Virtual Analyzer widgets help you monitor activity that may become an emerging threat.
Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.
Cloud App Security sends suspicious files to Virtual Analyzer when a file exhibits suspicious characteristics and signature-based scanning technologies cannot find a known threat. Virtual Analyzer performs static analysis and behavior simulation in various runtime environments to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
Virtual Analyzer works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats.
A suspicious object is a known malicious or potentially malicious IP address, domain, URL, SHA-1 value, SHA-256 value, or sender address found in submitted samples. Trend Micro Threat Connect correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.
The following table explains the Virtual Analyzer risk levels after sample analysis. View the table to understand why a suspicious object was classified as high, medium, or low risk.
Risk Level | Description |
---|---|
High risk | The sample exhibited highly suspicious characteristics that are commonly associated with malware. Examples: |
Medium risk | The sample exhibited moderately suspicious characteristics that are also associated with benign applications. Examples: |
Low risk | The sample exhibited mildly suspicious characteristics that are most likely benign. |
No risk | The sample did not exhibit suspicious characteristics. |
Unrated | The sample was not analyzed by Virtual Analyzer for a certain reason. Possible reasons include: If you need technical assistance, contact Trend Micro technical support. |
This widget shows the number of files that were sent to Virtual Analyzer and processed for threats for each protected application or service. It also shows the total number of files processed for all applications and services, and the average time spent analyzing each file, which helps you evaluate the Virtual Analyzer capability.
Average analysis time is calculated only from the processing time of files that are finally rated as High risk, Medium risk, Low risk, or No risk.
The graph is based on the selected time period. The Y-axis represents the number of detections for each protected application or service. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.
Use the drop-down menus to select the detection type and time period to view.
Click a service in the widget legend to show or hide data related to that service.
Advanced Threat Protection policies affect Cloud App Security scanning behavior for suspicious objects found in Virtual Analyzer. To configure Virtual Analyzer policies, see Configuring Virtual Analyzer.
This widget summarizes the risk levels that Virtual Analyzer assigned to suspicious objects found in submitted samples. For details about Virtual Analyzer risk levels, see Virtual Analyzer Risk Levels.
Use the drop-down menu to select the time period to view.
Click the number under Detections to view logs related to the corresponding time period (last 24 hours, 7 days, or 30 days).
This widget shows the users most affected by suspicious files found in Virtual Analyzer and when the suspicious file was last detected.
Use the drop-down menu to select the time period to view.
Click the number under Detections to view logs related to the corresponding time period (last 24 hours, 7 days, or 30 days).
This widget shows the most frequent suspicious files found and their risk levels rated by Virtual Analyzer over the selected time period.
Use the drop-down menu to select the time period to view.
Click the number under Detections to view logs related to the corresponding time period (last 24 hours, 7 days, or 30 days).
This widget shows the suspicious objects found in Virtual Analyzer for each application or service over the selected time period.
The graph is based on the selected time period. The Y-axis represents the number of detections for each protected application or service. The X-axis represents the time period moving backwards in time from right to left. Mouse-over an area on the graph to learn more about a metric.
Use the drop-down menu to select the time period to view.
Click a service in the widget legend to show or hide data related to that service.