Investigate: View Detailed Malware Analysis of an Event

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017. Version 8.
When viewing the list of individual events in a Malware Analysis scan in the Malware Analysis Events grid, you can double-click an event to view the detailed analysis results for the event.

View Malware Analysis Details for an Event

  1. Start an investigation in the Malware Analysis tab.
    The Malware Summary of Events is displayed, and includes four charts, including the Event Timeline.
  2. Do one of the following:
    1. To view all events in the Event Timeline, click the View Events button.
    2. Double-click data in the Meta Breakdown, Meta Treemap Chart, or Score Wheel.
      The Events List is displayed.
  3. Double-click an event.
    The Analysis Results for the event are displayed.
    (Screenshot: Analysis Results)
  4. (Optional) If you want to delete an event, select Actions > Delete Event.
  5. If you want to view a reconstruction of the network session, select Actions > View Network Session.
    The session opens in the Navigate view > Event Reconstruction.

Pivot Network Analysis Results

You can pivot the Network Analysis Results in several ways:

  1. Scroll down to the Network Analysis Results.
    (Screenshot: Network Analysis Results)
  2. Hover over a meta value and left-click.
    The context menu is displayed.
    (Screenshot: Network Analysis Results context menu)
  3. To view the selected meta value in the Navigate view, select Start Investigation and a time option.
  4. To view the selected meta value in a browser, select Open in Web Browser > Open in Google.

Use File Actions in the Static Analysis Results

  1. Scroll down to the Static Analysis Results.
    (Screenshot: Static Analysis Results)
  2. If you want to download a file, select the file name and either Download File (zipped) or Download File (natively) in the drop-down menu. It is safer to download a file in zipped format.
    (Screenshot: Static Analysis Results drop-down menu)
  3. If you want to mark the file as safe or unsafe in the hash list, select Filter File Hash and Mark hash as good or Mark hash as bad.

View Community Analysis Results Details

The Community Analysis Results section summarizes results from the community, identifying Indicators of Compromise that were flagged as a risk or identified as good.

In addition, this view lists the results from Installed AV Vendors and Not Installed AV Vendors. You can compare results of the installed AV vendors that were configured for the current Malware Analysis service versus Community results. You can also see results from a list of AV vendors that are not configured as installed for the current Malware Analysis service.

Each row of AV vendor results includes a shield icon showing whether the IOC was discovered by a Primary (Primary AV icon) or Secondary (Secondary AV icon) AV vendor in the community, the name of the Installed or Not Installed vendor, and the name of the malware or risk detected by the community and the AV vendor. If the AV vendor did not detect a risk, -- Not detected -- is displayed instead of the name of the risk.

The Not Installed AV Vendors section is expandable to view all entries, but is collapsed by default to minimize the need to scroll. Clicking the + expands the list.

If no installed AV vendors have been configured for the current Malware Analysis service, the following message is displayed: No AV vendors were marked as installed. Please go to the Malware Analysis Service configuration page to identify installed AV vendors.

(Screenshot: Malware Analysis AV Vendors)
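To make the Installed versus Not Installed comparison described above concrete, here is an added Python example (not part of the RSA documentation and not NetWitness code) that tallies a set of AV vendor rows with the same fields the grid shows: Installed or Not Installed vendor, Primary or Secondary shield, and either a risk name or the literal "-- Not detected --". The vendor names and results are constructed sample data; the `suggest_hash_verdict` thresholds are assumptions chosen for illustration, and the function deliberately never suggests "good" on the strength of missing detections alone, since no vendor flagging a file is not evidence that it is safe.

```python
from collections import Counter
from dataclasses import dataclass

# Literal shown in the grid when a vendor did not flag the file.
NOT_DETECTED = "-- Not detected --"


@dataclass(frozen=True)
class VendorResult:
    vendor: str      # vendor name as listed in the Installed / Not Installed sections
    installed: bool  # True if configured as installed for this Malware Analysis service
    primary: bool    # True for the Primary AV shield, False for the Secondary AV shield
    result: str      # malware/risk name reported, or NOT_DETECTED


# Constructed sample rows (hypothetical vendors, not real product output).
SAMPLE_ROWS = [
    VendorResult("VendorA", installed=True, primary=True, result="Trojan.Generic"),
    VendorResult("VendorB", installed=True, primary=False, result=NOT_DETECTED),
    VendorResult("VendorC", installed=False, primary=True, result="Trojan.Generic"),
    VendorResult("VendorD", installed=False, primary=False, result="Win32.Agent"),
    VendorResult("VendorE", installed=False, primary=False, result=NOT_DETECTED),
]


def detected(row: VendorResult) -> bool:
    """A row counts as a detection when it carries a risk name rather than the placeholder."""
    return row.result != NOT_DETECTED


def summarize(rows):
    """Count detections the way the grid groups them: by Installed/Not Installed and by shield."""
    installed = [r for r in rows if r.installed]
    not_installed = [r for r in rows if not r.installed]
    names = Counter(r.result for r in rows if detected(r))
    return {
        "installed_total": len(installed),
        "installed_detected": sum(detected(r) for r in installed),
        "not_installed_total": len(not_installed),
        "not_installed_detected": sum(detected(r) for r in not_installed),
        "primary_detected": sum(detected(r) for r in rows if r.primary),
        "secondary_detected": sum(detected(r) for r in rows if not r.primary),
        "risk_names": dict(names),
    }


def suggest_hash_verdict(summary, min_installed=1, min_community=2):
    """Suggest what an analyst might choose under Filter File Hash.

    Thresholds are assumptions for illustration: any installed-vendor detection, or at
    least `min_community` community detections, suggests "bad"; otherwise the file
    still needs review, because a lack of detections is not proof of safety.
    """
    if summary["installed_detected"] >= min_installed:
        return "bad"
    if summary["not_installed_detected"] >= min_community:
        return "bad"
    return "review"


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("suggested verdict:", suggest_hash_verdict(s))
```

Running the block prints the grouped counts for the sample rows and the suggested verdict; the risk-name counter is useful on its own, since agreement on a family name across vendors is a stronger signal than the raw number of detections.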

View Sandbox Analysis Results in the ThreatGrid User Interface

If you have registered with ThreatGrid, you can view the Sandbox results directly in ThreatGrid.

  1. Scroll down to the Sandbox Analysis Results.
    (Screenshot: Sandbox Analysis Results)
  2. Click the Analysis ID and select Open In ThreatGrid.
    The analysis report in ThreatGrid is displayed.