Endpoint Detection and Response customers can use the Sandbox Analysis feature. This feature allows you to upload a file within the Nebula console and receive a comprehensive report on the item, indicating if the file is malicious or not. Reports display on the Sandbox Analysis page after a few minutes from the time you upload the file.
This article explains how to upload files for analysis, and the types of data you can investigate in the results table of the Sandbox Analysis page.
Upload file on the Sandbox Analysis page
- On the left navigation pane, go to Investigate > Sandbox Analysis.
- At the top of the Sandbox Analysis page, drag and drop a file or click browse computer to choose a file for upload. The following file parameters apply:
- Max file size: 64 MB
- File types accepted: PE 32/64bit (exe,dll)
- A window asks you to confirm the file upload. Click Confirm Upload to initiate the analysis process.
Uploading and analyzing a file may take a few minutes. Refresh the Sandbox Analysis page for an updated status. Once analysis is complete, the result displays in the table beneath the file upload area.
Investigate information displayed by Sandbox Analysis
Information displayed in the results table is intended to warn you of potentially malicious files that may warrant an endpoint scan, or for your forensic investigation to find indicators of compromise in your environment.
The results table lists the analysis reports from all of your file uploads. Each line item displays the information in different columns. The columns available are:
- File name: The name of the analyzed file. Click the name to expand process information and specific threat details.
- MD5: Shows the file's MD5 hash value.
- SHA256: Shows the file's SHA256 hash value.
Status: Shows one of the following:
- Pending: The file is still being analyzed by Sandbox Analysis.
- No Threat: The file appears to be safe.
- Malicious: The file appears to be compromised. We recommend you remove the file from affected machines and run a scan immediately.
- File type: Shows the file type.
- File size: Shows the file's size in KB or MB.
- Upload location: Shows the Nebula console page where the file was uploaded from.
- Upload date: Shows the date and time the file was uploaded.
- VirusTotal: Click the Check Now link to open the Virus Total website in a new browser tab. This site displays the process path as if found by 3rd party antivirus vendors. This can help you determine if the event is a false positive. NOTE: VirusTotal is a 3rd party website. For information, see VirusTotal's Terms of Service.
When you click on a file name from your Sandbox Analysis results table, the Process Information pop-up window slides into view. This shows more detailed information about the file's hash values, system impact, and indicators of threat behavior based on severity. The process information window displays the following information and functions:
- View Process Graph: Click this button to expand a visual representation of the files or processes touched by the suspicious activity, including any files or processes spawned from the original file or process.
- Check VirusTotal: Click this button to open the Virus Total website in a new browser tab.
- Export: Click this button to download the data to your local machine.
- MD5 value, if applicable.
- SHA1 value, if applicable.
- SHA256 value, if applicable.
- SHA512 value, if applicable.
- Indicators of threat behavior:
- High Severity: Click to expand this field and view a descriptive list of all threat indicators that the Sandbox Analysis deems as high severity.
- Medium Severity: Click to expand this field and view a descriptive list of all threat indicators that the Sandbox Analysis deems as medium severity.
- Low Severity: Click to expand this field and view a descriptive list of all threat indicators that the Sandbox Analysis deems as low severity.
Dropped Files: Provides data on files and locations used by the analyzed file.
- File size
- File type(s)
- MD5 value
- SHA512 value