Threat Intelligence (Spectra Intelligence)

The Cloud Threat Intelligence > Multi-Scanner Detections page contains statistics about malware detection for the sample based on the results of AV (antivirus) scanning in the ReversingLabs Spectra Intelligence system. The information is obtained from a number of AV engines and organized by the time and date of each AV scan.

The upper half of the page contains a graph that shows how malware detections for the sample changed over time. More specifically, the graph indicates changes in the maximum detection rate for the sample. The graph always displays the same time range regardless of the currently selected scan date.

The lower half of the page contains a list of all AV vendors used to scan the sample for each recorded scan date. If an AV engine produced a detection, the detected threat name is listed next to the AV vendor name. Every result on this page is clickable and, when clicked, automatically performs a search query.

Users can navigate between recorded scan dates by clicking the arrows above the list of AV vendors, and compare the differences between each scan. The number of AV engines used can differ between recorded scan dates, depending on which vendors/engines were available at the time of each scan.

Text formatting in the list of AV vendors also carries important information.

• If the name of an AV vendor is greyed out, that indicates their AV engine(s) did not produce a detection for the sample. This can happen for a variety of reasons (e.g. the AV engine does not support the file format of the sample, or it did not have the relevant signature at the time of the scan). In case of goodware, this is the intended behavior.
• If there is a number next to the AV vendor name, that indicates how many AV engines of that vendor were used to scan the sample.
• If an AV vendor name is displayed above the black line in the list, that indicates their AV engines are considered next-generation (such as those that use machine learning).
• If a detection name is red, that indicates it is a new detection for the AV vendor. This means the AV vendor did not produce a detection for the sample in any of the previous scans.
• If a detection name is red with another name crossed-out next to it, that indicates the detection name has changed in the currently selected scan. This means the AV vendor previously produced a different detection for the sample. The crossed-out detection name is the old name, and the red detection name is new.
• If a detection name is crossed-out, but there is no other name next to it, that indicates the AV vendor is no longer producing detections for that particular threat.

Some AV vendors indicate that a threat has been detected in a sample, but they do not expose the full threat name. Their detection still influences the final classification of the sample, and in some cases affects the final threat name assigned to the sample.

tip

The information from the Spectra Intelligence section can be used with Advanced Search keywords for targeted malware hunting. Use the av-detection keyword with any of the detected threat names (av-detection: Adware/Genieo!OSX), or specific AV vendor keywords with the threat name detected by a particular vendor (av-sophos:W32/Clovis-A). To find samples by the number of AV detections, use the antivirus keyword. Consult the full list of supported search keywords.

File Similarity

The Cloud Threat Intelligence > File Similarity section of the sidebar displays the amount of functionally similar samples, grouped by their threat status. Clicking the links in the File Similarity section redirects to the list of similar samples, where it is possible to download them to the appliance as described in the Downloading Files from Spectra Intelligence section.