Submissions

The Submissions screen, in Virtual Analyzer → Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by integrated products or manually by Deep Discovery Analyzer administrators or investigators.

The Submissions screen organizes samples into the following tabs:

Completed: Samples that Virtual Analyzer has analyzed
Processing: Samples that Virtual Analyzer is currently analyzing
Queued: Samples that are pending analysis

Unsuccessful: Samples that have gone through the analysis process but do not have analysis results due to errors

Note

Samples listed in the Unsuccessful are not counted by any widget

ICAP Pre-scan: High-risk samples received from integrated ICAP clients.

Each tab displays a table summarizing basic information about the submitted samples. To customize which columns appear in the table, click the gear icon (

), select the columns to be displayed in the table, and click Apply.

The following table outlines all available columns, and includes columns which are available only on specific tabs.

Submission columns

Column

Information

Object Information

Submitted

Date and time when the sample was submitted

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

File Name

This field displays one of the following information:

File name of the sample
File name of the child object with the highest risk level
File name of any child object if no risk is detected

Note

"NONAMEFL" if file size is 0 or too small for analysis

Sample Package

Archived copy of the file sample

Note

Downloads are only available for file submissions. Click to download the file sample as an archived file. The archive password is virus.

This column is available on the Unsuccessful tab only.

Submitter

Name of the Trend Micro product that submitted the sample
"Manual Submission" if manually submitted
"ICAP Client" if sample originated from an ICAP client

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Submitter Name

Host name of the product that submitted the sample
No data (indicated by a dash) if manually submitted
IP address of the ICAP clients

SHA-1

SHA-1 value of the sample

SHA-256

SHA-256 value of the sample

This column is available on the Completed tab only.

Object Type

File or a URL

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Detected

Date and time when the sample was detected

This column is available on the ICAP Pre-scan tab only.

ICAP Mode

Mode reported by the ICAP client when the sample was detected

Possible values are:

REQMOD: ICAP Request modification method
RESPMOD: ICAP Response modification method

This column is available on the ICAP Pre-scan tab only.

Analysis Information

Risk Level

Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

Red icon (): High risk. The object exhibited highly suspicious characteristics that are commonly associated with malware.

Examples:
- Malware signatures; known exploit code
- Disabling of security software agents
- Connection to malicious network destinations
- Self-replication; infection of other files
- Dropping or downloading of executable files by documents
Yellow icon (): Low risk. The object exhibited mildly suspicious characteristics that are most likely benign.
Green icon (): No risk. The object did not exhibit suspicious characteristics.
Gray icon (): Not analyzed

For possible reasons why Virtual Analyzer did not analyze a file, see the Possible Reasons for Analysis Failure table below.

Note

If several instances processed a sample, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another, the red icon displays. Mouseover the icon for details about the risk level.

This column is available on the Completed tab only.

Completed

Date and time that sample analysis was completed

This column is available on the Completed tab only.

File Type

File type of the object
File type of the archive / File type of the highest risk child object
File type of the archive / File type of any child object if no risk

Note

"Empty" or "UNKNOWN" if file size is 0 or too small to identify file type for analysis

This column is available on the Completed and ICAP Pre-scan tabs only.

Threat

Name of threat as detected by Trend Micro pattern files and other components

This column is available on the Completed and ICAP Pre-scan tabs only.

Note

For the ICAP Pre-scan tab, if the threat name is not available (e.g. the Web Inspection Service doesn't provide a threat name for a URL), "Undefined threat" is displayed.

Threat Types

Type of threat as detected by Trend Micro pattern files and other components

This column is available on the Completed tab only.

Elapsed Time

The amount of time that has passed since processing started

This column is available on the Processing tab only.

Processed By

IP address of the node that is processing the object, if Deep Discovery Analyzer is configured in a load-balancing cluster

This column is available on the Completed and Processing tabs only.

Priority

Priority assigned to the sample

This column is available on the Queued tab only.

Time in Queue

The amount of time that has passed since Virtual Analyzer added the sample to the queue

This column is available on the Queued tab only.

Error

Reason for analysis failure

This column is available on the Unsuccessful tab only.

Child Files

The number of child files detected in the sample

You can click the number to view detailed child file detection informaiton. For more information, see Viewing Child File Detection Information.

This column is available on the ICAP Pre-scan tab only.

Identified By

The name of the detection module that processed the object

This column is available on the ICAP Pre-scan tab only.

YARA Rule File

Name of the YARA rule file that contains the matched YARA rule.

If a child file is detected, you can click the link to view detailed YARA detection information.

This column is available on the Completed tab only.

Note

If a match is found for a child file but not the parent file, this field displays the name of any YARA rule file that contains the matched YARA rule.
If a match is found for a parent file or a file without any child file, this field displays the name of the YARA rule file that contains the matched YARA rule.

Event Information

Event Logged

For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
For manually submitted samples and for samples submitted by ICAP clients, the date and time Deep Discovery Analyzer received the sample

Source / Sender

Where the sample originated

IP address for network traffic or email address for email
No data (indicated by a dash) if manually submitted

Destination / Recipient

Where the sample is sent

IP address for network traffic or email address for email
No data (indicated by a dash) if manually submitted

Protocol

Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic
No data (indicated by a dash) if manually submitted

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

URL

URL of the sample

Note

Deep Discovery Analyzer may have normalized the URL when submitted using the management console.

Email Subject

Email subject of the sample

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Message ID

Message ID of the sample

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Source IP

IP address where the sample originated, , based on the X-Client-IP ICAP header sent by the ICAP client

This column is available on the ICAP Pre-scan tab only.

Destination IP

IP address where the sample was sent, based on the X-Server-IP ICAP header sent by the ICAP client

This column is available on the ICAP Pre-scan tab only.

Source User

User currently logged on when the sample was found, based on the X-Authenticated-User ICAP header sent by the ICAP client

This column is available on the ICAP Pre-scan tab only.

Threat Connect

Displays a link to Threat Connect

This column is available on the ICAP Pre-scan tab only.

If the Risk Level column shows a gray icon (

), Virtual Analyzer has not analyzed the sample. The following table lists possible reasons for analysis failure and identifies actions you can take.

Possible Reasons for Analysis Failure

Reason	Action
Virtual Analyzer does not support the file format, or the file is empty.	Check the supported file type list in the Virtual Analyzer → Sandbox Management → Submission Settings tab.
The available sandbox images do not support the file format.	Check the sandbox image information in the Virtual Analyzer → Sandbox Management → Images tab.
The URL exceeds the limit of 2083 characters.	Verify that the URL does not exceed 2,083 characters.
Virtual Analyzer does not support the encryption or compression format.	Check the password list in the Virtual Analyzer → Sandbox Management → Archive Passwords tab.
Virtual Analyzer does not support the file format.	Unsupported file type in current sandbox image. Check the sandbox image information in the Virtual Analyzer → Sandbox Management → Images tab.
Virtual Analyzer is unable to access the Internet.	Verify the connection of the management network to the Internet.
An unexpected error has occurred on the Sandbox for macOS.	Please contact your support provider.
The Sandbox for macOS did not return an analysis result before the timeout period expired.	Resubmit the object for analysis. If the issue persists, contact your support provider.
Unable to establish a connection to the Sandbox for macOS.	Verify the connection of the management network to the Internet.
The URL is invalid.	Verify that the specified URL is in a valid format.
Extracted file sizes exceeds total limitation	Verify that the total file size of the extracted samples do not exceed the specified limitation.
Archive extracted for analysis. See child files.	Locate the extracted samples.
Virtual Analyzer is unable to analyze the object. The available disk space is insufficient.	Verify that the disk space is sufficient to perform the analysis.
Virtual Analyzer is unable to analyze the object within the timeout period.	Resubmit the object for analysis. If the issue persists, contact your support provider.
An unexpected error has occurred. Please resubmit the sample for analysis. If the issue persists, contact your support provider.	Resubmit the object for analysis. If the issue persists, contact your support provider.
The license for the Sandbox for macOS has expired.	Please contact your support provider.

$('#title').html($('meta[name=description]').attr('content'));

Submissions

Note

Submission columns

Note

Note

Note

Note

Note

Note

Note

Possible Reasons for Analysis Failure