2.1.6. Malcore retroanalyzer engine

2.1.6.1. Introduction

2.1.6.1.1. For what types of threats is this engine designed?

For files for which the Malcore engine could not determine a verdict during the first scan, the Malcore retroanalyzer engine makes it possible to resubmit them periodically to the antivirus engines.
In this way, the Malcore retroanalyzer engine identifies malware quickly, as soon as a signature becomes available, when a sample previously flagged as suspicious is analysed again.

2.1.6.1.2. How does this particular engine detect threats?

The Malcore retroanalyzer engine uses the same detection methods as the Malcore engine.
However, this engine focuses on analyses whose status was previously declared "suspicious".
Please refer to the Malcore engine documentation for more information about the detection process.

2.1.6.1.3. How does Malcore retroanalyzer work in the GCenter?

When a file rebuilt by a GCap (see Configuring the file reconstruction rules via the GCap profile) is submitted to Malcore, the sample is analysed by the set of antivirus engines that make up Malcore.
If one of these engines detects the file as malicious, an alert is generated in the dashboards.
However, in the case of a new strain or a new variant, an antivirus signature may not yet be available at the time of the analysis, while the observed behaviour of the sample is specific enough for it to be considered suspicious.
In this case, the sample is flagged as such and a periodic re-analysis is scheduled in order to determine clearly whether the sample is malicious or not.
This loop lasts until either a final state has been set for the sample (CLEAN or INFECTED) or the sample has reached its data expiration time.
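The rescan loop described above, as an added example that is not part of the GCenter documentation or product code: a small Python model that replays periodic rescans of a suspicious sample, stops on a final state or at data expiration, and produces the nb_rescans and Retroanalyzer fields listed later in this section. The Sample class, new_sample, retroanalyze, the 24-hour rescan interval and the fixed clock are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Verdict(Enum):
    SUSPICIOUS = "suspicious"   # first Malcore scan could not decide
    CLEAN = "CLEAN"             # final states that stop the loop
    INFECTED = "INFECTED"


@dataclass
class Sample:
    sha256: str                 # constructed identifier, not a real indicator
    first_seen: datetime
    expires_at: datetime        # data expiration time of the sample
    verdict: Verdict = Verdict.SUSPICIOUS
    nb_rescans: int = 0
    retroanalyzer: str = "No"   # default value of the Retroanalyzer field

    def event_fields(self) -> dict:
        """Counters as they would appear in a Malcore retroanalyzer event."""
        return {
            "nb_rescans": self.nb_rescans if self.nb_rescans else "Not reanalyzed",
            "Retroanalyzer": self.retroanalyzer,
        }


def new_sample(sha256: str, retention_days: int) -> Sample:
    """Build a sample with a fixed clock so the replay is reproducible (assumption)."""
    now = datetime(2024, 1, 1)
    return Sample(sha256, first_seen=now, expires_at=now + timedelta(days=retention_days))


def retroanalyze(sample: Sample, rescan_verdicts, interval: timedelta = timedelta(hours=24)) -> Sample:
    """Replay the periodic rescan loop.

    rescan_verdicts: constructed answers of the antivirus engines, one per
    scheduled rescan. The loop stops as soon as a final state is set or the
    next scheduled rescan would fall at or after the data expiration time.
    """
    next_scan = sample.first_seen + interval
    for verdict in rescan_verdicts:
        if sample.verdict is not Verdict.SUSPICIOUS or next_scan >= sample.expires_at:
            break
        sample.nb_rescans += 1
        if verdict is Verdict.INFECTED:
            sample.verdict = Verdict.INFECTED
            sample.retroanalyzer = "advanced malware"   # signature now available
        elif verdict is Verdict.CLEAN:
            sample.verdict = Verdict.CLEAN
        next_scan += interval
    return sample
```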

2.1.6.2. Events generated

The events generated by the Malcore retroanalyzer engine are alerts.
Alerts are displayed in the `Alerts` screen and are shown as detected by this engine.

The events generated by the Malcore retroanalyzer and the Malcore engines are the same: see Events generated.


2.1.6.3. List of counters of the alert

Note

The alert counters are visible:

  • in the Alert details screen of the WEBUI

  • in the Expanded document of Kibana

  • in the export to the SIEM

The detailed information is given in the table (Counters of the source part of logs).


2.1.6.4. Counters associated with Malcore retroanalyzer engine

The following counters are present in Malcore retroanalyzer events:

Counters associated with Malcore retroanalyzer engine

Field          | Required | Description                                                                                                                                                      | Values
---------------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------
nb_rescans     | Yes      | Number of scans performed by Malcore retroanalyzer                                                                                                               | "Not reanalyzed", 1, 2 .. n
Retroanalyzer  | No       | Result of the Malcore retroanalyzer analysis. By default this field is No. Only suspicious files are reanalyzed by Malcore retroanalyzer; the field is set to advanced malware if Malcore retroanalyzer declares the file infected | No, advanced malware

2.1.6.5. Management of the engine

2.1.6.5.1. Viewing the engine status

The Malcore retroanalyzer engine and the Malcore engine use the same anti-viral engines: see `Health checks` screen.


2.1.6.5.2. Engine update

The Malcore retroanalyzer engine and the Malcore engine use the same update system: see the paragraph Engine update.


2.1.6.5.3. Configuration of Malcore retroanalyzer engine

The management interface enables the engine to be activated: this activation is done in the `Malcore retroanalyzer` screen.


2.1.6.6. Alert Analysis

The alerts are displayed on a specific screen: this screen is described in Web UI `Alerts`.
The general procedure for analysing alerts is described in Using of NDR dashboards.
The specific procedure for analysing Malcore retroanalyzer alerts is described in Analysing the Malcore retroanalyzer alerts.