep~ matches words with similar spellings, such as sleep.

Dates

Use the following guidelines to perform searches on date fields:

• The date fields support ISO date/time format (ISO 8601) as well as the Unix epoch.
Example: added:>2019-02-01 or added:>1549047497 finds tasks added on February 1, 2019 or later.

• Valid operators for date queries are > < >= <= and : (contains).

• To specify a range of dates, enclose the range in square brackets.
Example: added:[2019-02-01 TO 2019-02-28] finds tasks added in the month of February, 2019.

• The date fields also support date math as documented here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math
Example: added:>now-1w finds tasks added in the last week.
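The escaping, Boolean, hierarchy, wildcard and date rules above are easy to get wrong when typed by hand, especially the always-escaped colon in file paths and file magic values. The following Python helper is an added example and is not part of Content Analysis; the function names are the author's own, and it only produces the query text, which you then paste into the Search Query field. Values that the guide's own examples leave unescaped (numbers, dates, UUIDs) are passed through with raw=True.

```python
"""Build Malware Analysis > Search query strings that follow the guide's rules.
Added example; not Content Analysis code."""

# Characters the guide lists as special in filter values; each is escaped with
# a backslash. Escaping every & and | also covers the two-character && and ||.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\/ ')

# Operators of the Add Filter dialog (:, :~, :>, :<) plus the >= and <= forms
# the guide allows for date fields.
OPERATORS = (':', ':~', ':>', ':<', ':>=', ':<=')


def escape_value(value: str) -> str:
    """Backslash-escape every special character, including the colon."""
    return ''.join('\\' + ch if ch in SPECIAL_CHARS else ch for ch in value)


def quote_value(value: str) -> str:
    """Alternative form: enclose the value in double quotes. Inside quotes only
    the quote, the backslash and the colon (always escaped) get a backslash."""
    inner = ''.join('\\' + ch if ch in '":\\' else ch for ch in value)
    return '"' + inner + '"'


def term(field: str, value, op: str = ':', quoted: bool = False, raw: bool = False) -> str:
    """One field<op>value term. raw=True passes the value through untouched,
    for numbers, dates and UUIDs, which the guide's examples leave unescaped."""
    if op not in OPERATORS:
        raise ValueError(f'unsupported operator {op!r}')
    value = str(value)
    if raw:
        body = value
    elif quoted:
        body = quote_value(value)
    else:
        body = escape_value(value)
    return f'{field}{op}{body}'


def wildcard_term(field: str, pattern: str) -> str:
    """Keep * and ? as wildcards, escape everything else, and reject a pattern
    that starts with a wildcard, which the search does not accept."""
    if pattern[:1] in ('*', '?'):
        raise ValueError('wildcard symbols cannot be the first character of a query string')
    body = ''.join(ch if ch in '*?' else escape_value(ch) for ch in pattern)
    return f'{field}:{body}'


def date_range(field: str, start: str, end: str) -> str:
    """Inclusive range on a date field, e.g. added:[2019-02-01 TO 2019-02-28]."""
    return f'{field}:[{start} TO {end}]'


def all_of(*clauses: str) -> str:
    """Combine clauses with AND; the parentheses fix the order of evaluation."""
    return clauses[0] if len(clauses) == 1 else '(' + ' AND '.join(clauses) + ')'


def any_of(*clauses: str) -> str:
    """Combine clauses with OR."""
    return clauses[0] if len(clauses) == 1 else '(' + ' OR '.join(clauses) + ')'


def none_of(clause: str) -> str:
    """Negate one clause."""
    return 'NOT ' + clause


if __name__ == '__main__':
    # The guide's search-hierarchy example, rebuilt from its parts.
    print(all_of(all_of(term('file_magic', 'PE32:win32:gui'),
                        term('pattern_hits_name', 'Packer: UPX', quoted=True)),
                 term('pattern_hits_name', 'PE: Nonstandard section', quoted=True)))
    # Risk scores 3, 4 and 6 to 10, as in the guide's risk_score:>3 NOT risk_score:5.
    print(all_of(term('risk_score', 3, ':>', raw=True), none_of(term('risk_score', 5, raw=True))))
    print(wildcard_term('ctx_client_ip', '10.10.10*'), date_range('added', '2019-02-01', '2019-02-28'))
```

Run the file to print three ready-to-paste queries; the wildcard helper raises rather than silently producing a query the search would reject.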

Add Search Filters from the Web UI

On the Task Summary page some of the items have a search icon. Click the icon to add the filter to the
search query field. For example, clicking an item in the Pattern Matching Results section pivots to the Malware
Analysis > Search page with pattern_hits_uuid:<UUID> as the search query.

In the results you can see all of the tasks that match the filter.

Click the arrow at the right of the ID to view details about the item and to add more filters using the filter icon.


Filter Attributes

• ctx = context, which refers to the origin of the sample. Valid only when the sample was sent via ICAP.

Each filter is listed with its description and, where available, example queries.

added
    The date when the task report was made searchable. Format: YYYY-MM-DD or Unix epoch.
    Examples: added:>2019-02-06
              added:1549047497

anomalies
    Anomaly found during static analysis of the sample. Example anomalies: pe.has_virtual_section,
    pe.imports_not_in_file, pe.zeroindosstub, pe.has_unknown_section
    Example: anomalies:pe.has_tls_clbs

ctx_client_ip
    Context client IP
    Example: ctx_client_ip:10.10.10*

ctx_generic_user_agent
    Context user agent
    Example: ctx_generic_user_agent:mozilla

ctx_product
    Context product name

ctx_sg_tenant_id
    Context ProxySG tenant ID

ctx_sg_url
    Context ProxySG URL
    Example: ctx_sg_url:proxy2.company.com

ctx_sg_user
    Context ProxySG user

ctx_sg_user_ip
    Context user IP
    Example: ctx_sg_user_ip:203.0.113.17

ctx_transport
    Context transport

ctx_tx_id
    Context transaction ID

ctx_version
    Context product version
    Example: ctx_version:10.3.7

description
    Sample description

domains
    Domains contacted during task execution, colon-delimited. The domain can be entered with or without the
    top-level domain.
    Examples: domains:google.com
              domains:google

environment
    Type of environment the task was executed in: ivm = IntelliVM, sbx = SandBox
    Example: environment:ivm

exec_args
    Execution arguments given to the environment
    Example: exec_args:\"c\:\\windows\\temp\\sample.exe\"

exec_time
    Task execution duration (in ms)
    Example: exec_time:>1000

exploits
    Exploits found during static analysis of the sample

file_magic
    Sample file magic, split by escaped colon.
    Example: file_magic:PE32\:win32\:gui

file_size
    Sample size in bytes
    Example: file_size:>100000

file_type
    File type identified by static analysis of the sample
    Example: file_type:zip

fs_paths
    File system paths accessed during task execution, split by sub path

hashes_md5
    MD5 hash of files seen during task execution. Alias of md5.
    Example: hashes_md5:0798307542afe0436658a9b4799db9cc

hashes_sha256
    SHA256 hash of files seen during task execution. Alias of sha256.
    Example: hashes_sha256:c58ed596d28656d99283bee27fff1368f499bbbb081ca18d2863afe2d8905bec

id
    Task ULIDs (upper-level IDs) are unique numbers that are generated automatically when you create a task.
    Use this search filter if you know the ID associated with the task you want to analyze.
    Example: id:21

ips
    IP addresses contacted during task execution
    Example: ips:127.0.0.1

label
    Sample label tokenized
    Example: label:0798307542afe0436658a9b4799db9cc

md5
    MD5 hash of sample. Alias of hashes_md5.
    Example: md5:0798307542afe0436658a9b4799db9cc

modified
    Last time the task report was updated. Format: YYYY-MM-DD or Unix epoch.
    Examples: modified:>2019-02-27
              modified:<1549047497

named_objects
    Mutexes (mutual exclusion objects), events, and semaphores created or opened during task execution.
    List all tasks with named objects or list all tasks with a specific object name.
    Example: named_objects:*

owner
    Owner of the task/sample (the CA user who created the task)
    Example: owner:admin

packers
    Packers found in patterns during static analysis of the sample.
    Examples: packers:*
              NOT packers:*
              packers:upx

pattern_def_version
    Pattern definition version used the last time patterns were applied
    Example: pattern_def_version:982

pattern_hits_name
    Names of patterns that hit task events
    Examples: pattern_hits_name:"Long sleep detected"
              pattern_hits_name:opens*

pattern_hits_risk_score
    Risk scores of patterns that hit task events
    Examples: pattern_hits_risk_score:5
              pattern_hits_risk_score:>4

pattern_hits_tag
    Tags of patterns that hit task events
    Example: pattern_hits_tag:

pattern_hits_uuid
    UUIDs of patterns that hit task events
    Example: pattern_hits_uuid:ca85d911-35cb-4e32-9dfd-b96fa64fdaab

pattern_time
    Time spent applying patterns on task results (in ms)
    Example: pattern_time:<200

product_version
    Product version at the time the task was executed
    Example: product_version:14.2.6

profile_local_id
    Profile ID, if environment was IVM. Corresponds to the ID shown in the scanning profiles table on
    Services > Sandboxing > Symantec On-box Sandboxing.
    Example: profile_local_id:4

profile_name
    Profile name
    Example: profile_name:Win7SP3

reg_keys
    Windows registry keys and values accessed during task execution, split by sub key
    Example: reg_keys:open*

return_code
    Return code of the task execution

risk_score
    Total risk score, with global patterns only, during last pattern matching
    Example: risk_score:>4

sample_local_id
    Sample local ID
    Example: sample_local_id:10

sample_name
    Sample name
    Example: sample_name:hook*

sample_source
    Source of sample, such as web, Content Analysis appliance, Security Analytics appliance.
    Valid input: www, url, CAS:<ip>, SA:<hostname>
    Example: sample_source:www

sample_submitted
    Date/time the sample was added to the system
    Example: sample_submitted:>2019-02-26

sample_type
    Type of sample. Valid input: basic, url
    Example: sample_type:url

sample_url
    Sample URL, executed instead of a file
    Example: sample_url:google.com

serial_number
    Hardware serial number used to identify a system

sha256
    SHA256 hash of sample. Alias of hashes_sha256.
    Example: sha256:c58ed596d28656d99283bee27fff1368f499bbbb081ca18d2863afe2d8905bec

system_hash
    Hash of the hardware serial number

system_serial_number
    Alias of serial_number

task_local_id
    Local task ID
    Example: task_local_id:436

task_start
    Date/time of task start
    Example: task_start:>2019-02-26

tlds
    Top-level domains contacted during task execution
    Example: tlds:edu

yara_hits
    YARA rules that hit during task

About Patterns
A pattern is a sequence of IP addresses, domain names, file headers, or strings that can be used to identify
potential malicious or otherwise interesting activity. Patterns form the basis of the on-box sandboxing's
embedded intelligence. Symantec's pattern matching engine compares the events generated during sample
analysis to an expansive library of behavioral-detection patterns to identify potential malicious activity. On-box
sandboxing conducts analysis of suspect samples, looking for indicators of malicious activity by matching against
a large and growing library of behavioral classification patterns.

Patterns range from generic suspicious activity—creating and terminating processes, changing registry keys—to
campaign-specific behaviors with highly unique characteristics. They reveal threat-classification indicators
including Trojans, spyware, worms, ransomware, and more. On-box sandboxing allows both global (SYSTEM) and
user-specific patterns. Patterns can detect targeted and single-use malware and do not rely on signature-based
detection methodologies.

A pattern will match if all of its conditions are met during a task run. A sample may trigger any number of pattern-
matches.

A pattern is typically a pattern group: a top-level pattern containing several subpatterns. See "Identify Malware
Patterns " on the next page. The risk score you provide when you define a pattern group indicates the intensity
of the correlation. For example, you might want to identify bitcoin miners, or detect activity directed to internal
server addresses, or any other specific confidential information.

Tip: To report false positives visit this link: https://submit.symantec.com/false_positive/

Identify Malware Patterns


View the Malware Analysis > Patterns > Pattern Groups screen to see patterns.

Note: A pattern is a sequence of IP addresses, domain names, file headers, or strings
that can be used to identify potential malicious or otherwise interesting activity.

The Patterns screen displays all pattern groups known to the system. Patterns are typically downloaded from the
Symantec Global Intelligence Network (GIN). Content Analysis queries GIN to see if a file is known malicious. To
update patterns, see "Update Detection Patterns" on page 85.

A pattern will match if all of its conditions are met during a task run. A sample may trigger any number of pattern-
matches.

Tip: To report false positives visit this link: https://submit.symantec.com/false_positive/

Create a New Pattern Group for Pattern Identification


If you have identified a malicious pattern that is not currently in the pattern database, you can create a
customized pattern group.

1. Select Malware Analysis > Patterns > Pattern Groups.

2. Click Add Pattern.

3. On the Add New Pattern Group dialog, specify a name for the new pattern, then click New pattern group.

4. Set the following pattern attributes:

• Global: Make the pattern available to all Content Analysis users; otherwise, it is available only to
you.

• Enabled: Enable the pattern for detection. Deselect to not detect the pattern.

• Risk Score: Select the risk score (or risk level) for the pattern: 10 is the most severe.

• Description: Free-form text explaining details concerning the logic or purpose of the pattern


5. Add the pattern conditions, which are based on a series of events that are linked by "any of" and "all of"
connectors:

• Any of: Boolean OR

• All of: Boolean AND

Note: You can right-click the Boolean to switch mode between Any of and All of.

6. To add a pattern, right-click the Boolean and select Add pattern.

7. From the Add pattern list, select a pattern. See "Pattern Group Prefixes" on page 86 for more
information.

8. Select Any of or All of for the next pattern.

9. Click Save.

10. Right-click the pattern and select Add sub pattern.

11. Enter the triggering criteria for the pattern on the new Add sub pattern dialog, and click Save.

The sub pattern options depend on the pattern selected. For example, a PageFaults pattern will offer sub
patterns of end_address and start_address (among others), with corresponding is/is not options,
whereas an IP_Connect pattern has sub patterns including local_port and remote_port, with the
additional address definition options.

12. The pattern and its sub pattern are displayed. Click Save Changes to finalize the pattern or Undo to
cancel.

The pattern is displayed in the Pattern Groups list.

Patterns are mapped to events in analysis reports (the Dynamic and Static events lists in the report tabs).

View Pattern Group Details


Click a pattern name on the Pattern Groups page to reveal that pattern's details and triggering conditions.


The pattern name displays at the top of the dialog, followed by detailed information on the pattern.

Column Description

Name Name of the pattern group

Global Yes = Pattern is visible to all on-box sandboxing users. No = Pattern is visible to the pattern's creator only.

Enabled Yes = Pattern will be used by on-box sandboxing for detection. No = Pattern will not be used by on-box sandboxing.

Risk Score Indicator of potential maliciousness; risk scores on system-owned patterns cannot be modified.

Owner The creator of the pattern; patterns owned by system are considered "external" patterns

Description Optional field

Created Date the pattern was created on Content Analysis

Modified Date the pattern was last modified on Content Analysis

UUID The Universal Unique Identifier for the pattern

Pattern Group ID Number assigned to the pattern group by the appliance

Revision Version number for that pattern, whether provided on Content Analysis or created by the user locally.
Each time the pattern group is modified, the revision number is incremented.

The pattern and subpattern triggers are displayed below the dividing line.

In some cases a pattern contains two (2) distinct matching conditions, both of which must be detected for the
pattern to trigger. These distinct matching conditions are themselves patterns and sub patterns.

The final outcome of the pattern group depends on the conditions met at the sub pattern level (such as equals,
startswith, and so on), then at the pattern level (all of or any of the sub patterns), and finally at the pattern
group level (all of the patterns, or any of the patterns).


Filter the Pattern List


Because there are over 1000 patterns in the system, in addition to the ones you may have created, Malware
Analysis offers a facility for filtering the pattern list.

Tip: To report false positives visit this link: https://submit.symantec.com/false_positive/

1. Select Malware Analysis > Patterns > Pattern Groups.

2. Locate the Filter patterns field.

3. Enter a text string in the filter pattern field to locate patterns for the specified criteria. The string can be
part of a pattern name, its description, or its definition. If you enter more than one string, the list will be
filtered by patterns that contain all of the specified strings. For example: enter ransomware event.

As you type the search string, the list automatically filters to the patterns that meet your criteria.

4. Use the Next button to view additional pages of results.

Update Detection Patterns

Note: This section is not applicable to Content Analysis VA, CAS-S200, or Amazon
Web Services instances, because these models do not support on-box sandboxing.

Patterns are used for detecting malware. See "About Patterns" on page 81 for more information on patterns.

1. In the On-box Sandboxing screen (Services > Sandboxing > Symantec On-box Sandboxing), locate
the Detection Patterns panel.


2. Patterns are updated regularly automatically. However, if you want to perform a manual update, click
Update patterns now. The button becomes inaccessible as the patterns update, then returns to normal
after the update process completes.

3. Click Save Changes.

Pattern Group Prefixes


Because the pattern groups are periodically updated, it is not practical to list every pattern group here. Some of
the prefixes for commonly used pattern groups are shown here for your convenience.

These prefixes also appear as event names in reports.

Prefix Definition

DBG_ Debug

FMD_ File Reputation lookup

EXP_ Exploit

FS_ File System

IP_ Internet Protocol

MOB_ Mobile

NET_ Network

NSE_ NSEsoftware analytics

OBJ_ Object

REG_ Windows Registry

RK_ Root Kit

SBX_ SandBox

SYS_ System

UMF_ Events from user mode framework


Advanced Malware Analysis Settings


Experienced analysts may want to adjust the advanced malware analysis settings.

Use Advanced On-Box Sandboxing Features 88
Use the Web Reputation Service 88
Activate the VirusTotal Service 89
About YARA 90
Apply YARA Rules 95
About HTTP Archive (HAR) 97

Use Advanced On-Box Sandboxing Features


Select Malware Analysis > Other Settings > Advanced Features.

Enhanced Stealth mode enables additional techniques that make it even harder for malware to detect the presence
of a sandbox, and it provides a higher success rate on samples that have advanced evasion and sandbox-detection
capabilities. There is a low probability of impact on the stability of packed malware, which may decrease the
success rate of behavior-based detection.

Enhanced Stealth mode is enabled by default. To disable this feature:

1. Select Malware Analysis > Other Settings > Advanced Features.

2. Click Disable Stealth Mode.

Use the Web Reputation Service


Select Malware Analysis > Other Settings > Reputation to enable or disable the Web Reputation Service.

The Web Reputation Service integrates with the Symantec Global Intelligence Network (GIN) and requires that
the appliance have Internet access on port 443.

The Web Reputation Service leverages an online database, which contains ratings for millions of websites. The
rating system includes informational categories such as Education, Art/Culture, and Humor/Jokes as well as
potentially malicious categories such as Malicious Outbound Data/Botnets, Phishing, and Spam.

Web Reputation is enabled by default.


Activate the VirusTotal Service


Select Malware Analysis > Other Settings > VirusTotal to activate the VirusTotal service.

VirusTotal is a virus, malware, and URL online scanning service. If you have signed up for the VirusTotal
Community, you can locate your personal API key in your Community profile. You will need this key to activate
VirusTotal in Content Analysis's on-box sandboxing.

Note: Obtaining a VirusTotal API key is the responsibility of the user.

1. Select Malware Analysis > Other Settings > Virus Total.

2. Enter or paste your API key in the text box.

3. Click Update VirusTotal Key.

Disclaimer: This feature is provided on an AS-IS basis. Symantec has no control of, and is not responsible for,
information and content provided (or not) by VirusTotal. Customer is obligated to comply with all terms of use
regarding the foregoing, including quotas that may be imposed by VirusTotal. Symantec shall not be liable for any
discontinuance, availability or functionality of the features described herein.


About YARA
YARA is a tool that helps malware researchers to identify and classify malware families. A malware family is
defined as a set of files related by objective criteria derived from the files themselves. With YARA, researchers can
create descriptions of malware families based on textual or binary information contained within representative
samples. These descriptions are encapsulated as rules consisting of patterns and logic based on Boolean
expressions. Rules can be applied to static files or to running processes to determine if a sample belongs to a
particular malware family.

YARA leverages rules based on logical operators and integrates easily with Python.

Official YARA information and documentation is located here: http://plusvic.github.io/yara/

Here are some examples of how YARA is used in security practice:

• Access the binary assembly code and perform static analysis based on common or unique indicators.

• Dissect RATs (Poison Ivy, Dark Comet, Ghost Rat, Extreme Rat) and common utilities used by attackers.

• Detect packed binaries, look for common passwords, bank domains, attempts at terminating AV services.

• Look for indicators of VM-aware samples.

• Specify byte-level rules and quickly analyze suspicious objects for threats specific to the organization.

• Identify likely malicious objects as well as objects previously classified as malicious.

• Trigger alerts and automated downstream processes whenever YARA rules "hit."

• Scan packed samples for initial static indicators before the malware has been executed.

• Scan memory dumps for additional malicious indicators at the conclusion of behavioral analysis
processes.

YARA Rules

Each YARA rule consists of a set of strings, regular expressions, and other binary patterns combined with Boolean
logical operators using a rich, fully documented syntax. Rules are applicable to files or memory artifacts (memory
dumps), and can be processed by tools that will recursively scan those files or analyze those memory images.

YARA rules look for static indicators — not behavioral dynamics — that provide telltale indicators of
maliciousness.

• Strings that appear in malicious files — Unique configuration items; commands used by remote
access tools

• Resources that are stored in malicious files — Distinctive icons; configuration information; other file
references

• Bytes implementing functions called by the malicious program — Indicative of the overall
character of the malware

Content Analysis is preloaded with a set of YARA rules, but you can add your own custom rules. To enable/disable
YARA, create rules, and manage your custom rules, select Malware Analysis > Other Settings > YARA. See
"Apply YARA Rules" on page 95.

Example 1

rule BadBoy
{
    strings:
        $a = "win.exe"
        $b = "http://foo.com/badfile1.exe"
        $c = "http://bar.com/badfile2.exe"
    condition:
        $a and ($b or $c)
}

Any file or process containing the string win.exe and either of the specified URLs must be reported as BadBoy.

Example 2

rule TextOrHex
{
    strings:
        $text_string = "text here"
        $hex_string = { E2 34 A1 C8 23 FB }
    condition:
        $text_string or $hex_string
}

Any file or process containing the specified text_string or the hex_string must be reported as TextOrHex.

Conditions

Conditions are Boolean expressions such as those used in IF statements in common programming languages.
They can contain typical Boolean operators AND, OR, NOT, and relational operators >=, <=, <, >, ==, and !=.

For numerical expressions, you can also use arithmetic (+, -, *, /, %) and bitwise operators (&, |, <<, >>, ~, ^).

View YARA Risk Score Results

To view YARA risk score results, select Malware Analysis > Patterns. On the resulting Pattern Groups page,
type yara in the Filter patterns field. All patterns that contain YARA_hit are displayed.


Click a pattern to see its characteristics.

Perform YARA Scans

Once YARA functionality has been enabled by Administrators or Super Analysts, YARA scans are performed on the
primary sample by default. You can select additional YARA scanning as follows:

Scan Dropped Files

To perform YARA scans on any additional files that are "dropped" (that is, downloaded, extracted) by the primary
sample, select the Get dropped files check box on the Basic Options tab for IVMs and SandBox environments.
See "Configure Task Settings" on page 47.

Scan Memory Dumps

Memory dumps (also known as memory images and memory artifacts) can be created during a task by enabling
the procdump.py plugin on the Plugins tab for the IntelliVM environment. Selecting the procdump.py plugin
performs YARA scans on the monitored processes of the virtual machine at the conclusion of the IntelliVM
analysis, focusing on memory sections frequently targeted by malware authors.

Scan Files Submitted via the RAPI

A task can be created and submitted via the Remote API as follows:

curl -X POST -d "sample_id=<sample_ID>&env=ivm" http://<CA-host>/rapi/tasks

The task properties below are all set to 1 (enabled) by default, but can be set to 0 to disable that specific feature:

tp_ANALYTICS.YARA.SCAN_SAMPLE
tp_ANALYTICS.YARA.SCAN_DROPPED
tp_ANALYTICS.YARA.SCAN_MEMDUMP

The tp_IVM.GET_DROPPED_FILES flag can be set to 1 so that YARA scans any dropped files.

Example
curl -X POST -d "sample_id=<sample_ID>&env=ivm" http://<CA-host>/rapi/tasks
curl -X POST -d "sample_id=<sample_ID>&env=ivm&tp_IVM.GET_DROPPED_FILES=1" http://<CA-host>/rapi/tasks

YARA Detection

Each YARA pattern includes a risk score that ranges from 0 (harmless) to 10 (most malicious). Risk scores are
obtained directly from YARA rules and any number of YARA rules may trigger pattern matches during a task
analysis.

Risk Scores in the YARA Rules

Description: Alerts on functions that are executing within a loop

rule SpyEye : Banking
{
    meta:
        author = "Symantec"
        info = "Banking malware"
        risk_score = 10
    strings:
        $a1 = "SpyEye_Init"
        $a2 = "notafter"
        $a3 = "urlmask"
    condition:
        all of them
}
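Because the appliance reads risk scores straight out of each rule's meta section, a custom rule file is worth checking before it is uploaded with Upload New YARA file or Append to YARA file. The following Python is an added example and is not Content Analysis or YARA project code: a small regular-expression pass that lists each rule's name, tags and risk_score and flags rules with no score, a score outside the 0 to 10 range described above, or a duplicated name. The sample file is constructed (the SpyEye rule from above plus two made-up rules), and the check does not validate YARA syntax itself.

```python
"""Pre-upload check of a YARA rule file: every rule should carry a meta
risk_score in 0..10 and rule names should be unique. Added example, not
Content Analysis code; the parser is a small regex pass, not a YARA parser."""
import re

# A rule header: optional private/global modifiers, the rule name, optional tags.
RULE_HEADER = re.compile(
    r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)'
    r'(?:[ \t]*:[ \t]*([^\n{]+))?',
    re.MULTILINE)
# The meta section runs from "meta:" up to the next "strings:" or "condition:".
META_SECTION = re.compile(r'\bmeta[ \t]*:(.*?)(?=\b(?:strings|condition)[ \t]*:)', re.DOTALL)
RISK_SCORE = re.compile(r'\brisk_score[ \t]*=[ \t]*(-?\d+)')


def parse_rules(text):
    """Return [{'name', 'tags', 'risk_score'}] for each rule in the file.
    A rule's body runs from its header to the next rule header (or the end)."""
    headers = list(RULE_HEADER.finditer(text))
    rules = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        meta = META_SECTION.search(body)
        score = None
        if meta:
            found = RISK_SCORE.search(meta.group(1))
            if found:
                score = int(found.group(1))
        rules.append({'name': m.group(1),
                      'tags': m.group(2).split() if m.group(2) else [],
                      'risk_score': score})
    return rules


def check_rules(text):
    """Problems that would make a hit meaningless or out of range in the task report."""
    problems = []
    seen = set()
    for r in parse_rules(text):
        if r['name'] in seen:
            problems.append(f"{r['name']}: duplicate rule name")
        seen.add(r['name'])
        if r['risk_score'] is None:
            problems.append(f"{r['name']}: no risk_score in meta")
        elif not 0 <= r['risk_score'] <= 10:
            problems.append(f"{r['name']}: risk_score {r['risk_score']} is outside 0..10")
    return problems


# Constructed sample rule file: the guide's SpyEye rule plus two made-up rules.
SAMPLE_RULES = r'''
rule SpyEye : Banking
{
    meta:
        author = "Symantec"
        info = "Banking malware"
        risk_score = 10
    strings:
        $a1 = "SpyEye_Init"
        $a2 = "notafter"
        $a3 = "urlmask"
    condition:
        all of them
}

// constructed: no meta section, so no risk_score
rule NoScore
{
    strings:
        $s = "text here"
    condition:
        $s
}

// constructed: score outside the 0..10 range
rule TooHigh : Test
{
    meta:
        risk_score = 12
    strings:
        $h = { E2 34 A1 C8 23 FB }
    condition:
        $h
}
'''

if __name__ == '__main__':
    for rule in parse_rules(SAMPLE_RULES):
        print(rule)
    for problem in check_rules(SAMPLE_RULES):
        print('problem:', problem)
```

Point parse_rules at the text of a downloaded yara_rules.yar to review the scores your team has assigned before re-uploading the edited file.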

YARA Results

YARA results are integrated into existing Malware Analysis resources. No additional analysis artifacts are created.

View Results in the Malware Analysis Tab

YARA results are prominently displayed in the Task Report's Activity Report under Static Events.

• A YARA rule has detected that the Armadillo packer is contained in this sample.

• The File Reputation service has recognized the executable as known malware.

• The YARA rule hit scores only one, because the Armadillo packer is not by itself evidence of malware.

• The File Reputation Service returns the verdict "Malware," so Content Analysis assigned the risk score 9.

The highest risk score determines the overall risk score for the task: therefore, this task scores 9.

View Results in the RAPI

After a task has been created, task results — including YARA events — may be retrieved via the Remote API.

curl -X GET http://<CA-host>/rapi/tasks/<task_id>

Use this command to view the specific events generated during the analysis:

curl -X GET http://<CA-host>/rapi/tasks/<task_id>/events

Under the YARA section in the events JSON, the specific YARA rules that were triggered are clearly visible. In Event
6, the rule named EXE was triggered, which has a risk score of 0. In Event 7, the TravNet rule was triggered, which
has a risk score of 10.

"YARA": {
    "6": {
        "YARA_Hit": {
            "header": {
                "YARA_StaticEventHeader": {
                    "event_number": 6
                }
            },
            "is_main_sample": false,
            "resource_id": 7,
            "risk_score": 0,
            "rule_has_risk_score": true,
            "rule_name": "EXE",
            "tag": "FileID",
            "type": 2
        }
    },
    "7": {
        "YARA_Hit": {
            "header": {
                "YARA_StaticEventHeader": {
                    "event_number": 7
                }
            },
            "is_main_sample": false,
            "resource_id": 7,
            "risk_score": 10,
            "rule_has_risk_score": true,
            "rule_name": "TravNet",
            "tag": "APT",
            "type": 2
        }
    }
}
},
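The two Remote API steps above (submitting a task with the YARA task properties under "Scan Files Submitted via the RAPI", and reading YARA events back out of the events JSON) as an added Python example, not Content Analysis code. The host ca.example.net, the sample ID 21 and the task ID 436 are placeholders, no request is actually sent, and the events document is constructed after the excerpt above rather than captured from an appliance. The last function applies the rule the guide gives for a task's overall score (the highest score among the hits wins) to the YARA hits alone; treating risk_score as meaningful only when rule_has_risk_score is true is an assumption based on the field names.

```python
"""Submit a task through the Remote API and read YARA hits back out of the
events JSON. Added example; not Content Analysis code."""
import json
from urllib.parse import urlencode

# YARA task properties documented in the guide (all enabled, 1, by default).
YARA_TASK_PROPERTIES = (
    'tp_ANALYTICS.YARA.SCAN_SAMPLE',
    'tp_ANALYTICS.YARA.SCAN_DROPPED',
    'tp_ANALYTICS.YARA.SCAN_MEMDUMP',
)


def build_task_request(ca_host, sample_id, env='ivm', get_dropped_files=False, yara=None):
    """Return (url, form_body) for POST /rapi/tasks; nothing is sent here.
    yara maps a tp_ANALYTICS.YARA.* property to True/False (1/0 in the body)."""
    params = {'sample_id': sample_id, 'env': env}
    if get_dropped_files:
        params['tp_IVM.GET_DROPPED_FILES'] = 1   # lets YARA scan dropped files too
    for prop, enabled in (yara or {}).items():
        if prop not in YARA_TASK_PROPERTIES:
            raise ValueError(f'unknown task property {prop}')
        params[prop] = 1 if enabled else 0
    return f'http://{ca_host}/rapi/tasks', urlencode(params)


def events_url(ca_host, task_id):
    """URL of the per-task event list, retrieved with GET."""
    return f'http://{ca_host}/rapi/tasks/{task_id}/events'


def yara_hits(events):
    """Flatten the "YARA" section of an events document into one record per
    hit, ordered by event number."""
    hits = []
    for number, event in sorted(events.get('YARA', {}).items(), key=lambda kv: int(kv[0])):
        hit = event.get('YARA_Hit')
        if hit is None:
            continue
        hits.append({
            'event': int(number),
            'rule': hit['rule_name'],
            'tag': hit.get('tag'),
            # assumption: the score is only meaningful when the rule defines one
            'risk_score': hit['risk_score'] if hit.get('rule_has_risk_score') else None,
            'main_sample': hit.get('is_main_sample', False),
        })
    return hits


def highest_yara_risk(events):
    """Highest risk score among the YARA hits (0 when there are none); the
    guide states that the highest score among a task's hits sets its score."""
    scores = [h['risk_score'] for h in yara_hits(events) if h['risk_score'] is not None]
    return max(scores, default=0)


# Constructed events document modelled on the excerpt above; only the
# "YARA" section is included.
SAMPLE_EVENTS = json.loads('''{
  "YARA": {
    "6": {"YARA_Hit": {"header": {"YARA_StaticEventHeader": {"event_number": 6}},
                       "is_main_sample": false, "resource_id": 7, "risk_score": 0,
                       "rule_has_risk_score": true, "rule_name": "EXE",
                       "tag": "FileID", "type": 2}},
    "7": {"YARA_Hit": {"header": {"YARA_StaticEventHeader": {"event_number": 7}},
                       "is_main_sample": false, "resource_id": 7, "risk_score": 10,
                       "rule_has_risk_score": true, "rule_name": "TravNet",
                       "tag": "APT", "type": 2}}
  }
}''')

if __name__ == '__main__':
    url, body = build_task_request('ca.example.net', 21, get_dropped_files=True,
                                   yara={'tp_ANALYTICS.YARA.SCAN_MEMDUMP': False})
    print('POST', url, body)
    print('GET', events_url('ca.example.net', 436))
    for h in yara_hits(SAMPLE_EVENTS):
        print(h)
    print('highest YARA risk score:', highest_yara_risk(SAMPLE_EVENTS))
```

The body string is exactly what the curl -d argument above carries, so the helper can be handed to any HTTP client; the events parser expects the JSON object returned by the /events call, as loaded with json.loads.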

Apply YARA Rules


Select Malware Analysis > Other Settings > YARA to access YARA features.

YARA is a tool that helps malware researchers to identify and classify malware families. YARA rules can be applied
to static files or to running processes during on-box sandboxing to determine if a sample belongs to a particular
malware family. See YARA results under Static Events.

• Official YARA documentation and updates are located at plusvic.github.io/yara/.

• YARA is enabled by default.

The appliance is preloaded with a set of YARA rules. You can add your own rules, but you cannot modify the built-in rules.


1. Select Malware Analysis > Other Settings > YARA.

2. To enable YARA, click Enable YARA. Or to disable, click Disable YARA.

3. To modify the current set of YARA rules, select from the following operations:

• Upload New YARA file: Select a new YAR file to overwrite the current file.

• Append to YARA file: Select a YAR file to add its rules to the current file.

• Download YARA file: Download the yara_rules.yar file to your workstation. This file contains any rules you or other users have manually added; it does not contain the default set of rules that come on the system. Edit the file according to YARA syntax, then click Upload New YARA file to upload the edited file.

• Delete YARA file: This operation deletes all YARA rules. No YARA hits will occur until a new YARA file is uploaded.

About HTTP Archive (HAR)

The HTTP Archive (HAR) contains a log of HTTP client/server conversations and can be used for additional analysis
of page loads, downloads, and timings. HAR files are generated from the PCAP file within each task, providing the
analyst with an additional valuable tool for further analysis.

You can enable HAR while creating a task for the IVM or MobileVM environments. The option, Create an HTTP
Archive resource from the packet capture (HAR), is in the Basic Options tab. See "Configure Task Settings"
on page 47 for more information.

Upon task completion, the HAR resources are accessible in the Other Resources section of the task report.
Note that, if no HTTP traffic was generated during the task execution, HAR resources are not available. See "View
Task Summary Results" on page 65.

To view the raw HAR data, click the HTTP Archive link. Or, click HAR Viewer to display the HAR data in chart and
histogram form. Click a URL to display the HTTP headers associated with it. Click a request/response to see
details on the header.


Access HAR via the Remote API

The HTTP Archive is also accessible through the Remote API. To determine the resource ID for the HAR, use the
following curl command:

# curl -X GET http://<CA-host>/rapi/tasks/<task_ID>/resources

Look for the following values in the results:

resource_magic_magic — txt:har identifies this record as the HTTP archive.

task_resources_resource_id — Displays the resource ID.

Note that HAR uses JSON formatting.

"api_version": 4,
"exec_time": 0.0064,
"request": "GET /tasks/38/resources",
"results": [
    {
        ...
    },
    {
        "resource_magic_extension": null,
        "resource_magic_magic": "txt:har",
        "resource_magic_magic_id": 12,
        "task_resources_file_name": "bj1ITl-HTTP Archive",
        "task_resources_magic_id": 12,
        "task_resources_md5": "d5000fcd6b6215d7d022c200f9416158",
        "task_resources_resource_id": 93,
        "task_resources_task_id": 38
    },
    {
        ...

Using task_resources_resource_id 93, the following request will retrieve the HAR resource binary:

# curl -X GET http://<CA-host>/rapi/resources/93/bin

For more information on using RAPI, see the API Guide for Content Analysis and Malware Analysis.
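The two-step lookup above (find the txt:har record in the resource listing, then fetch /rapi/resources/<id>/bin) and a first pass over the HAR log it returns, as an added example that is not part of the guide or of any Symantec client. The resource listing is constructed from the record shown above, the HAR body is a constructed HAR 1.2 document, and the CA host stays a placeholder.

```python
import json

CA_HOST = "<CA-host>"   # placeholder, as in the curl commands above

# Constructed listing shaped like GET /rapi/tasks/<task_ID>/resources; the HAR
# record mirrors the one shown above, the first record is a non-HAR placeholder.
RESOURCES_JSON = """{"api_version": 4, "request": "GET /tasks/38/resources", "results": [
  {"resource_magic_magic": "PLACEHOLDER:not-har", "task_resources_resource_id": 92,
   "task_resources_task_id": 38},
  {"resource_magic_extension": null, "resource_magic_magic": "txt:har",
   "resource_magic_magic_id": 12, "task_resources_file_name": "bj1ITl-HTTP Archive",
   "task_resources_magic_id": 12, "task_resources_md5": "d5000fcd6b6215d7d022c200f9416158",
   "task_resources_resource_id": 93, "task_resources_task_id": 38}]}"""

# Constructed HAR 1.2 body (what /rapi/resources/<id>/bin returns for that record).
HAR_JSON = """{"log": {"version": "1.2", "entries": [
  {"request": {"method": "GET", "url": "http://www.example.com/"},
   "response": {"status": 200}, "time": 41.7},
  {"request": {"method": "POST", "url": "http://www.example.com/submit"},
   "response": {"status": 302}, "time": 18.2}]}}"""


def har_resource_id(resources):
    """task_resources_resource_id of the txt:har record, or None when the task
    generated no HTTP traffic (then no HAR resource exists at all)."""
    for rec in resources.get("results", []):
        if rec.get("resource_magic_magic") == "txt:har":
            return rec["task_resources_resource_id"]
    return None


def har_bin_url(host, resource_id):
    """URL of the HAR resource binary, matching the curl command above."""
    return "http://%s/rapi/resources/%d/bin" % (host, resource_id)


def har_url_for_task(resources_text, host=CA_HOST):
    """Full lookup from the listing body; None when the task has no HAR."""
    rid = har_resource_id(json.loads(resources_text))
    return None if rid is None else har_bin_url(host, rid)


def summarize_har(har_text):
    """One (method, url, status, time_ms) tuple per conversation in the HAR log."""
    har = json.loads(har_text)
    return [(e["request"]["method"], e["request"]["url"],
             e["response"]["status"], e.get("time"))
            for e in har["log"]["entries"]]
```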

About IVM Plugins

Plugins are a way to interact with an IntelliVM or sample during execution. Each sample can run exactly one
plugin. Plugins allow the IntelliVM to run, perform analysis upon the sample, and generate results based upon
predefined criteria.

With the IVM plugin capability, you can also achieve some of the benefits of forensic investigation and/or static
analysis while taking advantage of the automated dynamic analysis simultaneously. IVM plugins are Python
scripts that can interact with the IntelliVMs. They can interact before, during, and after sample execution, and are
limited only to what a particular analyst can program. Such features as memory dumping, hook detection, and
DLL injection are already present as plugins; when run as part of a dynamic analysis, they provide the relevant
information as resources available for download when the automated analysis finishes, typically after about sixty
seconds.

Plugin Structure

Plugins are written in Python. Out of the box, any standard Python library can be used for processing. Additional
libraries can be installed during the customization process using the standard Python method.

There are three callbacks in a plugin:

def guest_pre_exec():
    pass

def guest_exec():
    pass

def guest_post_exec():
    pass

guest_pre_exec()

This is called before the main guest_exec function. This callback could be used to initialize or set up the guest
environment (for example, proxy settings, debugger hooks, software configuration).

Note: The execution context is a service account rather than the Admin user; keep this in mind when setting HKCU/* keys and changing other settings.

guest_exec()

This is called after guest_pre_exec. This callback should first invoke the event listener START_MONITOR and then
execute the target sample. The default technique is to use the built-in function SHELLEXECUTE. guest_exec must
return quickly; therefore, the method used to execute the target sample must return immediately.

subprocess.call("calc.exe")   # BAD, blocks until process exits

subprocess.Popen("calc.exe")  # GOOD, process forks

SHELLEXECUTE("calc.exe")      # GOOD, command is injected into explorer.exe

guest_post_exec()

This is called after either the timeout value has been reached, or all tainted processes have exited. If the timeout
value has been reached, the target process may still be running. This callback could be used to inspect memory,
collect dropped files or perform any additional post-processing.

General Example

This is a basic "hello world" script that shows part of what can be done. In the guest_pre_exec() callback, data is
written to a text file and then Notepad is started. The call to ANTIVMTRICKS() modifies the VM to avoid some of
the more common ways of doing virtual environment detection.

import os, sys
import subprocess

# ANTIVMTRICKS, SHELLEXECUTE, START_MONITOR, ADD_RESOURCE and EXEC_ARGS are
# built-ins provided by the IntelliVM plugin environment, not Python imports.

def guest_pre_exec():
    ANTIVMTRICKS()
    with open('c:\\hello.txt', 'w') as f:
        f.write('Hello from guest_pre_exec')
    SHELLEXECUTE('notepad c:\\hello.txt')

def guest_exec():
    START_MONITOR(EXEC_ARGS)
    SHELLEXECUTE(EXEC_ARGS)

def guest_post_exec():
    ADD_RESOURCE('c:\\hello.txt')
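A plugin that uses the three callbacks for the "collect dropped files" case mentioned under guest_post_exec, as an added example that is not one of the plugins shipped with Content Analysis. START_MONITOR, SHELLEXECUTE, ADD_RESOURCE and EXEC_ARGS are assumed to be the IVM built-ins shown above, and the watched directories and size cap are assumptions; only find_dropped_files() runs outside the IntelliVM.

```python
import os
import time

# START_MONITOR, SHELLEXECUTE, ADD_RESOURCE and EXEC_ARGS are built-ins of the
# IntelliVM plugin environment (as used in the page's examples); they are not
# defined here, so only find_dropped_files() runs outside the IVM.
WATCH_DIRS = [r"c:\users", r"c:\windows\temp"]   # assumed drop locations
MAX_BYTES = 20 * 1024 * 1024                     # assumed cap per collected file
_start = 0.0


def find_dropped_files(roots, since, max_bytes=MAX_BYTES):
    """Files under `roots` modified at or after `since` (epoch seconds) and no
    larger than max_bytes, sorted. Files that vanish or deny access mid-walk
    are skipped rather than aborting the collection."""
    found = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue
                if st.st_mtime >= since and st.st_size <= max_bytes:
                    found.append(path)
    return sorted(found)


def guest_pre_exec():
    # Record the baseline before the sample runs; anything newer is "dropped".
    global _start
    _start = time.time()


def guest_exec():
    START_MONITOR(EXEC_ARGS)
    SHELLEXECUTE(EXEC_ARGS)      # returns immediately, as guest_exec must


def guest_post_exec():
    # Runs after the timeout or once all tainted processes exit; attach every
    # new file as a task resource available for download with the report.
    for path in find_dropped_files(WATCH_DIRS, _start):
        ADD_RESOURCE(path)
```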

Add a Plugin

Plugins can be added via the remote API. Plugins are considered sample resources and must be added as such.

Note: The plugin integer ID will be updated with each import. If you call this plugin from scripts you will need to update them after changing the plugin. No changes are needed in the UI.

If you wish to do this manually, review the RAPI documentation for the POST /rapi/samples/resources REST call.
The following example command remotely uploads the ghost_user_with_unpacker.py plugin:

curl -k -X POST --form upload=@ghost_user_with_unpacker.py --form owner=_SYSTEM_ \
  --form resource_magic=system:plugin:ivm -H 'X-API-TOKEN: ed670ba8025d4f3ea99cc480ed690169' \
  https://203.0.113.17/rapi/samples/resources

Example command to remotely upload an .egg archive file:

curl -k -X POST --form upload=@archive_unpacker.egg --form owner=_SYSTEM_ \
  --form resource_magic=system:archive:egg -H 'X-API-TOKEN: ed670ba8025d4f3ea99cc480ed690169' \
  https://203.0.113.17/rapi/samples/resources
