Once the attachment(s) have been fully processed you will be shown a brief scan result with the option to View Results, i.e. the Sandbox Analysis Report. This report gives insight into what occurred during the sandbox process and the signatures that led to its scan result. Each part of the analysis process is broken down into sections:

View the Sandbox Analysis Report


  1. Once the sandbox process is complete, click View Results.
  2. An authorization code will be sent to your email address. Enter the authorization code you received.
    • Admin accounts do not require an authorization code when using the Admin Console.
  3. The Sandbox Analysis Report is then loaded for viewing.

Sandbox Analysis Report Breakdown

Basic information to help you understand each part of your Sandbox Analysis Report.

Attachment and Sandbox Details

At the top of every report is an Overview with file details and basic information about the sandbox used during the process. File details include size, type, MD5, SHA1, SHA256, and CRC32 – this is the attachment's identity.
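Before acting on a report's verdict it is worth confirming that the file in hand is the one the Overview describes. The following is an added example, not code from the sandboxing product: it recomputes the four identity fields listed above (MD5, SHA1, SHA256, CRC32) plus size, and compares them with values copied from a report. The field names and the sample bytes are assumptions chosen for the example.

```python
import hashlib
import zlib


def attachment_identity(data: bytes) -> dict:
    """Return the identity fields the report Overview lists for a file.

    CRC32 is rendered as 8 zero-padded lowercase hex digits so it can be
    compared to a printed value; zlib.crc32 returns an unsigned int.
    """
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "CRC32": f"{zlib.crc32(data):08x}",
        "size": len(data),
    }


def verify_against_report(data: bytes, reported: dict) -> list:
    """Compare recomputed identity fields with the values a report states.

    Returns the names of fields that do not match; an empty list means the
    file matches every field the report provided. Hex digests are compared
    case-insensitively, and fields missing from the report are skipped.
    """
    computed = attachment_identity(data)
    mismatches = []
    for field, expected in reported.items():
        if field not in computed:
            continue  # unknown field name in the copied Overview; ignore
        if field == "size":
            if int(expected) != computed["size"]:
                mismatches.append(field)
        elif str(expected).strip().lower() != computed[field]:
            mismatches.append(field)
    return mismatches


if __name__ == "__main__":
    # Constructed sample: the bytes stand in for the attachment, the dict
    # for the Overview values copied out of a report (field names assumed).
    sample = b"hello"
    overview = {"MD5": "5D41402ABC4B2A76B9719D911017C592", "size": 5}
    print(attachment_identity(sample))
    print("mismatched fields:", verify_against_report(sample, overview))
```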



Sandbox Process Tree

The Process Tree logs, in order of occurrence, all processes that took place during the Sandbox Analysis.



Sandbox Screenshots

Screenshots of the sandbox environment during the analysis process, i.e. a visual record of how the sandbox was affected.



Sandbox Signatures

Signatures are the significant behaviors that led to the scan result, e.g. network connections, downloads, creating files, modifying system files, etc. Each signature has a brief description, is color coded, and is placed in order of severity.

Normal Signatures

Common procedures or connections that are expected: process crashes, system lookups, etc. e.g. checking the amount of memory in the system, which could be used to identify a virtual system.

Warning Signatures

Processes, connections, and other behaviors that are suspicious and possibly dangerous. e.g. a URL downloaded by a PowerShell script, or PowerShell sending data to a remote host.

Dangerous Signatures

Malicious processes, connections, and behaviors generally seen when executing malware/viruses. e.g. checking for anti-virus software, or dropping a binary file and executing it.


Files Created

A basic breakdown of any files created after the attachment was executed; these can be simple log files or ransomware at work. The created file details include filename, path, size, type, MD5, SHA1, SHA256, and CRC32.


HTTP & HTTPS Requests

Details on any HTTP & HTTPS requests that were attempted or made during the testing. Details include the requested URL, what was requested, and the response. These connections could be used to download or send data.


DNS Requests

Details of any DNS records requested during the process, such as A records.


ICMP Traffic

Internet Control Message Protocol (ICMP) traffic details, including Source IP, Source Port, Dest IP, & Dest Port.


TCP Traffic

Transmission Control Protocol (TCP) traffic details, including Source IP, Source Port, Dest IP, & Dest Port.


UDP Traffic

User Datagram Protocol (UDP) traffic details, including Source IP, Source Port, Dest IP, & Dest Port.
