7.8. Detecting with GScan

7.8.1. Introduction

GScan allows you to manually submit files for analysis.
The following options are possible:

  • Malware: submit files to the Malcore engine

  • Powershell: scans files containing Powershell scripts and detects potential threats that can serve as a gateway to install malware on Windows.
    With regard to malicious powershells, detection is based on a supervised machine learning model, and on the fact that these scripts generally use obfuscation techniques or that are similar to them (base64, concatenation, type conversion, etc.).

  • Shellcode: submits files for analysis by the shellcode detect engine

Before starting an analysis, it is necessary to check the type of analysis to be performed, see above.
To start parsing a file, simply drag the file into the `DRAG and DROP or CLICK TO SELECT YOUR FILES` area or click on this area to send the suspicious file.
The result of the analysis is then displayed in a thumbnail with the status of the file for each type of analysis chosen.
The `SCAN HISTORY` page displays the history of the analysis performed.

Note

Attention the maximum file size should not exceed 30MB by default.
There is no limitation on the number of file scans.

Concerning the compressed files analyzed by Malcore:

  • The number of files contained in an archive is:

  • limited

  • editable (50 is the default)

  • The number of times the file is compressed is:

  • limited (max recursion level)

  • editable (5 is the default)

  • If files are password protected, the password must be declared in the global settings.

These settings are only accessible to members of the administrator group.

7.8.3. Prerequisites

  • User: member of Operator group

7.8.4. Preliminary operations

7.8.5. Procedure

  • From the navigation bar, click on the `GScan` button (10).

    ../_images/GCE103_HOME-2.PNG

    The `GScan` window is displayed.

../_images/GCE103_SCAN_01.PNG

  • Tick one or more of the following: `Malware` (3), `Powershell` (4) or `Shellcode` (5).

Note

The `DeepScan` option, checked by default, allows a thorough analysis of the file.

  • As applicable:

  • Drop desired file in `DRAG and DROP` box (6)
    or
  • click on the `UPLOAD` button (7) then select the load file from the user PC and finally validate the selection
    The result is displayed in the thumbnail.
    ../_images/GSCAN-2.PNG
    In the case of a positive result, the thumbnail is displayed in red with the `Infected` information.
    In the case of a negative result, the thumbnail is displayed in green with the `clean` information.
Malcore engine results. Are valid only for Malcore configuration at the time of analysis

Return code

Result

Description

Action

0

No Threat Detected

File was analyzed and declared healthy

No

1

Infected

File was scanned and declared infected

No

2

Suspicious

The file was analyzed and declared as likely to be infected: some Malcore engines detected this file as malicious...

To be submitted to a GBox

3

Failed Scan

An error occurred during the run

In the case of use via GScan or GBox, restart the analysis

7

Skipped - Whitelisted

The file is not analyzed and considered healthy since this file is defined in the Malcore whitelist

None if it is normal that this file is in the Malcore whitelist otherwise modify the list then restart the analysis

8

Skipped – Blacklisted

The file is not scanned and considered infected since this file is defined in the Malcore blacklist

None if it is normal that this file is in the Malcore blacklist otherwise modify the list then restart the analysis

9

Exceeded Archive Depth

The number of times the file is compressed is limited (max recursion level). The message indicates that the defined value has been exceeded.

It is possible to increase this limit and to restart the analysis (attention this can lead to an increase in processing time...)

10

Not scanned

Pb analysis engine

Contact the Gatewatcher support if this happens again

12

Encrypted Archive

The archive is encrypted and therefore not parsable: the password indicated does not work

Enter the correct password and run the analysis again

13

Exceeded Archive Size

The maximum file size should not exceed the defined value (maximum value 10MB). The parsed archive is larger than the defined value.

If the set value is less than 10MB, it is possible to change this limit and restart the analysis, otherwise none

14

Exceeded Archive File Number

The maximum number of files in the archive must not exceed the defined value. The scanned archive contains a number of files greater than the defined value.

It is possible to increase this limit and to restart the analysis (attention this can lead to an increase in processing time...)

15

Password Protected Document

Solution detected inconsistent behavior with password protected document

No action+

16

Exceeded Archive Timeout

The archive scan time has been exceeded, Malcore engines are not responding within the deadline

Restart the analysis if possible

17

Filetype Mismatch

File type mismatch problem: the solution detects the file extension with its contents and compares it with the file extension displayed

No action+

18

Potentially Vulnerable File

The verdict of the result is: Potentially vulnerable files are files associated with identified vulnerable components or applications.

No action+

19

Cancelled

User explicitly canceled this file analysis request

posted for information

21

Yara Rule Matched

The verdict of the result is: a corresponding Yara rule (malware sample identification)

Posted for information

22

Potentially Unwanted

The solution detected potentially unwanted applications.

Posted for information

23

Unsupported File Type

File type not supported by the solution.

No

255

In Progress

Analysis in progress...

Wait for the analysis to complete
Shellcode or Powershell engine results. Only valid for configuration at time of analysis

State

description

action

Clean

File was analyzed and declared healthy

No

Exploit

File was scanned and declared infected (Shellcode or Powershell)

No

Suspicious

The file was analyzed and declared susceptible to infection: the engine detected this file as malicious

If possible to submit to a GBox

Note

In the case of an `Analysis Error` message, leave the mouse over the icon.
If the message `GScan is not enabled` is displayed, contact a member of the administrator group to activate this option from the configuration menu.
Otherwise check that the motors are up to date. To do this, use the `Health check` screen. Use Updates to remedy this.
  • Click on the thumbnail.
    The detail window is displayed:

    • In the case of a positive result, this window gives detailed information about the detected threat.

    ../_images/GSCAN-1.PNG

    • In the case of a negative result, this window gives detailed information about the analysis.

    ../_images/GSCAN-3.PNG

    • In all cases, this analysis is now available in the history accessible by the `SCAN HISTORY` button.

    ../_images/GSCAN-4.PNG

Tip

The result is indicative only for the type of analysis selected.
A file is declared clean only for the selected engine.
For the alerts detected by the engine, the details of the counters of the report given in Engine log data structure appendix.

7.8.6. Ex post facto search procedure

It is possible to change the type of detection after a first analysis.

  • From the navigation bar, click on the `GScan` button.

../_images/GCE103_SCAN_01.PNG

  • Tick the `Malware` box for example.

  • Place the desired file in the dotted box.
    The result is displayed in the thumbnail.
  • Tick the `Shellcode` box.
    The thumbnail shows the result for the Shellcode analysis.

7.8.7. Procedure to view the history

  • Click the `SCAN HISTORY` button (2).

../_images/GSCAN-4.PNG

  • Click on a scanned file to view the details of the analysis done.