Quick Guide
This short introductory section is intended to help with understanding the basic layout of the user interface, terminology and visual indicators that are used on the Spectra Analyze appliance and in the rest of this User Guide.
Global Header Bar
At the top of the Spectra Analyze interface is the global header bar, containing the most commonly used options and the main appliance menu used to access all sections of the appliance.
The first item from the left, after the logo, is the Search Samples box, a text field where users can enter search queries and get a pull-down list of all supported keywords. For more information on this feature, refer to the Advanced search chapter. Clicking on the text field will expand it to the far right of the header bar and hide other menu items to provide more space for typing and constructing the query. Clicking away from the text field will remove the focus and restore the original menu layout. Performing the search will navigate the users to the Advanced Search page to display results.
To the right of the Search Samples box is the Upload button, allowing a quick way to upload samples and submit URLs to the appliance from any page of the interface. An upload status bar will be displayed in the header bar while files are uploading. Navigating away from the page or refreshing the browser tab during upload is not supported and will trigger a warning that the upload will be lost. For more information on uploading samples, submitting URLs, file privacy and size limitations, refer to the File Submissions chapter.
- Dashboard: The Dashboard displays statistics related to the amount and type of files that have been submitted and processed on the appliance within a specified time range.
- Search: The Advanced Search feature introduces rich metadata search capabilities on the Spectra Analyze appliance, makes it easier to search across large data sets (both local and global in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage. Click here for more information on writing advanced search queries.
- YARA: Allows rule-based identification and classification of files. Users can create their own YARA rules containing textual or binary patterns. When a file matches the pattern found in a YARA rule, it receives the classification defined by that rule. YARA rules can be grouped into rulesets. (Note: If this page is not visible in the header bar, it can be assigned to the user through the Administration > User Role configuration section.)
- Quota Indicator - Clicking the pie-chart icon opens a pop-up listing all ReversingLabs APIs in use on the appliance which have a limited quota, and their current status.
- Alerts Indicator - The Alerts feature allows real-time monitoring to track changes in malware classification and analysis results. It automates notifications for specific events, allowing users to utilize their time more efficiently and be informed of malware status changes on-the-go. Clicking the indicator opens a list of recent Alerts. If there are any unresolved alerts, their count is displayed as a red badge on the indicator.
- Help - Contains options to access the appliance documentation, contact ReversingLabs support, and open the methodology / legend pop-up with basic information about Risk Score
- User menu - Shows the username of the current user, contains links to the Administration and User Profile (edit user information, change credentials, manage alerts ) pages, and the option to Log Out from the appliance.
Health Status Indicator
The second to last item in the main appliance menu is the health status indicator, pointing out issues with the system load and showing if the appliance is connected to a file reputation service, and if the service is reachable or not. Administrators can click the icon to open a pop-up with a more granular look at the system resources: Disk Usage, Memory usage, CPU utilization, outstanding alerts and issues, and Spectra Detect Manager connection status. The pop-up also contains a link to Open System Status page with detailed information on all the system monitoring services.
Thresholds for these services, such as CPU/memory/disk usage or queue sizes, are configured on the Administration > Configuration > System Health Indicator page.
If there are no issues with the system load and if the appliance is connected to Spectra Intelligence or the T1000 File Reputation Appliance, this will be indicated by a black icon.
A red icon with a small exclamation mark means that the reputation service is not configured or reachable or that CPU/memory/disk usage or queue sizes went over the configured thresholds. In this case, hovering over the icon will list the detected issues.
The services used to deliver file reputation data (Spectra Intelligence or T1000 File Reputation Appliance) can be configured in the Spectra Intelligence / T1000 File Reputation Appliance dialogs in the Administration > Configuration section.
Color-Coding and Sample Status
The Spectra Analyze interface makes use of consistent color-coding to indicate sample classification and risk. There are four colors, each one corresponding to a different sample status. The sample status indicates whether the file is goodware, unknown, suspicious or malicious.
In addition to color-coding, certain parts of the UI also indicate classification status of submitted files and URLs by colored symbols: red square is malicious, orange rhombus is suspicious, green circle is goodware, dark gray square with a circle cutout is unknown.
Inside each of the symbols is the sample’s risk score. Unknown samples (samples without classification) don’t have a risk score.
Samples with a risk score of 5 are represented using a unique icon, as the indicators found during analysis were deemed insufficient to classify the file as definitively malicious or benign. These samples may be of interest, as they have a higher chance of changing classification and/or risk factor as soon as any new information becomes available.
Some Spectra Analyze APIs return sample classification as a numerical value.
| Classification | Value |
|---|---|
| Unknown | 0 |
| Goodware | 1 |
| Suspicious | 2 |
| Malicious | 3 |
Classifications
RED = MALICIOUS - the sample was classified as malicious by ReversingLabs proprietary algorithms which, among other criteria, utilize ReversingLabs Active File Decomposition Engine, ReversingLabs Hashing Algorithm, Spectra Intelligence File Reputation, and YARA rules.
This classification is reserved for high-accuracy heuristics and named threats, such as Emotet, Dridex and WannaCry. Threat severity is expressed through risk score values ranging from 6 to 10. The higher the risk score, the more severe the threat.
While the risk score depends on the malware family, the rule of thumb is that potentially unwanted applications have the lowest value, and ransomware the highest. Some users may choose to ignore certain threat types, such as PUA.
Those are easily identifiable through the risk score, or the standardized ReversingLabs threat name. This decision is based on internal policies of the organization that deploys our classification technology.
GREEN = GOODWARE - the sample is presumed to be benign by ReversingLabs. The sample does not have any AV detections from trustworthy sources and it does not match any of our internal threat signatures. We recommend the users check the risk score of the sample. A higher risk score (4 or 5 on a scale of 0 to 5, with 0 being highest trust) indicates the source is not trusted. On the other hand, samples with lower risk score values (0, 1, or 2) come from prominent software vendors.
ORANGE = SUSPICIOUS - the sample is considered suspicious based on ReversingLabs classification algorithm’s multi-level analysis. This file may be declared malicious or goodware at a later time when more reliable heuristics start detecting the file, when a threat-specific signature is written, or any new information is received that changes its threat profile.
This classification is reserved for heuristically detected threats. It is an early warning detection mechanism that can result in false positives for oddly formed files, and those with behaviors similar to malware.
The ReversingLabs classification algorithm forms its decision based on historical detection accuracy of the technology that reports positive detection. Thresholds don’t relate to the number of detection technologies, but the metrics behind confirmed true positive detections.
Reducing the number of unwanted detections within this category is an ongoing effort, but, generally, the suspicious classification is a good starting point for new threat discovery.
DARK GRAY = UNKNOWN (No Threats Found) - the sample has not received a classification. It does not exist in the file reputation database or there is no information on whether it is malicious or not. The sample will either receive classification at a later date, or it can be sent for analysis to ReversingLabs Spectra Intelligence. ReversingLabs reserves the “Goodware/Known” classification only for samples with clear indicators of being benign, so if a sample remains “Unknown” after analysis, it means it doesn’t show signs of maliciousness but is also not trustworthy enough to be declared “Goodware/Known.”
What is Risk Score?
Risk Score is a value representing the trustworthiness or malicious severity of a sample.
Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats.
Values from 0 to 5 are reserved for samples classified as goodware, and take into account the source and structural metadata of the file, among other things. The risk score of a sample also affects its classification. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score. Goodware samples with low risk scores (0 and 1) are labeled as “Whitelisted / Reputable Origin”. Those samples were received from trusted sources such as ReversingLabs partners and verified domains.
Goodware samples with risk scores of 2 and 3 are labeled “Likely benign / Public origin”, and those with scores of 4 and 5 are labeled as “Not a known threat / Unverified origin”.
The “Likely benign / Public origin” description means that the indicators found during the initial classification were deemed insufficient to convict the file as definitively malicious or benign. The addition of “Public origin” indicates that ReversingLabs was already aware of all or some of the contents of the sample.
Risk scores from 6 to 10 are reserved for suspicious/malicious samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more.
Unknown samples (samples with no classification) do not have a risk score.
| Risk Score | Common reasons for classification |
|---|---|
| 0 | File comes from a very trustworthy domain or has a very trustworthy certificate. |
| 1 | File comes from a trustworthy domain or has a trustworthy certificate. |
| 2 | File comes from a usually trusted domain. |
| 3 | File comes from another known site. |
| 4 | Some valid but not very trusted certificates. |
| 5 | Low trust source, no whitelisted certificates. |
| 6 | Adware, potentially unwanted apps, tools for masking malware (packers). |
| 7 | Spyware, Malware, SPAM |
| 8 | Tools used to introduce malware or to use infected machines for denial-of-service attacks: Downloaders, Dialers, Droppers |
| 9 | Malicious browser extensions, fake antivirus software, rootkits. |
| 10 | Most dangerous threats: Viruses, worms, trojans, keyloggers, infostealers, ransomware |
Where to Find Visual Indicators of Sample Status?
Color-coded indicators are present in the following parts of the interface, indicating sample status:
YARA page – statistics about ruleset matches
Inside each of the symbols is the sample’s risk score. Unknown samples (samples without classification) don’t have a risk score.
Sample Details page – as the background color of the Summary header section. The Risk Score numerical value is also indicated in the Summary section
Sample Details page - Next to links in the Extracted Files and File Similarity sections in the sample summary page sidebar menu, and in the How We Caught This > Prevalence > File Similarity subsection of the main sample summary report page
Sample Details page - as colored symbols in URI stats for particular file types - for example, those containing Interesting strings, Network references or Malware configurations
What Determines the Classification of Samples?
A sample’s classification is determined from one of multiple different sources. All types of classification that a sample can receive on Spectra Analyze are described in detail in the Threat Classification Descriptions section.
The information about sample classification in the interface can be found in the expanded row on the Search Page.
and in the Sample Details Summary section. If any files have been extracted from a sample, there will be additional information about the classification of extracted files.
Additional information about classification can be found in the Static Analysis > Classification section on the Sample Details page.
How to interpret analysis results?
The Sample Summary page highlights the most interesting information from the sample analysis report. It contains several sections with links to more detailed information.
The information on the Summary page will be different for every sample analyzed on the appliance, depending on the file type and classification status.
The most crucial information about the sample is curated in the header section of the page:
- the final classification(Malicious/Suspicious/Goodware/Unknown) and the detected threat name
- risk score
- classification reason
- multi-scanner results
- top 3 detected MITRE ATT&CK tactics
Spectra Analyze will always pick the most accurate classification as the final one and display this information in the Sample Summary header section. To properly read the final classification, users must consider and understand the classification reason and the risk score. The classification reason specifies which technology detected this threat. Files will usually have multiple detections from more than one classifier, but the classification reason tile is always the one that produced the final classification.
The final classification will always match one of the classifiers, but individual classifiers may have differing results between them. Due to differences in how different malicious samples and malware families behave, some samples might end up classified as malicious by one technology, and still be considered goodware by others. This doesn’t negate or diminish the final classification, it is the exact reason why Spectra Analyze uses multiple sources to classify files.
That’s also why overlooking the classification reason may result in confusion. For example, adding custom YARA rules to the Spectra Analyze is a powerful malware hunting feature, but improperly written rulesets can be too broad and result in a large number of samples suddenly getting classified as malicious by a YARA rule, even though everything else points to goodware.
Risk scores are assigned by the severity of the detected threat. Lesser threats like Adware will get a risk score of 6 (scores from 0-5 are reserved for goodware), while ransomware and trojans always get a risk score of 10.
Some users may choose to ignore lower risk classifications, such as Adware or Potentially Unwanted Applications (PUA), but those samples will still be classified as malicious to warn about potential threats, such as installers that have embedded adware.
In most cases, the results will be overwhelmingly biased towards a certain classification: a malicious file will be detected as such by Spectra Core and backed up by a large percentage (not necessarily 100%) of scanner detections. It will probably have an exact threat name, naming the malware type and/or the specific malware family. Certain file types might belong to a RHA File Similarity bucket with other malicious files. Even if such files get some negative results from specific technologies, it’s highly unlikely that they are not malicious.
On some occasions, a sample classified as goodware can still have some Spectra Intelligence scanner detections, but not enough to affect the final classification. These detections are most likely false positives, but users are still advised to check the scanner list to see which scanners detected a threat.
The classification of certain samples originates from samples extracted during analysis. It propagates from children to the parent, for example from a malicious executable file to the zip archive where it originated from. If this is the case, the description beneath the classification will highlight that it was based on an extracted file.
Classifications can also be overridden either through Goodware Overrides, where the classification of a high-trust parent sample is propagated down to extracted files, or manually by using the Spectra Analyze override feature.
In cases where the classification was set by the user, it will be considered final and displayed in the header, as well as in the table below. Local classification overrides will be visible as final to all appliance users, while the Spectra Intelligence overrides will additionally be synchronized with other appliances using the same Spectra Intelligence account, and other Spectra Intelligence accounts belonging to the same company, indicated by the middle segment of the username - u/company/user. In cases where a sample has both overrides, the local override will be displayed as the final classification.
In conclusion, while false detections are not impossible, they are much easier to identify if all of the important factors are considered and understood. For more information on each of these, refer to the Classifications, Risk Score and Threat Classification Sources chapters.
What is ReversingLabs Malware Naming Standard?
The ReversingLabs detection string consists of three main parts separated by dots. All parts of the string will always appear (all three parts are mandatory).
platform-subplatform.type.familyname
- The first part of the string indicates the platform targeted by the malware. It is always one of the strings listed in the Platform table below. If the platform is ByteCode, Document or Script, then there will be an additional subplatform string. Platform and subplatform strings are separated by a hyphen ( - ).
- The second part of the detection string describes the malware type. It is one of the strings listed in the Type table below.
- The third part represents the malware family name. This string is one of most common names for that malware.
These strings should be used (case-sensitive) when writing YARA rules to classify files using Spectra Core. See Creating New YARA Rulesets for more information.
Example
If backdoor malware is a PHP script with the family name “Jones”, the detection string will look like this:
Script-PHP.Backdoor.Jones
Supported Detection String Elements
| Platforms (non-exhaustive) | ||
|---|---|---|
| ABAP | Android | AOL |
| Archive | Audio | BeOS |
| Binary | Blackberry | Boot |
| ByteCode | ByteCode-MSIL | Console |
| Document | Document-Word | DOS |
| EPOC | FreeBSD | |
| Image | iOS | Linux |
| MacOS | Menuet | Novell |
| OS2 | Package | Palm |
| Script | Script-PHP | |
| Script-VBS | Shortcut | Solaris |
| SunOS | Symbian | Text |
| Unix | Unknown | Video |
| WebAssembly | Win32 | Win64 |
| WinCE | WinPhone |
| Subplatforms (non-exhaustive) | ||
|---|---|---|
| 7ZIP | Access | ACE |
| ActiveX | ANI | AppleScript |
| AR | ARJ | ASP |
| AutoIt | AutoLISP | BAT |
| BMP | BZIP2 | CAB |
| CGI | CHM | Cookie |
| CorelDraw | EMF | EPS |
| Excel | Ferite | GIF |
| GZIP | HTML | INF |
| INI | IRC | ISO |
| JAR | JAVA | JPEG |
| JS | KiXtart | Logo |
| Lua | LZH | Macro |
| Makefile | Matlab | MIME |
| MSG | MSIL | Multimedia |
| NuGet | Office | OLE |
| OTF | Perl | |
| PHP | PNG | PowerPoint |
| PowerShell | Project | Publisher |
| Python | RAR | Registry |
| RTF | Ruby | Shell |
| Shockwave | SQL | SubtitleWorkshop |
| SWF | SZDD | TAR |
| TIFF | TTF | VBS |
| Visio | WAV | WinHelp |
| WMF | Word | WScript |
| XML | ZIP | ZOO |
| Malware Types (non-exhaustive) | ||
|---|---|---|
| Adware | Backdoor | Browser |
| Certificate | Coinminer | Dialer |
| Downloader | Dropper | Exploit |
| Format | Hacktool | Hyperlink |
| Infostealer | Keylogger | |
| Malware | Network | Packed |
| Phishing | PUA | Ransomware |
| Rogue | Rootkit | Spam |
| Spyware | Trojan | Virus |
| Worm |