Submissions Parent topic

The Submissions screen, in Virtual Analyzer Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by integrated products or manually by Deep Discovery Analyzer administrators or investigators.
The Submissions screen organizes samples into the following tabs:
  • Completed: Samples that Virtual Analyzer has analyzed
  • Processing: Samples that Virtual Analyzer is currently analyzing
  • Queued: Samples that are pending analysis
  • Unsuccessful: Samples that have gone through the analysis process but do not have analysis results due to errors
    Note
    Note
    Samples listed on the Unsuccessful tab are not included in the sample count displayed on a widget.
  • ICAP Pre-scan: High-risk samples received from integrated ICAP clients.
Each tab displays a table summarizing basic information about the submitted samples. To customize which columns appear in the table, click the gear icon (gear-icon.png), select the columns to be displayed in the table, and click Apply.
The following table outlines all available columns. Column display varies depending on the tab you select.

Submission columns

Column
Information
Object Information
Submitted
Date and time when the sample was submitted
This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.
File Name
This field displays one of the following information:
  • File name of the sample
  • File name of the child object with the highest risk level
  • File name of any child object if no risk is detected
Note
Note
"NONAMEFL" if file size is 0 or too small for analysis
Sample Package
Archived copy of the file sample
Note
Note
Downloads are only available for file submissions. Click to download the file sample as an archived file. The archive password is virus.
This column is available on the Unsuccessful tab only.
Submitter
  • Name of the Trend Micro product that submitted the sample
  • "Manual Submission" if manually submitted
  • "ICAP Client" if sample originated from an ICAP client
This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.
Submitter Name
  • Host name of the product that submitted the sample
  • No data (indicated by a dash) if manually submitted
  • IP address of the ICAP clients
SHA-1
SHA-1 value of the sample
SHA-256
SHA-256 value of the sample
This column is available on the Completed and ICAP Pre-scantabs only.
Object Type
File or a URL
This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.
Detected
Date and time when the sample was detected
This column is available on the ICAP Pre-scan tab only.
ICAP Mode
Mode reported by the ICAP client when the sample was detected
Possible values are:
  • REQMOD: ICAP Request modification method
  • RESPMOD: ICAP Response modification method
This column is available on the ICAP Pre-scan tab only.
Analysis Information
Risk Level
Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
  • Red icon (grid_dot_red.png): High risk. The object exhibited highly suspicious characteristics that are commonly associated with malware.
    Examples:
    • Malware signatures; known exploit code
    • Disabling of security software agents
    • Connection to malicious network destinations
    • Self-replication; infection of other files
    • Dropping or downloading of executable files by documents
  • Yellow icon (grid_dot_yellow.png): Low risk. The object exhibited mildly suspicious characteristics that are most likely benign.
  • Green icon (grid_dot_green.png): No risk. The object did not exhibit suspicious characteristics.
  • Gray icon (grid_not_analyzed.png): Not analyzed
    For possible reasons why Virtual Analyzer did not analyze a file, see Possible Reasons for Analysis Failure.
Note
Note
If several instances processed a sample, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and then red on another, the red icon displays. Mouseover the icon for details about the risk level.
This column is available on the Completed tab only.
Completed
Date and time that sample analysis was completed
This column is available on the Completed tab only.
File Type
  • File type of the object
  • File type of the archive / File type of the highest risk child object
  • File type of the archive / File type of any child object if no risk
Note
Note
"Empty" or "UNKNOWN" if file size is 0 or too small to identify file type for analysis
This column is available on the Completed and ICAP Pre-scan tabs only.
Threat
Name of threat as detected by Trend Micro pattern files and other components
This column is available on the Completed and ICAP Pre-scan tabs only.
Note
Note
For the ICAP Pre-scan tab, if the threat name is not available (e.g. the Web Inspection Service doesn't provide a threat name for a URL), "Undefined threat" is displayed.
Threat Types
Type of threat as detected by Trend Micro pattern files and other components
This column is available on the Completed tab only.
Elapsed Time
The amount of time that has passed since processing started
This column is available on the Processing tab only.
Processed By
IP address of the node that is processing the object, if Deep Discovery Analyzer is configured in a load-balancing cluster
This column is available on the Completed and Processing tabs only.
Priority
Priority assigned to the sample
This column is available on the Queued tab only.
Time in Queue  
The amount of time that has passed since Virtual Analyzer added the sample to the queue
This column is available on the Queued tab only.
Error
Reason for analysis failure
This column is available on the Unsuccessful tab only.
Child Files
The number of child files detected in the sample
You can click the number to view detailed child file detection information. For more information, see Viewing Child File Detection Information.
This column is available on the ICAP Pre-scan tab only.
Identified By
The name of the detection module that processed the object
This column is available on the ICAP Pre-scan tab only.
YARA Rule File
Name of the YARA rule file that contains the matched YARA rule
If a child file is detected, you can click the link to view detailed YARA detection information.
This column is available on the Completed tab only.
Note
Note
  • If a match is found for a child file but not the parent file, this field displays the name of any YARA rule file that contains the matched YARA rule.
  • If a match is found for a parent file or a file without any child file, this field displays the name of the YARA rule file that contains the matched YARA rule.
Event Information
Event Logged
  • For samples submitted by other Trend Micro products, the date and time the product dispatched the sample
  • For manually submitted samples and for samples submitted by ICAP clients, the date and time Deep Discovery Analyzer received the sample
Source / Sender
Where the sample originated
  • IP address for network traffic or email address for email
  • No data (indicated by a dash) if manually submitted
Destination / Recipient
Where the sample is sent
  • IP address for network traffic or email address for email
  • No data (indicated by a dash) if manually submitted
Protocol
  • Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic
  • No data (indicated by a dash) if manually submitted
This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.
URL
URL of the sample
Note
Note
Deep Discovery Analyzer may have normalized the URL when submitted using the management console.
Email Subject
Email subject of the sample
This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.
Message ID
Message ID of the sample
This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.
Source IP
IP address where the sample originated, , based on the X-Client-IP ICAP header sent by the ICAP client
This column is available on the ICAP Pre-scan tab only.
Destination IP
IP address where the sample was sent, based on the X-Server-IP ICAP header sent by the ICAP client
This column is available on the ICAP Pre-scan tab only.
Source User
User currently logged on when the sample was found, based on the X-Authenticated-User ICAP header sent by the ICAP client
This column is available on the ICAP Pre-scan tab only.
Threat Connect
Displays a link to Threat Connect
This column is available on the ICAP Pre-scan tab only.
Related information