Malware Analysis Guide v24
CA Version 2.4
Symantec Content Analysis 2.4
Legal Notice
Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue
Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the
U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided
for informational purposes only and is not intended as advertising. All warranties relating to the information in
this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information
in this document is subject to change without notice.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS
AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE
HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL
DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,
REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER
COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND
ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER
APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT
AFTER DELIVERY TO YOU.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
www.symantec.com
Contents
Malware Analysis 37
Perform Malware Analysis 37
Before you Begin 37
Perform Malware Analysis 37
Malware Analysis Overview Dashboard 38
Malware Analysis Processing Statistics 41
Submit a Sample File for Analysis 43
Submit a ZIP File Sample 43
Submit a URL for Analysis 44
Create a Task for a Sample 45
Configure Task Settings 47
Basic Options 48
Advanced Options 50
Detection Options 51
Basic Options 53
Advanced Options 53
Basic Options 54
Advanced Options 55
Note that enabling on-box sandboxing decreases the throughput of the appliance, but it also increases your
detection capabilities.
Note: Content Analysis VA, CAS-S200, and AWS instances do not support on-box
sandboxing.
The on-box Malware Analysis dual-detection approach combines virtualization and emulation to capture more
malicious behavior across a wider range of custom environments.
• Virtualization Sandbox: Custom analysis profiles replicate Windows 7 and/or Windows 10 64-bit
production environments, including applications and browsers used. The sandbox can quickly spot
anomalies and behavioral differences that unveil anti-analysis, sleep, and other advanced evasion
techniques. A virtualized Android sandbox detects and analyzes mobile threats traversing enterprise
networks.
Multiple Detection Techniques
Malware Analysis uses a combination of static and dynamic analysis techniques that employ standard, custom,
and open source YARA patterns to unmask cleverly disguised malware. It detects packed malware and VM-aware
samples that alter their behavior in an artificial environment, plus malware that attempts to wait out any sandbox
analysis using short or long sleeps.
Defeat Anti-Analysis at Many Levels
Anti-analysis defeating tools – such as hook-based introspection, high-level and low-level event capture, and
detection in both kernel and user modes – intercept and convert behavior into detailed forensic intelligence.
Interact with Running Malware
A flexible plug-in architecture extends detection and processing by interacting with running malware, clicking
through dialog boxes and installers, and generating unique post-processing analysis artifacts.
Generate More Relevant Results
Virtual machine profiles replicate multiple custom production environments, allowing security analysts to
analyze threats across a range of operating systems and applications. They can closely match their
organizations' desktop environments, gathering intelligence on malware targeting their organizations directly or
seeking to exploit specific application vulnerabilities.
Customize Detection and Risk Scoring
Detection criteria, analysis parameters, firewall settings, and risk scoring can all be customized to add flexibility,
unique detection, and fast response capabilities when analyzing non-traditional and targeted malware in unique
production environments.
Adaptive Intelligence for Changing Threats
Because Malware Analysis does not rely on static signatures, its flexible detection patterns are designed to detect
polymorphic files, single-use targeted malware, and fast-changing website domains.
Detailed Forensics for Remediation
Symantec sandboxing technology provides security defenders a comprehensive map of the damage – including
both host-based and network indicators of compromise – that any malicious file or URL would cause to
equivalently configured production machines, without putting actual computers or sensitive data at risk.
Share Threat Intelligence
As unknown, advanced, or targeted malware and zero-day threats are exposed, the previously unseen or
uncategorized threats are shared across the security infrastructure with the Symantec Global Intelligent Network,
a network effect of our 300,000 customers worldwide.
Inoculation for Forward Defenses
Malware Analysis turns unknown threats into known threats and shares threat data with others across the global
network, improving the effectiveness of front-line defenses such as Symantec ProxySG secure web gateways by
moving protection forward to the perimeter, where blocking will take place for subsequent attacks.
The Content Analysis on-box sandboxing feature tests suspicious files in an emulated sandbox and/or in a
Windows 64-bit environment (Windows XP, Windows 7, or Windows 10) on a virtual machine.
Note: Content Analysis VA, Amazon Web Services instances, and CAS-S200 do not
support on-box sandboxing.
• Locate the Windows product key that came with your Windows ISO purchase; you will need the key to
activate your Windows license. Alternatively, you can specify a KMS server if you manage your product
keys with a Key Management Server.
• Set up a dirty line network for the IVMs to access the Internet during analysis. This connection should not
pass through your organization's security measures.
• Determine what additional applications you want to add to your IVM profile (such as commercial or
custom applications and web browsers).
3. "Add Windows ISO File" on page 13 (if you didn't do this when enabling the license or if you want to add
more than one base image)
or
"Add Windows Base Image" on page 18 (if you are importing an image that was downloaded from another
appliance).
7. Perform Malware Analysis (see Guide for Performing Malware Analysis on Content Analysis).
ISO Requirements
• Windows 7 and Windows XP ISO images without the service pack cannot be imported.
• The ISO import feature supports ISOs that include more than one edition of the operating system, for
example: Windows 7 Enterprise or Windows 10 Professional.
• Refer to release notes for the specific Windows versions and build numbers with which Symantec has
tested ISO installation.
Tip: Depending on your network, the upload process could take a while, so make
sure you have sufficient time before beginning.
d. Click Save Changes. A Confirmation dialog asks if you want to create a Windows profile.
2. If you have time to install the Windows ISO file now, click Yes. The On-Box Sandboxing Configuration
dialog opens.
Note: The uploading, Windows installation, and activation process can take
quite some time. To perform this task later, click No and then refer to "Add
Windows ISO File" on page 13.
• Download from Symantec — Select this option if you have purchased the Windows license from Symantec.
Click Next, select the Windows version and click Next again. Skip to the Windows licensing step
below.
• Upload from local file — Select this option if you have purchased the Windows license from
Microsoft and downloaded the ISO file to a local system. Windows XP is not available using this
option. Click Next, browse to the file, and click Next again.
• Download from URL — Select this option if you have purchased the Windows license from
Microsoft and the ISO file is on a web server. Click Next, enter the URL of the ISO file (for example,
http://webserver.test.com/windows10.iso), and click Next again.
Tip: URL download is the preferred option over uploading from a local file,
because the process of installing the ISO will happen in the background,
allowing you to perform other Content Analysis tasks without impacting the
installation. If you upload the ISO file from a local system, on the other hand,
you must stay on this page until the upload is complete.
4. For ISO Type, select Windows XP, Windows 7 64-bit, or Windows 10 64-bit.
a. Enter the Microsoft Windows Product Key. The product key is located on the Windows license
documentation you received from Microsoft. You may type the key in upper- or lowercase, but you
must include the dashes. Product keys are specific to the Windows version and edition.
or
If you purchased the Windows license from Microsoft and are managing your product keys with a
Key Management Service (KMS), enter the IP address or host name of your KMS Server. Note that
KMS is not an option for licenses purchased from Symantec.
KMS activations are valid for 180 days—the Activation Validity Interval. To remain activated, a KMS
client must renew its activation by connecting to the KMS server at least once every 180 days. By
default, a KMS client computer attempts to renew its activation every seven days. (The Renewal
Interval can be set on the client using slmgr /sri interval, but it will be overridden by the KMS server
setting.) If the client succeeds in reaching the KMS server at the Renewal Interval, the Activation
Validity period is reset and the activation is valid for another 180 days. If the client fails to reach the
KMS server, the system will watch for network changes or other qualifying events to trigger another
activation attempt. After 15 minutes, the system stops monitoring for qualifying events but still
attempts every Activation Interval (two hours by default).
b. Enter the IP address or host name of an NTP Server. This setting is required when using KMS (and
ignored when using product key activation).
c. Click Next.
7. Read the summary information and confirm that the details are correct. To modify any of the values, use
the Previous button. When you are ready to install the ISO, activate the Windows license, and build the
base image, click Create Base Image.
Caution: File uploads from Internet Explorer may fail due to the browser's file
upload size restrictions; 4GB is the maximum file size that can be uploaded in
IE 9–11.
8. You can monitor the download progress in the On-box Sandboxing Configuration dialog.
If you are installing a multi-edition ISO, you will be prompted after the download to select the specific
Windows version. Select the version and click Continue activation.
Content Analysis immediately begins installation of Windows in the IVM and shows snapshots of what is
taking place on the Windows desktop in the VM.
Follow the on-screen activation instructions. When the activation process is complete, the Windows base
image is listed in the Base Images panel and the initial IntelliVM (IVM) profile is listed in the Scanning
Profiles panel. The Status column shows Ready.
If the base image failed to load or Windows didn't activate, the Status column will display a descriptive
error message such as Invalid product key or Activation failed; see "Troubleshooting Windows Image
Upload/Download Issues" on page 19.
Note: You must have purchased and activated the On-box Sandboxing license in
order to select the Optimized for On-Box Sandboxing performance profile.
Additional Information
• If the On-Box Sandboxing license is not activated, the Optimized for On-Box Sandboxing option is not
available and cannot be selected.
• If you subscribe to antivirus services, you should select the Balanced profile to allocate resources fairly
between AV and on-box sandboxing.
• If you want to deactivate the On-Box Sandboxing license, you must first choose the Balanced profile.
ISO Requirements
• Windows 7 and Windows XP ISO images without the service pack cannot be imported.
• The ISO import feature supports ISOs that include more than one edition of the operating system, for
example: Windows 7 Enterprise or Windows 10 Professional.
• Refer to release notes for the specific Windows versions and build numbers with which Symantec has
tested ISO installation.
After the installation process is complete, the Windows ISO is converted to a base image that will be used in the
on-box sandboxing IntelliVM. Profiles are ready-to-run encapsulations of base images plus additional
customizations designed to replicate particular Windows environments. An initial profile is created when you
install the ISO file.
2. Click Create base image from an ISO image. The On-box Sandboxing Configuration dialog opens.
• Download from Symantec — Select this option if you have purchased the Windows license from Symantec.
Click Next, select the Windows version and click Next again. Skip to the Windows licensing step
below.
• Upload from local file — Select this option if you have purchased the Windows license from
Microsoft and downloaded the ISO file to a local system. Windows XP is not available using this
option. Click Next, browse to the file, and click Next again.
• Download from URL — Select this option if you have purchased the Windows license from
Microsoft and the ISO file is on a web server. Click Next, enter the URL of the ISO file (for example,
http://webserver.test.com/windows10.iso), and click Next again.
Tip: URL download is the preferred option over uploading from a local file,
because the process of installing the ISO will happen in the background,
allowing you to perform other Content Analysis tasks without impacting the
installation. If you upload the ISO file from a local system, on the other hand,
you must stay on this page until the upload is complete.
4. For ISO Type, select Windows XP, Windows 7 64-bit, or Windows 10 64-bit.
a. Enter the Microsoft Windows Product Key. The product key is located on the Windows license
documentation you received from Microsoft. You may type the key in upper- or lowercase, but you
must include the dashes. Product keys are specific to the Windows version and edition.
or
If you purchased the Windows license from Microsoft and are managing your product keys with a
Key Management Service (KMS), enter the IP address or host name of your KMS Server. Note that
KMS is not an option for licenses purchased from Symantec.
KMS activations are valid for 180 days—the Activation Validity Interval. To remain activated, a KMS
client must renew its activation by connecting to the KMS server at least once every 180 days. By
default, a KMS client computer attempts to renew its activation every seven days. (The Renewal
Interval can be set on the client using slmgr /sri interval, but it will be overridden by the KMS server
setting.) If the client succeeds in reaching the KMS server at the Renewal Interval, the Activation
Validity period is reset and the activation is valid for another 180 days. If the client fails to reach the
KMS server, the system will watch for network changes or other qualifying events to trigger another
activation attempt. After 15 minutes, the system stops monitoring for qualifying events but still
attempts every Activation Interval (two hours by default).
b. Enter the IP address or host name of an NTP Server. This setting is required when using KMS (and
ignored when using product key activation).
c. Click Next.
7. Read the summary information and confirm that the details are correct. To modify any of the values, use
the Previous button. When you are ready to install the ISO, activate the Windows license, and build the
base image, click Create Base Image.
Caution: File uploads from Internet Explorer may fail due to the browser's file
upload size restrictions; 4GB is the maximum file size that can be uploaded in
IE 9–11.
8. You can monitor the download progress in the On-box Sandboxing Configuration dialog.
If you are installing a multi-edition ISO, you will be prompted after the download to select the specific
Windows version. Select the version and click Continue activation.
Content Analysis immediately begins installation of Windows in the IVM and shows snapshots of what is
taking place on the Windows desktop in the VM.
Follow the on-screen activation instructions. When the activation process is complete, the Windows base
image is listed in the Base Images panel and the initial IntelliVM (IVM) profile is listed in the Scanning
Profiles panel. The Status column shows Ready.
If the base image failed to load or Windows didn't activate, the Status column will display a descriptive
error message such as Invalid product key or Activation failed; see "Troubleshooting Windows Image
Upload/Download Issues" on page 19.
In addition to adding an initial profile when the base image is downloaded, Content Analysis creates a task. A task
is an execution of a sample file or URL in a defined environment (operating system profile + testing plugin script).
A plugin contains a specific set of actions or applications that are tested during sandbox evaluation. Tasks are
listed on the Malware Analysis tab; you can add, edit, or delete tasks as necessary.
1. Place the Windows base image on a local web server or system that the Content Analysis appliance can
access.
2. When uploading a file, make sure the Content Analysis web UI is running in a Chrome, Firefox, or Safari
browser. File uploads from IE 11 may fail due to the browser's file upload size restrictions.
4. Click Import previously exported base image. The On-box Sandboxing Configuration dialog opens.
If you have downloaded the image to a local system, click Upload from local file. Click Next, browse to
the file, and click Next again.
or
If the base image is on a web server, click Download from URL. Click Next, enter the URL to the file, and
click Next again.
If you want the connection to go through the configured HTTP proxy, select the Use System Proxy check
box. For internal web servers, you probably don't need to proxy the connection, although it depends on
your network setup.
Caution: Since the base image is a large file, it will take quite some time to add
to Content Analysis, even if it's downloading from the local network. File
uploads from Internet Explorer may fail due to the browser's file upload size
restrictions; 4GB is the maximum file size that can be uploaded in IE 9–11.
6. Verify that the image is listed in the Base Images panel and the Status column shows Ready.
7. After adding a Windows base image, you will probably want to import the IVM profile associated with the
image. You can import profiles using the ma-actions profiles command.
Caution: If the base image failed to load, the Status column will display a descriptive
error message; see "Troubleshooting Windows Image Upload/Download Issues"
below.
Once you have uploaded a base image the following settings are automatically enabled:
• The Symantec Malware Analysis service on Services > Sandboxing > General Settings
• The Local Instance server and the default task on Services > Sandboxing > Symantec Malware
Analysis
• If you had a failed attempt to add an ISO or base image, you may need to remove the partial image before
you can proceed. Use the Manage button to remove the image.
• If you have trouble uploading a Windows base image or ISO file, make sure the Content Analysis web UI is
running in a Chrome, Firefox, or Safari browser. File uploads from Internet Explorer may fail due to the
browser's file upload size restrictions; 4GB is the maximum file size that can be uploaded in IE 9–11.
• When Content Analysis proxies through a ProxySG that is using Content Analysis for malware scanning,
adding a base image using URL download will fail because the base image file (~10GB) exceeds the file size
limit allowed on Content Analysis. There are a few ways to work around this limitation. The recommended
method is to bypass ICAP/CA scanning for *.symantec.com, as the files hosted on the Symantec site are
known good. Another workaround is to configure Content Analysis to serve (not block) the file if it
exceeds the file size limit: Services > AV Scanning Behavior > maximum individual file size exceeded
> serve. Configure this setting before downloading the image, and if you like, set it back to block after the
download is complete. Alternatively, you can upload the base image from a file instead of downloading
from a URL.
Each base image can have one or more IntelliVM profiles, each with its own customizations designed to replicate a
particular Windows environment. These customizations may include commercial applications, custom
applications, additional web browsers, and patches to components. Note that only one profile is allowed per base
image when in trial mode.
2. In the On-box Sandboxing screen, click Add Profile. The Create Profile dialog opens.
3. From the Select Base list, select the base image you added.
4. For Profile Name, enter a meaningful name to identify the new profile, for example Win 7 Sales Profile.
5. Optional — For Profile Description, enter a detailed explanation of the unique characteristics of this
profile, such as browser version, custom applications included.
2. In the Scanning Profiles section, click the Manage button, and then click Customize Profile. It will take a
moment for the profile to enter customization mode.
4. Use an RDP client (such as Microsoft Remote Desktop) to RDP into port 3389 of the host system; this will
give you access to the VM that is in customization mode.
5. Optional: Use the provided templates for quicker customization of a Windows 7 IVM profile. See
"Templates for Customizing a Windows 7 IVM Profile" on the facing page.
6. Add additional software, such as commercial or custom applications and web browsers. See "Transfer
Installation Files to an IVM" on page 30.
7. For any applications that are newly installed or for modifications made to existing applications, ensure
that auto-updating is disabled.
• Windows Update
• Microsoft Office
• Java
• Microsoft Silverlight
• Adobe Reader
• Browsers
8. When finished customizing the profile, it is a best practice to reboot the IVM, open the RDP session again,
and ensure the applications are operating as desired. Once that is confirmed, you can shut down the IVM
within Windows (issue shutdown at a command prompt), wait a minute, and finally click Start >
Disconnect to terminate the Remote Desktop connection if it's not closed automatically.
9. Return to Content Analysis and click the Build Profile button in the Customize and Build window.
Tip: After you have customized the profile, you can duplicate it to other Content
Analysis appliances. See "Copy iVM Profiles onto Multiple Appliances" on page 33.
2. Enter customization mode for your Windows 7 profile. See "Customize an IVM Profile" on page 21.
3. Copy the Win7_profile_templates.zip file to the IVM and extract the registry, settings, and batch files from
the archive. See "Transfer Installation Files to an IVM" on page 30.
4. Follow the procedures below to install applications and set the appropriate settings.
1. Because Office Viewer collides with the full version of Office, you need to uninstall the Office Viewer
applications. You can use the GUI, enter commands at the command prompt, or run the attached
batch file. The recommended and easiest method is to use the batch file.
wmic product "Compatibility Pack for the 2007 Office system" call uninstall
wmic product "Microsoft Office Excel Viewer" call uninstall
wmic product "Microsoft PowerPoint Viewer" call uninstall
wmic product "Microsoft Office Word Viewer 2003" call uninstall
Or, if using the GUI, uninstall the four applications from Programs and Features.
3. After it is complete, open Word, choose Don’t make changes, and then close Word.
4. Run Office2010-RegistryTemplate.reg.
5. Reboot the IVM from the command prompt with shutdown /r.
1. Uninstall Adobe Reader 9.3 using either Programs and Features or execute the following from the
command prompt:
4. Restart the IVM from the command prompt by issuing shutdown /r.
5. RDP back into the profile after the reboot and open Adobe Reader X.
explorer.exe %appdata%\Adobe\Acrobat\10.0\
7. Copy the TMDocs.sav and TMGrpPrm.sav files to the 10.0 folder. These particular settings make Adobe
Reader more vulnerable.
Internet Explorer 11
The IE registry template will place the web browser in a highly vulnerable state.
3. After reboot, open the browser and choose Don’t use recommended settings.
4. Run IE11-RegistryTemplate.reg.
6. Open IE once after reboot, and then close the browser window.
1. Download and run the Dotnet Framework 4.5 installer prior to installing EMET 5.5.
2. Download and run the EMET 5.5 installer, choose Use Recommended Settings, and then close EMET.
3. Run EMET-registry-template.reg.
The default screen resolution on the IVM console is 1024x768. To increase the resolution so that you can see
more on the screen, you can use the resolution registry template.
1. Run Set-Resolution-RegistryTemplate.reg.
[Screenshot omitted: IVM console at 1920x1080 resolution]
1. To transfer application installation files to your IVM, use one of the following methods:
• Use Remote Desktop Sharing. In the Remote Desktop Connection window, go to Options > Local
Resources > More… > Local devices and resources. Select the location to map.
• From inside the IVM, open a browser and connect to the Internet to download software from an
Internet resource or vendor site. (This connection is made through the Backend interface.)
• Copy and paste the file from the client environment through the RDP session. For example, copy a
file to the IVM Desktop from the client Desktop.
3. Install, license, and configure each application to resemble a typical computing environment at your
organization.
Which firewall setting to use depends on the tradeoffs you are willing to make, as well as your organization's
policies and risk tolerance. The more network access you allow, the better the fidelity of test results, because a
wider range of network activities is recorded. On the other hand, executing live malware samples carries
the risk that the sample will attempt to attack internal or external hosts. For maximum detection efficacy, use the
Unlimited firewall policy and ensure the dirty line is properly isolated from the production traffic. The default
firewall type is Isolated.
Tip: Which firewall option you choose also depends on whether you configure a
dirty line network. If you define a static dirty line network interface, you can safely
choose the Unlimited option.
2. In the Firewall section, choose the desired task firewall option: Isolated, Limited, or Unlimited. See
descriptions above for details.
below. Although Content Analysis can perform on-box sandboxing without a dirty line network, it is not
recommended.
1. In the On-box Sandboxing screen (Services > Sandboxing > Symantec On-box Sandboxing), locate
the Dirty Line Network panel.
2. If you don't have a separate dirty line network, choose Same as Backend for the IP Settings. This option
forces the IntelliVMs to use the Backend interface instead of the dirty line interface. The Backend interface
is connected to your organization's LAN and is used for the UI connection, system and pattern updates,
and base-image activation. This means that your organization's security measures will be applied to the
sample analysis and malicious traffic will potentially go through the primary interface.
b. For Network Interface, select the interface that your dirty line network is connected to (for
example, 1:1). See "Requirements for Dirty Line Interface" below.
c. For Default Gateway, enter the IP address of the gateway for the dirty line network. Symantec
recommends that you use an Internet gateway separate from your primary ISP.
• The interface specified must be on a dedicated subnet, different from the management network.
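To check the dedicated-subnet requirement before entering the dirty line settings, here is an added shell example, not part of the Symantec guide or the product: it parses IPv4 CIDR blocks with POSIX sh arithmetic, reports whether the proposed dirty line subnet overlaps the management (Backend) subnet, and confirms the default gateway lies inside the dirty line subnet. The function names and the RFC 5737 documentation addresses are this example's own constructed values.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): pre-flight check that a dirty
# line subnet is disjoint from the management/Backend subnet and that the
# dirty line gateway is inside the dirty line subnet. Sample values below are
# constructed from RFC 5737 documentation ranges.

# ip4_to_int A.B.C.D -> unsigned 32-bit value as a decimal integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_from_prefix N -> netmask for /N as a decimal integer (/0 handled
# separately so we never shift a 32-bit value by 32 bits)
mask_from_prefix() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# subnets_overlap A.B.C.D/N E.F.G.H/M -> exit 0 if the two blocks share any address
# Two blocks overlap exactly when they agree on the shorter of the two prefixes.
subnets_overlap() {
    ip1=${1%/*}; p1=${1#*/}
    ip2=${2%/*}; p2=${2#*/}
    if [ "$p1" -lt "$p2" ]; then p=$p1; else p=$p2; fi
    m=$(mask_from_prefix "$p")
    n1=$(( $(ip4_to_int "$ip1") & m ))
    n2=$(( $(ip4_to_int "$ip2") & m ))
    [ "$n1" -eq "$n2" ]
}

# check_dirty_line MGMT_CIDR DIRTY_CIDR DIRTY_GATEWAY
#   exit 0 (and print OK) only when the dirty line block does not overlap the
#   management block and the gateway address falls inside the dirty line block.
check_dirty_line() {
    mgmt=$1; dirty=$2; gw=$3
    if subnets_overlap "$mgmt" "$dirty"; then
        echo "FAIL: dirty line $dirty overlaps management network $mgmt"
        return 1
    fi
    if ! subnets_overlap "$dirty" "$gw/32"; then
        echo "FAIL: gateway $gw is not inside dirty line subnet $dirty"
        return 1
    fi
    echo "OK: dirty line $dirty is isolated from $mgmt; gateway $gw is on the dirty line"
    return 0
}

# Constructed sample runs: a correct layout, then a dirty line carved out of the
# management network (the misconfiguration the guide warns against).
check_dirty_line 192.0.2.0/24 198.51.100.0/24 198.51.100.1
check_dirty_line 192.0.2.0/24 192.0.2.128/25 192.0.2.129 || true
```

Run it before filling in the Network Interface and Default Gateway fields; a FAIL on the first test means sample traffic would be able to reach management hosts on the same broadcast domain, which is precisely what the Unlimited firewall option relies on the dirty line to prevent.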
Content Analysis offers two ways to duplicate IVM profiles onto multiple appliances. Both methods require that
you first prepare an export package of the profile you want to clone.
• Option 1: Import the export package and Windows base image directly. See "Import Directly from Another
Content Analysis Appliance" below.
• Option 2: Use an intermediate server to host the export package and Windows image. See "Download
from a Web Server" on the next page.
This operation requires that you enter CLI commands on each Content Analysis appliance (source and target
systems). It uses remote APIs to pull a profile export package and Windows base image off of a remote system
and place it on the current (target) system.
• Added or imported IVM profiles do not persist with a downgrade to pre-2.2 versions. For example, if you
downgrade to CA 2.1, you will lose any profiles that were imported from a different Content Analysis
appliance.
• If you will be using an intermediate server to host the export package, you will need:
The diagram below illustrates the process of preparing an export package on a source Content Analysis appliance
and then importing it on the target appliance.
1. On the source Content Analysis appliance, customize the IVM profile until you have the golden master you
want to duplicate on other appliances. See "Add and Customize IVM Profiles" on page 20.
4. Record the export ID associated with the package. Use the ma-actions profiles exports status command
to find the ID.
5. Generate an API key and save the value in a text file; you will reference this key value when importing the
base image and IVM profile.
6. Look up the ID number of the Windows base image you want to import on the target appliance; you will
reference this ID when importing the image.
8. Import the Windows base image from the source Content Analysis appliance.
Example: ma-actions bases imports import remote_host 203.0.113.17 vmb_id 1 api_key ******
The diagram below illustrates an alternative way to import a Windows base image and export package: by putting
them on a web server and then pulling them off the server and onto the target Content Analysis appliance.
Use this method if the direct method described above does not work properly.
1. On the source Content Analysis appliance, customize the IVM profile until you have the golden master you
want to duplicate on other appliances. See "Add and Customize IVM Profiles" on page 20.
4. Record the export ID associated with the package. Use the ma-actions profiles exports status command
to find the ID.
6. Download the export package to an external system via RAPI. Use the curl command from an external
system:
curl -k -H "X-API-TOKEN:<API-key>" https://<CA-IP>:8082/rapi/system/vm/profiles/export/<export-id>/bin > <filename>
For example:
curl -k -H "X-API-TOKEN:7a49af86645e4e3a9f24608636135f64" https://203.0.113.17:8082/rapi/system/vm/profiles/export/05E8VHWCJXMN6BZT29J9SV3M1R/bin > windows-7-64-bit.export.qcow2.bundle
In the above example, 7a49af86645e4e3a9f24608636135f64 is the API key you saved in Step 5, 203.0.113.17
is the IP address of the Content Analysis appliance containing the export package,
05E8VHWCJXMN6BZT29J9SV3M1R is the export ID you recorded in Step 4, and windows-7-64-bit.export.qcow2.bundle
is the export filename.
Note that -k tells curl to skip TLS certificate verification, which is what lets the command work against the
appliance's self-signed certificate. If your workstation trusts a certificate installed on the appliance, omit -k
(or pass --cacert with the appliance certificate) so that the API key is only ever sent to a host you have verified.
7. Download the Windows base image to an external system via RAPI. Use the curl command from an
external system:
In the above example, 7a49af86645e4e3a9f24608636135f64 is the API key you saved in Step 5, 203.0.113.17
is the IP address of the Content Analysis appliance containing the base image, and the base image ID is 1.
8. Place the export package and base image on a web server the target Content Analysis appliances can
access. (This step may not be necessary if the external system where you downloaded the package in Step
6 is a web server.)
10. Import the base image from the web server. For example:
ma-actions bases imports download url https://myserver.com/bases/filename
Alternatively, you can use the Content Analysis web UI to import a base image. See "Add Windows Base
Image" on page 18.
11. Import the profile export package from the web server. For example:
ma-actions profiles imports download url https://myserver.com/profiles/windows-7-64-bit.export.qcow2.bundle
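The download in Step 6 of the web-server procedure, written as a small Python client rather than a curl one-liner. This is an added example, not Symantec's code and not part of the original guide. It uses only what the procedure shows: the https://<CA-IP>:8082/rapi/system/vm/profiles/export/<export-id>/bin endpoint and the X-API-TOKEN header (the base-image endpoint from Step 7 is not printed on this page, so it is deliberately left out). Two things a practitioner wants that the curl command lacks are added: TLS certificate verification stays on (pass the appliance certificate as ca_bundle instead of using -k), and the bundle is hashed as it is written so the hash can be rechecked after the file is staged on the intermediate web server. The stub_fetch transport, FAKE_BUNDLE and demo() are constructed stand-ins so the module runs offline; the sample IP, export ID and key are the ones printed in the procedure.

```python
"""RAPI export-package download with certificate verification and integrity check."""
import hashlib
import os
import ssl
import tempfile
import urllib.request

RAPI_PORT = 8082
# Path taken from the curl command in the procedure above.
EXPORT_PATH = "/rapi/system/vm/profiles/export/{export_id}/bin"


def export_url(ca_ip, export_id):
    """URL of a profile export package on the source appliance."""
    return "https://%s:%d%s" % (ca_ip, RAPI_PORT, EXPORT_PATH.format(export_id=export_id))


def _urllib_fetch(req, ctx):
    """Default transport: stream the response body in 64 KiB chunks."""
    with urllib.request.urlopen(req, context=ctx) as resp:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            yield chunk


def download_export(ca_ip, export_id, api_key, dest, ca_bundle=None, fetch=_urllib_fetch):
    """Stream the export package to dest and return its SHA-256 hex digest.

    Unlike `curl -k`, the server certificate is verified: pass the appliance's
    certificate (PEM) as ca_bundle, or None to use the system trust store.
    """
    req = urllib.request.Request(export_url(ca_ip, export_id),
                                 headers={"X-API-TOKEN": api_key})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    digest = hashlib.sha256()
    with open(dest, "wb") as out:
        for chunk in fetch(req, ctx):
            digest.update(chunk)
            out.write(chunk)
    return digest.hexdigest()


def sha256_of(path):
    """Re-hash a copy of the bundle, e.g. after staging it on the web server."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


# ---- constructed stand-in for the appliance so the module runs offline ----
FAKE_API_KEY = "7a49af86645e4e3a9f24608636135f64"        # key shown in the procedure
FAKE_BUNDLE = b"CONSTRUCTED-QCOW2-BUNDLE\n" + bytes(range(256)) * 8


def stub_fetch(req, ctx):
    """Mimics the appliance: rejects a bad token, otherwise streams the bundle."""
    if req.get_header("X-api-token") != FAKE_API_KEY:   # urllib capitalises header names
        raise PermissionError("401 from RAPI: bad X-API-TOKEN")
    if not req.full_url.startswith("https://203.0.113.17:8082/rapi/system/vm/profiles/export/"):
        raise FileNotFoundError("404 from RAPI: unknown export ID")
    for i in range(0, len(FAKE_BUNDLE), 1000):
        yield FAKE_BUNDLE[i:i + 1000]


def demo():
    """Download via the stub, confirm the staged copy matches, and confirm a bad key is refused."""
    tmpdir = tempfile.mkdtemp()
    bundle = os.path.join(tmpdir, "windows-7-64-bit.export.qcow2.bundle")
    digest = download_export("203.0.113.17", "05E8VHWCJXMN6BZT29J9SV3M1R",
                             FAKE_API_KEY, bundle, fetch=stub_fetch)
    ok_download = digest == hashlib.sha256(FAKE_BUNDLE).hexdigest()
    ok_staged = sha256_of(bundle) == digest
    try:
        download_export("203.0.113.17", "05E8VHWCJXMN6BZT29J9SV3M1R", "wrong-key",
                        os.path.join(tmpdir, "rejected.bin"), fetch=stub_fetch)
        rejected = False
    except PermissionError:
        rejected = True
    return ok_download, ok_staged, rejected


if __name__ == "__main__":
    print(demo())
```

Record the digest returned by download_export alongside the export ID; after Step 8 places the bundle on the web server, fetch it once and compare with sha256_of before pointing ma-actions profiles imports at it, so a corrupted or swapped bundle is caught before it becomes an IVM profile.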
Malware Analysis
When Content Analysis is licensed for on-box sandboxing, you can perform in-depth malware analysis by
uploading samples, viewing detailed task result reports, and drilling down to view events that occurred during
detonation in the sandbox.
n Configured Content Analysis for on-box sandboxing. See "Use On-box Sandboxing" on page 6.
3. Upload a file, compressed (zip) file, or URL for analysis. Multiple files may be submitted. You will
automatically be prompted to create a task.
4. "Create a Task for a Sample" on page 45, selecting the sandbox environment (such as IVM Profile or
Apple) and configuring its details.
b. When the task has completed, click the ID to view the "View Task Summary Results" on page 65. It
presents a results overview. The Risk Score is the key piece of data, indicating whether the file is
malicious. Additional tabs present information on events and timelines.
n View the Other Resources section on the Task Summary and the Resource list on the Sample
Details screen. If the sample dropped other files to disk when it detonated, those files will be
available for download.
Caution: Proceed with caution. These files are not encrypted and may be
malicious.
n View the Dynamic Event List to see what happened when the file executed. For example, FS_Create
event type means that a file was created.
n View the Static Event List for detailed information obtained during static analysis of the sample.
8. Super Analysts and Administrators only: Review tasks and samples created by other analysts.
This panel displays a list of the tasks that resulted in high risk scores, allowing you to quickly see items of concern
and drill down for more detail. Users with Admin or Super Analyst privileges see tasks created by all users; users
with Analyst privileges see only their own tasks.
The Latest 100 High Risk Tasks panel displays the following information for each task.
Task ID The numeric ID associated with the task. Click the ID to view the Task Report page.
Label The filename, URL, MD5 hash, or user-defined name of the sample
n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance
n [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.
Date Added The date and time when the task was run
Use the My Recent Samples section to view the most recent samples that have been submitted to on-box
sandboxing for analysis, either manually or automatically through Content Analysis. Users with Admin or Super
Analyst privileges see samples submitted by all users; users with Analyst privileges see only their own samples.
Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.
The My Recent Samples panel displays the following information for each sample.
n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.
Task Count Number of tasks that have been performed on this sample
Date Added The date and time when the sample was added
n View All My Samples: Displays a complete list of all of your samples (not just your recent ones) on the
My Samples window.
n Submit Samples: Opens the Upload samples window, where you can submit one or more files for
analysis.
n Submit URLs: Opens the Enter URLs window, where you can submit one or more URLs for analysis.
n Search: Perform an advanced search for samples. Only the samples that you are authorized to see will be
displayed.
In the Quick Analysis (Sandbox) section, click Add Files to browse, or drag and drop directly from your
computer to Add Files. All of the selected files are uploaded to on-box sandboxing, and the default task is run on
each sample in its proper environment as soon as the upload is completed.
n Android files (APK) that are submitted via Quick Analysis are routed automatically to the MobileVM
environment.
Click any task to go to its task results; see "Get Sample Details" on page 58. These tasks and samples are also
available in the My Samples and My Tasks lists.
Perform fast searches based on known sample attributes. You will see only the results that you are authorized to
see.
n Search Task ID: Task IDs are unique numbers that are generated automatically when you create a task. If
you know the ID associated with the task you want to view, enter the number and click Search Task ID. A
successful match to an existing task takes you directly to the corresponding Task Report.
n Search Label: Search by the sample's label, which defaults to the filename of the sample unless it has
been changed by an authorized user.
Two histograms are displayed in the Processing Stats panel. Place your mouse over any data point for details.
IntelliVM Queue Size: Displays the number of tasks in the queue waiting for the on-box sandbox to analyze.
The chart shows the minimum, maximum, and average number of tasks in the queue for each hour.
Tip: A useful chart selection is Tasks Complete, Risk Score Bar Chart, IntelliVM Queue
Size, and High Risk Score Bar Chart over the Last 24 hours.
Or from the Malware Analysis > Overview page, click the title of one of the histogram charts.
Chart: Description
Risk Score Pie: Count of tasks at each risk score, as a pie. Each risk score has its own color (green = low, red = high).
Risk Score Bar Chart: Color-coded risk scores over the specified time.
High Risk Score Bar Chart: Risk scores of 7 or higher over the specified time.
Tasks Complete: Count of completed tasks over the specified time.
IntelliVM Queue Size: Minimum and maximum number of tasks in the queue for each interval, as well as how many
tasks were actually in the queue.
Sandbox Execution Time: Time spent processing the sample in the virtual machine during the specified period.
Sandbox Total Execution Time: Time it took for the sample to be processed completely; includes time spent in the
virtual machine, determining file reputation, processing the results, and running other services on the task.
IntelliVM Execution Time: Minimum, maximum, and average execution time for each interval, as well as how long
execution took in the specified period.
IntelliVM Total Execution Time: Minimum, maximum, and average total execution time for each interval, as well as
how long execution took in the specified period.
Mobile IntelliVM Execution Time: Minimum, maximum, and average execution time for each interval, as well as how
long execution took in the specified period.
Mobile IntelliVM Total Execution Time: Minimum, maximum, and average total execution time for each interval, as
well as how long execution took in the specified period.
Apple Analyzer Execution Time: Minimum and maximum execution time for each interval, as well as how long
execution took in the specified period.
Apple Analyzer Total Execution Time: Minimum, maximum, and average total execution time for each interval, as
well as how long execution took in the specified period.
n Last Hour
n Last 24 Hours
n Last 7 days
n Last Month
n Custom: Follow up by selecting the From/To dates and time period in Hours, Days, or Months.
3. Select one or more files and click Open. The file(s) are displayed in the list.
4. Click Continue. The Create Task window opens, where you will define and execute a task on the sample.
See "Create a Task for a Sample" on page 45.
1. Select Malware Analysis > Submit > Upload and Unpack Zip.
4. Browse and select a ZIP file. The file will be uploaded, then appear under Filename.
5. Wait for the Status column to show "Upload completed" for each file.
n Click Continue. The Create Tasks page is displayed, where you will define and execute a task on the
sample. See "Create a Task for a Sample" on the facing page.
Default task options are set by the Administrator. These settings apply to automatically submitted samples, and
are also displayed for manual task configuration, where they can be overridden, as desired.
n Select Malware Analysis > Overview, then select Submit URLs under My Recent Samples.
2. Type in the list of URLs, one per line. All standard formats are allowed; however, prefix each URL with
http:// or https://, because the sandbox environment does not always know how to handle a URI string
that lacks a scheme:
4. The Create Task window opens, where you will define and execute a task on the URLs. See "Create a Task
for a Sample" below.
1. After uploading a sample file, ZIP, or URL, you have the option of creating a task for the sample. Click
Continue after the file submission is complete. (For URL submission, the Create URL Task screen
automatically displays.)
2. Or if you chose not to create the task at the time of sample submission, you can create the task for the
sample at any time:
a. Select Malware Analysis > My Samples or Malware Analysis > All Samples.
b. Click the ID or label of the sample you want to create a task for. The Sample Details screen opens.
c. Click the Create New Task button. The Create Task screen opens.
3. Select the Environment Type you want to run the sample in.
5. Click Create Task to save the task. The task will run, and present the Task Summary where you can view
task results (such as risk score).
For each environment type, specify default task settings to be used for automatic sample submission, as from
Content Analysis, Security Analytics, or Symantec Messaging Gateway, as well as for samples that are manually
submitted using the Malware Analysis tab or RAPI. Each environment has its own set of tasks and possible
defaults.
Basic Options
Firewall
Content Analysis on-box sandboxing provides three task firewall options for the IntelliVM analysis
environment. Note that these firewall options are not to be confused with the firewall security system on
your network.
Which firewall setting to use depends on the tradeoffs you are willing to make, as well as your organization's
policies and risk tolerance. The more network access you allow, the better fidelity of test results because of
the wider range of network activities that are recorded. On the other hand, executing live malware samples
carries the risk that the sample will attempt to attack internal or external hosts. For maximum detection
efficacy, use the Unlimited firewall policy and ensure the dirty line is properly isolated from the production
traffic. The default firewall type is Isolated.
Tip: Which firewall option you choose also depends on whether you configure a
dirty line network. If you define a static dirty line network interface, you can safely
choose the Unlimited option.
IntelliVM Options
n Specify the Execution time limit in seconds. 60 seconds is a reasonable balance between detection and
throughput. A longer execution time increases detection but reduces throughput; use a longer run when
you want more detail on a specific piece of malware (for example, a sample that sleeps before it acts).
n For Override file extension, specify a file extension for on-box sandboxing to use if the file types
and their extensions do not match.
Note: On-box sandboxing will detect the actual file type regardless of the
extension (for example, an EXE masquerading as a PDF) unless an entry is
made here. If entered, on-box sandboxing will treat the sample file(s) as the
type entered.
n Select Smart Detonation to prevent likely clean PDF files from being sent to the sandbox. This setting
is enabled by default. With Smart Detonation, Content Analysis pre-scans each PDF file for elements
that can be used for malicious purposes. Files that contain no potentially malicious elements are not
sent to the sandbox, thereby conserving resources.
n Select Get dropped files to preserve any files that the sample creates, deletes, or modifies during the
task. The files are saved as task resources and are automatically scanned by YARA rules. The files
appear under Other Resources on the Task Summary report.
Tip: Best practices are to disable the Get dropped files setting for bulk
analysis as ransomware samples can generate millions of dropped files. It
may be desirable to enable this setting during manual malware analysis
though.
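The two IntelliVM options above that decide what reaches the sandbox, Override file extension (the sandbox goes by the real file type, not the name) and Smart Detonation (PDFs with no risky elements are skipped), are illustrated by the following pre-filter. It is an added example, not Symantec's code, and the list of PDF elements it treats as worth detonating (JavaScript, OpenAction, Launch, embedded files and so on) is an assumption of this example; the guide does not publish what Smart Detonation actually checks. A file whose bytes do not start with a PDF header is passed straight to the sandbox, which is how an EXE masquerading as a PDF still gets detonated. The four inputs at the bottom are constructed.

```python
"""Smart-Detonation-style triage: only PDFs with risky elements go to the sandbox."""
import re

# Assumed list of PDF dictionary keys that warrant detonation (not Symantec's list).
RISKY_PDF_PATTERNS = [
    (rb"/JavaScript\b", "embedded JavaScript"),
    (rb"/JS\b", "JavaScript action"),
    (rb"/OpenAction\b", "action run when the document opens"),
    (rb"/AA\b", "additional (automatic) actions"),
    (rb"/Launch\b", "launches an external program"),
    (rb"/EmbeddedFiles?\b", "embedded file attachment"),
    (rb"/RichMedia\b", "rich media (Flash) annotation"),
    (rb"/XFA\b", "XFA form"),
]

# PDF names may be written with #xx hex escapes (e.g. /J#61vaScript) to dodge
# naive string matching, so decode them before looking for keys.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data):
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_triage(data):
    """Return (send_to_sandbox, findings) for the raw bytes of a submitted file."""
    if not data.lstrip().startswith(b"%PDF-"):
        # Not actually a PDF, whatever the extension says: let the sandbox type it.
        return True, ["no PDF header; real file type must be identified by the sandbox"]
    body = normalise_names(data)
    findings = [desc for pat, desc in RISKY_PDF_PATTERNS if re.search(pat, body)]
    # Object streams hold dictionaries inside compressed data that this pre-filter
    # does not inflate, so their presence is a reason to detonate, not to skip.
    if b"/ObjStm" in body:
        findings.append("object streams present; keys may be hidden in compressed data")
    return bool(findings), findings


# ---- constructed inputs ----
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
             b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
             b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 4 0 R/Pages 2 0 R>>endobj\n"
          b"4 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj\n%%EOF\n")
OBFUSCATED_PDF = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/Open#41ction 4 0 R>>endobj\n"
                  b"4 0 obj<</S/J#61vaScript/JS(this.exportDataObject())>>endobj\n%%EOF\n")
EXE_NAMED_PDF = b"MZ\x90\x00" + b"\x00" * 60          # a PE header saved as invoice.pdf

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PDF), ("js", JS_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("exe-as-pdf", EXE_NAMED_PDF)]:
        print(name, pdf_triage(blob))
```

The filter errs toward detonation: anything it cannot classify (non-PDF bytes, compressed object streams) is sent on, and only a PDF with none of the listed elements is dropped, which is the same direction of error Smart Detonation is described as taking.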
Analytics Options
The HTTP Archive (HAR) contains a log of HTTP client/server conversations and can be used for additional
analysis of page loads, downloads, and timings. HAR files are generated from the PCAP file within each task,
providing the analyst with an additional valuable tool for further analysis.
Advanced Options
Use Execution Arguments to control how the sample is launched. The default value is {sample}, which will
be replaced with the fully qualified path of the sample. You can also use this space to pass parameters into
IntelliVM plugins. For example:
n {sample} --param1 [parameter1]: Passes values to the sample as it runs. (You would need to know
which values the sample requests and in what order.)
For Guest Path, type a file path to override the default, which is c:\Windows\temp.
n Drop all file system events: Filter out file system events. Recommended for debugging only.
n Enable task logging: Creates a task resource that contains debugging information about the task
execution.
n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google protocol buffer file (binary serialization).
Detection Options
Digital DNA is a memory analysis technology. In combination with on-box sandboxing's memory snapshots, it
automatically inspects memory images and examines code for potentially malicious behavioral traits and
threats. Digital DNA is able to detect zero-day attacks, rootkits, and other malware not detected by other
solutions.
This capability is possible because DDNA is able to examine the code and get insight into unexecuted code
paths. It looks beyond evasion techniques and even provides results when supporting malware components
are not available.
Note: This option increases the analysis time required for samples, effectively
reducing the overall throughput capacity of the appliance. In rare cases, it can also
lead to false positive detections.
Plugins
A plugin contains a specific set of actions or applications that are tested during sandbox evaluation.
Plugins allow the IntelliVM to run, perform analysis upon the sample, and generate results based upon
predefined criteria. Each sample can run exactly one plugin. Plugins are not available in the emulated SandBox
environment.
With plugins, you can achieve some of the benefits of forensic investigation and/or static analysis while taking
advantage of the automated dynamic analysis simultaneously. Plugins can interact before, during, and after
sample execution.
n ghost_user.py: Emulates advanced user interaction, including navigating dialogs and multi-screen
installers. The Ghost plugin supports some newer dialog box types, resulting in more accurate
automated input to user prompts. Symantec recommends enabling the ghost_user.py plugin when
performing bulk analysis.
Click View to see the plugin's code. Following the .py extension is the owner of the plugin and the timestamp
for the plugin's creation. See "About IVM Plugins" on page 99 for information on creating and customizing
plugins.
Basic Options
n Keep the SandBox raw API events: Preserve the API trace log in raw format.
n Keep the SandBox text API events: Preserve the API trace log in text format.
n Get dropped files: Preserve any files that the sample creates. The files are saved as task resources
that are automatically scanned by YARA rules.
Advanced Options
Event Collection
n Drop all file system events: Filter out file system events.
Other Options
n Enable task logging: Creates a task resource that contains debugging information about the task
execution.
n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google Protocol Buffer (GPB) file, a standard format for binary serialization.
Basic Options
Firewall
Content Analysis on-box sandboxing provides three task firewall options for the IntelliVM analysis
environment. Note that these firewall options are not to be confused with the firewall security system on
your network.
Which firewall setting to use depends on the tradeoffs you are willing to make, as well as your organization's
policies and risk tolerance. The more network access you allow, the better fidelity of test results because of
the wider range of network activities that are recorded. On the other hand, executing live malware samples
carries the risk that the sample will attempt to attack internal or external hosts. For maximum detection
efficacy, use the Unlimited firewall policy and ensure the dirty line is properly isolated from the production
traffic. The default firewall type is Isolated.
Tip: Which firewall option you choose also depends on whether you configure a
dirty line network. If you define a static dirty line network interface, you can safely
choose the Unlimited option.
Mobile IntelliVM Options
Specify the Execution time limit in seconds. 60 seconds is a reasonable balance between detection and
throughput. A longer execution time increases detection but reduces throughput; use a longer run when you
want more detail on a specific piece of malware.
Analytics
The HTTP Archive (HAR) contains a log of HTTP client/server conversations and can be used for additional
analysis of page loads, downloads, and timings. HAR files are generated from the PCAP file within each task,
providing the analyst with an additional valuable tool for further analysis.
Advanced Options
n Enable task logging: Creates a task resource that contains debugging information about the task
execution.
n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google protocol buffer file (binary serialization).
Set options for the Apple Analyzer environment type to analyze samples in an Apple iOS environment.
Supported formats:
n OSX: DMG, PKG, executable Mach-O for any Apple operating system or library
n Save prefiltered event data: Creates a task resource that contains the raw, unfiltered event data as
a Google protocol buffer file (binary serialization).
3. Click Save as Default. The configured settings will apply to tasks for that environment.
The My Samples tab presents information about all samples submitted by the currently logged-in user.
Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.
1. Select Malware Analysis > My Samples. The list of samples displays, with the following columns.
Label The filename, URL, MD5 hash, or user-defined name of the sample.
n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance
n [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.
2. Click the ID or label to see the "Get Sample Details" on the next page or create a task for the sample.
3. Use the sort arrows on the column headings to sort a column in ascending or descending order.
Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.
Sample Details
View basic information about the sample.
Owner The user who submitted the sample in the Malware Analysis tab, or a parameter set via the API
Added The date and time that the sample was submitted to the Malware Analysis (not the date the tasks were
run)
Click Create New Task to create and run a new task on this sample. See "Create a Task for a Sample" on
page 45.
Resource list
See artifacts and attributes that are related to the sample. This section is visible only if the sample is a file.
Resource Filename
Note: The downloaded file—the actual sample—is not protected or zipped. Take care not to launch
malware into your organization's environment.
Date Added Date and time that the sample was created (not the date the sample was run)
View on-box sandboxing samples submitted by all entities and users (if logged-in user has an Admin or Super
Analyst role) or your own samples (if logged-in user has Analyst role).
Note: A sample is any file or URL submitted to on-box sandboxing for analysis. It
can be any type of file; for example, a document, an image file, or a piece of code. To
manually submit a sample, see "Submit a Sample File for Analysis" on page 43 or
"Submit a URL for Analysis" on page 44. Tasks are defined when a sample is
uploaded; see "Create a Task for a Sample" on page 45.
The All Samples list shows samples submitted by any of the following methods: manual submission in the
Malware Analysis tab or remote API, automatic submission by Content Analysis or an outside device (such as
Security Analytics or Symantec Messaging Gateway). You can drill down to find out more information about any
of the samples, as well as create a task for the sample.
1. Select Malware Analysis > All Samples. The list of samples displays, with the following columns.
Label The filename, URL, MD5 hash, or user-defined name of the sample.
n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content
Analysis appliance
n [hostname]: Sample submitted by an outside device, such as the Symantec Security Analytics
or Messaging Gateway
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value was
entered for the source HTTP parameter.
2. Click the ID or label to see the "Get Sample Details" on page 58 or create a task for the sample.
3. Use the sort arrows on the column headings to sort a column in ascending or descending order.
View all on-box sandboxing tasks created by the currently logged-in user. This list is useful for finding out the
status of a task (whether it is in the queue, being processed, or has been completed) and the results of a task (its
risk score).
1. Select Malware Analysis > Tasks. The list of tasks displays, with the following columns.
ID Unique, system-assigned number. Click the ID to view the Task Summary report.
Label The filename, URL, MD5 hash, or user-defined name of the sample. Click the label to view the
Task Summary report.
Environment Profile type: IntelliVM (Windows 7 64-bit), IntelliVM (Windows 10 64-bit), Mobile IntelliVM, Apple
Analyzer
n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the
Content Analysis appliance
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value
was entered for the source HTTP parameter.
Created UTC timestamp for when the user created the task
2. Has on-box sandboxing completed the analysis of a task? Look at the Task Status column to determine
whether a task is in the queue, being processed, or has been completed.
3. Did malware analysis conclude that the sample is a threat? Look at the Risk Score column to determine
the results of a task. High risk scores are highlighted in red.
4. To drill down into details on the task analysis, click the task ID or label. See "View Task Summary Results"
on page 65.
View on-box sandboxing tasks created by all users (if logged-in user has an Admin or Super Analyst role) or your
own tasks (if logged-in user has Analyst role). This list is useful for finding out the status of a task (whether it is in
the queue, being processed, or has been completed) and the results of a task (its risk score).
1. Select Malware Analysis > All Tasks. The list of tasks displays, with the following columns.
ID Unique, system-assigned number. Click the ID to view the Task Summary report.
Label The filename, URL, MD5 hash, or user-defined name of the sample. Click the label to view the
Task Summary report.
Environment Profile type: IntelliVM (Windows 7 64-bit), IntelliVM (Windows 10 64-bit), Mobile IntelliVM, Apple
Analyzer
n CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the
Content Analysis appliance
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value
was entered for the source HTTP parameter.
Created UTC timestamp for when the user created the task
Note: Risk score results returns all tasks with the specified risk score, or above, which also
includes at least one exact pattern hit.
2. Has on-box sandboxing completed the analysis of a task? Look at the Task Status column to determine
whether a task is in the queue, being processed, or has been completed.
3. Did malware analysis conclude that the sample is a threat? Look at the Risk Score column to determine
the results of a task. High risk scores are highlighted in red.
4. To drill down into details on the task analysis, click the task ID or label. See "View Task Summary Results"
below.
itself) and any tasks that have been run on the sample using a SandBox, IntelliVM, Apple, or MobileVM
environment.
1. Select Malware Analysis > Tasks or Malware Analysis > All Tasks. The list of tasks displays.
2. Click the task ID number or label to access the results report for a task. The Task Summary opens.
3. Study the different sections of the screen to find out details about the task, sample, patterns that
triggered, and so forth.
4. Where available, click the filter icon to pivot to the "Search Malware Analysis Tasks" on page 74 page.
Task Details
The Task Details section shows basic information about the task.
Risk Level: Numeric value from 0 to 10, automatically assigned by on-box sandboxing, determined by the patterns
that triggered during the sample execution. See Malware Analysis Risk Scores.
Note: The pattern with the highest risk score determines the overall risk level assigned to the sample.
Execution Arguments: The arguments or parameters that were invoked when the sample was executed.
Properties: The task settings that were selected for the task execution, such as the plugin, firewall mode, and
timeout value.
Recreate Task: Rerun the current task with the current settings. See "Create a Task for a Sample" on page 45.
Recreate Task with Detailed Capture: Rerun the current task with no events filtered. See "Create a Task for a
Sample" on page 45.
Note: It may be useful to recreate the task if the previous task analysis was run a long time ago or if the
IntelliVM environment has changed. Recreating a task can also take advantage of new plugins, different
firewall settings, and different execution arguments. Furthermore, some malware is time-sensitive or
date-sensitive, and recreating the task might yield additional behaviors that did not manifest
themselves in the original task run.
PCAP Files: This section may contain a packet capture (PCAP) file if the sample, whether a URL or a file,
generated network activity in the IntelliVM or MobileVM environment. The capture starts at the same time as
sample processing and ends just before task processing completes.
The Pattern Matching Results section lists the specific patterns that "triggered," based on behavior observed
during the sample task run, along with the risk score of each pattern. For example, pattern matching results
might include Connects to possibly malicious URL with a risk level of 7, Connects to site associated with Web
Advertisements with a risk level of 5, or Leaks PI with a risk level of 3.
Patterns are matched at the time that a user or API retrieves a task report, not at the time the task ran. The
risk level of the same task can therefore change between two retrievals if patterns have been added or removed
in the meantime, or if the risk level assigned to a pattern has been changed. If you export risk scores to another
system (for example, a SIEM), record when the report was retrieved as well as the score.
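How the numbers in the Task Details and Pattern Matching Results sections relate, shown as an added example that is not Symantec's code and does not reflect the appliance's actual pattern definitions. The three patterns use the names and risk levels quoted above (7, 5 and 3); the event types (NET_Connect, FS_Read, FS_Create, NET_Send), the two task event lists and the host lists are constructed. Two points from the text are exercised: the overall risk level is the highest risk among triggered patterns, and because patterns are evaluated when a report is retrieved, scoring the same events against an updated pattern set (PATTERNS_V2 adds a risk-9 pattern) changes the result. filter_tasks implements the All Tasks note that a risk-score search returns tasks at or above the score that also have at least one pattern hit.

```python
"""Pattern-based risk scoring over a dynamic event list (illustrative, not the product's logic)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    seq: int                       # position in the Dynamic Event List
    etype: str                     # e.g. FS_Create, NET_Connect, PROC_Create
    detail: Dict[str, str] = field(default_factory=dict)


@dataclass
class Pattern:
    name: str
    risk: int                      # 0-10, as on the Task Details page
    matches: Callable[[List[Event]], bool]


SUSPECT_HOSTS = {"203.0.113.66"}           # constructed "possibly malicious" list
AD_HOSTS = {"ads.example.net"}             # constructed advertising host list


def _connects_to(hosts):
    return lambda evs: any(e.etype == "NET_Connect" and e.detail.get("host") in hosts for e in evs)


def _leaks_pi(evs):
    """Reads a cookie store and later sends data out: a crude 'Leaks PI' predicate."""
    reads = [e.seq for e in evs if e.etype == "FS_Read" and "cookies" in e.detail.get("path", "").lower()]
    sends = [e.seq for e in evs if e.etype == "NET_Send"]
    return bool(reads and sends) and min(reads) < max(sends)


def _startup_exe(evs):
    return any(e.etype == "FS_Create"
               and "\\startup\\" in e.detail.get("path", "").lower()
               and e.detail["path"].lower().endswith(".exe") for e in evs)


PATTERNS_V1 = [
    Pattern("Connects to possibly malicious URL", 7, _connects_to(SUSPECT_HOSTS)),
    Pattern("Connects to site associated with Web Advertisements", 5, _connects_to(AD_HOSTS)),
    Pattern("Leaks PI", 3, _leaks_pi),
]
# A later pattern set: the analyst team added a persistence pattern after the task ran.
PATTERNS_V2 = PATTERNS_V1 + [Pattern("Creates executable in Startup folder", 9, _startup_exe)]


def score_task(events, patterns) -> Tuple[int, List[Tuple[str, int]]]:
    """Risk level = highest risk among triggered patterns (0 if none), plus the hit list."""
    hits = [(p.name, p.risk) for p in patterns if p.matches(events)]
    return max((r for _, r in hits), default=0), hits


def filter_tasks(reports, min_risk):
    """All Tasks risk-score search: score >= min_risk AND at least one exact pattern hit."""
    return [tid for tid, (score, hits) in reports.items() if score >= min_risk and hits]


# ---- constructed event lists for two tasks ----
TASK_101 = [
    Event(1, "PROC_Create", {"image": "C:\\Windows\\Temp\\sample.exe"}),
    Event(2, "FS_Read", {"path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"}),
    Event(3, "NET_Connect", {"host": "ads.example.net", "port": "80"}),
    Event(4, "NET_Connect", {"host": "203.0.113.66", "port": "443"}),
    Event(5, "NET_Send", {"host": "203.0.113.66", "bytes": "2048"}),
    Event(6, "FS_Create", {"path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\"
                                   "Start Menu\\Programs\\Startup\\upd.exe"}),
]
TASK_102 = [
    Event(1, "PROC_Create", {"image": "C:\\Windows\\Temp\\sample.exe"}),
    Event(2, "FS_Create", {"path": "C:\\Windows\\Temp\\out.txt"}),
]

if __name__ == "__main__":
    print("task 101, patterns v1:", score_task(TASK_101, PATTERNS_V1))   # risk 7, three hits
    print("task 101, patterns v2:", score_task(TASK_101, PATTERNS_V2))   # risk 9, four hits
    print("task 102:", score_task(TASK_102, PATTERNS_V2))                # risk 0, no hits
    reports = {101: score_task(TASK_101, PATTERNS_V1), 102: score_task(TASK_102, PATTERNS_V1)}
    print("tasks with risk >= 0 and a pattern hit:", filter_tasks(reports, 0))
```

Task 102 is excluded from the filter even at a threshold of 0 because it triggered no pattern, which is the behaviour the All Tasks note describes.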
Sample Details
The Sample Details section lists the following details about the sample used in the task.
• CAS: [cas_ip]: Submitted by Content Analysis, where cas_ip is the IP address of the Content Analysis
appliance
Note: If the sample was submitted via a remote API, the Source field will be blank unless a value
was entered for the source HTTP parameter.
Received: Date and time that the sample was created (not the date the sample was run)
Note: The downloaded file (the actual sample) is not protected or zipped. Take care not to launch
malware into your organization's environment.
Other Resources
The Other Resources section lists task resources that were either generated by or used by the sample. The task
• Create an HTTP Archive resource from the packet capture (HAR). See "About HTTP Archive (HAR)" on page 97.
Most resources are available for further analysis by clicking the link to download the resource to your
workstation. You may also choose to run these resources through on-box sandboxing to generate additional
intelligence concerning malicious activity that is associated with the sample or its resources.
The pie chart shows the occurrence of events in proportion to total events.
Screenshots
The Screenshots section contains screenshot thumbnails of the desktop if any changes were detected at task
completion. Click a thumbnail to view the screenshot full-sized.
Activity Report
The Activity Report summarizes event data grouped by type (static events, process/thread events, file system
events, mobile events) to aid in analysis and remediation efforts. Events that trigger pattern matches are
highlighted.
Next Steps
View further results:
• Event Timeline
For further malware analysis, view the Dynamic Event List to see behaviors exhibited during analysis. The list
shows task events in the order that they executed during analysis. You can click an item to see further
information, including details about the sample.
1. Select Malware Analysis > Tasks or All Tasks. The list of tasks displays.
2. Click the ID number or label for the task you want to analyze. The Task Summary opens.
3. Click the Dynamic Event List tab. The events associated with the task are listed in the order that they
were executed during analysis.
4. Review the events. The following information is provided for each event:
PID: Numerical ID of the process within the operating system that was responsible for generating the
event in the analyzed sample
TID: Numerical ID of the thread within the operating system that was responsible for generating the
event in the analyzed sample
Type: The event that occurred while the sample was executed in the IVM environment. For example,
FS_Create is file creation.
Summary: Additional information about the event, such as the name of the file that was created or
modified
5. Click an item to see further information, including details about the sample.
6. (Optional) Use the Filter results field to narrow down the events displayed on the list.
Tip: If you find a number of similar behaviors, you can use that information to help
create new patterns.
Click the task ID number on a task to access the Static Event List results report for a task. View task events by
provider and type. Static events are observations made about the sample by examining it with assorted tools;
static analysis does not, per se, occur while the task is running.
1. Select Malware Analysis > Tasks or All Tasks. The list of tasks displays.
2. Click the ID number or label for the task you want to analyze. The Task Summary opens.
3. Click the Static Event List tab. The events associated with the task are listed.
4. Review the events. The following information is provided for each event:
Provider: An internal code that indicates which analysis component created the event
Type: The event that occurred while the sample was executed in the IVM environment. For example,
FMD_FileResource is a file reputation lookup.
5. Click an item to see further information, including details about the sample.
6. (Optional) Use the Filter results field to narrow down the events displayed on the list.
1. Select Malware Analysis > Tasks or All Tasks. The list of tasks displays.
2. Click the ID number or label for the task you want to analyze. The Task Summary opens.
3. Click the Event Timeline tab. The events associated with the task are listed.
4. Use the controls under the chart to select which events to display. The available choices depend on which
object, registry, IP, and file-system events were found.
Note: Only tasks that were created in versions 2.4.1 and later can be searched using
this function.
Search Query
Build queries in the Search Query field using one of these methods:
• Type filter attributes directly (see "Filter Attributes" on page 78); begin typing to auto-complete the terms.
• Click a filter icon on the Task Results page or in expanded entries on this page.
Results Summary
On the bottom right of the page is the Result Summary section, which displays:
• : contains
• :~ fuzzy match
You can combine multiple search criteria together with Boolean operators (AND, OR, NOT). The Boolean
operators are not case-sensitive. If the Boolean is omitted it defaults to AND.
Examples
pattern_hits_name:sleep AND risk_score:6 — tasks that have patterns with "sleep" in the name and with a
risk score of 6
Enclose search criteria in nested parentheses to specify the order in which the criteria should be applied.
Example
((file_magic:PE32\:win32\:gui) AND pattern_hits_name:"Packer\: UPX") AND pattern_hits_name:"PE\: Nonstandard section"
In this query file_magic:PE32:win32:gui is applied first, then to those results pattern_hits_name:"Packer: UPX"
is applied, and then to those results pattern_hits_name:"PE: Nonstandard section" is applied. Removing the
parentheses would return far more results.
Wildcards
The Malware Analysis task search feature allows you to specify standard wildcards in query strings:
• To perform a multiple-character wildcard search, use the * symbol at the end or in the middle of a search
string. Example: sleep* matches sleep, sleeps, or sleeping.
• If you aren't sure of the spelling of a single-word string, use the fuzzy-search symbol (~) after the word.
Example: slep~ matches words with similar spellings, such as sleep.
Dates
• The date fields support ISO date/time format (ISO 8601) as well as the Unix epoch.
Example: added:>2019-02-01 or added:>1549047497 finds tasks added on February 1, 2019 or later.
• Valid operators for date queries are >, <, >=, <= and : (contains).
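The query rules above (field:value terms, AND/OR/NOT with AND implied when the operator is omitted, nested parentheses, * wildcards, ~ fuzzy matching and >, <, >=, <= comparisons on dates and scores) can be exercised against a few task records. The following evaluator is an added example and is not the appliance's search engine: the TASKS records and their field values are constructed, and the fuzzy-match threshold (a similarity ratio of 0.8) and word-level wildcard matching are assumptions made here, not documented behavior.

```python
import difflib
import fnmatch
import re
from datetime import datetime, timezone

# A token is a parenthesis or one term: risk_score:6, added:>2019-02-01,
# file_magic:PE32\:win32\:gui or pattern_hits_name:"Packer\: UPX".
TOKEN = re.compile(r'\(|\)|[^\s()"]+(?:"(?:[^"\\]|\\.)*")?')
TERM = re.compile(r'^([A-Za-z_]+):(>=|<=|>|<|~)?(.*)$')


def parse(query):
    """Recursive descent: OR binds loosest, then AND (implied when omitted),
    then NOT and parentheses. Keywords are case-insensitive."""
    tokens = TOKEN.findall(query)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def advance():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def is_kw(word):
        return peek() is not None and peek().upper() == word

    def parse_or():
        node = parse_and()
        while is_kw("OR"):
            advance()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() not in (None, ")") and not is_kw("OR"):
            if is_kw("AND"):
                advance()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if is_kw("NOT"):
            advance()
            return ("not", parse_not())
        if peek() == "(":
            advance()
            node = parse_or()
            if advance() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        return ("term", advance())

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % peek())
    return tree


def to_timestamp(text):
    """Date values are ISO 8601 or Unix epoch seconds (UTC assumed)."""
    if text.isdigit():
        return float(text)
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc).timestamp()


def match_term(term, record):
    field, op, value = TERM.match(term).groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    value = value.replace("\\:", ":")          # \: escapes a literal colon
    actual = record.get(field)
    if actual is None:
        return False
    if op in (">", "<", ">=", "<="):
        wanted = to_timestamp(value) if field == "added" else float(value)
        return {">": actual > wanted, "<": actual < wanted,
                ">=": actual >= wanted, "<=": actual <= wanted}[op]
    if isinstance(actual, (int, float)):       # numeric field: ":" is equality
        return float(actual) == float(value)
    values = [str(v).lower() for v in (actual if isinstance(actual, list) else [actual])]
    words = [w for v in values for w in [v] + v.split()]
    value = value.lower()
    if op == "~" or value.endswith("~"):       # fuzzy: slep~ matches sleep
        target = value.rstrip("~")
        return any(difflib.SequenceMatcher(None, target, w).ratio() >= 0.8 for w in words)
    if "*" in value:                           # wildcard: sleep* matches sleeping
        return any(fnmatch.fnmatchcase(w, value) for w in words)
    return any(value in v for v in values)     # ":" on text means contains


def evaluate(node, record):
    kind = node[0]
    if kind == "term":
        return match_term(node[1], record)
    if kind == "not":
        return not evaluate(node[1], record)
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if kind == "and" else (left or right)


def search(query, records=None):
    """Return the ids of the records matching the query, in listing order."""
    tree = parse(query)
    return [r["id"] for r in (TASKS if records is None else records) if evaluate(tree, r)]


# Constructed task records, not real appliance output.
TASKS = [
    {"id": 1, "risk_score": 6, "added": 1549047497, "file_magic": "PE32:win32:gui",
     "pattern_hits_name": ["Long sleep detected", "Packer: UPX"]},
    {"id": 2, "risk_score": 9, "added": 1548000000, "file_magic": "PE32:win32:gui",
     "pattern_hits_name": ["Packer: UPX", "PE: Nonstandard section"]},
    {"id": 3, "risk_score": 6, "added": 1549047497, "file_magic": "PDF",
     "pattern_hits_name": ["Opens network connection"]},
]
```

With these records, `search("pattern_hits_name:sleep AND risk_score:6")` returns only task 1, and the nested query from the example above returns only task 2; dropping the parentheses changes nothing here because AND is associative, which is why the effect described above only shows once OR terms are mixed in.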
On the Task Summary page some of the items have a search icon. Click the icon to add the filter to the
search query field. For example, clicking an item in the Pattern Matching Results section pivots to the Malware
Analysis > Search page with pattern_hits_uuid:<UUID> as the search query.
In the results you can see all of the tasks that match the filter.
Click the arrow at the right of the ID to view details about the item and to add more filters using the filter icon.
Filter Attributes
• ctx = context, which refers to the origin of the sample. Valid only when the sample was sent via ICAP.
added: The date when the task report was made searchable. Examples: added:>2019-02-06, added:1549047497
ivm = IntelliVM
sbx = SandBox
pattern_hits_name: Names of patterns that hit task events. Examples: pattern_hits_name:"Long sleep detected",
pattern_hits_name:opens*
About Patterns
A pattern is a sequence of IP addresses, domain names, file headers, or strings that can be used to identify
potential malicious or otherwise interesting activity. Patterns form the basis of the on-box sandboxing's
embedded intelligence. Symantec's pattern matching engine compares the events generated during sample
analysis to an expansive library of behavioral-detection patterns to identify potential malicious activity. On-box
sandboxing conducts analysis of suspect samples, looking for indicators of malicious activity by matching against
a large and growing library of behavioral classification patterns.
Patterns range from generic suspicious activity—creating and terminating processes, changing registry keys—to
campaign-specific behaviors with highly unique characteristics. They reveal threat-classification indicators
including Trojans, spyware, worms, ransomware, and more. On-box sandboxing allows both global (SYSTEM) and
user-specific patterns. Patterns can detect targeted and single-use malware and do not rely on signature-based
detection methodologies.
A pattern will match if all of its conditions are met during a task run. A sample may trigger any number of pattern-
matches.
A pattern is typically a pattern group: a top-level pattern containing several subpatterns. See "Identify Malware
Patterns" on the next page. The risk score you provide when you define a pattern group indicates how strongly a
match correlates with malicious activity. For example, you might define a pattern group to identify bitcoin
miners, to detect activity directed to internal server addresses, or to detect any other specific confidential
information.
The Patterns screen displays all pattern groups known to the system. Patterns are typically downloaded from the
Symantec Global Intelligence Network (GIN). Content Analysis queries GIN to see if a file is known malicious. To
update patterns, see "Update Detection Patterns" on page 85.
3. On the Add New Pattern Group dialog, specify a name for the new pattern, then click New pattern group.
• Global: Make the pattern available to all Content Analysis users; otherwise, it is available only to you.
• Enabled: Enable the pattern for detection. Deselect to not detect the pattern.
• Risk Score: Select the risk score (or risk level) for the pattern: 10 is the most severe.
• Description: Free-form text explaining details concerning the logic or purpose of the pattern
5. Add the pattern conditions, which are based on a series of events that are linked by "any of" and "all of"
connectors:
Note: You can right-click the Boolean to switch mode between Any of and All of.
7. From the Add pattern list, select a pattern. See "Pattern Group Prefixes" on page 86 for more
information.
9. Click Save.
11. Enter the triggering criteria for the pattern on the new Add sub pattern dialog, and click Save.
The sub pattern options depend on the pattern selected. For example, a PageFaults pattern will offer sub
patterns of end_address and start_address (among others), with corresponding is/is not options,
whereas an IP_Connect pattern has sub patterns including local_port and remote_port, with the
additional address definition options.
12. The pattern and its sub pattern are displayed. Click Save Changes to finalize the pattern or Undo to
cancel.
Patterns are mapped to events in analysis reports (the Dynamic and Static events lists in the report tabs).
The pattern name displays at the top of the dialog, followed by detailed information on the pattern.
Column: Description
Risk Score: Indicator of potential maliciousness; risk scores on system-owned patterns cannot be modified.
Owner: The creator of the pattern; patterns owned by system are considered "external" patterns.
Revision: Version number for that pattern, whether provided on Content Analysis or created by the user
locally. Each time the pattern group is modified, the revision number is incremented.
The pattern and subpattern triggers are displayed below the dividing line.
In some cases a pattern contains two (2) distinct matching conditions, both of which must be detected for the
pattern to trigger. These distinct matching conditions are also the patterns and sub patterns.
The final outcome of the pattern group depends on the conditions met at the sub pattern level (such as equals,
startswith, and so on), then at the pattern level (all of or any of its sub patterns), and finally at the pattern
group itself (all of the patterns, or any of the patterns).
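The three-level composition described in the preceding paragraphs (sub pattern conditions, "all of"/"any of" over the sub patterns of a pattern, and again over the patterns of a group) can be modelled in a few functions. This is an added example, not the appliance's matching engine: the event records, attribute names and group definitions below are constructed (the event types IP_Connect and FS_Create and the attribute remote_port follow names mentioned in this guide), and the task score is taken as the highest score among the groups that hit, as the YARA section of this guide states for YARA hits.

```python
# Sub pattern operators named in this guide (equals, startswith) plus two
# obvious companions; each compares one event attribute with a wanted value.
SUB_OPS = {
    "equals": lambda actual, wanted: actual == wanted,
    "is not": lambda actual, wanted: actual != wanted,
    "startswith": lambda actual, wanted: str(actual).startswith(wanted),
    "contains": lambda actual, wanted: wanted in str(actual),
}


def sub_pattern_hits(sub, event):
    """A sub pattern is (attribute, operator, wanted value) tested on one event."""
    attribute, op, wanted = sub
    return attribute in event and SUB_OPS[op](event[attribute], wanted)


def pattern_hits(pattern, events):
    """A pattern names an event type, a connector and its sub patterns; it hits
    when a single event of that type satisfies all of / any of the sub patterns."""
    combine = all if pattern["connector"] == "all of" else any
    return any(
        event["type"] == pattern["event_type"]
        and combine(sub_pattern_hits(sub, event) for sub in pattern["subs"])
        for event in events
    )


def group_hits(group, events):
    """The group applies its own all of / any of connector across its patterns."""
    combine = all if group["connector"] == "all of" else any
    return combine(pattern_hits(p, events) for p in group["patterns"])


def evaluate(groups, events):
    """Names of enabled groups that hit, and the resulting task risk score."""
    hits = [g for g in groups if g["enabled"] and group_hits(g, events)]
    score = max((g["risk_score"] for g in hits), default=0)
    return [g["name"] for g in hits], score


# Constructed dynamic events from a hypothetical task run.
EVENTS = [
    {"type": "FS_Create", "path": "C:\\Users\\svc\\AppData\\Local\\Temp\\x.exe"},
    {"type": "IP_Connect", "remote_ip": "10.0.0.5", "remote_port": 445},
    {"type": "IP_Connect", "remote_ip": "203.0.113.9", "remote_port": 3333},
]

# Constructed pattern groups; names reuse the prefix convention of this guide.
GROUPS = [
    {"name": "NET_Internal_SMB", "enabled": True, "risk_score": 6, "connector": "all of",
     "patterns": [{"event_type": "IP_Connect", "connector": "all of",
                   "subs": [("remote_ip", "startswith", "10."),
                            ("remote_port", "equals", 445)]}]},
    {"name": "SYS_Temp_Drop_And_Mining_Port", "enabled": True, "risk_score": 8,
     "connector": "all of",
     "patterns": [{"event_type": "FS_Create", "connector": "all of",
                   "subs": [("path", "contains", "\\Temp\\")]},
                  {"event_type": "IP_Connect", "connector": "all of",
                   "subs": [("remote_port", "equals", 3333)]}]},
    {"name": "DBG_Any_SMB_Connect", "enabled": False, "risk_score": 10,
     "connector": "any of",
     "patterns": [{"event_type": "IP_Connect", "connector": "any of",
                   "subs": [("remote_port", "equals", 445)]}]},
    {"name": "NET_Proxy_Port", "enabled": True, "risk_score": 4, "connector": "any of",
     "patterns": [{"event_type": "IP_Connect", "connector": "all of",
                   "subs": [("remote_port", "equals", 8080)]},
                  {"event_type": "IP_Connect", "connector": "all of",
                   "subs": [("remote_port", "equals", 3128)]}]},
]

if __name__ == "__main__":
    print(evaluate(GROUPS, EVENTS))
```

Note that the "all of" connector at the pattern level is satisfied within one event (the same IP_Connect must carry both the internal address and port 445), whereas at the group level it is satisfied across the whole task (the file drop and the outbound connection are different events). The disabled group is ignored even though its condition is met, which is the effect of clearing Enabled in the pattern dialog.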
3. Enter a text string in the filter pattern field to locate patterns for the specified criteria. The string can be
part of a pattern name, its description, or its definition. If you enter more than one string, the list will be
filtered by patterns that contain all of the specified strings. For example: enter ransomware event.
As you type the search string, the list automatically filters to the patterns that meet your criteria.
Note: This section is not applicable to Content Analysis VA, CAS-S200, or Amazon
Web Services instances, because these models do not support on-box sandboxing.
Patterns are used for detecting malware. See "About Patterns" on page 81 for more information on patterns.
1. In the On-box Sandboxing screen (Services > Sandboxing > Symantec On-box Sandboxing), locate
the Detection Patterns panel.
2. Patterns are updated automatically at regular intervals. However, if you want to perform a manual update,
click Update patterns now. The button becomes inaccessible while the patterns update, then returns to
normal after the update process completes.
Prefix Definition
DBG_ Debug
EXP_ Exploit
MOB_ Mobile
NET_ Network
OBJ_ Object
SBX_ SandBox
SYS_ System
Advanced Malware Analysis Settings
Enhanced Stealth mode enables additional techniques, making it even harder for malware to detect the presence
of a sandbox. It is enabled by default. Using Enhanced Stealth mode provides a higher success rate on samples
that have advanced evasion and sandbox detection capabilities. There is a low probability of impact on the
stability of packed malware, which may decrease the success rate of behavior-based detection.
The Web Reputation Service integrates with the Symantec Global Intelligence Network (GIN) and requires that
the appliance have Internet access on port 443.
The Web Reputation Service leverages an online database, which contains ratings for millions of websites. The
rating system includes informational categories such as Education, Art/Culture, and Humor/Jokes as well as
potentially malicious categories such as Malicious Outbound Data/Botnets, Phishing, and Spam.
VirusTotal is a virus, malware, and URL online scanning service. If you have signed up for the VirusTotal
Community, you can locate your personal API key in your Community profile. You will need this key to activate
VirusTotal in Content Analysis's on-box sandboxing.
Disclaimer: This feature is provided on an AS-IS basis. Symantec has no control of, and is not responsible for,
information and content provided (or not) by VirusTotal. Customer is obligated to comply with all terms of use
regarding the foregoing, including quotas that may be imposed by VirusTotal. Symantec shall not be liable for any
discontinuance, availability or functionality of the features described herein.
About YARA
YARA is a tool that helps malware researchers to identify and classify malware families. A malware family is
defined as a set of files related by objective criteria derived from the files themselves. With YARA, researchers can
create descriptions of malware families based on textual or binary information contained within representative
samples. These descriptions are encapsulated as rules consisting of patterns and logic based on Boolean
expressions. Rules can be applied to static files or to running processes to determine if a sample belongs to a
particular malware family.
YARA leverages rules based on logical operators and integrates easily with Python.
• Access the binary assembly code and perform static analysis based on common or unique indicators.
• Dissect RATs (Poison Ivy, Dark Comet, Ghost Rat, Extreme Rat) and common utilities used by attackers.
• Detect packed binaries, look for common passwords, bank domains, attempts at terminating AV services.
• Specify byte-level rules and quickly analyze suspicious objects for threats specific to the organization.
• Trigger alerts and automated downstream processes whenever YARA rules "hit."
• Scanning packed samples for initial static indicators before the malware has been executed.
• Scanning memory dumps for additional malicious indicators at the conclusion of behavioral analysis
processes.
YARA Rules
Each YARA rule consists of a set of strings, regular expressions, and other binary patterns combined with Boolean
logical operators using a rich, fully documented syntax. Rules are applicable to files or memory artifacts (memory
dumps), and can be processed by tools that will recursively scan those files or analyze those memory images.
YARA rules look for static indicators — not behavioral dynamics — that provide telltale indicators of
maliciousness.
• Strings that appear in malicious files — Unique configuration items; commands used by remote
access tools
• Resources that are stored in malicious files — Distinctive icons; configuration information; other file
references
• Bytes implementing functions called by the malicious program — Indicative of the overall
character of the malware
Content Analysis is preloaded with a set of YARA rules, but you can add your own custom rules. To enable/disable
YARA, create rules, and manage your custom rules, select Malware Analysis > Other Settings > YARA. See
"Apply YARA Rules" on page 95.
Example 1
rule BadBoy
{
    strings:
        $a = "win.exe"
        $b = "http://foo.com/badfile1.exe"
        $c = "http://bar.com/badfile2.exe"
    condition:
        $a and ($b or $c)
}
Any file or process containing the string win.exe and either of the specified URLs is reported as BadBoy.
Example 2
rule TextOrHex
{
    strings:
        $text_string = "text here"
        $hex_string = { E2 34 A1 C8 23 FB }
    condition:
        $text_string or $hex_string
}
Any file or process containing the specified text_string or the hex_string is reported as TextOrHex.
Conditions
Conditions are Boolean expressions such as those used in IF statements in common programming languages.
They can contain typical Boolean operators AND, OR, NOT, and relational operators >=, <=, <, >, ==, and !=.
For numerical expressions, you can also use arithmetic (+, -, *, \, %) and bitwise operators (&, |, <<, >>, ~, ^).
To view YARA risk score results, select Malware Analysis > Patterns. On the resulting Pattern Groups page,
type yara in the Filter patterns field. All patterns that contain YARA_hit are displayed.
Once YARA functionality has been enabled by Administrators or Super Analysts, YARA scans are performed on the
primary sample by default. You can select additional YARA scanning as follows:
To perform YARA scans on any additional files that are "dropped" (that is, downloaded, extracted) by the primary
sample, select the Get dropped files check box on the Basic Options tab for IVMs and SandBox environments.
See "Configure Task Settings" on page 47.
Memory dumps (also known as memory images and memory artifacts) can be created during a task by enabling
the procdump.py plugin on the Plugins tab for the IntelliVM environment. Selecting the procdump.py plugin
performs YARA scans on the monitored processes of the virtual machine at the conclusion of the IntelliVM
analysis, focusing on memory sections frequently targeted by malware authors.
A task can be created and submitted via the Remote API as follows:
The task properties below are all set to 1 (enabled) by default, but can be set to 0 to disable that specific feature:
tp_ANALYTICS.YARA.SCAN_SAMPLE
tp_ANALYTICS.YARA.SCAN_DROPPED
tp_ANALYTICS.YARA.SCAN_MEMDUMP
The tp_IVM.GET_DROPPED_FILES flag can be set to 1 so that YARA scans any dropped files.
Example
curl -X POST -d "sample_id=<sample_ID>&env=ivm" http://<CA-host>/rapi/tasks
curl -X POST -d "sample_id=<sample_ID>&env=ivm&tp_IVM.GET_DROPPED_FILES=1" http://<CA-host>/rapi/tasks
YARA Detection
Each YARA pattern includes a risk score that ranges from 0 (harmless) to 10 (most malicious). Risk scores are
obtained directly from YARA rules, and any number of YARA rules may trigger pattern matches during a task
analysis.
YARA Results
YARA results are integrated into existing Malware Analysis resources. No additional analysis artifacts are created.
YARA results are prominently displayed in the Task Report's Activity Report under Static Events.
• A YARA rule has detected that the Armadillo packer is contained in this sample.
• The File Reputation service has recognized the executable as known malware.
• The YARA rule hit scores only 1, because the Armadillo packer is not by itself evidence of malware.
• The File Reputation Service returns the verdict "Malware," so Content Analysis assigned the risk score 9.
The highest risk score determines the overall risk score for the task: therefore, this task scores 9.
After a task has been created, task results — including YARA events — may be retrieved via the Remote API.
Use this command to view the specific events generated during the analysis:
Under the YARA section in the events JSON, the specific YARA rules that were triggered are clearly visible. In Event
6, the rule named EXE was triggered, which has a risk score of 0. In Event 7, the TravNet rule was triggered, which
has a risk score of 10.
"YARA": {
    …
    "6": {
        "YARA_Hit": {
            "header": {
                "YARA_StaticEventHeader": {
                    "event_number": 6
                }
            },
            "is_main_sample": false,
            "resource_id": 7,
            "risk_score": 0,
            "rule_has_risk_score": true,
            "rule_name": "EXE",
            "tag": "FileID",
            "type": 2
        }
    },
    "7": {
        "YARA_Hit": {
            "header": {
                "YARA_StaticEventHeader": {
                    "event_number": 7
                }
            },
            "is_main_sample": false,
            "resource_id": 7,
            "risk_score": 10,
            "rule_has_risk_score": true,
            "rule_name": "TravNet",
            "tag": "APT",
            "type": 2
        }
    }
}
},
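Once the events JSON has been retrieved, the YARA section can be flattened into a list of hits and reduced to a task score in the way this section describes (the highest score among the hits decides). The following is an added example and not appliance code: EVENTS_JSON is constructed from the excerpt above with the elided events left out, and treating a hit whose rule_has_risk_score is false as scoring 0 is an assumption made here.

```python
import json

# Constructed from the excerpt above; elided events are omitted.
EVENTS_JSON = """
{
  "YARA": {
    "6": {"YARA_Hit": {"header": {"YARA_StaticEventHeader": {"event_number": 6}},
                       "is_main_sample": false, "resource_id": 7, "risk_score": 0,
                       "rule_has_risk_score": true, "rule_name": "EXE",
                       "tag": "FileID", "type": 2}},
    "7": {"YARA_Hit": {"header": {"YARA_StaticEventHeader": {"event_number": 7}},
                       "is_main_sample": false, "resource_id": 7, "risk_score": 10,
                       "rule_has_risk_score": true, "rule_name": "TravNet",
                       "tag": "APT", "type": 2}}
  }
}
"""


def yara_hits(events):
    """Flatten the YARA section into one record per hit, ordered by event number."""
    hits = []
    for event in events.get("YARA", {}).values():
        hit = event.get("YARA_Hit")
        if hit is None:
            continue
        hits.append({
            "event": hit["header"]["YARA_StaticEventHeader"]["event_number"],
            "rule": hit["rule_name"],
            "tag": hit["tag"],
            # Assumption: a rule without a risk score contributes 0.
            "risk_score": hit["risk_score"] if hit.get("rule_has_risk_score") else 0,
            "resource_id": hit["resource_id"],
            "main_sample": hit["is_main_sample"],
        })
    return sorted(hits, key=lambda h: h["event"])


def task_risk_score(hits):
    """The highest score among the hits decides the task score."""
    return max((h["risk_score"] for h in hits), default=0)


def rules_at_or_above(hits, threshold):
    """Rule names worth escalating, e.g. everything scoring 7 or more."""
    return [h["rule"] for h in hits if h["risk_score"] >= threshold]


def rules_by_resource(hits):
    """Group rule names by the resource they fired on (main sample or dropped file)."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["resource_id"], []).append(h["rule"])
    return grouped


def summarize(events_json):
    """Parse the events JSON text and return the figures an analyst wants first."""
    hits = yara_hits(json.loads(events_json))
    return {
        "rules": [h["rule"] for h in hits],
        "task_risk_score": task_risk_score(hits),
        "high_risk": rules_at_or_above(hits, 7),
        "by_resource": rules_by_resource(hits),
        "dropped_file_hits": [h["rule"] for h in hits if not h["main_sample"]],
    }


if __name__ == "__main__":
    print(summarize(EVENTS_JSON))
```

Both hits in the excerpt carry is_main_sample false and the same resource_id, which is how a report shows that a rule fired on a dropped file rather than on the submitted sample; this is what tp_ANALYTICS.YARA.SCAN_DROPPED and tp_IVM.GET_DROPPED_FILES control.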
YARA is a tool that helps malware researchers to identify and classify malware families. YARA rules can be applied
to static files or to running processes during on-box sandboxing to determine if a sample belongs to a particular
malware family. See YARA results under Static Events.
The appliance is preloaded with a set of YARA rules. You can add your own rules, but you cannot modify the built-
in rules.
3. To modify the current set of YARA rules, select from the following operations:
• Upload New YARA file: Select a new YAR file to overwrite the current file.
• Append to YARA file: Select a YAR file to add its rules to the current file.
• Download YARA file: Download the yara_rules.yar file to your workstation. This file contains any
rules you or other users have manually added; it does not contain the default set of rules that come
on the system. Edit the file according to YARA syntax, then click Upload New YARA file to upload
the edited file.
• Delete YARA file: This operation deletes all YARA rules. No YARA hits will occur until a new YARA file
is uploaded.
You can enable HAR while creating a task for the IVM or MobileVM environments. The option, Create an HTTP
Archive resource from the packet capture (HAR), is in the Basic Options tab. See "Configure Task Settings"
on page 47 for more information.
Upon task completion, the HAR resources are accessible in the Other Resources section of the task report.
Note that, if no HTTP traffic was generated during the task execution, HAR resources are not available. See "View
Task Summary Results" on page 65.
To view the raw HAR data, click the HTTP Archive link. Or, click HAR Viewer to display the HAR data in chart and
histogram form. Click a URL to display the HTTP headers associated with it. Click a request/response to see
details on the header.
The HTTP Archive is also accessible through the Remote API. To determine the resource ID for the HAR, use the
following curl command:
"api_version": 4,
"exec_time": 0.0064,
"request": "GET /tasks/38/resources",
"results": [
    {
        ...
    },
    {
        "resource_magic_extension": null,
        "resource_magic_magic": "txt:har",
        "resource_magic_magic_id": 12,
        "task_resources_file_name": "bj1ITl-HTTP Archive",
        "task_resources_magic_id": 12,
        "task_resources_md5": "d5000fcd6b6215d7d022c200f9416158",
        "task_resources_resource_id": 93,
        "task_resources_task_id": 38
    },
    {
        ...
Using task_resources_resource_id 93, the following request will retrieve the HAR resource binary:
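Locating the HAR in a resource listing, checking a downloaded body against the MD5 the listing reports, and pulling the request list out of the archive are the three steps an automated pipeline performs around the calls above. The following is an added example, not appliance code, and performs no HTTP itself: LISTING is constructed from the listing above (the elided entries are replaced by one invented non-HAR entry), SAMPLE_HAR is a constructed document in the standard HAR 1.2 layout, and the MD5 of "abc" used in the checks is a known test vector.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed from the listing above; the first entry is invented.
LISTING = """{
  "api_version": 4, "exec_time": 0.0064, "request": "GET /tasks/38/resources",
  "results": [
    {"resource_magic_extension": null, "resource_magic_magic": "constructed:other",
     "resource_magic_magic_id": 1, "task_resources_file_name": "constructed-resource",
     "task_resources_magic_id": 1, "task_resources_md5": "00000000000000000000000000000000",
     "task_resources_resource_id": 92, "task_resources_task_id": 38},
    {"resource_magic_extension": null, "resource_magic_magic": "txt:har",
     "resource_magic_magic_id": 12, "task_resources_file_name": "bj1ITl-HTTP Archive",
     "task_resources_magic_id": 12, "task_resources_md5": "d5000fcd6b6215d7d022c200f9416158",
     "task_resources_resource_id": 93, "task_resources_task_id": 38}
  ]
}"""

# A minimal constructed HAR document (HAR 1.2 layout: log -> entries).
SAMPLE_HAR = """{"log": {"version": "1.2", "entries": [
  {"request": {"method": "GET", "url": "http://example.test/index.html",
               "headers": [{"name": "User-Agent", "value": "constructed"}]},
   "response": {"status": 200, "headers": [{"name": "Content-Type", "value": "text/html"}]}},
  {"request": {"method": "POST", "url": "http://example.test/upload", "headers": []},
   "response": {"status": 302, "headers": [{"name": "Location", "value": "/done"}]}}
]}}"""


def har_resources(listing_text):
    """Entries whose magic identifies an HTTP Archive."""
    listing = json.loads(listing_text)
    return [r for r in listing["results"] if r.get("resource_magic_magic") == "txt:har"]


def har_resource_ids(listing_text):
    """The task_resources_resource_id values to fetch (93 in the listing above)."""
    return [r["task_resources_resource_id"] for r in har_resources(listing_text)]


def md5_matches(body, expected_hex):
    """Check a downloaded resource body against the MD5 the listing reports."""
    return hashlib.md5(body).hexdigest() == expected_hex.lower()


def har_requests(har_text):
    """(method, url, status) per entry: the information the HAR Viewer lists per URL."""
    log = json.loads(har_text)["log"]
    return [(e["request"]["method"], e["request"]["url"], e["response"]["status"])
            for e in log["entries"]]


def har_hosts(har_text):
    """Distinct hosts contacted, the natural pivot to a reputation lookup."""
    return sorted({urlsplit(url).hostname for _, url, _ in har_requests(har_text)})


if __name__ == "__main__":
    print(har_resource_ids(LISTING))
    print(har_requests(SAMPLE_HAR), har_hosts(SAMPLE_HAR))
```

The MD5 check is worth keeping in a pipeline even though MD5 is not collision resistant: its purpose here is only to confirm that the body fetched matches the resource the listing described, not to authenticate it.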
For more information on using RAPI, see the API Guide for Content Analysis and Malware Analysis.
With the IVM plugin capability, you can also achieve some of the benefits of forensic investigation and/or static
analysis while taking advantage of the automated dynamic analysis simultaneously. IVM plugins are Python
scripts that can interact with the IntelliVMs. They can interact before, during, and after sample execution, and are
limited only to what a particular analyst can program. Such features as memory dumping, hook detection, and
DLL injection are already present as plugins; when run as part of a dynamic analysis, they provide the relevant
information as resources available for download when the automated analysis finishes, typically after about sixty
seconds.
Plugin Structure
Plugins are written in Python. Out of the box, any standard Python library can be used for processing. Additional
libraries can be installed during the customization process using the standard Python method.
def guest_pre_exec():
    # Called before guest_exec: prepare the guest environment (proxy settings,
    # debugger hooks, software configuration). Runs as a service account, not Admin.
    pass

def guest_exec():
    # Called after guest_pre_exec: start the event listener (START_MONITOR), then
    # launch the sample (SHELLEXECUTE by default) and return immediately.
    pass

def guest_post_exec():
    # Called when the timeout is reached or all tainted processes have exited:
    # inspect memory, collect dropped files, run any other post-processing.
    pass
guest_pre_exec()
This is called before the main guest_exec function. This callback could be used to initialize or set up the guest
environment (for example, proxy settings, debugger hooks, software configuration).
Note: The execution context is a service account rather than the Admin user; keep
this in mind when setting HKCU/* keys and changing other settings.
guest_exec()
This is called after guest_pre_exec. This callback should first invoke the event listener START_MONITOR and then
execute the target sample. The default technique is to use the built-in function SHELLEXECUTE. guest_exec must
return quickly; therefore, the method used to execute the target sample must return immediately.
guest_post_exec()
This is called after either the timeout value has been reached, or all tainted processes have exited. If the timeout
value has been reached, the target process may still be running. This callback could be used to inspect memory,
collect dropped files or perform any additional post-processing.
General Example
This is a basic "hello world" script that shows part of what can be done. In the guest_pre_exec() callback, data is
written to a text file and then Notepad is started. The call to ANTIVMTRICKS() modifies the VM to avoid some of
the more common ways of doing virtual environment detection.
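The lifecycle described above (set up in guest_pre_exec, launch without blocking in guest_exec, collect in guest_post_exec after exit or timeout) can be rehearsed outside the IntelliVM. The following is an added example and not the appliance's plugin framework: the built-ins START_MONITOR, SHELLEXECUTE and ANTIVMTRICKS only exist inside the VM, so subprocess.Popen stands in for SHELLEXECUTE and a timestamp stands in for START_MONITOR; the "sample" is a constructed Python one-liner that reads the file written in guest_pre_exec, drops a new file and then sleeps, so that both the clean-exit and the timeout paths can be exercised; run_task is an assumed driver that plays the framework's role.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import time

STATE = {}

# Constructed stand-in for the sample: reads hello.txt from the work directory,
# drops dropped.bin next to it, then sleeps for the number of seconds given.
SAMPLE_SRC = (
    "import os, sys, time; d = sys.argv[1]; "
    "data = open(os.path.join(d, 'hello.txt'), 'rb').read(); "
    "open(os.path.join(d, 'dropped.bin'), 'wb').write(data); "
    "time.sleep(float(sys.argv[2]))"
)


def guest_pre_exec(work_dir):
    """Before the sample runs: prepare the guest (here, seed a text file).
    In the IntelliVM this runs as a service account, not the Admin user."""
    STATE["work_dir"] = work_dir
    with open(os.path.join(work_dir, "hello.txt"), "w") as fh:
        fh.write("hello from guest_pre_exec\n")
    STATE["files_before"] = set(os.listdir(work_dir))


def guest_exec(sample_cmd):
    """Start monitoring, launch the sample, return at once. Popen stands in for
    SHELLEXECUTE; calling wait() here would stall the whole task."""
    STATE["monitor_started"] = time.monotonic()   # stand-in for START_MONITOR
    STATE["proc"] = subprocess.Popen(sample_cmd)


def guest_post_exec(timeout_reached):
    """After exit or timeout. On timeout the sample may still be running, so
    check before collecting; newly created files are reported as dropped."""
    proc = STATE["proc"]
    still_running = proc.poll() is None
    if still_running:
        proc.kill()
        proc.wait()
    dropped = sorted(set(os.listdir(STATE["work_dir"])) - STATE["files_before"])
    return {"timeout_reached": timeout_reached,
            "running_at_post_exec": still_running,
            "dropped_files": dropped,
            "exit_code": proc.returncode}


def run_task(sample_sleep, timeout):
    """Assumed driver: call pre, exec, wait until the sample exits or the
    timeout elapses, then post, and return post's report plus launch time."""
    work_dir = tempfile.mkdtemp(prefix="ivm-example-")
    try:
        guest_pre_exec(work_dir)
        started = time.monotonic()
        guest_exec([sys.executable, "-c", SAMPLE_SRC, work_dir, str(sample_sleep)])
        launch_seconds = time.monotonic() - started
        while STATE["proc"].poll() is None and time.monotonic() - started < timeout:
            time.sleep(0.05)
        report = guest_post_exec(STATE["proc"].poll() is None)
        report["launch_seconds"] = launch_seconds
        return report
    finally:
        shutil.rmtree(work_dir, ignore_errors=True)


if __name__ == "__main__":
    print(run_task(sample_sleep=0, timeout=10))    # clean exit path
    print(run_task(sample_sleep=30, timeout=3))    # timeout path
```

The launch time stays in the millisecond range on both paths because guest_exec never waits on the child; replacing Popen with subprocess.run would make the timeout path take the full sleep, which is the mistake the "must return quickly" requirement above is warning about.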
Add a Plugin
Plugins can be added via the remote API. Plugins are considered sample resources and must be added as such.
Note: The plugin integer ID will be updated with each import. If you call this plugin
from scripts you will need to update them after changing the plugin. No changes are
needed in the UI.
If you wish to do this manually, review the RAPI documentation for the POST /rapi/samples/resources REST call.
The following example command remotely uploads the ghost_user_with_unpacker.py plugin: