1. Presentation

The MALCORE and RETROACT detection engines enable:

Detecting malware through a static and heuristic multi-engine analysis of files in real time.
Analysis via 16 Anti-Virus engines.
An analysis capacity of more than 6 million files per 24 hours.
Malware detection by re-analysing potentially harmful files after they pass through with new signatures and heuristic methods.

2. Configuration

Menu: Administrators > GCenter > Malcore Management

The MALCORE management interface enables modifying the GCENTER analysis parameters. From this section, the administrator is able to adjust the global detection parameters of the GCENTER:

Global settings
Profiles
White List
Black List

2.1. Global settings

Menu: Administrators > GCenter > Malcore Management > Global Settings

The RETROACT analysis engine enables post-compromise detection by reanalysing, a posteriori, files whose malicious potential is suspected by MALCORE's heuristic analysis. These subsequent scans are performed over a configurable period of time, several days/weeks/months after the file has passed, with the new signatures and heuristic methods.

Number of days between rescans: This is the time period in days between each file rescan.

Number of rescans: corresponds to the amount of rescans to be performed.

For example, if Number of days between rescans is set to 3 and Number of rescans is set to 3, the suspicious file will be rescanned on D+3, D+6, and D+9.

Enable automatic GBOX analysis: allows the administrator to activate the automatic sending of all infected or suspicious files to the GBOX device if the link is operational.

2.2. Profiles

Menu: Administrators > GCenter > Malcore Management > Profiles

All MALCORE profiles are displayed in this view.

However, each profile can be modified as needed via the Configure button.

The Default profile will be used when processing files sent for analysis by gcaps.

The Gscan profile will be used for processing files submitted through the gscan interface.

Enable archive handling: allows the scanning of all archive types by MALCORE (.zip, .rar, .upx).

Max recursion level: indicates the maximum depth level at which MALCORE will continue to scan files. For example, a .zip contains a folder that contains a folder that contains files. In this case, there are three levels of archive depth. If two is specified in the maximum possible recursion level, then all files in higher levels will not be scanned by MALCORE. Setting a limit here enables MALCORE to avoid overloading, though it will not scan all file levels. The default value is 5.

Number of files: this is the maximum number of files MALCORE can scan per archive. If this number is exceeded, then MALCORE will suspect something. The default number is 50 files.

Scan Original Un-extracted File: instructs MALCORE to consider the archive itself as a file.

Microsoft Office Documents: tells MALCORE to treat Office documents as Office documents (.docx, .xlsx) and not as an archive.

Detect file type mismatch: when ticked, if there is a mismatch between the file type and its extension, the file will appear as Mismatch in the dashboards in the GCENTER WEB interface.

Maximum size of scanned files (in MB): refers to the maximum size of files that are scanned by MALCORE.

Each of these items is taken into account after the administrator records the changes by pressing 'Save'.

2.3. Exception list

Menu: Administrators > GCenter > Malcore Management > White list / Black List

In the Malcore settings, it is possible to manage exception lists named Whitelist, for allowed hashes, and Blacklist, for prohibited hashes.

In the event a file to be analysed has a SHA256 hash present in the Blacklist, the result of the analysis will appear like this:

In the case of a Whitelist:

It is possible to add a hash to these lists either individually via the GCenter interface or by batch, by inserting a CSV file.

By clicking on Add a single file, a single hash can be added by filling in the Sha256 field and an optional remark for further details in the Comment field.

All of this information is taken into account after the administrator stores the changes by pressing Save.

By clicking on Add a set of files, by selecting a file in csv on their workstation, the administrator can add a list of hashes by clicking on the button in the List of SHA256 field. It is necessary to use ';' to separate the various elements of the list.

The administrator can decide to delete the previous list by ticking the Clean previous list? box and record all changes by clicking Save.

All additions and changes made from the White List and Black List sections of the MALCORE engine configuration settings will be taken into account in the analysis of the flow as well as for the files scanned via the GScan.

3. Detection

3.1. Inspectra

Menu: Operators > Inspectra > Malcore

From the 'OPERATORS - Inspectra - Malcore' section, the operator accesses a table listing the files seen as suspicious or infected through the MALCORE detection engine.

The RETROACT module will be tasked with highlighting suspicious files, if the feature is enabled.

The suspicious status is generated by the heuristic engines. These engines are able to detect abnormal elements. In the case of suspicious files, they will be reanalysed by RETROACT.

Suspicious files are detected by means of various antivirus engines, 1 in the CIE version and 16 in the other versions, operating in parallel. These engines were selected for their complementarity, the relevance of their common detection, their detection technology, and the origin of the security information used.

In the window above this table, the operator can click on the ' From - To' field to define the time range (in the format dd/mm/yyyy HH:MM) of the data being displayed.

'Number of results max: is the maximum number of files (lines) displayed in the table.

The 'State' enables selecting the status of the alerts displayed according to the desired search.

State	Description
All but Clean	All results, no threats.
All	All results, all threats.
Infected	Infected, known
Suspicious	Suspicious, listed as a possible threat but not identified as a specific threat.
Failed to Scan	scan not fully completed, e.g. invalid file or read not allowed. If no engine is included and analysis is enabled, this will be the final result.
Cleaned / Deleted	Cleaned, deleted. The threat was found and the file was repaired or deleted.
Unknown	Signature is not known, used in the multiple hash search. For single hash, scan responses are not reported.
Quarantined	The file is quarantined.
Skipped Clean	The analysis is ignored because this file type is whitelisted.
Skipped Dirty	The analysis is ignored because this type of file is blacklisted.
Exceeded Archive Depth	No threat detected although the archive level exceeds the threshold. The archive was not fully analysed.
Not Scanned / No scan results	No results, the analysis was ignored by the engines due to an engine update for a specific reason. If the analysis is disabled, this will be the final result.
Aborted	The current scan was stopped by the server
Encrypted	The file is not scanned because the file type is detected as encrypted and password protected. If the internal archive library is enabled, Malcore will not report any results as the engines are no longer scanning. If the internal archive library is disabled, Malcore will pass the encrypted files to the engines directly, bypassing detection.
Exceeded Archive Size	The size of the archive or file is too large to be analysed.
Exceeded Archive File Number	The number of files in the archive exceeds the configured number on the server.
Password Protected Document	Document secured by a password, e.g. Office or PDF documents requiring a password to view its contents. If a file is a password protected document, no disinfection will be performed. Malcore supports password protected document detection. Extensions for which detection operates PDF, DOCX, DOC, DOCM, DOTX, DOTM, POINT, PPTX, PPT, POT, POTM, POTX, PPS, PPSM, PPSX, PPTM, PPTX, XLSX, XLS, XLSM, XLSB, XLS, XLTX, XLTM, XLT, XLAM, XLA.
Mismatch	The file extension does not match the detected file type. Only applicable when dealing with workflows.
Potentially Vulnerable File	Possibly a susceptible file.

The table's columns are movable and dynamic searches can be made on each of them:

The operator can choose the visibility of the columns in the table by clicking on the Column visibility button:

In addition, a vertical view of the alert is displayed via a right-click of the mouse.

A quick CSV export of the data based on the selected decision date:

An interactive analysis of the element is possible by means of a right click of the mouse. With 'Download malware' it is possible to retrieve the malware and save it on the computer in a password-protected file in `.zip' format. This password can be changed here.

The TRACKWATCH is able to provide further analysis of the detected malware through the Remote analysis' feature. If the configuration is completed beforehand, the operator can decide that the sample should be analysed in the https://intelligence.gatewatcher.com/ platform, i.e. a [GBOX] server (itg-ext/intelligence.html#gbox).

The analysis report generated by sending the infected file for further analysis can be downloaded using 'Download analysis report'.

The analysis parameters of the MALCORE engine can be changed in the default profile settings.

3.2. Dashboards

Menu: Operators > Dashboards > Malcore

In addition to the information already included in the Inspectra table, the data collected by Malcore is also provided on the Malcore Kibana dashboard.

The data will be formatted as follows

4. Generated events

Attention

Engine ids are subject to change over time.

4.1. Example of a log

json
{
    "engine_id": {
      "714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77": "Trojan.Win32.Vebzenpak.iwgiuz",
      "312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d": "Gen:Variant.Graftor.961641",
      "054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af": "Trojan/Win.Generic",
      "0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db": "Trojan.Multi",
      "ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf": "W32/VBKrypt.AVU.gen!Eldorado",
      "fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1": "Trojan.Win32.Injector",
      "b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e": "Trojan.Wacatac",
      "527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737": "Trojan.Vebzenpak.Win32.4817",
      "32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684": "a variant of Win32/Injector.EPML trojan",
      "038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74": "Trojan.Agent (A)",
      "4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc": "Trojan ( 0057dc101 )",
      "3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53": "Trojan.Win32.Vebzenpak.afnw",
      "af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a": "TR/Injector.vdnis",
      "ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c": "TR/Injector.vdnis"
    },
    "@version": "1",
    "detail_scan_time": 289
    "timestamp_detected": "2021-07-05T18:14:45.354Z",
    "SHA256": "9f07b7d90dc159c18619741bbbe05a2eb512a53865ba5101ba9f5668ec01c427",
    "timestamp_last_malcore_analysis": "2021-07-05T18:15:35.546Z",
    "file": "1198",
    "detail_scan_result_i": 1
    "retroact": "None",
    "app_proto": "http",
    "src_port": "80",
    "type": "malcore",
    "detail_wait_time": 88
    "@timestamp": "2021-07-05T18:15:48.857Z",
    "event_type": "malware",
    "filename": "/Im/HBB.exe",
    "total_found": "14/15",
    "scans_history": [
      {
        "code": 1
        "total_found": "14/15",
        "timestamp_analyzed": "2021-07-05T18:15:35.542Z",
        "state": "Infected"
      }
    ],
    "size": "110592",
    "meta": "CLOSED",
    "MD5": "31bbac78b447abc5a1138f5b0f3bb1ae",
    "uuid": "857a9a3f-99e6-4b28-abdd-32a7c28f0295",
    "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "reporting_token": "",
    "severity": 1
    "detail_threat_found": "Infected: Trojan/Win.Generic, TR/Injector.vdnis, Gen:Variant.Graftor.961641, W32/VBKrypt.AVU.gen!Eldorado, a variant of Win32/Injector.EPML trojan, Trojan.Agent (A), Trojan.Win32.Injector, Trojan ( 0057dc101 ), Trojan.Win32.Vebzenpak.afnw, Trojan.Win32.Vebzenpak.iwgiuz, Trojan.Multi, Trojan.Wacatac, Trojan.Vebzenpak.Win32.4817",
    "detail_def_time": "2021-06-23T00:43:00.000Z",
    "nb_rescans": "Not reanalyzed",
    "dest_ip": "10.7.0.15",
    "replica": false,
    "timestamp_analyzed": "2021-07-05T18:15:48.857Z",
    "code": 1
    "src_ip": "192.185.92.26",
    "gcap": "gcap-int-ppo-164.domain.local",
    "host": "gcap-int-ppo-164.domain.local",
    "state": "Infected",
    "GCenter": "gcenter-int-ppo-237.domain.local",
    "dest_port": "54325",
    "_internal_doc_id": "qPzhd3oBnng1PLWX9yKE",
    "flow_id": 1191592708119283
    "try_count": 0
  }

4.2. Summary table of the fields

Fields	Required	Description	Values
MD5	Yes	MD5 hash of the analysed file.	-
SHA256	Yes	SHA256 hash of the analysed file.	-
app_proto	Yes	Application protocol of the flow from which the file originates.	http, ftp, smtp, smb
code	Yes	Return code from the malcore analysis.	0, 1, 2, 3, 7, 8, 9, 10, 12, 13, 14, 16, 17, 18, 255
dest_ip	Yes	Destination's IP address.	-
dest_port	Yes	Destination port.	-
detail_def_time	No	Date of updating the malcore signature database. This field must appear for all analyses	-
detail_scan_result_i	No	Return code from the malcore analysis.	0, 1, 2, 3, 7, 8, 9, 10, 12, 13, 14, 16, 17, 18, 255
detail_scan_time	No	File analysis time (ms) by malcore engines.	-
detail_threat_found	Yes	Type of threat.	-
engine_id	No	List of malcore engines having analysed the file with the corresponding result.	-
event_type	Yes	Type of event.	malware
file	Yes	File identifier.	-
fileinfo_potentially_involved	No	This field only appears in the case of retroact - it shows the list of doc _id less than 24 hours old that are affected by the rescan.	-
filename	Yes	File name.	-
flow_id	No	Unique flow identifier. Enables retrieving the associated fileinfo.	-
gcap	Yes	Name of the gcap assigned to the alert.	-
gcenter	Yes	Name of the GCenter assigned to the alert.	-
host	Yes	Name of the gcap assigned to the alert.	-
magic	yes	Type of payload.	-
nb_rescans	Yes	Number of analyses per retroact	"Not reanalyzed", 1, 2 .. n
replica	Yes	Field is False if the file is being viewed for the first time and True if it is a replica.	True, False
reporting_token	Yes	Token used with the Gbox.	-
retroact	Yes	Result of the retroact analysis By default this field is set to NONE. Only suspicious files will be re-scanned by retroact.	This field can be set to None or advanced malware, if retroact declares the file as infected
severity	Yes	Code for the result of the malcore analysis. Must be between 0 and 3.	0=clean, 1=infected, 2=suspicious, 3=Other
size	Yes	File size.	-
src_ip	Yes	Source IP address.	-
src_port	Yes	Port source.	-
state	Yes	Result of the analysis by the malcore engines.	No Threat Detected Infected Suspicious Failed Scan Skipped - Whitelisted Scan Skipped – Blacklisted Not Scanned Exceeded Archive Depth Encrypted Archive Exceeded Archive Size Exceeded Archive File Number Exceeded Archive Timeout Filetype Mismatch Potentially Vulnerable File In Progress 0 in the case of a whitelisted file 1 in the case of a blacklisted file
timestamp_analyzed	Yes	Timestamp of the alert processing by the GCenter corresponds to the passage in logstash	-
timestamp_detected	Yes	Timestamp of the file capture by gcap	-
timestamp_last_malcore_analysis	Yes	Timestamp of the file's last scan by malcore. Replicas are not reanalysed, so the "timestamp_last_malcore_analysis" may be older than the "timestamp_analyzed"	-
total_found	Yes	Number of engines detecting the file as infected.	XX/YY with YY between 0 and 16 and XX between 0 and YY. YY=number of engines that analysed the file. XX: number of engines whose result was different from "clean". - "File size exceeded the maximum size" if the file was too big to be analysed by malcore. (See Administrators > malcore management > profile > Default > Maximum size of scanned files) - "Black list", or "White list" in the case of malcore blacklist/whitelist (See Administrators > malcore management > whitelist/blacklist)
try_count	No	Attempts to enrich. Internal field for GCenter operation	-
type	Yes	Type of event.	malcore
detail_wait_time	No	wait_time: time elapsed between sending file to node and receiving the result from the engine in milliseconds	-
meta	Yes	Completeness of the analysed file (CLOSED) otherwise TRUNCATED.	CLOSED, TRUNCATED
scan_time_average	No	File analysis time (ms) by malcore engines. This field should appear systematically	-
scans_history.code	Yes	Code for the result of the malcore analysis.	0, 1, 2, 3, 7, 8, 9, 10, 12, 13, 14, 16, 17, 18, 255
scans_history.state	Yes	Result of the analysis by the malcore engines.	No Threat Detected Infected Suspicious Failed Scan Skipped - Whitelisted Scan Skipped – Blacklisted Not Scanned Exceeded Archive Depth Encrypted Archive Exceeded Archive Size Exceeded Archive File Number Exceeded Archive Timeout Filetype Mismatch Potentially Vulnerable File In Progress
scans_history.timestamp_analyzed	Yes	Timestamp of the file analysis.	-
scans_history.total_found	Yes	Number of engines detecting the file as infected.	same as total_found
_internal_doc_id	No	Field used for Gcenter's internal operation	_id de documents elasticsearch

The syslog export has additional fields:

smtp.mail_from,
smtp.rcpt_to,
email.from, email.to,
email.cc,
email.bcc,
email.in_reply_to,
http.hostname,
http.url,
http.http_refer,
http.http_user_agent.

Warning

These fields are affected by a known bug (see release note.)

Warning

The enrichment at the origin of these fields will be depreciated in v2.5.3.102.

5. Detection by gscan

Menu: Operators > GScan > Malware Scanning

Note

When deployed in an MPL environment, GScan functionality is disabled

Gscan enables an operator to submit a file via the GCenter web interface for malcore analysis

To start analysing a file, simply drag it into the DRAG and DROP or SELECT FILES TO SCAN area or click on this area to send your suspicious executables.

Please note that the maximum file size must not exceed 10MB. There is no limit to the number of file scans. The scan result shows almost instantly the status of the sample after analysis. The result can be as follows: Clean or Infected across the 16 engines.