8.8.1. Setting up the Malcore and Retroact engines and activating the GBox

8.8.1.1. Introduction

This procedure describes:

Note

The graphical interface is described in the `Admin-GCenter- Malcore Management` screen of the legacy web UI.


8.8.1.2. Prerequisites

  • User : member of Administrator group


8.8.1.3. Preliminary operations


8.8.1.4. Procedure to access the `Malcore Management` window for an administrator account

  • In the navigation bar, successively click on:

      • The `Admin` button

      • The `Gcenter` sub-menu

      • The `Malcore Management` command

    The `Malcore Management` window is displayed.
  • Click on the `Global settings` section.


8.8.1.5. Procedure to enable the GBox analysis

Note

The GBox must be configured beforehand.

[Image: MALCORE_SETTING-01.PNG]
  • Use the `Enable automatic GBox analysis` selector (6) to transfer files listed by Malcore as Suspect or Infected to a GBox.


8.8.1.6. Procedure to set up the analysis timeout

[Image: MALCORE_SETTING-01.PNG]
  • If necessary, change the `Expiration delay` parameter (4).
    This parameter sets the time during which Malcore will not re-scan a file already seen on the network.
    During the specified time, if the file is seen on the network again, it is not re-scanned: the result of the first scan is used.
    If the antivirus engines were updated and the same file reappears, it will be scanned again.
  • Confirm the changes using the `Save` button (15).
    A confirmation message is displayed: `Updated with success`.
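
The re-scan rule described for `Expiration delay`, modelled as an added example (this is not Gatewatcher's code). The SHA-256 cache key, the integer engine version, the time unit, the stub `scan` function and the choice to restart the delay on each real scan are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class CachedVerdict:
    verdict: str         # result of the first scan, e.g. "clean" or "suspect"
    scanned_at: float    # timestamp of that scan
    engine_version: int  # engine/signature revision that produced it


class VerdictCache:
    """Illustrative model of the re-scan decision, not Malcore's own code."""

    def __init__(self, expiration_delay):
        self.expiration_delay = expiration_delay  # same unit as timestamps
        self.entries = {}                         # SHA-256 hex -> CachedVerdict

    def submit(self, data, now, engine_version, scan):
        """Return (verdict, scanned); scanned is False on a cache hit."""
        key = hashlib.sha256(data).hexdigest()
        entry = self.entries.get(key)
        fresh = (
            entry is not None
            and entry.engine_version == engine_version   # no engine update since
            and now - entry.scanned_at < self.expiration_delay
        )
        if fresh:
            return entry.verdict, False   # reuse the result of the first scan
        verdict = scan(data)              # first sighting, update, or expiry
        self.entries[key] = CachedVerdict(verdict, now, engine_version)
        return verdict, True


def replay(events, expiration_delay):
    """Replay (time, engine_version, payload) sightings; return the decisions."""
    cache = VerdictCache(expiration_delay)
    scan = lambda data: "suspect" if data.startswith(b"MZ") else "clean"  # stub engine
    return [cache.submit(p, t, v, scan) for t, v, p in events]


# Constructed sightings of one file: first seen, seen again inside the delay,
# seen after an engine update, seen after the delay has elapsed.
SAMPLE = [(0, 1, b"MZ-sample"), (100, 1, b"MZ-sample"),
          (200, 2, b"MZ-sample"), (4000, 2, b"MZ-sample")]

if __name__ == "__main__":
    for decision in replay(SAMPLE, expiration_delay=3600):
        print(decision)
```

Only the second sighting is served from the cache; a longer delay saves scan capacity but keeps a stale verdict in use until the engines are updated or the delay expires.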

8.8.1.7. Procedure to set up Retroact

Note

The RETROACT scanning engine enables ex-post scanning of files flagged as "suspicious" by Malcore's heuristic analysis.
These post-scans are run with the new signatures and heuristic methods over a period of days, weeks, or months after the file has been scanned, depending on the retention time.
[Image: MALCORE_SETTING-01.PNG]
  • Use the `Enable retroactive engine` selector (3) to have files listed by Malcore as Suspect re-scanned when engines are updated.

  • Confirm the changes using the `Save` button (15).
    A confirmation message is displayed: `Updated with success`.

8.8.1.8. Procedure to change the analysis limits

Note

Increasing the limits can lead to more detections, but it has a negative impact on performance.

[Image: MALCORE_SETTING-02.PNG]
  • Modify the analysis parameters for the flows taken into account by the Malcore engine:

      • If necessary, modify parameter (9): maximum size of files extracted by a GCap (MB)

      • If necessary, modify parameter (10): maximum recursion level for archives extracted by GCap

      • If necessary, modify parameter (11): maximum number of files for the archives extracted by GCap

Note

The size of the files extracted by a GCap and the maximum file size taken into account by the Malcore engine may differ.
The maximum file size value on the GCap side must always be smaller than the maximum file size on the Malcore side.
  • Modify the parameters for analysis by the Malcore engine via the GScan module:

      • If necessary, modify parameter (12): maximum size of files sent to GScan (MB)

      • If necessary, modify parameter (13): maximum recursion level for the archives sent to GScan

      • If necessary, modify parameter (14): maximum number of archive files sent to GScan

  • Confirm the changes using the `Save` button (15).
    A confirmation message is displayed: `Updated with success`.