Begin a Malware Analysis Investigation

You can investigate data that has been scanned, flagged, and rated by Malware Analysis as containing Indicators of Compromise. This includes all types of Malware Analysis scans: continuous mode polling, on-demand polling, and on-demand uploaded files. Continuous mode polling must be enabled when the administrator configures basic settings for the Malware Analysis service.

NetWitness provides several methods of launching a Malware Analysis investigation.

Fastest: Instant Launch from Malware Analysis Dashlets

The fastest way to begin a Malware Analysis investigation is an instant launch from the NetWitness Dashboard, using one of the Malware Analysis dashlets that list events or files that are likely to contain malware. The dashlets are described as part of the NetWitness Content in Dashlets. From one of these dashlets, you can go directly to the Analysis Results for a specific event that has been listed as worthy of investigation:

  • Top Listing of Highly Suspicious Malware
  • Top Listing of Possible Zero Day Malware
  • Malware with High Confidence IOCs and High Scores Dashlet

On-Demand Polling from a Meta Value in the Navigate View

You can initiate on-demand polling from within an investigation by right-clicking a meta value in the Navigate view, and choosing an option from the context menu. When polling is complete, the scanned data is available for malware analysis (see "Launch a Malware Analysis Scan from the Navigate View" in the NetWitness Investigate User Guide).

Investigate a Specific Service

You can also begin a Malware Analysis investigation of a service in the Investigate > Malware Analysis view. For Malware Analysis investigation on a service basis, a service must be specified in the Investigate > Malware Analysis view.

  1. Investigate opens the Malware Analysis view with the user-specified default service selected.
  2. If no default service is currently specified, a dialog allows you to select the Malware Analysis service to investigate.
  3. When a service has been selected in the Malware Analysis view, the Summary of Events and the continuous scan data for the selected service are displayed.

This topic provides instructions for all methods of launching a Malware Analysis investigation.

Launch a Malware Investigation from a Malware Analysis Dashlet

A prerequisite for this procedure is that one of the following dashlets must be visible in the NetWitness dashboard or in the Malware Analysis view, and must be populated with listed events or files. If you do not see the dashlets, add them and configure the dashlets.

  • Top Listing of Highly Suspicious Malware
  • Top Listing of Possible Zero Day Malware
  • Malware with High Confidence IOCs and High Scores Dashlet

To launch a Malware Analysis investigation from a dashlet:

  1. Log in to NetWitness and look for one of the above dashlets in the Monitor view or in the Malware Analysis view.
  2. In the dashlet, double-click an event or file for deeper analysis. The Malware Analysis view displays a detailed analysis of the event selected in the Events List, or of the event with which the file selected in the File List is associated.

To learn more about configuring the Malware Analysis dashlets in the Monitor dashboard, see "Dashlets" in the NetWitness Platform Getting Started Guide.

To learn about the ways you can configure and filter information in dashlets in the Malware Analysis view, refer to Filter Dashlet Data in the Summary of Events View.

To learn about the actions you can perform in the Analysis Results, refer to View Detailed Malware Analysis of an Event.

Begin a Malware Analysis Investigation (No Default Service)

To begin an investigation with no default service specified:

  1. Select Investigate > Malware Analysis.

    The Select a Malware Analysis Service dialog is displayed, with available Malware Analysis hosts and services for the current user in the left panel and available scan jobs in the right panel. This scan jobs panel contains the same columns as the Malware Scan Jobs dashlet in the Unified dashboard. In addition, it has a toolbar and View options, which are described in Select a Malware Analysis Service Dialog.

  2. In the list of Malware Analysis hosts, select a host. A list of scan jobs is displayed in the right panel. These jobs are created when you scan an event or a file (see Upload Files for Malware Analysis Scanning and "Launch a Malware Analysis Scan from the Navigate View" in the NetWitness Investigate User Guide).
  3. To begin analyzing a scan, do one of the following:

    1. Select a scan and click View Scan.
    2. Click View Continuous Mode.

      The Summary of Events for the selected scan is displayed with the default dashlets open. Each user can add, modify, and delete default dashlets, which persist through different scan investigations. Users can also restore default dashlets as described in Filter Dashlet Data in the Summary of Events View.

Set or Clear the Default Service

You can set the default service and clear the default service in the Select a Malware Analysis Service dialog.

To set a default service:

  1. Click the service name in the Summary of Events toolbar.

    The Select a Malware Analysis Service dialog is displayed.

  2. Select a service on the list of available Malware services, and click the default service icon (netwitness_defserv.png).

    The service becomes the default (indicated by the netwitness_ic-default.png icon in front of the host name).

  3. To clear the default service, select the default service in the grid, and click the default service icon (netwitness_defserv.png).

    No default service is set.

Upload and Scan Files

A Malware Analyst with permission to Initiate Malware Analysis Scan can upload files to scan using the Scan Files option in the Select a Malware Analysis Service dialog (see Upload Files for Malware Analysis Scanning). An administrator can upload packet capture files to a Decoder for Malware Analysis in the Services System view as described in "Upload Packet Capture File" in the Decoder and Log Decoder Configuration Guide.

Begin an Investigation (Default Service Specified)

To begin an investigation with a default service specified, select Investigate > Malware Analysis.

The Summary of Events for a continuous scan of the selected service is displayed with the default dashlets open. Each user can add, modify, and delete default dashlets, which persist through different scan investigations. Users can also restore default dashlets as described in Filter Dashlet Data in the Summary of Events View.

Apply Time Parameters Filter for Results

You can apply a Threshold filter to refresh the results of the chosen dashlets.

  1. To select a different time range, select either Continuous Mode or a different scan from the toolbar.

    The Malware Summary of Events for the selected scan is displayed.

  2. To select a new time range for the scan, click in the range selection list in the toolbar. Ranges available are: Last 5 minutes, Last 10 minutes, Last 15 minutes, Last 30 minutes, Last Hour, Last 3 Hours, Last 6 Hours, Last 12 Hours, Last 24 Hours, Last 2 Days, Last 5 Days, Early Morning, Morning, Afternoon, Evening, All Day, Yesterday, This Week, Last Week, or Custom.

    The results are updated immediately.

  3. To refresh a continuous mode scan with new data, click the refresh icon (netwitness_ic-refresh.png).

Apply a Threshold Filter to Continuous Mode Results

You can apply a new threshold filter to an instance of the Malware with High Confidence IOCs and High Scores dashlet, the Meta Treemap dashlet, the Score Wheel dashlet, and the Event Timeline dashlet.

To customize the scoring applied to the scan, in the toolbar, do the following:

  1. Select the actions drop-down (netwitness_actiondd.png) > Apply Threshold Filter.

    The Apply Threshold Filter dialog is displayed.

  2. If you want to limit the number of events displayed to events that were given a score above a certain number, do the following:

    1. Drag the slider in the Static, Network, Community, and Sandbox slider bars.
    2. To select the dashlets in which the thresholds apply, select the appropriate checkboxes.
    3. Click Apply.

Delete or Resubmit an On-Demand Scan with New Bypass Settings

You can delete an on-demand scan or resubmit an on-demand scan with different bypass settings than those specified in the Service Configuration view for a Malware Analysis service.

To delete a scan while viewing an on-demand scan, do the following:

  1. Select Actions > Delete Scan.

    A dialog asks for confirmation that you want to delete the scan.

  2. Click Yes.

    The selected scan is deleted.

To apply different bypass settings to the current scan:

  1. Select Actions > Resubmit Scan.

    The Scan for Malware dialog is displayed.

  2. Select the bypass settings that you want to use on the new scan, and click Scan.

    Malware Analysis resets the cache and resubmits the file for a new scan, and the scan jobs are added to the jobs queue.

  3. When the job is complete, scroll to the left and select View.

    The Malware Summary of Events for the selected scan is displayed.

View the Files List

You can view a list of files for an event from the Malware Analysis Summary of Events and from each of the Visualization charts: Event Timeline, Meta Breakdowns, Meta Treemap, and Score Wheel.

To view the Files List, do one of the following:

  • In the Summary of Events, click on the number of files in the Total row or the High Confidence row under Files Processed, PE Files, Office Files, or PDF Files. The Files List is displayed.
  • In any visualization dashlet, click the number next to the Files field in the top right corner of the dashlet.

    The Files List for the selected drill point is displayed.

From the Files List, you can search for a file by filename or MD5 file hash, sort the list using two criteria and ascending or descending order, and download files as described in Examine Scan Files and Events in List Form.

To return to the Summary of Events, click Back to Summary.

View the Events List

From the Malware Analysis Summary of Events and from each of the visualization charts (Event Timeline, Meta Breakdowns, Meta Treemap, and Score Wheel), you can select events to view in the Events grid.

To view the Events List, do one of the following:

  • In the Summary of Events, click the number of Events Created in the Total row or the High Confidence row. The Events List is displayed.
  • In any visualization dashlet, click the number next to the Events field in the top right corner of the dashlet.

    The Events List for the selected time is displayed.
