8.2.5. Procedure to analyse the contents of a report
8.2.5.1. Introduction
8.2.5.2. Prerequisites
User: member of Operators Group
8.2.5.3. Preliminary operations
Connect to the GBox via a browser (see Connection to the web interface via a browser).
8.2.5.4. Report selection procedure
In the reports area, click on the ID of the desired report (1).
Please bear in mind the status (9) of the report:
- For the `In queue` status, wait for the file to be analysed.
- For the `In Progress` status, wait until the file has been analysed.
  Tip
  If the `In Progress` status takes too long, you can click on the ID to see the processing details. Click on the engine information button to view the status of its analysis.
- For the `Error` status, see Procedure for analysing reports with an `Error` status.
- For the `Clean` status, before confirming that the file is clean, check whether the active engines are indeed the relevant ones...
- For the `Malicious` status, refer to Procedure for analysing reports having a `Malicious` status.
8.2.5.5. Procedure for analysing reports with an `Error` status
- Click on the corresponding ID. A window opens showing the detailed report.
  Zone (1) denotes that the analysis failed and that the engines are reporting errors.
- For more information, click on the information icon (2) to see the details of the error. Example:
  `gmalcore: Malcore analysis error for task id ****. Scan result code received: 10`
- On the basis of the code read on the screen, refer to the following table to identify the reason and choose the appropriate solution.
| Value | Short description | Long description |
|---|---|---|
| 0 | No threat detected | No threat detected or file is empty |
| 1 | Infected/known | A threat was detected |
| 2 | Suspicious | Listed as a possible threat although not identified as a specific threat |
| 3 | Scan failed | The scan is not fully completed, e.g. invalid file or no read permission. If no engine is included and analysis is enabled, this will be the final result. |
| 5 | Unknown | Signature unknown. NOTE: this is only used when searching for multiple hashes. For single hash searches, scan_result is not displayed as a response. |
| 7 | Cleaning ignored | The analysis is ignored because this type of file is included in the authorisation list. |
| 8 | Infection ignored | The scan is ignored because this type of file is on the blocked list. |
| 9 | Archiving depth exceeded | The threat cannot be found, however, there are other archive levels that have not been extracted. |
| 10 | Not scanned / No scan results | The scan is ignored by the engine owing to an update or some other engine-specific reason. If the analysis is disabled, this will be the final result. |
| 11 | Aborted | The analysis in progress has been discontinued due to a problem. |
| 12 | Encrypted | The file/buffer was not scanned because the file type is detected as encrypted and password-protected. |
| 13 | Archive size exceeded | The extracted archive is too large to be analysed. |
| 14 | Archive file number exceeded | There are more files in the archive than are configured on the server. |
| 15 | Password-protected document | A password-protected document [for example, Office documents or PDF files requiring a password to view their contents]. If a file is a password protected document, no disinfection will be performed. Supported file formats include: PDF, DOCX, DOC, DOCM, DOTX, DOTM, DOT, PPTX, PPT, POT, POTM, POTX, PPS, PPSM, PPSX, PPTM, PPTX, XLSX, XLS, XLSM, XLSB, XLS, XLTX, XLTM, XLT, XLAM, XLA. |
| 16 | Archive timeout exceeded | The archiving process reached the given timeout value - a predefined value of 30 minutes. |
| 17 | Offset | The file extension does not match the detected file type. |
| 18 | Potentially vulnerable file | Possible vulnerability detected for the applied file. |
| 19 | Cancelled | The file analysis was cancelled because it could not be analysed so many times. |
| 23 | Unsupported file type | The engine does not support analysis of this file type. Some engines only scan specific file types such as executable files or documents. |
| 254 | In the queue | The file was added to the analysis queue and is waiting to be processed. |
| 255 | In progress | Scanning is in progress. |
8.2.5.6. Procedure for analysing reports having a `Malicious` status
- Click on the corresponding ID. A window opens showing the detailed report.
- Refer to the summary of the analysis stages (2). Each engine should receive a tick to indicate that its analysis was successful. If this is not the case, click on the `i` icon for information on the engine's status: resolve the issue before relaunching the analysis. The normal case is that all the engines present are OK. The colour of the GBox icon indicates whether the result is clean or malicious.
- Consult the results of the analysis (1): the score, the overall condition.
  Reminders:
  - A score is only provided for the Gmalcore and Goasm engines.
  - The score is only displayed for engines running at the time of the analysis, visible in the summary of analysis stages (2).

  Important
  The SCORE field only has a meaning for the pre-selected engine. It does not indicate whether the file analysed is clean, only that it has been declared clean by this engine.
- Refer to the information in the optional zones (3) and analysis sections (4).
  Reminders:
  - The chart is only available if Gnest is part of the model. The data required for the chart is generated by this engine.
  - This graph shows how dangerous the analysed file is.
  - The optional analysis sections depend on the engine(s) active in the template used.
- If required, click on the `ALL ARTEFACTS` button (5). This enables downloading of artefacts resulting from the analysis, such as memory dump, network capture (pcap), and character strings detected. This section also enables the removal of artefacts. This button is only available if the Gnest engine is active.
- If necessary, click on the `REPORT` button. This enables downloading the report in PDF format.
- If necessary, click on the `RETRY` button. This enables re-running the analysis of this file with this or another template.
- If necessary, click on the `SAMPLE` button. This enables the analysed file to be downloaded.