Analysis report: Report tab

The Report tab display changes depending on the type of sample being processed.

Click file download to download the detected file to your local machine. From the pull-down menu. select Download file or Download as ZIP.

If you select Download as ZIP, the Download file as a zip pop-up is displayed, prompting you to provide an optional password for the archive.

Important:

The VMware NSX Network Detection and Response only allows you to download detected files under certain conditions.

If the artifact is considered low risk, file download is displayed and you can download it to your local machine.

If the artifact is considered risky, file download is not displayed unless your license has the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability.

You must be aware that the artifact can possibly cause harm when opened.

The User Portal may display a pop-up: Warning: Downloading Malicious File. Click the I agree button to accept the conditions and download the file.

For malicious artifacts. you may want to encapsulate the file in a zip archive to prevent other solutions that are monitoring your traffic from automatically inspecting the threat.

If you do not have the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability and require the ability to download malicious artifacts, contact VMware Support.

Click download to download the PCAP file.

Click snapshot to download screenshots.

Click cloud download to download the report.

Click plus / minus to expand/collapse the sections on the tab.

Analysis information section

The Analysis information section contains key information about the analysis that the current report refers to:

  • Analysis subject The MD5 hash of the sample.

  • Analysis type The analysis type that was performed:

    • Dynamic analysis on Microsoft Windows 10 The analysis subject was executed in a simulated Windows 10 environment using the VMware NSX Network Detection and Response sandbox. The system monitors the file behavior and its interactions with the operating system looking for suspicious or malicious indicators.

    • Dynamic analysis in instrumented Chrome browser The analysis subject (such as an HTML file or URL) was inspected using the instrumented browser, which is based on Google Chrome. The instrumented browser reproduces faithfully the behavior of the real browser and therefore is not easily fingerprinted by malicious content.

    • Dynamic analysis in emulated browser The analysis subject (such as an HTML file or URL) was inspected using the emulated browser. The emulated browser has the ability to dynamically emulate different browser "personalities" (for example, changing its user-agent or varying the APIs that it exposes). This capability is useful when analyzing malicious content that targets specific browser types or versions. On the downside, this browser is less realistic and can possibly be fingerprinted by malicious content.

    • Dynamic analysis in simulated file-viewer The analysis subject (such as a PDF file) was inspected using the simulate file-viewer. The viewer can detect embedded contents and links.

    • Archive inflation The analysis subject (an archive) was inflated: its contents have been extracted and, if of appropriate type, have been submitted for analysis.

  • Password used If available, the password that was used by the VMware backend to successfully decrypt the sample is provided.