Host GS: Services Stats View - Malware Analysis

Document created by RSA Information Design and Development on Apr 9, 2016
Version 1

This topic describes the features available in Security Analytics Services Stats view for Malware Analysis. 

The Services Stats view provides a way to monitor the status and operations of a service.

To access the Services Stats view for Malware Analysis:

  1. In the Security Analytics menu, select Administration > Services.
    The Services view is displayed.
  2. Select the Malware Analysis service and select the Actions icon > View > Stats.

The following figure shows the Services Stats view for Malware Analysis. The default tab is the Events tab.

MA Services Stats view - Events tab

The following figure shows the Analysis Threads tab.

MA Services Stats view - Analysis Threads tab

Features

The Services Stats view for Malware Analysis has two tabs:

  • Events tab
  • Analysis Threads tab

Events Tab

The Events tab contains the Timeline chart, which displays the number of events at various times throughout the day.

The following table describes the features of the Events tab.

                       
FeatureDescription
Time Range drop-down menuThis menu offers different options for the time range shown on the graph. You can choose a custom time range by selecting Custom and choosing a start and end date from the drop-down menus.
Plot areaEach type of event is represented by a different color on the graph. You can zoom in on sections of the graph by clicking and dragging to select the section you want to see closer.
Event Type keyAt the bottom of the tab, the types of events shown in the plot area are displayed, with their respective line colors. For example, the Network line is green, and the On Demand line is purple. To disable any of the options from appearing in the chart, click the option. It is grayed out and its line is removed from the graph.

Analysis Threads Tab

Malware Analysis is capable of analyzing many files simultaneously, each represented by a thread. Each file goes through a linear process when it is analyzed:

  1. Network meta analysis
  2. Request file from Decoder
  3. Static
  4. Community (if enabled)
  5. Sandbox (if enabled)

This tab shows the status of each thread so that you can see where each file currently is in the analysis process. Thread statuses are grouped by the type of file analysis, that is, the way in which Malware Analysis received the file: a Network session, a Manually Uploaded file, or an On Demand scan.

This is particularly useful for finding which stage of analysis is the limiting factor for throughput. For example, if all 20 threads show the status Requesting Files from NextGen (the Decoder), the Decoder is overloaded or otherwise unable to deliver files quickly enough, and the later stages (Static, Community, Sandbox) are idle waiting for input.

Compare the Last Updated column against the current time. If threads have not updated their status for a long period, Malware Analysis may be stuck rather than merely slow.

The following table provides descriptions of the list columns.

                             
ColumnDescription
Last UpdatedThe most recent date and time when the thread updated.
Session IdThe ID number of the session.
StatusThe status of the file analysis.
File NameThe name of the file being analyzed.
File HashThe hash of the file being analyzed.
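The two checks described above (which stage holds most of the threads, and which threads have gone stale) can be automated against an export of the Analysis Threads list. The following is an added example written for this page, not code from RSA Security Analytics; the rows are constructed sample data laid out in the tab's five columns, the Status strings and the 15-minute staleness threshold are assumptions, and the exact wording of real product statuses may differ.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of the Analysis Threads list (not real Malware Analysis
# output). Column order mirrors the tab: Last Updated, Session Id, Status,
# File Name, File Hash. Status strings are assumed for illustration.
SAMPLE_THREADS = [
    ("2016-04-09 10:28:50", 1001, "Requesting File from NextGen", "invoice.pdf", "a1b2c3"),
    ("2016-04-09 10:29:10", 1002, "Requesting File from NextGen", "setup.exe", "d4e5f6"),
    ("2016-04-09 10:29:30", 1003, "Requesting File from NextGen", "report.doc", "0a1b2c"),
    ("2016-04-09 10:29:41", 1004, "Requesting File from NextGen", "photo.jpg", "3d4e5f"),
    ("2016-04-09 10:29:55", 1005, "Requesting File from NextGen", "update.msi", "6a7b8c"),
    ("2016-04-09 10:28:00", 1006, "Static Analysis", "macro.xls", "9d0e1f"),
    ("2016-04-09 10:05:00", 1007, "Sandbox Analysis", "dropper.exe", "2a3b4c"),
    ("2016-04-09 09:50:00", 1008, "Community Analysis", "sample.bin", "5d6e7f"),
]

# Assumed threshold: a thread that has not changed status in this long is
# reported as stale. Tune to the observed Sandbox/Community stage duration.
STALE_AFTER = timedelta(minutes=15)


def parse_ts(value):
    """Parse a Last Updated timestamp in the sample's YYYY-MM-DD HH:MM:SS form."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def parse_threads(rows):
    """Turn raw rows into dicts keyed by the tab's column names."""
    return [
        {
            "last_updated": parse_ts(last),
            "session_id": sid,
            "status": status,
            "file_name": name,
            "file_hash": digest,
        }
        for last, sid, status, name, digest in rows
    ]


def status_histogram(threads):
    """Count how many threads sit in each Status."""
    return Counter(t["status"] for t in threads)


def bottleneck(threads, min_share=0.5):
    """Return the Status holding at least min_share of all threads, else None.

    A single stage holding most of the threads is the limiting factor, e.g.
    'Requesting File from NextGen' pointing at an overloaded Decoder.
    """
    if not threads:
        return None
    status, count = status_histogram(threads).most_common(1)[0]
    return status if count / len(threads) >= min_share else None


def stale_threads(threads, now, max_age=STALE_AFTER):
    """Threads whose Last Updated is older than max_age relative to now."""
    return [t for t in threads if now - t["last_updated"] > max_age]


def summarize(rows, now_str):
    """One-shot report: histogram, bottleneck stage and stale session IDs."""
    threads = parse_threads(rows)
    now = parse_ts(now_str)
    return {
        "histogram": dict(status_histogram(threads)),
        "bottleneck": bottleneck(threads),
        "stale_sessions": sorted(t["session_id"] for t in stale_threads(threads, now)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_THREADS, "2016-04-09 10:30:00")
    for status, n in report["histogram"].items():
        print(f"{n:3d}  {status}")
    print("bottleneck stage:", report["bottleneck"])
    print("stale sessions:", report["stale_sessions"])
```

On the constructed sample, five of eight threads are waiting on the Decoder, so that stage is reported as the bottleneck, while sessions 1007 and 1008 have not updated in more than 15 minutes and are flagged as possibly stuck. A thread that stays in the same stage is only suspicious relative to how long that stage normally takes, so set the threshold from your own observed stage durations rather than the value assumed here.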