5.3.5. `Analysers` screen of the Web UI

This screen displays the status of the various analysis engines.

When the `Analysers` command is pressed, the following screen is displayed.

../../_images/GBOX_ANALY_01.PNG

| Marker | Engine | Engine function |
|---|---|---|
| 1 | Grip engine | Static analysis |
| 2 | Goasm engine | Shellcode detection |
| 3 | Gdgadetect engine | Domain name detection |
| 4 | Gnest engine | Dynamic analysis within a virtual machine |
| 5 | Gmalcore engine | Static and heuristic analysis |

The following information is displayed for each engine:

../../_images/GBOX_ANALY_02.PNG

| Marker | Field | Grip Engine | Goasm Engine | Gdgadetect Engine | Gnest Engine | Gmalcore Engine |
|---|---|---|---|---|---|---|
| 1 | Type | Static analysis | Shellcode detection | Detection of domain names generated by a Domain Generation Algorithm (DGA) | Executes the file in a virtual machine and analyses its behaviour | Static and multi-engine heuristic analysis |
| 2 | Capabilities | Analysis | Provides a score for the potential danger and names the shellcode detected | Provides a compromise score | Names the problem detected | Provides a score for the potential danger and names the problem detected |
| 3 | Config | Not configurable, so this field is not displayed | Not configurable, so this field is not displayed | Not configurable, so this field is not displayed | Virtual machine management: adding, deleting, logging | Gmalcore engine management |
| 4 | `x jobs`: number of tasks in progress (analysis status NEW + IN PROGRESS) | Number of jobs awaiting processing | Number of jobs awaiting processing | Number of jobs awaiting processing | Number of jobs awaiting processing | Number of jobs awaiting processing |
| 5 | Ability to carry out analyses | This engine has no requirements, so it is always in the `ready` state | This engine has no requirements, so it is always in the `ready` state | This engine has no requirements, so it is always in the `ready` state | The engine is in the `ready` state if the number of VMs in the GBox is the same as in CAPE (the dynamic analysis engine) | The engine is in the `ready` state if all the engines are installed and the API is up |
| 6 | Engine status | UP: the engine API is listening; DOWN: the engine API is not active | UP: the engine API is listening; DOWN: the engine API is not active | UP: the engine API is listening; DOWN: the engine API is not active | UP: the engine API is listening; DOWN: the engine API is not active | UP: the engine API is listening; DOWN: the engine API is not active |

Tip

If the engine status (Grip, Goasm, Gdgadetect or Gnest) is `DOWN`, wait a moment.
If the engine remains in the `DOWN` status, contact Gatewatcher support.

Tip

If the Gmalcore engine status is `DOWN`, restart the Malcore service or reinstall the Malcore service: see the `Services` command.
If the engine remains in the `DOWN` status, contact Gatewatcher support.
The `Not Ready` status for the Gmalcore engine does not necessarily mean that the engine is unable to perform scans; it does mean that at least one of the 16 antivirus engines is out of date or out of service.

5.3.5.1. Grip engine

However, it is useful for quickly analysing the file's metadata if it is classified as suspicious or malicious.
It is used to obtain information about the file prior to more in-depth analysis.
This data is displayed in the detailed report, more specifically in the TOP and Static sections (see Detailed report).

| Maximum file size | Analysis timeout | Type |
|---|---|---|
| 50 MB | 2 minutes | light |


5.3.5.1.1. Viewing the Grip status


5.3.5.2. Goasm engine

This analysis engine detects and analyses shellcode.
It identifies certain encodings and provides details of the system calls made.
The engine assigns a score to the potential danger and names the shellcode detected.
This data is displayed in the detailed report, more specifically in the TOP and Shellcode sections (see Detailed report).

| Maximum file size | Analysis timeout | Type |
|---|---|---|
| 50 MB | 4 to 6 minutes | rapid |

Goasm can be considered fast for small files (< 5 MB).
For large text files (> 5 MB), detection takes longer because the whole binary must be scanned for shellcode patterns.
Goasm's internal analysis timeout (4 min) can therefore be reached.
The external engine timeout is set at 6 min.
In the event of an internal timeout:
  • an error message is shown in the `Shellcode` section of the report;

  • the engine simply stops scanning the file byte by byte.

In the event of an external timeout (an error occurred or Goasm is blocked), the report contains an error mentioning a timeout. In this case, restart the analysis.
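To illustrate the two timeout levels described above, here is an added Python sketch; it is not Goasm's code, and the single NOP-sled pattern, the function names and the fake `StepClock` are constructed for the demo. An internal scan budget stops the byte-by-byte scan early and flags the partial result, while a job-level external timeout around the engine reports a timeout that requires a restart.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass

INTERNAL_TIMEOUT_S = 4 * 60  # Goasm's own scan budget (4 min, as stated above)
EXTERNAL_TIMEOUT_S = 6 * 60  # job-level limit enforced around the engine (6 min)
PATTERNS = {"nop-sled": b"\x90" * 8}  # constructed demo signature, not Goasm's

@dataclass
class ShellcodeResult:
    matches: list        # (pattern name, byte offset) pairs found so far
    bytes_scanned: int   # offset at which the byte-by-byte scan stopped
    error: str = ""      # non-empty on an internal timeout

class StepClock:
    # Fake clock for the demo: advances by `step` seconds on every call.
    def __init__(self, step):
        self.now, self.step = 0.0, step
    def __call__(self):
        self.now += self.step
        return self.now

def scan_bytes(data, patterns=PATTERNS, budget_s=INTERNAL_TIMEOUT_S, clock=time.monotonic):
    # Internal timeout: stop when the budget is spent, keep the matches found so far
    # and flag the result so the report's Shellcode section can show an error.
    deadline = clock() + budget_s
    matches = []
    for offset in range(len(data)):
        if clock() > deadline:
            return ShellcodeResult(matches, offset, "internal timeout: scan stopped early")
        for name, pattern in patterns.items():
            if data.startswith(pattern, offset):
                matches.append((name, offset))
    return ShellcodeResult(matches, len(data))

def run_job(scan, data, external_timeout_s=EXTERNAL_TIMEOUT_S):
    # External timeout: if the engine never answers (error or blocked), the job
    # is marked as timed out and the analysis has to be restarted.
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(scan, data)
    try:
        return {"status": "done", "result": future.result(timeout=external_timeout_s)}
    except FutureTimeout:
        return {"status": "timeout", "error": "external timeout: restart the analysis"}
    finally:
        pool.shutdown(wait=False)

def slow_scan(data):
    time.sleep(0.3)  # stands in for a blocked engine (demo only)
    return scan_bytes(data)
```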

5.3.5.3. Gdgadetect engine

5.3.5.3.1. Introduction to the DGA Algorithm

The GBox includes an engine capable of detecting domain names generated by a Domain Generation Algorithm (DGA).
The presence of DGA-generated domain names on a network is a strong indicator of compromise.
Malware can use HTTP requests to automatically generated domain names to contact its command and control servers, also called CnC, C&C or C2.
These domain names have different properties from legitimate domain names.
Conventional detection approaches, such as blacklists, are not relevant for continuously renewed domains.
Simple entropy calculations result in a large number of false positives.
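To make the false-positive point concrete, here is an added Python example; it is not part of the GBox documentation or of the Gdgadetect engine, and the sample domain names and the 3.5-bit threshold are constructed for the demo. A naive per-label Shannon entropy rule flags the DGA-style name, but it also flags a legitimate hash-style CDN label.

```python
import math
from collections import Counter

def shannon_entropy(text):
    # Bits per character; 0.0 for a string made of one repeated character.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def max_label_entropy(domain):
    # Highest entropy over the labels left of the TLD (the TLD itself is ignored).
    labels = domain.lower().strip(".").split(".")[:-1]
    return max((shannon_entropy(label) for label in labels if label), default=0.0)

def flag_by_entropy(domain, threshold=3.5):
    # Naive DGA rule: suspicious if any label reaches the entropy threshold.
    return max_label_entropy(domain) >= threshold

# Constructed sample names with their ground truth (True = DGA); not real indicators.
SAMPLES = {
    "www.gatewatcher.com": False,          # ordinary dictionary-like label
    "xk3q9zpl2vwm7.net": True,            # DGA-style: 13 distinct characters
    "cdn-a7f3e91b2c.example.com": False,  # legitimate hash-style CDN label
}

def false_positives(samples=SAMPLES, threshold=3.5):
    # Legitimate names that the entropy rule nevertheless flags.
    return [d for d, is_dga in samples.items()
            if flag_by_entropy(d, threshold) and not is_dga]
```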

5.3.5.3.2. Analysis

Detection relies on a pre-trained model whose architecture is a deep neural network of the LSTM type (Long Short-Term Memory network).


5.3.5.3.3. Displaying DGA alerts

The analysis is carried out on the `Quick analysis` page.
Depending on the result, a green or red icon indicates whether it is a DGA or not.

5.3.5.4. Gnest engine

The Gnest analysis engine performs dynamic analysis.
It executes the file in a virtual machine (sandbox) and analyses its behaviour.
Following this, it is possible to extract the data generated during the analysis, such as a memory dump, the extracted character strings, or a capture of the network communications (pcap).
When connected to the GCenter, this engine is useful for the in-depth analysis of a file classified as suspicious or malicious, during a second analysis of the file.
This analysis is slower and requires an experienced operator to interpret the results.
This data is displayed in the Detailed report, more specifically in the TOP, Iocs, Ttps, Overview, Signatures and Process Tree sections.

| Maximum file size | Analysis timeout | Type |
|---|---|---|
| 50 MB | 1 hour | slow |


5.3.5.5. `Gnest configuration` screen

This screen enables managing the virtual machines of the Gnest engine.
After clicking on the Gnest engine link, the following screen is displayed.

../../_images/GBOX_ANALY_04.PNG

| Item | Description |
|---|---|
| 1 | `Manage virtual machines` zone: this zone enables creating new virtual machines. It includes: |
| 2 | • `Machine(s) base name` field: base name of the virtual machine(s) (VM) |
| 3 | • `Machine(s) count` field: number of machine(s) to create |
| 6 | • `ADD` button: starts the creation of the virtual machine(s) |
| 4 | `BATCH DELETE` button: enables deleting one or more VMs |
| 5 | `HISTORY` button: displays the VM management history window |
| 10 | `Default`: the existing virtual machine, displayed under its name (here the default machine). It includes the following information: |
| 9 | • `Memory` field: amount of memory allocated to the VM |
| 7 | • `CPU` field: number of processors allocated to the VM |
| 8 | • `Delete this machine` button: deletes the selected machine |

Adding or deleting VMs waits until the current Gnest analyses have finished and blocks the next analyses.
However, if a VM template is deleted while jobs are still pending, those jobs are switched to the error state.
The procedure is given in Procedure to configure the Gnest engine.

5.3.5.6. Gmalcore engine

The Gmalcore engine provides:

  • detection of malware by means of a static and heuristic multi-engine analysis of files in real time

  • scanning via 16 anti-virus engines

  • a scanning capacity close to 200,000 files per 24 hours

  • the name(s) of the threat and a threat score

  • rapid identification of threats

The 16 anti-virus engines are displayed under the name `engine hash` in the web interface.

| Maximum file size | Analysis timeout | Type |
|---|---|---|
| 50 MB | 2 minutes | light |

Events generated by Gmalcore are displayed in the `Heuristic` section of the GBox analysis report.

5.3.5.7. `Gmalcore configuration` screen

This screen provides information on the Gmalcore engine configuration:
  • the status of the Gmalcore engines

  • the date of the last installed update

After clicking on the Gmalcore Engine `Config` link, the following screen is displayed.

../../_images/GBOX_ANALY_03.PNG

| Item | Field | Function |
|---|---|---|
| 1 | Configuration status message | `Engine is running, but no AV found. Please update.`: an update must be installed for the Gmalcore engines |
| 2 | `ENGINES STATUS` | This area displays the antivirus engine status, with the following information: |
| 3 | • coloured icons | Each engine is preceded by an icon indicating how long ago the engine signatures were updated |
| 7 | • `ENGINE HASH` | The 16 anti-virus engines are displayed under the name "engine hash" |
| 6 | • `LAST UPDATE` | Date of the last update |
| 5 | • `STATUS` | Icon indicating the status and age of the last update |
| 4 | • `STATE` | Engine status (PRODUCTION, DOWNLOADED...) |

The procedure for the Gmalcore configuration is given in Procedure to configure the Gmalcore engine.