Virtual Analyzer Overview

Virtual Analyzer is a secure virtual environment that manages and analyzes objects submitted by integrated products and by administrators and investigators (through SSH). Custom sandbox images enable observation of files, URLs, registry entries, API calls, and other objects in environments that match your system configuration.
If you configure Deep Discovery Web Inspector to use the internal Virtual Analyzer server (the default), you must import Virtual Analyzer images before Deep Discovery Web Inspector can perform sandbox analysis. The status table for the internal Virtual Analyzer sandbox environment shows the real-time status of Virtual Analyzer and of each imported sandbox image.
As an alternative to using the internal Virtual Analyzer, you can configure Deep Discovery Web Inspector to use Deep Discovery Analyzer to perform suspicious object analysis.
Virtual Analyzer performs static and dynamic analysis to identify an object's notable characteristics in the following categories:
  • Anti-security and self-preservation
  • Autostart or other system configuration
  • Deception and social engineering
  • File drop, download, sharing, or replication
  • Hijack, redirection, or data theft
  • Malformed, defective, or with known malware traits
  • Process, service, or memory object change
  • Rootkit, cloaking
  • Suspicious network or messaging activity
During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the object based on the accumulated ratings. Virtual Analyzer also generates analysis reports, suspicious object lists, PCAP files, and OpenIOC files that can be used in investigations.
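The following is an added, hypothetical illustration of the rating model the paragraph above describes: each observed characteristic is placed in one of the nine categories listed earlier, rated in context (a rating is raised when related behaviours co-occur in the same run), and the accumulated ratings map to a risk level. This is not Trend Micro's code, and the weights, context rules, thresholds, risk-level names and the constructed sample observations are all assumptions chosen for the example; Virtual Analyzer's actual scoring is not documented on this page.

```python
"""Hypothetical context-aware rating and accumulated risk level.

Category names follow the Virtual Analyzer overview. Weights, context rules,
thresholds and the sample observations are constructed for this example and
are not the product's own logic.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed base weight per category (constructed values).
CATEGORY_WEIGHT = {
    "Anti-security and self-preservation": 3,
    "Autostart or other system configuration": 2,
    "Deception and social engineering": 2,
    "File drop, download, sharing, or replication": 2,
    "Hijack, redirection, or data theft": 3,
    "Malformed, defective, or with known malware traits": 4,
    "Process, service, or memory object change": 2,
    "Rootkit, cloaking": 4,
    "Suspicious network or messaging activity": 2,
}

# Assumed context rules: (category rated, co-occurring category, extra rating).
CONTEXT_BONUS = [
    ("Autostart or other system configuration",
     "File drop, download, sharing, or replication", 2),
    ("Suspicious network or messaging activity",
     "Hijack, redirection, or data theft", 2),
]


@dataclass(frozen=True)
class Observation:
    """One characteristic noted during static or dynamic analysis."""
    category: str
    detail: str


def rate_in_context(observations: List[Observation]) -> List[Tuple[Observation, int]]:
    """Rate every observation, raising the rating when a related category
    also appears in the same analysis run. Unknown categories are rejected
    rather than silently rated zero."""
    seen = {o.category for o in observations}
    rated = []
    for obs in observations:
        if obs.category not in CATEGORY_WEIGHT:
            raise ValueError(f"unknown characteristic category: {obs.category!r}")
        rating = CATEGORY_WEIGHT[obs.category]
        for rated_cat, partner_cat, bonus in CONTEXT_BONUS:
            if obs.category == rated_cat and partner_cat in seen:
                rating += bonus
        rated.append((obs, rating))
    return rated


def accumulated_score(observations: List[Observation]) -> int:
    """Sum of the context-adjusted ratings."""
    return sum(rating for _, rating in rate_in_context(observations))


def risk_level(observations: List[Observation]) -> str:
    """Map the accumulated score to a risk level (assumed thresholds)."""
    total = accumulated_score(observations)
    if total == 0:
        return "no risk"
    if total < 4:
        return "low"
    if total < 8:
        return "medium"
    return "high"


# Constructed sample: a dropped executable that registers itself to autostart
# and then beacons out. The autostart rating is raised because a file drop
# was also observed in the same run.
SAMPLE_RUN = [
    Observation("File drop, download, sharing, or replication",
                "wrote an executable to a user temp directory"),
    Observation("Autostart or other system configuration",
                "added a Run-key style autostart entry"),
    Observation("Suspicious network or messaging activity",
                "periodic outbound connection to an unrecognised host"),
]

if __name__ == "__main__":
    for obs, rating in rate_in_context(SAMPLE_RUN):
        print(f"{rating:2d}  {obs.category}: {obs.detail}")
    print("accumulated:", accumulated_score(SAMPLE_RUN), "->", risk_level(SAMPLE_RUN))
```

The context rules are the part worth noting: the same autostart entry contributes more when the sandbox also saw the file being dropped, which is how an accumulated rating can reach a higher level than a simple per-category sum would.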