Version: Spectra Analyze 9.5.2

About Spectra Analyze

Spectra Analyze is a malware analysis solution for individual analysts or small teams that makes threat detection, deep analysis and collaboration more effective and productive. This solution is offered as a hardware/software appliance, or as a cloud-based service.

Spectra Analyze is powered by Spectra Core, the world’s fastest and most comprehensive software platform for automated static decomposition and analysis of binary files.

When a sample is submitted to the appliance, it is processed by Spectra Core to automatically unpack files and extract all available information from each contained object. The unpacking process handles all variants of more than 400 PE packer, archive, installation package, firmware image, document and mobile application formats.

Once unpacked, Spectra Core extracts all available metadata from files including strings, format header details, function names, library dependencies, file segments and capabilities with static behavior analysis information.

The general overview of information extracted by Spectra Core can be seen on the Sample Details page, with more specifics in the Indicators and Extracted Files sections.

For more information about the latest features, see the Spectra Analyze website.

This section is intended to help you understand the basic layout of the user interface, terminology and visual indicators used on the Spectra Analyze appliance and in its documentation.

Global Header Bar

At the top of the Spectra Analyze interface is the global header bar, containing the most commonly used options and the main appliance menu used to access all sections of the appliance.

The first item from the left, after the logo, is the Search Samples box, a text field where users can enter search queries and get a dropdown list of all supported keywords.

Clicking the text field expands it to the far right of the header bar and hides other menu items to provide more space for typing and constructing the query. Clicking away from the text field removes the focus and restores the original menu layout. Performing a search navigates users to the Advanced Search page to display results. For more information, see Advanced Search.

To the right of the Search Samples box is the Submit button used to upload samples and submit URLs to the appliance from any page of the interface. An upload status bar is displayed in the header bar while files are uploading. Navigating away from the page or refreshing the browser tab during upload is not supported and triggers a warning that the upload will be lost. For more information on uploading samples, submitting URLs, file privacy and size limitations, see File Submissions.

  • Dashboard: Displays statistics related to the amount and type of files that have been submitted and processed on the appliance within a specified time range.

  • Search: The Advanced Search feature introduces rich metadata search capabilities on the Spectra Analyze appliance, makes it easier to search across large data sets (both local and global in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage. For more information, see Advanced Search.

  • YARA: Allows rule-based identification and classification of files. Users can create their own YARA rules containing textual or binary patterns. When a file matches the pattern found in a YARA rule, it receives the classification defined by that rule. YARA rules can be grouped into rulesets.

    Note: If this page is not visible in the header bar, it can be assigned to the user on the Administration > User Role configuration page.

  • Graph: Provides an interactive visualization of relationships between malware samples, files, domains, IPs, and other entities.

  • Help: Contains options to access the appliance documentation, contact ReversingLabs support, and open the legend explaining basic information about Risk Score.

  • Quota Indicator: Clicking the pie-chart icon opens a pop-up listing all ReversingLabs APIs in use on the appliance which have a limited quota, and their current status.

  • Alerts Indicator: Allows real-time monitoring to track changes in malware classification and analysis results. It automates notifications for specific events, informing users of malware status changes. Clicking the indicator opens a list of recent alerts. If there are any unresolved alerts, their count is displayed as a red badge on the indicator.

  • Health Status Indicator: Shows the status of the appliance.

  • User menu: Shows the username of the current user and contains links to the Administration and User Profile pages, where you can edit user information, change your password, and configure alerts. From the User menu, you can also Log Out from the appliance.

Health Status Indicator

The second to last item in the main appliance menu is the health status indicator, pointing out issues with the system load and showing if the appliance is connected to a file reputation service, and if the service is reachable or not. Administrators can click the icon to open a pop-up with a more granular look at the system resources: Disk Usage, Memory usage, CPU utilization, outstanding alerts and issues, and Spectra Detect Manager connection status. The pop-up also contains a link to Open System Status page with detailed information on all the system monitoring services.

Thresholds for these services, such as CPU/memory/disk usage or queue sizes, are configured on the Administration > Configuration > System Health Indicator page.

If there are no issues with the system load and if the appliance is connected to Spectra Intelligence or the T1000 File Reputation Appliance, this is indicated by a black icon.

A red icon with a small exclamation mark means that the reputation service is not configured or reachable or that CPU/memory/disk usage or queue sizes went over the configured thresholds. In this case, hovering over the icon lists the detected issues.

Note: The services used to deliver file reputation data (Spectra Intelligence or T1000 File Reputation Appliance) can be configured under Administration > Configuration in the Spectra Intelligence and T1000 File Reputation Appliance dialogs.

Color-Coding and Sample Status

Info: Read more about the ReversingLabs classification algorithm.

Spectra Analyze uses consistent color-coding to indicate sample classification and risk. There are four colors, each one corresponding to a different sample status. The sample status indicates whether a file is goodware, suspicious or malicious - or if no threats were found, indicating the sample remains unclassified.

Four colors (left to right: red indicating malicious, green indicating goodware, orange indicating suspicious, and dark gray indicating no threats were found) used in the interface to indicate sample status

In addition to color-coding, certain parts of the UI also indicate the classification status of submitted files and URLs with colored symbols: a red square is malicious, an orange rhombus is suspicious, a green circle is goodware, and a dark gray square with a circle cutout means no threats were found.

Inside each of the symbols is the sample’s risk score. Samples with no threats found (samples without classification) don’t have a risk score.

Samples with a risk score of 5 are represented using a unique icon, as the indicators found during analysis were deemed insufficient to classify the file as definitively malicious or benign. These samples have a higher chance of changing classification and/or risk factor if new information becomes available.

Some Spectra Analyze APIs return sample classification as a numerical value.

Classification      Value
No threats found    0
Goodware            1
Suspicious          2
Malicious           3

Visual Indicators of Sample Status

Color-coded indicators are present in the following parts of the interface, indicating sample status:

  • YARA page – statistics about ruleset matches. Next to each of the symbols is the sample’s risk score. Samples with no threats found (samples without classification) don’t have a risk score.

    Section of the YARA page showing color-coded status for YARA rulesets

  • File Analysis page, which opens when you click a sample's hash – as the background color of the Report Summary Header. The numerical risk score value is also shown here.

    Upper part of the Sample Details page with numbered indicators showing color-coded sample status

  • How We Caught This tab – in the File Similarity and File Classifications sections.

    Section of the Sample Details page with numbered indicators showing color-coded sample status

  • In URI statistics for particular file types – as colored symbols on the Interesting strings, Network references, or Malware configurations tabs, where available.

    Network References section of the Sample Details page with color-coded indicators of sample status

Classification of Samples

A sample’s classification is determined from one of multiple different sources. All types of classification that a sample can receive on Spectra Analyze are described in detail under Threat Classification Descriptions.

Information about sample classification can be found in the following locations on the interface:

  • Expanded row on the Search Page

    Expanded row on the Search page showing classification source at the bottom left

  • In the sample details summary – if any files have been extracted from a sample, there is additional information about the classification of extracted files under Static Analysis > Classification.

    Static Analysis > Classification section showing information about classification sources

Interpreting Analysis Results

Each sample's analysis report is available on the Sample Details page which contains various sections with links to more detailed information. The information on this page is different for every sample analyzed on the appliance, depending on the file type and classification status.

The Report Summary Header contains the most important information:

  • The final classification (malicious / suspicious / goodware / no threats found) and information about file size and format
  • Risk score
  • Detected threat name
  • Classification reason
  • Community threat detections count
  • YARA matches count

Spectra Analyze always picks the most accurate classification as the final one and displays it in the header. However, to properly read the final classification, users must consider and understand the classification reason and the risk score.

Understanding the Classification Reason

The classification reason specifies which technology detected a threat. Files usually have multiple detections from more than one classifier, but the classification reason tile specifies which one produced the final classification.

The final classification always matches one of the classifiers, but individual classifiers may disagree with each other. Because different malicious samples and malware families behave differently, some samples might be classified as malicious by one technology and still be considered goodware by others. This doesn’t negate or diminish the final classification; it is precisely why Spectra Analyze uses multiple sources to classify files.

That’s also why overlooking the classification reason may result in confusion. For example, adding custom YARA rules to Spectra Analyze is a powerful malware hunting feature, but improperly written rulesets can be too broad and result in a large number of samples suddenly getting classified as malicious by a YARA rule, even though everything else points to goodware.

Understanding the Risk Score

Risk scores are assigned by the severity of the detected threat. Values from 0 to 5 are reserved for samples classified as goodware/known. Lesser threats like adware get a risk score of 6, while ransomware and trojans always get a risk score of 10.

Some users may choose to ignore lower risk classifications, but those samples are still classified as malicious to warn about potential threats, such as installers that have embedded adware.

Understanding Threat Propagation

The classification of certain samples originates from files extracted during analysis. It propagates from children to the parent, for example from a malicious executable to the ZIP archive it was extracted from. When this is the case, the description beneath the classification highlights that it was based on an extracted file.

Administering Classification Overrides

Classifications can also be overridden either through Goodware Overrides, where the classification of a high-trust parent sample is propagated down to extracted files, or manually by using the Spectra Analyze override feature.

In cases where the classification was set by the user, it is considered final and displayed in the header, as well as in the table below. Local classification overrides are visible as final to all appliance users, while the Spectra Intelligence overrides are additionally synchronized with other appliances using the same Spectra Intelligence account, and other Spectra Intelligence accounts belonging to the same company, indicated by the middle segment of the username - u/company/user. In cases where a sample has both overrides, the local override is displayed as the final classification.
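The rules described above (numeric classification values returned by the APIs, threat propagation from extracted files up to their parent, goodware overrides pushed down from a high-trust parent, and local overrides taking precedence over Spectra Intelligence overrides) can be combined into a small model of how a final classification and its reason are arrived at. The following Python is an added illustration written for this page; it is not ReversingLabs code and does not call any Spectra Analyze API. The data structures, field names, the precedence order among the rules and the "highest-severity classifier wins" tie-break are assumptions, and the hashes are placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Numeric classification values as documented for the Spectra Analyze APIs,
# with the status colors the UI uses for each.
NO_THREATS, GOODWARE, SUSPICIOUS, MALICIOUS = 0, 1, 2, 3
CLASSIFICATION_NAMES = {0: "no threats found", 1: "goodware", 2: "suspicious", 3: "malicious"}
STATUS_COLORS = {0: "dark gray", 1: "green", 2: "orange", 3: "red"}


@dataclass
class Verdict:
    """One classifier's opinion of a sample (Spectra Core, a YARA rule, a scanner)."""
    classifier: str
    classification: int


@dataclass
class Sample:
    """A submitted file and the files extracted from it (field names are assumptions)."""
    sha1: str
    verdicts: List[Verdict] = field(default_factory=list)
    children: List["Sample"] = field(default_factory=list)
    local_override: Optional[int] = None         # set by a user on this appliance
    intelligence_override: Optional[int] = None  # synchronized via Spectra Intelligence
    high_trust: bool = False                     # goodware override source for its children


@dataclass
class Result:
    classification: int
    reason: str  # the "classification reason" tile: what produced the final verdict

    @property
    def name(self) -> str:
        return CLASSIFICATION_NAMES[self.classification]

    @property
    def color(self) -> str:
        return STATUS_COLORS[self.classification]


def resolve_tree(sample: Sample, goodware_from_parent: bool = False,
                 out: Optional[Dict[str, Result]] = None) -> Dict[str, Result]:
    """Assign a final classification and reason to every sample in the tree.

    Precedence assumed here (the page states the rules, not their exact order):
    local override > Spectra Intelligence override > goodware override from a
    high-trust parent > threat propagated up from an extracted file > the
    highest-severity verdict among the sample's own classifiers.
    """
    if out is None:
        out = {}
    # Resolve children first so that upward propagation can use their results.
    for child in sample.children:
        resolve_tree(child, goodware_from_parent=sample.high_trust, out=out)

    if sample.local_override is not None:
        result = Result(sample.local_override, "local override")
    elif sample.intelligence_override is not None:
        result = Result(sample.intelligence_override, "Spectra Intelligence override")
    elif goodware_from_parent:
        result = Result(GOODWARE, "goodware override (high-trust parent)")
    else:
        own = max(sample.verdicts, key=lambda v: v.classification, default=None)
        result = (Result(NO_THREATS, "no classifier verdict") if own is None
                  else Result(own.classification, own.classifier))
        for child in sample.children:
            # Propagation: a worse verdict on an extracted file lifts the parent.
            child_result = out[child.sha1]
            if child_result.classification > result.classification:
                result = Result(child_result.classification, f"extracted file {child.sha1}")
    out[sample.sha1] = result
    return out


def risk_score_band(score: Optional[int]) -> str:
    """Map a risk score to the meaning this page gives it (7-9 band is an assumption)."""
    if score is None:
        return "unclassified (no risk score)"
    if score == 5:
        return "known, borderline (classification may still change)"
    if 0 <= score < 5:
        return "goodware/known"
    if score == 10:
        return "malicious, highest severity (e.g. ransomware, trojan)"
    return "malicious, lower severity (e.g. adware at 6)"


# Constructed tree: a ZIP whose own verdict is goodware but which contains a
# malicious executable, so the archive inherits the child's classification.
ARCHIVE = Sample(
    "zip-placeholder-sha1",
    verdicts=[Verdict("Spectra Core", GOODWARE)],
    children=[
        Sample("exe-placeholder-sha1",
               verdicts=[Verdict("Spectra Core", MALICIOUS), Verdict("scanner A", GOODWARE)]),
        Sample("txt-placeholder-sha1", verdicts=[Verdict("Spectra Core", NO_THREATS)]),
    ],
)

# Constructed high-trust installer: its goodware verdict is pushed down to a
# flagged component, and its local override beats the Spectra Intelligence one.
INSTALLER = Sample(
    "installer-placeholder-sha1",
    verdicts=[Verdict("Spectra Core", GOODWARE)],
    high_trust=True, local_override=GOODWARE, intelligence_override=SUSPICIOUS,
    children=[Sample("component-placeholder-sha1", verdicts=[Verdict("scanner B", MALICIOUS)])],
)

if __name__ == "__main__":
    for root in (ARCHIVE, INSTALLER):
        for sha1, r in resolve_tree(root).items():
            print(f"{sha1}: {r.name} ({r.color}) via {r.reason}")
```

Running the block prints the archive as malicious (red) with the reason pointing at the extracted executable, the executable as malicious via Spectra Core even though a scanner called it goodware, and the installer's component as goodware through the inherited override; reading the reason next to each verdict is what makes those outcomes unsurprising.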

Understanding the Overall Classification

In most cases, analysis results are overwhelmingly biased towards a certain classification: a malicious file will be detected as such by Spectra Core and backed up by a large percentage (not necessarily 100%) of scanner detections. It will probably have an exact threat name, naming the malware type and/or the specific malware family. Certain file types might belong to a RHA File Similarity bucket with other malicious files. Even if such files get some negative results from specific technologies, it’s highly unlikely that they are not malicious.

On some occasions, a sample classified as goodware can still have some Spectra Intelligence scanner detections, but not enough to affect the final classification. These detections are most likely false positives, but users are still advised to check the scanner list to see which scanners detected a threat.

In conclusion, while false detections are not impossible, they are much easier to identify if all of the important factors are considered and understood. For more information on each of these, see Classification, Risk Score and Threat Classification Sources.