8.2.5. Procedure to analyse the contents of a report

8.2.5.1. Introduction

The detailed analysis report shows the information provided by the valid analysis engines during the analysis.
The various fields displayed are described in Detailed report.
This report must be reviewed by an analyst.

8.2.5.2. Prerequisites

  • User: member of Operators Group


8.2.5.3. Preliminary operations


8.2.5.4. Report selection procedure

(Screenshot: HOME_OP05.PNG)
  • In the reports area, click on the ID of the desired report (1).

  • Bear in mind the status (9) of the report:

    • For the `In queue` status, wait for the file to be analysed.

    • For the `In Progress` status, wait until the file has been analysed.

      Tip

      If the `In Progress` status takes too long, you can click on the ID to see the processing details.
      Click on the engine information button to view the status of its analysis.
    • For the `Error` status, see Procedure for analysing reports with an `Error` status.

    • For the `Clean` status, before confirming that the file is clean, check whether the active engines are indeed the relevant ones...

    • For the `Malicious` status, refer to Procedure for analysing reports having a `Malicious` status.


8.2.5.5. Procedure for analysing reports with an `Error` status

  • Click on the corresponding ID.
    A window opens showing the detailed report.
(Screenshot: GBOX_RAPPORT_01.PNG)

Zone (1) denotes that the analysis failed and that the engines are reporting errors.

  • For more information, click on the information icon (2) to see the details of the error.
    Example: `gmalcore: Malcore analysis error for task id ****. Scan result code received: 10`
  • On the basis of the code read on the screen, refer to the following table to identify the reason and choose the appropriate solution.
Codes analysis results

Value  Short description              Long description
-----  -----------------------------  ---------------------------------------------------------------
0      No threat detected             No threat detected or file is empty.
1      Infected/known                 A threat was detected.
2      Suspicious                     Listed as a possible threat although not identified as a
                                      specific threat.
3      Scan failed                    The scan is not fully completed, e.g. invalid file or no read
                                      permission. If no engine is included and analysis is enabled,
                                      this will be the final result.
5      Unknown                        Signature unknown. NOTE: this is only used when searching for
                                      multiple hashes. For single hash searches, scan_result is not
                                      displayed as a response.
7      Cleaning ignored               The analysis is ignored because this type of file is included
                                      in the authorisation list.
8      Infection ignored              The scan is ignored because this type of file is on the
                                      blocked list.
9      Archiving depth exceeded       No threat was found; however, there are further archive
                                      levels that have not been extracted.
10     Not scanned / No scan results  The scan is ignored by the engine owing to an update or some
                                      other engine-specific reason. If the analysis is disabled,
                                      this will be the final result.
11     Aborted                        The analysis in progress was discontinued due to a problem.
12     Encrypted                      The file/buffer was not scanned because the file type is
                                      detected as encrypted and password-protected.
13     Archive size exceeded          The extracted archive is too large to be analysed.
14     Archive file number exceeded   There are more files in the archive than are configured on
                                      the server.
15     Password-protected document    A password-protected document (for example, Office documents
                                      or PDF files requiring a password to view their contents).
                                      If a file is a password-protected document, no disinfection
                                      will be performed. Supported file formats include: PDF, DOCX,
                                      DOC, DOCM, DOTX, DOTM, DOT, PPTX, PPT, POT, POTM, POTX, PPS,
                                      PPSM, PPSX, PPTM, XLSX, XLS, XLSM, XLSB, XLTX, XLTM, XLT,
                                      XLAM, XLA.
16     Archive timeout exceeded       The archiving process reached the given timeout value, a
                                      predefined value of 30 minutes.
17     Offset                         The file extension does not match the detected file type.
18     Potentially vulnerable file    A possible vulnerability was detected in the file analysed.
19     Cancelled                      The file analysis was cancelled because it could not be
                                      analysed after repeated attempts.
23     Unsupported file type          The engine does not support analysis of this file type. Some
                                      engines only scan specific file types such as executable
                                      files or documents.
254    In the queue                   The file was added to the analysis queue and is waiting to
                                      be processed.
255    In progress                    Scanning is in progress.


8.2.5.6. Procedure for analysing reports having a `Malicious` status

  • Click on the corresponding ID.
    A window opens showing the detailed report.
(Screenshot: GBOX_RAPPORT_02.PNG)
The various fields displayed are described in Procedure for analysing reports with an `Error` status.
  • Refer to the summary of the analysis stages (2).
    Each engine should receive a tick to indicate that its analysis was successful.
    If this is not the case, click on the `i` icon for information on the engine's status: resolve the issue before relaunching the analysis.
    The normal case is that all the engines present are OK. The colour of the GBox icon indicates whether the result is clean or malicious.
  • Consult the results of the analysis (1): the score, the overall condition.
    Reminders:
    • A score is only provided for the Gmalcore and Goasm engines

    • The score is only displayed for engines running at the time of the analysis, visible in the summary of analysis stages (2).

Important

The SCORE field only has a meaning for the pre-selected engine. It does not indicate whether the file analysed is clean, only that it has been declared clean by this engine.

  • Refer to the information in the optional zones (3) and analysis sections (4).
    Reminders:
    • The chart is only available if Gnest is part of the template. The data required for the chart is generated by this engine.

    • This chart shows how dangerous the analysed file is.

    • The optional analysis sections depend on the engine(s) active in the template used.

  • If required, click on button (5) `ALL ARTEFACTS`.
    This enables downloading of artefacts resulting from the analysis, such as memory dump, network capture (pcap), and character strings detected.
    This section also enables the removal of artefacts.
    This button is only available if the Gnest engine is active.
  • If necessary, click on the `REPORT` button.
    This enables downloading the report in pdf format.
  • If necessary, click on the `RETRY` button.
    This enables re-running the analysis of this file with this or another template.
  • If necessary, click on the `SAMPLE` button.
    This enables the analysed file to be downloaded.
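The following Python script is an added example (not part of this documentation or the product): it parses engine status messages of the shape quoted above (`gmalcore: Malcore analysis error for task id ****. Scan result code received: 10`), looks the code up in the "Codes analysis results" table, and applies the analyst checks from this section (every engine of the template must have run and returned a verdict before a `Clean` status is confirmed). The message text for non-error engines, the engine names and the set of codes treated as a real verdict are assumptions.

```python
import re

# Result codes as listed in the "Codes analysis results" table of this section.
SCAN_RESULT_CODES = {
    0: "No threat detected", 1: "Infected/known", 2: "Suspicious", 3: "Scan failed",
    5: "Unknown", 7: "Cleaning ignored", 8: "Infection ignored",
    9: "Archiving depth exceeded", 10: "Not scanned / No scan results", 11: "Aborted",
    12: "Encrypted", 13: "Archive size exceeded", 14: "Archive file number exceeded",
    15: "Password-protected document", 16: "Archive timeout exceeded", 17: "Offset",
    18: "Potentially vulnerable file", 19: "Cancelled", 23: "Unsupported file type",
    254: "In the queue", 255: "In progress",
}
# Assumption: only these codes mean the engine actually examined the file and gave a verdict.
VERDICT_CODES = {0, 1, 2, 18}
PENDING_CODES = {254, 255}

# Shape of the on-screen engine message quoted in this section (the task id is masked there).
MSG_RE = re.compile(r"^(?P<engine>\w+):.*Scan result code received:\s*(?P<code>\d+)\s*$")


def parse_engine_message(line):
    """Return (engine, code) from one engine status line, or None if it does not match."""
    m = MSG_RE.match(line.strip())
    return (m.group("engine"), int(m.group("code"))) if m else None


def describe(code):
    return SCAN_RESULT_CODES.get(code, "code %d is not in the table" % code)


def clean_verdict_confirmed(template_engines, lines):
    """Analyst checks: every engine of the template must appear in the report, must not be
    pending, and must have returned a verdict. Returns (confirmed, findings)."""
    codes = dict(filter(None, map(parse_engine_message, lines)))
    findings = []
    for engine in template_engines:
        code = codes.get(engine)
        if code is None:
            findings.append(f"{engine}: no result in the report; check the engine is active in the template")
        elif code in PENDING_CODES:
            findings.append(f"{engine}: {describe(code)}; wait for the analysis to finish")
        elif code not in VERDICT_CODES:
            findings.append(f"{engine}: {describe(code)}; resolve the issue before relaunching the analysis")
    return not findings, findings


# Constructed sample lines (not real product output): one engine skipped the file, one is missing.
SAMPLE_LINES = [
    "gmalcore: Malcore analysis error for task id ****. Scan result code received: 10",
    "goasm: Goasm analysis done for task id ****. Scan result code received: 0",
]

if __name__ == "__main__":
    ok, findings = clean_verdict_confirmed(["gmalcore", "goasm", "gnest"], SAMPLE_LINES)
    print("Clean confirmed:", ok)
    for finding in findings:
        print(" -", finding)
```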