2.1.4. Overview of the Gnest engine

The Gnest analysis engine enables dynamic analysis.
It executes the file in a virtual machine (sandbox) and analyses its behaviour.
Once the run completes, the data generated during the analysis can be extracted, such as a dump of the memory, the extracted character strings, or a capture of network communications (pcap).
When connected to the GCenter, this engine is used for the in-depth, second-pass analysis of a file already classified as suspicious or malicious.
This analysis is slower, and its results require an experienced operator to interpret.
This data is displayed in the Detailed report, more specifically in its TOP, Iocs, Ttps, Overview, Signatures and Process Tree sections.
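As an added illustration of what an operator does with the artefacts listed above (this is example code written for this page, not code from the Gnest engine or the GCenter product), the following Python routine carves printable ASCII and UTF-16LE strings out of a memory dump and buckets them into the kinds of indicator that are reviewed in the Iocs section. The dump bytes are constructed for the example, the 4-character minimum is the conventional default of the classic `strings` tool, and the category names (`url`, `ipv4`, `windows_path`, `other`) are assumptions of the example, not Gnest settings.

```python
import re
from typing import Dict, List, Tuple

# Memory dump bytes constructed for this example: binary noise around an
# ASCII URL, a UTF-16LE Windows path, a fragment that is too short to count,
# and an IPv4 address.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"http://example.invalid/update.bin\x00"
    + b"\x7f\x7f\x10"
    + "C:\\Users\\Public\\run.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe ab\x00"          # " ab" is below the minimum length and is skipped
    + b"192.0.2.10\x00"
)

# (offset in the dump, encoding, decoded text)
Found = Tuple[int, str, str]


def extract_strings(blob: bytes, min_len: int = 4) -> List[Found]:
    """Carve printable ASCII and UTF-16LE runs of at least min_len characters.

    min_len defaults to 4 (the classic `strings` default; an assumption here,
    not a Gnest setting). Results are ordered by offset in the dump.
    """
    # Printable ASCII (space to tilde) plus tab.
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    # UTF-16LE text in the same range: printable byte, NUL, printable byte, NUL, ...
    utf16_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)

    found: List[Found] = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda f: f[0])
    return found


# Indicator categories (names assumed for this example) and the patterns that
# select them. Anything unmatched is kept under "other" so nothing is lost.
_CATEGORY_PATTERNS = [
    ("url", re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),   # loose dotted-quad check
    ("windows_path", re.compile(r"^[A-Za-z]:\\")),
]


def categorize(text: str) -> str:
    """Return the first matching indicator category for a carved string."""
    for name, pattern in _CATEGORY_PATTERNS:
        if pattern.match(text):
            return name
    return "other"


def triage(blob: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Group the carved strings by indicator category, preserving dump order."""
    report: Dict[str, List[str]] = {}
    for _offset, _encoding, text in extract_strings(blob, min_len):
        report.setdefault(categorize(text), []).append(text)
    return report


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_DUMP):
        print(f"0x{offset:08x} {encoding:8} {text}")
    print(triage(SAMPLE_DUMP))
```

Run against a real dump, `extract_strings()` would be fed the memory image exported from the analysis; the two encodings are searched separately because Windows user-mode memory holds most paths and registry names as UTF-16LE, which a plain ASCII scan misses entirely.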

Maximum file size: 50 MB

Analysis timeout: 1 hour

Type: slow


2.1.4.1. Viewing the Gnest status

The current state of the engine is shown in the `Analysers` screen of the Web UI.


2.1.4.2. Gnest update

Updates for the Gnest engine are delivered as packages.
They can be applied manually or scheduled via GUM.

2.1.4.3. Configuring the Gnest

Gnest is configured through templates; the Gnest settings within a template enable:

  • Choosing the active virtual machine

  • Activating the VM's network interface

  • Configuring the maximum execution time in the VM

  • Enabling or disabling the memory dump at the end of the analyses performed by Gnest

The graphical interface for template management is described in the `Admin/Templates` screen of the Web UI.
The step-by-step procedure is given in the Procedure to configure the Gnest engine.

2.1.4.4. Configuring Sandbox services

Configuration consists of:

  • Enabling or disabling the output interface to the Internet

  • Configuring this interface (IP address, etc.)

  • Configuring a proxy to access the Internet

This configuration is performed with the `services` command in the configuration menu accessible to the setup user.
The graphical interface is described in the `Services` command section.

Important

This proxy is independent of any proxy configured via the Web UI. It is used solely for installing software.