Spectra Analyze
Spectra Analyze is a malware analysis solution designed for individual analysts and small teams. It combines deep static file analysis with cloud threat intelligence to accelerate threat detection, investigation, and collaboration.
Spectra Analyze is available as a hardware/software appliance or as a cloud-based service.
Introduction
Spectra Analyze is powered by Spectra Core, the ReversingLabs engine for automated static decomposition and analysis of binary files.
When you submit a file, Spectra Core unpacks it and extracts all available information from every contained object. The unpacking process supports all variants of more than 400 formats, including PE packers, archives, installation packages, firmware images, documents, and mobile applications.
Once unpacked, Spectra Core extracts metadata from each file: strings, format header details, function names, library dependencies, file segments, and static behavior analysis with capability information. This data is combined with threat intelligence from Spectra Intelligence, a cloud service that provides scanner results, threat names, and community classifications, to produce a complete analysis report.
The result is a classification of each analyzed file as malicious, suspicious, goodware, or unknown, along with a risk score and the indicators that drove the result.
For more information about the latest features, see the Spectra Analyze website.
See Getting Started to configure your first cloud connection, upload a file, and interpret your first analysis report.
Navigating the Interface
This section describes the layout of the Spectra Analyze interface, including the terminology and visual indicators used throughout the appliance and its documentation.
Global Header Bar
The global header bar runs across the top of every page in the Spectra Analyze interface. It contains the most commonly used controls and the main navigation menu.
From left to right:
Search Samples is a text field for entering search queries. Clicking the field expands it across the header bar and hides other menu items to give more space for constructing queries. Performing a search navigates to the Advanced Search page. See Advanced Search.
Submit opens the file and URL submission dialog. An upload progress bar appears in the header bar while files are uploading. Navigating away from the page or refreshing the browser during an upload will cancel it. See File and URL Submissions.
Dashboard displays submission and processing statistics for a specified time range. See Dashboard.
Search & Submissions provides access to the Advanced Search feature for querying analyzed files across local and global Spectra Intelligence data sets. See Search & Submissions Page.
YARA allows rule-based identification and classification of files using text or binary patterns. If this item is not visible, it can be enabled under Administration > User Roles. See YARA Hunting.
Graph provides an interactive visualization of relationships between malware samples, files, domains, IPs, and other entities. See Graph Page.
Help contains links to appliance documentation, ReversingLabs support, and the legend for risk score indicators.
Quota Indicator (pie chart icon) shows the current usage status of all ReversingLabs APIs configured on the appliance that have a limited quota.
Alerts Indicator enables real-time monitoring of changes in malware classification and analysis results. If there are unresolved alerts, their count appears as a red badge on the indicator. See Alerts.
Health Status Indicator shows the current status of the appliance. See Health Status Indicator below.
User menu shows the current username and provides access to Administration, User Profile, and Log Out.
Risk Tolerance shows the current risk tolerance level for the appliance, if enabled. See Risk Tolerance.
Health Status Indicator
The second-to-last item in the main appliance menu is the health status indicator. It flags issues with system load and shows whether the appliance is connected to a file reputation service and whether that service is reachable. Administrators can click the icon to open a pop-up with a more granular view of system resources: disk usage, memory usage, CPU utilization, outstanding alerts and issues, and Spectra Detect Manager connection status. The pop-up also contains a link to the System Status page, which provides detailed information on all system monitoring services.
Thresholds for these services, such as CPU/memory/disk usage or queue sizes, are configured on the Administration > Configuration > System Health page.
If there are no issues with the system load and if the appliance is connected to Spectra Intelligence or the T1000 File Reputation Appliance, this is indicated by a black icon.
A red icon with a small exclamation mark means that the reputation service is not configured or not reachable, or that CPU/memory/disk usage or queue sizes have exceeded the configured thresholds. In this case, hovering over the icon lists the detected issues.
The services used to deliver file reputation data (Spectra Intelligence or T1000 File Reputation Appliance) can be configured under Administration > Configuration in the Spectra Intelligence and T1000 File Reputation Appliance dialogs.