5.3.5. `Analysers` screen of the Web UI
This screen displays the status of the various analysis engines. When the `Analysers` command is pressed, the following screen is displayed.
Marker | Engine | Engine function
---|---|---
1 | Grip | Static analysis
2 | Goasm | Shellcode detection
3 | Gdgadetect | Domain name detection
4 | Gnest | Dynamic analysis within a virtual machine
5 | Gmalcore | Static and heuristic analysis
The following information is displayed for each engine:

Marker | Name | Grip Engine | Goasm Engine | Gdgadetect Engine | Gnest Engine | Gmalcore Engine
---|---|---|---|---|---|---
1 | Type | Static analysis | Shellcode detection | Detection of domain names generated by a Domain Generation Algorithm (DGA) | Executes the file in a virtual machine and analyses its behaviour | Static and multi-engine heuristic analysis
2 | Capabilities | Analysis | Provides a score for the potential danger and names the shellcode detected | Provides a compromise score | Names the problem detected | Provides a score for the potential danger and names the problem detected
3 | Config | Not configurable, so this field is not displayed | Not configurable, so this field is not displayed | Not configurable, so this field is not displayed | Virtual machine management: adding, deleting, logging | Gmalcore engine management
4 | x jobs | Number of jobs queued or in progress (analyses in status NEW + IN PROGRESS) | Same as Grip | Same as Grip | Same as Grip | Same as Grip
5 | Ability to carry out analyses | This engine has no requirements, so it is always in the `ready` state | Same as Grip | Same as Grip | The engine is in the `ready` state if the number of VMs in the GBox equals the number of VMs in CAPE, the dynamic analysis engine | The engine is in the `ready` state if all the antivirus engines are installed and the API is up
6 | Engine status | UP: the engine API is listening. DOWN: the engine API is not active | Same as Grip | Same as Grip | Same as Grip | Same as Grip

Tip: if an engine is in `DOWN` status, wait a moment. If it remains in `DOWN` status, contact Gatewatcher support.

Tip: if the Gmalcore engine is in `DOWN` status, restart the Malcore service or reinstall it (see the `Services` command). If it remains in `DOWN` status, contact Gatewatcher support. A `Not Ready` status for the Gmalcore engine does not necessarily indicate that the engine is unable to perform scans, but it does indicate that at least one of the 16 antivirus engines is out of date or out of service.

5.3.5.1. Grip engine
Parameter | Value
---|---
Maximum file size | 50 MB
Analysis timeout | 2 minutes
Type | light
5.3.5.1.1. Viewing the Grip status
5.3.5.2. Goasm engine

Parameter | Value
---|---
Maximum file size | 50 MB
Analysis timeout | 4 to 6 minutes
Type | rapid

If the analysis fails, an error message is shown in the `Shellcode` section of the report: the engine simply stops scanning the file byte by byte.
5.3.5.3. Gdgadetect engine
5.3.5.3.1. Introduction to the DGA Algorithm
5.3.5.3.2. Analysis
Detection relies on a pre-trained model whose architecture is a deep neural network of the LSTM type (Long Short-Term Memory network); it is trained on domain names and scores each submitted name by how much it resembles algorithmically generated ones.
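To show what a character-level sequence model does with a domain name, the following is an added example (not Gatewatcher's Gdgadetect code): instead of the product's pre-trained LSTM it trains the simplest sequence model, a smoothed character-bigram model, on a small constructed list of benign labels, and computes the lexical features DGA classifiers typically consume alongside such a model. The corpus, the threshold of -3.2 and the label extraction are assumptions for the demonstration; with a corpus this small, scores are only meaningful relative to each other.

```python
"""Scoring domain labels for DGA likelihood with a character-level sequence model.

Added illustration, not GBox code. Gdgadetect uses a pre-trained LSTM; this
stand-in uses a character-bigram model with add-k smoothing trained on a tiny,
constructed list of benign labels, plus the usual lexical features.
"""
import math
from collections import Counter

# Constructed training corpus of benign second-level labels (assumption; a real
# model needs millions of labels).
BENIGN_LABELS = [
    "google", "facebook", "amazon", "microsoft", "wikipedia", "youtube",
    "twitter", "instagram", "linkedin", "netflix", "apple", "github",
    "reddit", "mozilla", "cloudflare", "dropbox", "salesforce", "adobe",
    "oracle", "paypal", "spotify", "yahoo", "slack", "shopify", "airbnb",
    "example", "support", "update", "mail", "news",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
VOWELS = set("aeiou")
START, END = "^", "$"


class BigramModel:
    """P(next char | current char) with add-k smoothing over ALPHABET + END."""

    def __init__(self, labels, k=0.5):
        self.k = k
        self.vocab = len(ALPHABET) + 1          # any char may be followed by END
        self.bigram = Counter()
        self.unigram = Counter()
        for label in labels:
            seq = START + label.lower() + END
            for a, b in zip(seq, seq[1:]):
                self.bigram[(a, b)] += 1
                self.unigram[a] += 1

    def mean_log_prob(self, label):
        """Average log-probability per transition; random strings score low."""
        seq = START + label.lower() + END
        total = 0.0
        for a, b in zip(seq, seq[1:]):
            p = (self.bigram[(a, b)] + self.k) / (self.unigram[a] + self.k * self.vocab)
            total += math.log(p)
        return total / (len(seq) - 1)


def second_level_label(domain):
    """'www.example.com' -> 'example'; DGAs randomise this label.

    Assumption: no public-suffix list, so 'example.co.uk' yields 'co'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(label):
    """Lexical features commonly fed to DGA classifiers beside the sequence model."""
    counts = Counter(label)
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in VOWELS for ch in label)
    longest = run = 0
    for ch in label:                  # digits and hyphens break a consonant run
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "length": n,
        "entropy": entropy,
        "digit_ratio": digits / n,
        "vowel_ratio": vowels / n,
        "longest_consonant_run": longest,
    }


def is_dga_like(domain, model, threshold=-3.2):
    """Flag a domain whose label is improbable under the benign model.

    The threshold is an assumption tuned only for the toy corpus above."""
    return model.mean_log_prob(second_level_label(domain)) < threshold


if __name__ == "__main__":
    model = BigramModel(BENIGN_LABELS)
    # Constructed sample: one benign domain, one DGA-style domain.
    for d in ("www.google.com", "xjq7v2kpl9.net"):
        label = second_level_label(d)
        print(d, round(model.mean_log_prob(label), 2), is_dga_like(d, model), features(label))
```

An LSTM replaces the bigram table with a learned state that remembers the whole prefix, which is why it separates pronounceable-but-random labels far better than this toy; the alert fields Gdgadetect reports (a compromise score) correspond to the model's output probability rather than a fixed threshold on a log-likelihood.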
5.3.5.3.3. Displaying DGA alerts
DGA alerts are displayed on the `Quick analysis` page.

5.3.5.4. Gnest engine
Parameter | Value
---|---
Maximum file size | 50 MB
Analysis timeout | 1 hour
Type | slow
5.3.5.5. `Gnest configuration` screen

Item | Description
---|---
1 | `Manage virtual machines` zone: this zone enables creating new virtual machines and groups the items below
2 | Base name of the virtual machine(s) (VM)
3 | Number of machine(s) to create
4 | Enables deleting one or more VMs
5 | Displays the VM management history window
6 | Starts the creation of virtual machine(s)
7 | Value of the processor quantity allocated to the VM
8 | Deletes the selected machine
9 | Value of the amount of memory allocated to the VM
10 |
5.3.5.6. Gmalcore engine

The Gmalcore engine provides:

- detection of malware by means of a static and heuristic multi-engine analysis of files in real time
- scanning via 16 antivirus engines
- a scanning capacity close to 200,000 files per 24 hours
- the name(s) of the threat and a threat score
- rapid identification of threats

`engine hash` in the web interface.

Parameter | Value
---|---
Maximum file size | 50 MB
Analysis timeout | 2 minutes
Type | light

Gmalcore results are shown in the `Heuristic` section of the GBox analysis report.

5.3.5.7. `Gmalcore configuration` screen
This screen displays:

- the status of the Gmalcore engines
- the date of the last installed update

When the `Config` link is pressed, the following screen is displayed.

Item | Description
---|---
1 | Configuration status message. `Engine is running, but no AV found. Please update.` means that an update for the Gmalcore engines must be installed
2 | This area displays the antivirus engine status, with the following information:
3 |
4 |
5 |
6 |
7 |

The implementation of the Gmalcore configuration is described in the procedure to configure the Gmalcore engine.
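The readiness and status rules of the `Analysers` table (rows 4 to 6), the tips that follow it and the `Gmalcore configuration` status message, encoded as a check that a monitoring script could run against each engine. This is an added example, not GBox code: the page documents the Web UI only, so the snapshot fields (`api_listening`, `analyses`, `vms_gbox`, `vms_cape`, `av_engines_ok`) are assumptions about what such a script would collect.

```python
"""Evaluate GBox analyser engine state from a status snapshot.

Added illustration of the rules stated on the Analysers and Gmalcore
configuration screens; not GBox code. The snapshot structure is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ACTIVE_STATES = {"NEW", "IN PROGRESS"}   # counted as "x jobs" in the table
GMALCORE_AV_ENGINES = 16                 # number of antivirus engines stated on the page
NO_AV_MESSAGE = "Engine is running, but no AV found. Please update."


@dataclass
class EngineSnapshot:
    name: str                                   # Grip, Goasm, Gdgadetect, Gnest or Gmalcore
    api_listening: bool                         # UP when True, DOWN when False
    analyses: List[str] = field(default_factory=list)   # status of each submitted job
    vms_gbox: Optional[int] = None              # Gnest: VMs declared in the GBox
    vms_cape: Optional[int] = None              # Gnest: VMs known to CAPE
    av_engines_ok: Optional[int] = None         # Gmalcore: AV engines installed, up to date, in service


def count_jobs(analyses):
    """x jobs: analyses in status NEW or IN PROGRESS (queued or running)."""
    return sum(1 for status in analyses if status in ACTIVE_STATES)


def is_ready(snap):
    """Ability to carry out analyses, per engine, as the table defines it."""
    name = snap.name.lower()
    if name == "gnest":
        # ready only when GBox and CAPE agree on the number of VMs
        return snap.vms_gbox is not None and snap.vms_gbox == snap.vms_cape
    if name == "gmalcore":
        # ready only when every AV engine is installed and the API is up
        return snap.api_listening and snap.av_engines_ok == GMALCORE_AV_ENGINES
    return True  # Grip, Goasm and Gdgadetect have no requirements


def evaluate(snap):
    """Return status, readiness, job count and the action the page recommends."""
    name = snap.name.lower()
    status = "UP" if snap.api_listening else "DOWN"
    ready = is_ready(snap)
    if status == "DOWN":
        if name == "gmalcore":
            action = ("restart or reinstall the Malcore service (Services command); "
                      "contact support if still DOWN")
        else:
            action = "wait a moment; contact support if still DOWN"
    elif name == "gmalcore" and not ready:
        # Not Ready: the engine may still scan, but an AV engine is out of date
        # or out of service; with no AV at all the config screen shows NO_AV_MESSAGE
        action = ("update: at least one of the 16 AV engines is out of date or out of service"
                  if snap.av_engines_ok else NO_AV_MESSAGE)
    elif name == "gnest" and not ready:
        action = "VM count differs between GBox and CAPE; check the Gnest configuration"
    else:
        action = "none"
    return {"engine": snap.name, "status": status, "ready": ready,
            "jobs": count_jobs(snap.analyses), "action": action}


if __name__ == "__main__":
    # Constructed snapshots, not real GBox output.
    samples = [
        EngineSnapshot("Grip", True, ["NEW", "DONE"]),
        EngineSnapshot("Gnest", True, ["NEW", "IN PROGRESS", "DONE"], vms_gbox=3, vms_cape=2),
        EngineSnapshot("Gmalcore", True, [], av_engines_ok=15),
        EngineSnapshot("Gmalcore", False, []),
    ]
    for snap in samples:
        print(evaluate(snap))
```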