Investigation: Begin a Malware Analysis Investigation

Document created by RSA Information Design and Development on May 5, 2016. Last modified by Susan Ewald on May 5, 2016. Version 4.

This topic provides instructions for investigating data scanned by Malware Analysis in Security Analytics Investigation.

You can investigate data that has been scanned, flagged, and rated by Security Analytics Malware Analysis as containing Indicators of Compromise. This includes all types of Malware Analysis scans: continuous mode polling, on-demand polling, and on-demand uploaded files. Continuous mode polling must be enabled when the administrator configures basic settings for the Malware Analysis service.

Security Analytics provides several methods of launching a Malware Analysis investigation.

Fastest: Instant Launch from Malware Analysis Dashlets

The fastest way to begin a Malware Analysis investigation is an instant launch from the Security Analytics Dashboard using one of the Malware Analysis dashlets that list events or files likely to contain malware. From one of these dashlets, you can go directly to the Analysis Results for a specific event that has been listed as worthy of investigation:

  • Top Listing of Highly Suspicious Malware
  • Top Listing of Possible Zero Day Malware
  • Malware with High Confidence IOCs and High Scores Dashlet

On-Demand Polling from a Meta Value in the Navigate View

You can initiate on-demand polling from within an investigation by right-clicking a meta value in the Navigate view, and choosing an option from the context menu. When polling is complete, the scanned data is available for malware analysis (see Launch a Malware Analysis Scan from the Navigate View).

Investigate a Specific RSA Service

You can also begin a Malware Analysis investigation of a service in the Investigation > Malware Analysis view. Because this investigation is performed on a per-service basis, a service must be specified in that view:

  1. Security Analytics opens the Malware Analysis view with the user-specified default service selected.
  2. If no default service is currently specified, Security Analytics presents a dialog for selecting the Malware Analysis service to investigate.
  3. When a service has been selected manually or by default in the Malware Analysis view, Security Analytics opens the Summary of Events for the selected service and continuous scan data for the service.

This topic provides instructions for all methods of launching a Malware Analysis investigation.

Launch a Malware Investigation from a Malware Analysis Dashlet

A prerequisite for this procedure is that one of the following dashlets must be visible in the Unified dashboard or in the Malware Analysis view, and must be populated with listed events or files. If you do not see the dashlets, add them and configure the dashlets.

  • Top Listing of Highly Suspicious Malware
  • Top Listing of Possible Zero Day Malware
  • Malware with High Confidence IOCs and High Scores Dashlet

To launch a Malware Analysis investigation from a dashlet:

  1. Log on to Security Analytics and look for one of the above dashlets in the main dashboard or in the Malware Analysis view. Below is an example of the Top Listing of Possible Zero Day Malware Dashlet configured to show files.

    MwaTopZeroDayFls.png
  2. In the dashlet, double-click an event or file for deeper analysis. The Malware Analysis view displays a detailed analysis of the selected event (from the Events List) or of the event with which the selected file (from the File List) is associated.
    MWAnaRes.png

To learn more about configuring the Malware Analysis dashlets in the Unified dashboard, see "Dashlets" in the Getting Started with Security Analytics Guide.

To learn about the ways you can configure and filter information in dashlets in the Malware Analysis view, refer to Filter Dashlet Data in the Summary of Events View.

To learn about the actions you can perform in the Analysis Results, refer to View Detailed Malware Analysis of an Event.

Begin a Malware Analysis Investigation (No Default Service)

To begin an investigation with no default service specified:

  1. In the Security Analytics menu, select Investigation > Malware Analysis.
    The Select a Malware Analysis Service dialog is displayed, with available Malware Analysis hosts and services for the current user in the left panel and available scan jobs in the right panel. This scan jobs panel contains the same columns as the Malware Scan Jobs dashlet in the Unified dashboard. In addition, it has a toolbar and View options, which are described in Investigation - Select a Malware Analysis Service Dialog.
    SlctMWASrvc.png
  2. In the list of Malware Analysis hosts, select a host. A list of scan jobs for that host is displayed in the right panel.
  3. To begin analyzing a scan, do one of the following:
    1. Select a scan and click View Scan.
    2. Click View Continuous Mode.
      The Summary of Events for the selected scan is displayed with the default dashlets open. Each user can add, modify, and delete default dashlets, which persist through different scan investigations. Users can also restore default dashlets as described in Filter Dashlet Data in the Summary of Events View.
      MWAVw.png

Set or Clear the Default Service

You can set the default service and clear the default service in the Select a Malware Analysis Service dialog.

To set a default service:

  1. Click the service name in the Summary of Events toolbar.
    The Select a Malware Analysis Service dialog is displayed.
    SlctMWASrvc.png
  2. Select a service in the list of available Malware Analysis services, and click the default service button (DefServ.png).
    The service becomes the default (indicated by DefServChk.png in front of the host name).
  3. To clear the default service, select the current default service in the grid, and click the default service button (DefServ.png) again.
    No default service is set.

Upload and Scan Files

A Malware Analyst with permission to Initiate Malware Analysis Scan can upload files to scan using the Scan Files option in the Select a Malware Analysis Service dialog (see Upload Files for Malware Analysis Scanning). An administrator can upload packet capture files to a Decoder for Malware Analysis in the Services System view as described in "Upload Packet Capture File" in the Decoder and Log Decoder Configuration Guide.

Begin an Investigation (Default Service Specified)

To begin an investigation with a default service specified:

  1. In the Security Analytics menu, select Investigation > Malware Analysis.
    The Summary of Events for a continuous scan of the selected service is displayed with the default dashlets open. Each user can add, modify, and delete default dashlets, which persist through different scan investigations. Users can also restore default dashlets as described in Filter Dashlet Data in the Summary of Events View.
    MWAVw.png

Apply Time Parameters Filter for Results

You can change the scan or the time range to refresh the results of the chosen dashlets.

  1. To select a different time range, select either Continuous Mode or a different scan from the toolbar.
    ContMode.png
    The Malware Summary of Events for the selected scan is displayed.
  2. To select a new time range for the scan, click in the range selection list in the toolbar. Ranges available are: Last 5 minutes, Last 10 minutes, Last 15 minutes, Last 30 minutes, Last Hour, Last 3 Hours, Last 6 Hours, Last 12 Hours, Last 24 Hours, Last 2 Days, Last 5 Days, Early Morning, Morning, Afternoon, Evening, All Day, Yesterday, This Week, Last Week, or Custom.
    TimeRange.png
    The results are updated immediately.
  3. To refresh a continuous mode scan with new data, click IconRefresh.png.

Apply a Threshold Filter to Continuous Mode Results

You can apply a new threshold filter to an instance of the Malware with High Confidence IOCs and High Scores dashlet, the Meta Treemap dashlet, the Score Wheel dashlet, and the Event Timeline dashlet.

To customize the scoring applied to the scan, in the toolbar, do the following:

  1. Select Settings > Apply Threshold Filter.
    The Apply Threshold Filter dialog is displayed.
    AppThrsFiltDg.png
  2. To limit the events displayed to those that were given a score above a certain value, do the following:
    1. Drag the slider in the Static, Network, Community, and Sandbox slider bars.
    2. To select the dashlets in which the thresholds apply, select the appropriate checkboxes.
    3. Click Apply.

Delete or Resubmit an On-Demand Scan with New Bypass Settings

You can delete an on-demand scan or resubmit an on-demand scan with different bypass settings than those specified in the Service Configuration view for a Malware Analysis service.

To delete a scan while viewing an on-demand scan, do the following:

  1. Select Actions > Delete Scan.
    Security Analytics asks for confirmation that you want to delete the scan.
  2. Click Yes.
    The selected scan is deleted.

To apply different bypass settings to the current scan:

  1. Select Actions > Resubmit Scan.
    The Scan for Malware dialog is displayed.
    ScnfrMlwr.png
  2. Select the bypass settings that you want to use on the new scan, and click Scan.
    Malware Analysis resets the cache and resubmits the file for a new scan, and Security Analytics adds the scan to the jobs queue.
  3. When the job is complete, scroll to the left and select View.
    The Malware Summary of Events for the selected scan is displayed.

View the Files List

You can view a list of files for an event from the Malware Analysis Summary of Events and from each of the Visualization charts: Event Timeline, Meta Breakdowns, Meta Treemap, and Score Wheel.

To view the Files List, do one of the following:

  • In the Summary of Events, click the number of files in the Total row or the High Confidence row under Files Processed, PE Files, Office Files, or PDF Files. The Files List is displayed.
  • In any visualization dashlet, click the number next to the Files field in the top right corner of the dashlet.
    MWAScrWhl.png
    The Files List for the selected drill point is displayed.
    Files List.png

From the Files List, you can search for a file by filename or MD5 file hash, sort the list using two criteria and ascending or descending order, and download files as described in Examine Scan Files and Events in List Form.

To return to the Summary of Events, click Back to Summary.

View the Events List

From the Malware Analysis Summary of Events and from each of the visualization charts (Event Timeline, Meta Breakdowns, Meta Treemap, and Score Wheel), you can select events to view in the Events grid.

To view the Events List, do one of the following:

  • In the Summary of Events, click the number of Events Created in the Total row or the High Confidence row. The Events List is displayed.
  • In any visualization dashlet, click the number next to the Events field in the top right corner of the dashlet.
    MWAScrWhl.png
    The Events List for the selected time is displayed.
    MWAEventLst.png
