This topic introduces a feature of Security Analytics Malware Analysis that compares file analysis results from your installed antivirus (AV) vendors versus community results from the Security Analytics Malware Analysis knowledge base. In addition, instructions for configuring the feature are included.While a file is being analyzed by community analysis, Security Analytics Malware Analysis checks an antivirus knowledge base to determine if the sample is already known to be malicious. If the file is known to be malicious, Security Analytics flags the file to indicate whether a primary antivirus vendor or a secondary antivirus vendor identified the sample. Security Analytics classifies vendors as primary and secondary to indicate the level of reputation the vendors have in the industry, and Indicators of Compromise factor the reputation into scoring. For example, detection made solely by secondary antivirus vendors may score less than detection by primary vendors.
Note: When choosing AV vendor software to install on your network, it is highly recommended that you include at least one from Security Analytics Primary Vendors list.
You can identify the antivirus vendors installed on your network to Security Analytics. Security Analytics compares the antivirus results during community analysis against the results from the installed vendors selected in the AV tab. If a match is detected, the file being analyzed is flagged to indicate that your locally installed primary or secondary antivirus software detected the sample.
The example below shows the community analysis results for a file that had a score of 100. Under Indicators of Compromise, you can see that the file was flagged by the listed AV vendors in the Community. Under AV Vendor Results, Security Analytics indicates whether the AV vendors installed in your environment flagged the file as malicious. If your installed AV vendors detected the virus, the name of the malware is displayed. If your installed AV vendors did not detected the virus, --Not detected-- is displayed next the the AV vendor name. Under Not Installed Vendors, you can click + to expand the section and see if other vendors not installed on your system detected the virus.
Identify Installed AV Software
To identify antivirus software installed on your network:
- In the Security Analytics menu, select Administration > Services.
- Select a Malware Analysis service, and in the row select > View > Config.
- In the Service Config View, select the AV tab.
- Select the checkbox next to each antivirus vendor (primary and other) whose software is installed on your network.
- To save the changes, click Apply.
The Community Analysis results will indicate whether your software flagged an event.
- (Optional) If you want to reset the list of installed AV software to the default value (none), click Reset.
All selections are removed.
- To save changes, click Apply.