The Submissions screen, in Virtual Analyzer > Submissions, includes a list of samples processed by Virtual Analyzer. Samples are files and URLs submitted automatically by integrated products, through email messages from permitted sender domains and SMTP servers, or manually by Deep Discovery Analyzer administrators or investigators.

The Submissions screen organizes samples into the following tabs:

  • Completed: Samples that Virtual Analyzer has analyzed

  • Processing: Samples that Virtual Analyzer is currently analyzing

  • Queued: Samples that are pending analysis

  • Unsuccessful: Samples that have gone through the analysis process but do not have analysis results due to errors

    Note:

    Samples listed on the Unsuccessful tab are not included in the sample count displayed on a widget.

  • ICAP Pre-scan: High-risk samples received from integrated ICAP clients.

    Note:

    The ICAP Pre-scan tab displays when you enable ICAP integration on the Administration > Integrated Products/Services > ICAP screen.

Each tab displays a table summarizing basic information about the submitted samples. To customize which columns appear in the table, click the gear icon, select the columns to be displayed in the table, and click Apply.

To update the data displayed in the table, click Refresh.

The following table outlines all available columns. Column display varies depending on the tab you select.

Table 1. Submission columns

Each entry below gives the column name followed by the information the column displays. Columns are grouped into Object Information, Analysis Information and Event Information.

Object Information

Submitted

Date and time when the sample was submitted

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

File Name

This field displays one of the following:

  • File name of the sample

  • File name of the child object with the highest risk level

  • File name of any child object if no risk is detected

Note:

The file name displays as "NONAMEFL" if the file size is 0 or the file is too small for analysis.

Sample Package

Archived copy of the file sample

Note:

Downloads are only available for file submissions. Click to download the file sample as an archived file. The archive password is virus.

This column is available on the Unsuccessful tab only.

Submitter

This field displays one of the following:

  • Name of the Trend Micro product that submitted the sample

  • "Email Submission" if the sample was submitted through an email message

  • "Manual Submission" if the sample was manually submitted

  • "ICAP Client" if the sample originated from an ICAP client

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Submitter Name

  • Host name of the product that submitted the sample

  • Logon account name if a sample is submitted manually

  • IP address of the ICAP client or SMTP server that submitted the sample

SHA-1

SHA-1 value of the sample

SHA-256

SHA-256 value of the sample

This column is available on the Completed and ICAP Pre-scan tabs only.

Object Type

File or URL

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Detected

Date and time when the sample was detected

This column is available on the ICAP Pre-scan tab only.

ICAP Mode

Mode reported by the ICAP client when the sample was detected

Possible values are:

  • REQMOD: ICAP Request modification method

  • RESPMOD: ICAP Response modification method

This column is available on the ICAP Pre-scan tab only.

Analysis Information

Risk Level

Virtual Analyzer performs static analysis and behavior simulation to identify a sample's characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

  • Red icon: High risk. The object exhibited highly suspicious characteristics that are commonly associated with malware.

    Examples:

    • Malware signatures; known exploit code

    • Disabling of security software agents

    • Connection to malicious network destinations

    • Self-replication; infection of other files

    • Dropping or downloading of executable files by documents

  • Yellow icon: Low risk. The object exhibited mildly suspicious characteristics that are most likely benign.

  • Green icon: No risk. The object did not exhibit suspicious characteristics.

  • Gray icon: Not analyzed

    For possible reasons why Virtual Analyzer did not analyze a file, see Possible Reasons for Analysis Failure.

Note:

If several instances processed a sample, the icon for the most severe risk level displays. For example, if the risk level on one instance is yellow and red on another, the red icon displays. Mouse over the icon for details about the risk level.

This column is available on the Completed tab only.

Completed

Date and time that sample analysis was completed

This column is available on the Completed tab only.

File Type

  • File type of the object

  • File type of the archive / File type of the highest risk child object

  • File type of the archive / File type of any child object if no risk

Note:

The file type displays as "Empty" or "UNKNOWN" if the file size is 0 or the file is too small for the file type to be identified for analysis.

This column is available on the Completed and ICAP Pre-scan tabs only.

Threat

Name of threat as detected by Trend Micro pattern files and other components

This column is available on the Completed and ICAP Pre-scan tabs only.

Note:

For the ICAP Pre-scan tab, if the threat name is not available (for example, the Web Inspection Service does not provide a threat name for a URL), "Undefined threat" is displayed.

Threat Types

Type of threat as detected by Trend Micro pattern files and other components

This column is available on the Completed tab only.

Elapsed Time

The amount of time that has passed since processing started

This column is available on the Processing tab only.

Processed By

IP address of the node that is processing the object, if Deep Discovery Analyzer is configured in a load-balancing cluster

This column is available on the Completed and Processing tabs only.

Note:

When Deep Discovery Analyzer is analyzing a sample with interactive mode enabled, you can perform the following tasks on the Processing screen:

  • View the current status (Preparing for access, Accessible, Completing, or Completed)

  • Click this field to display detailed information (for example, analysis method and IP address and port information for VNC access in interactive mode)

  • Click Stop Analysis to terminate a sample analysis

Priority

Priority assigned to the sample

This column is available on the Queued tab only.

Time in Queue

The amount of time that has passed since Virtual Analyzer added the sample to the queue

This column is available on the Queued tab only.

Error

Reason for analysis failure

This column is available on the Unsuccessful tab only.

Child Files

The number of child files detected in the sample

You can click the number to view detailed child file detection information. For more information, see Viewing Child File Detection Information for ICAP Pre-scan.

This column is available on the ICAP Pre-scan tab only.

Identified By

The name of the detection module that processed the object

This column is available on the ICAP Pre-scan tab only.

YARA Rule File

Name of the YARA rule file that contains the matched YARA rule

If a child file is detected, you can click the link to view detailed YARA detection information.

This column is available on the Completed tab only.

Note:

  • If a match is found for a child file but not the parent file, this field displays the name of any YARA rule file that contains the matched YARA rule.

  • If a match is found for a parent file or a file without any child file, this field displays the name of the YARA rule file that contains the matched YARA rule.

YARA Rule Name

Name of the matched YARA rule.

This column is available on the Completed and ICAP Pre-scan tabs only.

Event Information

Event Logged

  • For samples submitted by other Trend Micro products, the date and time the product dispatched the sample

  • For manually submitted samples and for samples submitted by ICAP clients, the date and time Deep Discovery Analyzer received the sample

Source / Sender

Where the sample originated

  • IP address for network traffic

  • Email address for email submissions

  • No data (indicated by a dash) if manually submitted

Destination / Recipient

Where the sample is sent

  • IP address for network traffic or email address for email

  • No data (indicated by a dash) if the sample is submitted manually or through an email message

Protocol

  • Protocol used for sending the sample, such as SMTP for email or HTTP for network traffic

  • No data (indicated by a dash) if manually submitted

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

URL

URL of the sample

Note:

Deep Discovery Analyzer may have normalized the URL when submitted using the management console.

Email Subject

Email subject of the sample

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Message ID

Message ID of the sample

This column is available on the Completed, Processing, Queued and Unsuccessful tabs only.

Source IP

IP address where the sample originated, based on the X-Client-IP ICAP header sent by the ICAP client

This column is available on the ICAP Pre-scan tab only.

Destination IP

IP address where the sample was sent, based on the X-Server-IP ICAP header sent by the ICAP client

This column is available on the ICAP Pre-scan tab only.

Source User

User currently logged on when the sample was found, based on the X-Authenticated-User ICAP header sent by the ICAP client

This column is available on the ICAP Pre-scan tab only.

Threat Connect

Displays a link to Threat Connect

This column is available on the ICAP Pre-scan tab only.
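The ICAP Pre-scan columns ICAP Mode, Source IP, Destination IP and Source User are derived from the ICAP request line and the X-Client-IP, X-Server-IP and X-Authenticated-User headers described above. The following Python example is added here for illustration and is not Trend Micro code: it parses a constructed ICAP REQMOD request into those four columns, assuming (per the ICAP extensions draft) that the client base64-encodes X-Authenticated-User, falling back to the raw value when it does not, and returning None for a missing or malformed IP header instead of trusting the client's value.

```python
import base64
import ipaddress

# Constructed sample ICAP REQMOD request; not captured from a real ICAP client.
SAMPLE_ICAP_REQUEST = (
    "REQMOD icap://analyzer.example.internal:1344/reqmod ICAP/1.0\r\n"
    "X-Client-IP: 10.20.30.40\r\n"
    "X-Server-IP: 203.0.113.7\r\n"
    "X-Authenticated-User: V2luTlQ6Ly9FWEFNUExFL2pkb2U=\r\n"
    "Encapsulated: req-hdr=0, null-body=170\r\n"
    "\r\n"
)


def _valid_ip(value):
    """Return the address if it parses as IPv4/IPv6, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (ValueError, AttributeError):  # malformed value or header absent (None)
        return None


def _decode_user(value):
    """Accept the draft's base64 form only if it decodes to printable ASCII; else keep raw."""
    if value is None:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("ascii")
        if decoded and decoded.isprintable():
            return decoded
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        pass
    return value.strip()


def parse_icap_prescan(raw):
    """Map an ICAP request header block onto the ICAP Pre-scan column names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0].upper()
    if method not in ("REQMOD", "RESPMOD"):
        raise ValueError(f"not an ICAP modification request: {request_line!r}")
    headers = {}
    for line in header_lines:  # header names are case-insensitive
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return {
        "ICAP Mode": method,
        "Source IP": _valid_ip(headers.get("x-client-ip")),
        "Destination IP": _valid_ip(headers.get("x-server-ip")),
        "Source User": _decode_user(headers.get("x-authenticated-user")),
    }
```

Calling parse_icap_prescan(SAMPLE_ICAP_REQUEST) yields REQMOD, 10.20.30.40, 203.0.113.7 and the decoded user WinNT://EXAMPLE/jdoe; a RESPMOD request without X-Server-IP yields None for Destination IP.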