7.7. Detection procedure by Gscan

7.7.1. Introduction

GScan allows you to manually submit files for analysis.

The following options are possible:

Malware: submit files to the Malcore engine
Powershell: scans files containing Powershell scripts and detects potential threats that can serve as a gateway to install malware on Windows.

With regard to malicious powershells, detection is based on a supervised machine learning model, and on the fact that these scripts generally use offuscation techniques or that are similar to them (base64, concatenation, type conversion, etc.).
Shellcode: submits files for analysis by the codebreaker detection engine.

Before starting an analysis, it is necessary to check the type of analysis to be performed, see above.
To start parsing a file, simply drag the file into the `DRAG and DROP or CLICK TO SELECT YOUR FILES` area or click on this area to send the suspicious file.
The result of the analysis is then displayed in a thumbnail with the status of the file for each type of analysis chosen.
The `SCAN HISTORY` page displays the history of the analyses performed.

Note

Attention the maximum file size should not exceed 10MB by default.

There is no limitation on the number of file scans.

Concerning the compressed files analyzed by Malcore:

The number of files contained in an archive is:

limited

editable (50 is the default)

The number of times the file is compressed is:

limited (max recursion level)

editable (5 is the default)

If files are password protected, the password must be declared in the global settings.

These settings are only accessible to members of the administrator group.

See procedure for Setting up GBox and the Malcore and Retroact engines and activate the GBox.

Modify if necessary the maximum size of files sent to Gscan (MB)
Modify if necessary the maximum recursion level for archives sent to Gscan
Modify if necessary the maximum number of archive files sent to Gscan

The graphical interface is described in the Web UI `GScan` screen.

7.7.2. Prerequisites

User : member of Operator group

7.7.3. Preliminary operations

Login to GCenter via a browser (see Connection to the GCenter web interface via a web browser)

7.7.4. Procedure

From the navigation bar, click on the `GScan` button

Tick one or more of the following: `Malware`, `Powershell` or `Shellcode`.

Note

The `DeepScan` option, checked by default, allows a thorough analysis of the file.

As applicable:

Drop desired file in box (3) `DRAG and DROP`

or

click on the button (4) `UPLOAD` then select the load file from the user PC and finally validate the selection

The result is displayed in the thumbnail.

In the case of a positive result, the thumbnail is displayed in red with the information `Infected`.

In the case of a negative result, the thumbnail is displayed in green with the information `clean`.

Malcore engine results. are valid only for Malcore configuration at the time of analysis
Return code	Result	Description	Action
0	No Threat Detected	File was analysed and declared healthy	No
1	Infected	File was scanned and declared infected	No
2	Suspicious	The file was analysed and declared as likely to be infected: some Malcore engines detected this file as malicious...	To be submitted to a GBox
3	Failed Scan	An error occurred during the run.	In the case of use via Gscan or GBox, restart the analysis
7	Skipped - Whitelisted	The file is not analysed and considered healthy since this file is defined in the Malcore whitelist	None if it is normal that this file is in the Malcore whitelist otherwise modify the list then restart the analysis
8	Skipped – Blacklisted	The file is not scanned and considered infected since this file is defined in the Malcore blacklist	None if it is normal that this file is in the Malcore blacklist otherwise modify the list then restart the analysis
9	Exceeded Archive Depth	The number of times the file is compressed is limited (max recursion level). The message indicates that the defined value has been exceeded.	It is possible to increase this limit and to restart the analysis (attention this can lead to an increase in processing time ...)
10	Not scanned	Pb analysis engine	Contact Gatewatcher support if this happens again
12	Encrypted Archive	The archive is encrypted and therefore not parsable: the password indicated does not work	Enter the correct password and run the analysis again
13	Exceeded Archive Size	The maximum file size should not exceed the defined value (maximum value 10MB). The parsed archive is larger than the defined value.	If the set value is less than 10MB, it is possible to change this limit and restart the analysis, otherwise none
14	Exceeded Archive File Number	The maximum number of files in the archive must not exceed the defined value. The scanned archive contains a number of files greater than the defined value.	It is possible to increase this limit and to restart the analysis (attention this can lead to an increase in processing time ...)
15	Password Protected Document	Solution detected inconsistent behaviour with password protected document	No action+
16	Exceeded Archive Timeout	The archive scan time has been exceeded, Malcore engines are not responding within the deadline	Restart the analysis if possible
17	Filetype Mismatch	File type mismatch problem: the solution detects the file extension with its contents and compares it with the file extension displayed	No action+
18	Potentially Vulnerable File	The verdict of the result is: Potentially vulnerable files are files associated with identified vulnerable components or applications.	No action+
19	Cancelled	User explicitly canceled this file analysis request	posted for information
21	Yara Rule Matched	The verdict of the result is: a corresponding Yara rule (malware sample identification);	Posted for information
22	Potentially Unwanted	The solution detected potentially unwanted applications.	Posted for information
23	Unsupported File Type	File type not supported by the solution.	No
255	In Progress	Analysis in progress..	Wait for the analysis to complete

Codebreaker engine results. Only valid for Codebreaker configuration at time of analysis
State	description	action
Clean	File was analysed and declared healthy	No
Exploit	File was scanned and declared infected (shellcode or powershell)	No
Suspicious	The file was analysed and declared susceptible to infection: the engine detected this file as malicious	If possible to submit to a GBox

Note

In the case of an `Analysis Error` message, leave the mouse over the icon.
If the message `Gscan is not enabled` is displayed, contact a member of the administrator group to activate this option from the configuration menu.
Otherwise check that the motors are up to date. To do this, use the `Health check` screen. Use GUM to remedy this.

Click on thumbnail.

The detail window is displayed:
- In the case of a positive result, this window gives detailed information about the detected threat.
- In the case of a negative result, this window gives detailed information about the analysis.
- In all cases, this analysis is now available in the history accessible by the `SCAN HISTORY` button.

Astuce

The result is indicative only for the type of analysis selected.

A file is declared clean only for the selected engine.

For the alerts detected by the Malcore engine, the details of the counters of the report given in part Malcore engine.

For the alerts detected by the codebreaker engine, the details of the counters of the report given in the part Codebreaker Engine.

7.7.5. Ex post facto search procedure

It is possible to change the type of detection after a first analysis.

From the navigation bar, click on the `GScan` button.

Tick the `Malware` box for example.
Place the desired file in the dotted box.

The result is displayed in the thumbnail.
Tick the `Shellcode` box.

The thumbnail shows the result for the shellcode analysis.

7.7.6. Procedure to view the history

Click the `SCAN HISTORY` button.

Click on a scanned file to view the details of the analysis done.