000035436 - What are the supported file types for Malware Analysis in RSA Security Analytics?

Document created by RSA Customer Support Employee on Aug 5, 2017
Version 1

Article Content

Article Number: 000035436
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.x
Tasks: The article provides a list of file types that are supported for Malware Analysis in RSA Security Analytics.
Resolution: Below is a snippet of the spectrum.lua parser which indicates the supported file types.
local spectrumAnalyze = ({
    ["windows executable"] = options.analyzeExe.value,
    ["office 95-2003 word document"] = options.analyzeOffice.value,
    ["office 95-2003 excel document"] = options.analyzeOffice.value,
    ["office 95-2003 powerpoint document"] = options.analyzeOffice.value,
    ["office 95-2003 document"] = options.analyzeOffice.value,
    ["office 2007 document"] = options.analyzeOffice.value,
    ["pdf"] = options.analyzePdf.value,
    ["rar"] = options.analyzeRar.value,
    ["rtf"] = options.analyzeRtf.value,
    ["zip"] = options.analyzeZip.value,

RSA Engineering has confirmed that all versions of Microsoft Office documents are supported for Malware Analysis. Only the Office versions shown above are listed because no revisions were made to the Office document format after 2007.
File extensions are not considered at all. Malware Analysis examines a file when the relevant fingerprint parser identifies it as a certain file type. The fingerprint parsers identify a file based on its characteristics, irrespective of name or extension, neither of which is a property of the file itself.
For example, even if a legacy Microsoft Word document is transmitted over the wire as "foo.txt", it will be identified by fingerprint_office_lua as filetype: office 95-2003 word document.
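The following Python example is added here to illustrate content-based identification; it is not RSA's parser code, and the article does not show the fingerprint parsers' actual logic. It uses well-known public file signatures and returns the labels used as keys in the spectrumAnalyze table; the function name identify, the signature tables and the FOO_TXT sample are assumptions constructed for this example.

```python
import io
import zipfile
from typing import Optional

# Well-known public magic numbers, mapped to the type labels used as keys in
# the spectrumAnalyze table (assumed mapping, not RSA's fingerprint logic).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SIGNATURES = [
    (b"MZ", "windows executable"),
    (b"%PDF-", "pdf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"{\\rtf", "rtf"),
]
# OLE2 stream names are stored as UTF-16LE in the compound-file directory;
# a substring search stands in for a full directory parse here.
OLE2_STREAMS = [
    ("WordDocument", "office 95-2003 word document"),
    ("Workbook", "office 95-2003 excel document"),
    ("PowerPoint Document", "office 95-2003 powerpoint document"),
]
# Constructed sample: the leading bytes a legacy Word document would carry
# even when it is transmitted under the name "foo.txt".
FOO_TXT = OLE2_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")


def identify(data: bytes) -> Optional[str]:
    """Return a type label from content alone; no file name is consulted."""
    if data.startswith(OLE2_MAGIC):
        for stream, label in OLE2_STREAMS:
            if stream.encode("utf-16-le") in data:
                return label
        return "office 95-2003 document"
    if data.startswith(b"PK\x03\x04"):
        # Office 2007+ (OOXML) is a ZIP container holding [Content_Types].xml.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "office 2007 document"
        except zipfile.BadZipFile:
            pass  # truncated or damaged archive: still ZIP by signature
        return "zip"
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None
```

Because the decision depends only on the bytes, renaming a file changes nothing about how it is classified, which is why an extension-based allow or deny list is not a substitute for content inspection.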