Version: Spectra Analyze 9.2.2

Search Page

The Search page is accessible from the top navigation menu.

The submissions table

At the top of the page is the Advanced Search Box. It is functionally identical to the one embedded in the global header bar on the other pages.

Below the search box is the list of recent submissions in the Local tab.

The Cloud tab is reserved for Spectra Intelligence results, and will be populated once a search query is performed.

The Advanced Search box is a text field where users enter search queries and get a pull-down list of all supported keywords. To quickly position the cursor into the search box, press ALT+S. This also applies to the search box present on the other pages of the Spectra Analyze interface.

Alternatively, use the Quick Search dialog to construct a query, or the filters below the search box to add more search criteria. Read more about the filtering features in the Filtering Results section.

The maximum length of a single search query that can be entered into the Advanced search box is 1024 characters.

For keywords that support searching by date, a date picker will open instead of the pull-down list.

The Advanced search also has the following buttons:

  • the preferences button opens the Quick Search dialog, where users can construct search queries using a graphical interface, perform bulk searches, and browse through suggested, recent and favorited search queries.
  • the suggestions button opens the Quick Search dialog straight to the Show Suggestions tab.
  • the share button opens the dialog for sending the current query to other users via email. Available only when the user has typed something into the Advanced search box.
  • the star button adds the current query and filter configuration to the list of Favorites displayed in the Suggestions tab of the Quick Search dialog. If the current page state is already saved as a favorite, the star will be yellow and clicking it opens the “Edit favorite query” dialog. Favorite queries can also be used as a default filter for the Search page.
  • the Search button (magnifying glass) runs the search query. Once the query is running, an option to stop it appears next to the Local and Cloud tabs below the search box.

The Quick Search dialog can be opened by clicking the Preferences button inside the Advanced Search box, or by pressing the ALT+Q keyboard shortcut. It contains multiple tabs.

An image of the Quick Search dialog, currently showing the Files tab.

Files

The Files tab can be used to construct search queries without having to type them out manually. Users can fill out the form by entering values and picking options from drop-down menus, and then click the Search button in the bottom right of the dialog.

URL, Domain, and IP tabs offer basic URL/Domain/IP search capabilities.

The Bulk Search tab allows users to input up to 10 000 SHA1, SHA256, or MD5 hashes and search for them all at once. The results will be sorted into the Local and Cloud tabs, depending on their availability.

The list of hashes can be uploaded as a file or typed into the text field. In both cases, hashes should be separated by commas, spaces, or newlines.

Mixing hash types is allowed, so all supported types of hashes can be submitted in one search request.

The following examples illustrate different ways to separate hashes:

hash1,hash2,hash3,hash4 (...) hash1000,hash1001
hash1 hash2 hash3 hash4 (...) hash1000 hash1001
hash1
hash2
hash3

To perform a bulk hash search, click the Search button in the dialog. Clicking Cancel closes the dialog.

note

Bulk hash search differs from regular Advanced Search in several ways.

  • Bulk hash queries cannot be bookmarked in the browser or saved as favorites on the Spectra Analyze appliance.
  • Bulk hash queries do not appear in the Recent queries list.
  • Pivoting and combining search keywords with bulk hash queries is not possible.
  • Bulk hash search can take up to one minute, depending on the number of requested hashes.
  • Due to the way samples are processed in the Spectra Intelligence cloud, some discrepancy can arise between sample metadata in bulk search results versus regular search results.
  • By default, bulk hash search results are sorted by First Seen in descending order (most recent to oldest). This cannot be changed; the results page for bulk hash search does not support custom sorting by columns.
  • Different types of hashes can be submitted in one bulk hash query, but subscribing is only supported for SHA1 hashes. If multiple different hash types are selected in the list of search results, and the user attempts to subscribe to them, only the SHA1 hashes will be added to the subscription. Other hash types will be automatically filtered out from the subscription.

tip

Instead of using the Bulk hash search dialog to look up large numbers of different hash types, the hashes keyword can be used for a similar purpose. The hashes keyword allows mixing different types of hashes in one search query, without the need to explicitly name the hash type or to group hashes by type. All hash types (MD5, SHA1, SHA256) can be used with this keyword. The maximum length of a single query is 1024 characters. An example query: hashes: [<sha1>, <md5>, <md5>, <sha256>, <sha1>, <sha1>]
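The bulk search rules above (commas, spaces or newlines as separators; MD5, SHA1 and SHA256 mixed freely; at most 10 000 hashes per bulk search; the Invalid tab for malformed entries) and the 1024-character limit on a single hashes: query can be checked before anything is submitted. The script below is an added example, not part of the Spectra Analyze product or its documentation: it validates and deduplicates a hash list the way a user would want before pasting it into the Bulk Search tab, and packs the valid hashes into hashes: [...] queries that stay under the query length limit. The query syntax is taken from the tip above; the chunking and the sample hash list are this example's own constructions.

```python
"""Pre-flight validation of a hash list for Spectra Analyze bulk hash search.

Added example; not product code. It applies the limits stated on the Search
page: comma/space/newline separators, mixed MD5/SHA1/SHA256, 10 000 hashes per
bulk search, and a 1024-character limit per Advanced Search query.
"""
import re
from typing import Dict, List, Optional

# Hex digit count identifies the algorithm; any other length is invalid.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
BULK_LIMIT = 10_000      # maximum hashes in one bulk search (from the page)
QUERY_MAX_LEN = 1024     # maximum length of one Advanced Search query (from the page)


def split_hash_list(text: str) -> List[str]:
    """Split on commas, spaces and newlines, dropping empty tokens."""
    return [tok for tok in re.split(r"[,\s]+", text) if tok]


def classify_hash(token: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256', or None if the token is malformed."""
    if not HEX_RE.match(token):
        return None
    return HASH_TYPES.get(len(token))


def validate_hashes(text: str) -> Dict:
    """Lowercase, deduplicate and separate well-formed hashes from invalid ones.

    Invalid tokens are the ones the appliance would list under the Invalid tab.
    'truncated' flags a list longer than the 10 000-hash bulk search limit.
    """
    valid: List[str] = []
    invalid: List[str] = []
    seen = set()
    by_type = {"md5": 0, "sha1": 0, "sha256": 0}
    for tok in split_hash_list(text):
        kind = classify_hash(tok)
        if kind is None:
            invalid.append(tok)
            continue
        norm = tok.lower()
        if norm in seen:          # same hash typed twice: count it once
            continue
        seen.add(norm)
        valid.append(norm)
        by_type[kind] += 1
    return {
        "valid": valid[:BULK_LIMIT],
        "invalid": invalid,
        "by_type": by_type,
        "truncated": len(valid) > BULK_LIMIT,
    }


def build_hashes_queries(hashes: List[str], max_len: int = QUERY_MAX_LEN) -> List[str]:
    """Pack hashes into 'hashes: [a, b, c]' queries, each within max_len characters.

    The list syntax follows the page's example query; splitting one long list
    into several queries is this example's own addition.
    """
    queries: List[str] = []
    chunk: List[str] = []
    for h in hashes:
        candidate = "hashes: [" + ", ".join(chunk + [h]) + "]"
        if len(candidate) > max_len and chunk:
            queries.append("hashes: [" + ", ".join(chunk) + "]")
            chunk = [h]
        else:
            chunk.append(h)
    if chunk:
        queries.append("hashes: [" + ", ".join(chunk) + "]")
    return queries


# Constructed sample list: the MD5, SHA1 and SHA256 digests of empty input
# (used only as well-formed values), one duplicate MD5, one SHA1 missing its
# last digit, and one MD5 containing a non-hex character.
SAMPLE_INPUT = """
d41d8cd98f00b204e9800998ecf8427e, da39a3ee5e6b4b0d3255bfef95601890afd80709
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd8070
d41d8cd98f00b204e9800998ecf8427g
"""

if __name__ == "__main__":
    report = validate_hashes(SAMPLE_INPUT)
    print("valid:", len(report["valid"]), "by type:", report["by_type"])
    print("would land in the Invalid tab:", report["invalid"])
    for q in build_hashes_queries(report["valid"]):
        print(f"{len(q):4d} chars  {q}")
```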

Show Suggestions

Clicking the Suggestions button to the right of the search box will open the Quick Search pop-up window directly to the Suggestions tab, containing trending, recent and favorite advanced search queries.

The tab is divided into three sections, from left to right:

  • Interesting search examples - predefined search queries that users can run to get a better understanding of the data in the results.
  • Recent queries - a list of up to 20 latest search queries performed on the Spectra Analyze instance. Clicking on any of the queries in the list automatically runs that query again, and moves it to the top of the list. Recent queries are deduplicated, so consecutively running the same query does not cause duplicate entries in the list. All recent queries from this list are also displayed in the pull-down keyword list when the user starts typing into the search box. The list of recent queries is private and visible only to the Spectra Analyze user who performed them, not to all Spectra Analyze users.
  • Favorites - a list of up to 20 user-defined favorite search queries. Users can save any query as a favorite by clicking the star button in the search box when the query is active. When a query is added to the Favorites list, clicking it automatically runs that query. Hovering over a favorite in the list displays a triple-dot menu with options to edit the query (change its name, search keywords, parameters…), copy it to clipboard, remove it from the Favorites list, or share it via email. The list of favorites is private and visible only to the Spectra Analyze user who created it; in other words, every user has their own Favorites list. Favorite queries can also be used as a default filter for the Search page.

To start using Advanced Search, click any of the predefined search examples, or start typing into the Advanced search box to create a custom search query.

Keyword Auto-Suggestion Pull-Down List

As soon as the user starts typing into the search box, the auto-suggestion pull-down list matching either the supported search keywords or their predefined values will open.

User queries will be matched against keywords and their predefined values starting from any position, and not only from the beginning. For example, entering aliciou as a search query will match and return the entire classification:malicious keyword and value pair.

Click the …more link to expand the list of keywords.

Every keyword has a short explanation with examples on the right side of the list. Some keywords offer predefined values that the user can select from the pull-down list.

The pull-down list also displays 20 most recent search queries performed on the Spectra Analyze appliance. Recent queries are offered as auto-suggestions when the user starts typing into the search box (if they match some of the text the user has typed).

Date and time picker

When a keyword that supports searching by date and time is typed into the search box, the date picker menu opens instead of the usual pull-down list. The user can select any of the predefined date and time values, or click “Custom” to enter their own date and time range.

Date picker pull-down with predefined time ranges

Query Builder [PREVIEW]

Query Builder is an alternative way of constructing and writing search queries. When activated in the gear menu on the Search Page, queries are represented as tags or blocks, allowing for better context awareness and auto-completion when adding new items in the middle of the query. Hovering the mouse between any two blocks displays a “+” button which can be used to insert an additional item anywhere in the query. Clicking the “X” button on a specific block deletes it. While the search box is focused, tags can be navigated using the arrow keys on the keyboard, and deleted using Backspace or Delete.

Threat Intelligence Cards

Threat Intelligence Cards make use of extensive ReversingLabs file metadata to provide an informative, educational overview and analytics on malware types and families in an easily accessible format on the Search page. The prerequisite for this feature is a properly configured Spectra Intelligence account on the appliance.

When users perform an exact search with the threatname keyword for a single threat name or a list of threat names, one or more collapsible sections become available above the list of search results. At most 10 cards will be displayed, even if more threat names were provided in the query.

A threat intelligence card displaying information about the Emotet malware family.

Depending on available data, Threat Intelligence Cards will either show information about a specific malware family (for example, Emotet), or a more generalized description of the family type (trojan).

Cards can contain all, or a subset, of the following information:

  • first and last seen dates
  • current latest version
  • packer
  • targeted OS
  • targeted industries
  • threat name
  • threat name alias
  • actor aliases
  • malware family/type description
  • reference links
  • malware prevalence graph
  • top file types used by this malware family
  • weekly rankings for the current and the previous week
  • overall total number of unique samples containing this threat.

To better reflect the popularity of the malware family in the Spectra Intelligence cloud, the Current week and Last week columns count all sample uploads and increase on repeated uploads of the same sample. The Total number of detected samples column shows a deduplicated count of unique samples belonging to that malware family.

The malware family/type descriptions displayed here are also visible on the Sample Details > Summary page in the Malware Description section.

Results List

note

The terms “samples”, “files”, “submissions”, and “search results” are often used interchangeably in the appliance interface and in this documentation.

The list of files and URLs submitted to Spectra Analyze can be found on the Search page, below the Search box. Drop-down menus under the Search box allow filtering of the results list by multiple criteria.

The results section of the page is divided into these general sections:

  1. The action bar with the filter tabs. The action bar allows filtering the results by location (local or cloud) and availability (public or private); exporting them; and configuring how dates are displayed in the results grid and whether optional columns are shown.

  2. Filter tabs:

    • Local - filters the search results to display only the samples found on the local Spectra Analyze instance. The tab also shows the number of results.
    • Cloud - applies only to Spectra Intelligence search results. The maximum amount of Cloud results that can be returned for a search query is 100 000. Although the number may indicate there are more samples in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.
  3. Bulk Hash search only tabs:

    • Not found - displayed only when the list of results contains hashes that were not found in the ReversingLabs system. For Local results, Not found refers to hashes not found on the current Spectra Analyze instance. For Cloud results, Not found refers to hashes not found in the Spectra Intelligence cloud.

    • Invalid - displayed only when the list of results contains incomplete or erroneous hashes. It helps users identify potential formatting mistakes in their lists of hashes.

  4. The samples/results list

  5. The navigation bar at the bottom

The samples/results list contains basic information about submitted files and URLs, or matching local/Spectra Intelligence search results after performing a search. Local results are sorted by Last Submitted by default, even if that column is disabled in the gear icon menu in the top right of the submissions grid. Spectra Intelligence results are sorted by First Seen date. Selecting the main checkbox in the topmost row will select all submissions on the current page. When submissions are selected, their highlight color changes to yellow.

note

To improve search query responsiveness and performance, Cloud results prioritize First Seen within the last month by default. In case there are no results, the results page automatically extends the search query backward up to one year, until there are results. If still no results are found, users can choose to expand the search further by clicking the Extend Search Timeframe option. This progressively expands the search, year by year, until first results are found.

The list consists of the following columns:

Selection checkbox - for selecting individual submissions on the page to perform bulk actions on them. When one or more items are selected on the page, an additional actions menu (☰) with bulk actions becomes active to the right of the Size column.

Submission type indicator - the icon indicating whether the submission is a file or a URL.

Classification indicator - classification status of submitted files and URLs is indicated by colored symbols: red square is malicious, orange rhombus is suspicious, green circle is goodware, black square with a circle cutout is unknown.

Inside of each of these symbols is the sample’s risk score. Unknown samples (samples without classification) don’t have a risk score.

Samples with a risk score of 5 are represented using a unique icon, as the indicators found during analysis were deemed insufficient to convict the file as definitively malicious or benign. These samples may be of interest, as they have a higher chance of changing classification and/or risk factor as soon as any new information becomes available.

First Seen - time when a sample was first received by Spectra Intelligence (for Cloud results) or uploaded and analyzed on the appliance (for Local results). Open the gear icon menu next to the Export button on the far right of the page to change how the dates are displayed in this column (exact or relative dates).

Threat - detected threat name for a submission, formatted according to the ReversingLabs Malware Naming Standard. Threat names are displayed only for malicious and suspicious samples. If the threat name is not detected for a suspicious submission, it receives a generic “Suspicious” threat name label.

Name - file name of the submission (as uploaded). For URLs, the file name corresponds to the URL submitted by the user. If the file name doesn’t contain any standard characters ([A-Z, a-z, 0-9]), for example if the file name is !!!, its SHA1 hash is displayed instead so that it is easier to click. Clicking the name opens the Sample Details page with more information about the submission.

Predicted filenames are displayed under the original filenames. They are generated by Spectra Core, and can be helpful for distinguishing files that only have a hash value as their filename. Clicking a predicted filename redirects to the Advanced Search page and performs a search query to find other samples with the same predicted filename. The predicted filename won’t be shown if it’s a hash value.

Last Submitted - indicates when the submission was last submitted to the appliance. Open the gear icon menu next to the Export button on the far right of the page to change how the dates are displayed in this column (exact or relative dates). The Last Submitted column can also be enabled/disabled from this menu.

Username - indicates which Spectra Analyze user submitted each file or URL. This column can be enabled/disabled by clicking the gear icon next to the Export button.

Format - file format of the submission, either represented as a combination of file type and subtype (e.g., PE/EXE) or as an identified format (e.g., NSIS, PDF). URL submissions not pointing to a single file are represented as ZIP files in this column.

Files - total count of files extracted from the submission, including the original uploaded file.

Size - indicates the size of the submitted file, or of the contents downloaded from a submitted URL. If the file size is undefined for a Cloud result, the “Sample size currently unknown” message is displayed in the Size column on the Cloud results page. Those samples will be unavailable for download (the Fetch & Analyze option will be disabled) because it cannot be determined whether they exceed the maximum file size that can be downloaded from Spectra Intelligence (500 MB).

Local Sample Actions

Actions menu (☰) - contains various actions the users can perform on each submission.

The actions include:

  • Download sample - downloads the submission from Spectra Analyze to the local storage.
  • Download container - if the file is a child (extracted from another file during analysis), downloads its top-most parent from Spectra Analyze to the local storage.
  • Set classification - opens a dialog where users can manually override the classification assigned to a submission.
  • Subscribe and Unsubscribe - adds or removes the sample from alert subscriptions.
  • Reanalyze - opens a floating dialog where users can reanalyze the submission with static, dynamic, or Spectra Intelligence analysis services.
  • Delete sample - removes the submission from Spectra Analyze. This action is visible to users only for files and URLs they have submitted themselves. Regular users cannot delete files and URLs submitted by other users. Administrators can see this menu item for all submissions, and delete all submissions regardless of who created them.
  • Copy to my submissions - displayed only if the sample was submitted by a different user. Selecting this adds the sample to the submissions for the current user.
  • Download Extracted Files - displayed if the sample has any extracted files. Selecting this downloads files extracted from the sample to local storage.

URL submissions have a differently organized menu with mostly the same options. The menu is split into two sections: Payload actions, which contains the options above, and URL actions, which contains the option to reanalyze the URL.

Expanded Details

Each result row on the Search page can be expanded to see more details about a submission. Click anywhere in a row when the cursor changes to an up-down arrow. Expanded rows for local samples contain more information and different actions than those of samples available in the Spectra Intelligence cloud.

This section describes local results. For more information on Public/Private Spectra Intelligence results, refer to the Differences Between Local and Cloud Results chapter.

Expanded row for a sample on the Search page

The information displayed here depends on the file type, and can include:

  • sample hashes
  • sample sources
  • first and last seen times (on the appliance and/or in the Spectra Intelligence cloud)
  • link to the parent file (if the file was extracted from another file)
  • RHA statistics (for supported file types)
  • User Tags and System Tags
  • comments for the sample (if any)
  • classification reason (see the Threat Classification Descriptions section for more information about classification reasons)
  • number and percentage of AV detections
  • file format details
  • document metadata
  • email metadata
  • capabilities
  • indicators of interest
  • certificate information

To add User Tags to a sample directly from the expanded details, click the Add link in the list of User Tags. Clicking the Hex Preview button opens the Preview Sample / Visualization pop-up modal.

To see more information about a sample, click the file name to open the Sample Details page.

Filtering Results

Users can filter samples by uploader (user accounts and connector services), as well as by a number of filtering criteria using the appropriate drop-down menus below the Search box.

These filters vary depending on where the search query is being performed.

On the local tab, available filters are: time type and range, classification, submission user, processing status, and sample origin.

Alternatively, instead of drop-down filters, use the following local-only search keywords:

  • submission-user
  • submission-time
  • processing-status
  • tag-user (not available as a menu selection)

Being local-only, these keywords do not work on the Cloud tab. The classification filter uses the globally available classification keyword.

The Cloud tab contains the time type and range filters, the classification filter, and the cloud search dropdown, which allows users to search all cloud data or only private/public samples.

note

Typing these keywords in a query will override and disable the respective drop-down menu under the search bar, to avoid filtering conflicts.

When added using the drop-down menus, the keywords will not be shown in the Advanced Search box as part of the query, but they will still be applied to the results, saved to the Recent queries list, and shared using the Share query button.

In addition to these keywords, users can use any of the supported keywords to write search queries and search for samples available locally or in the Spectra Intelligence cloud.

To reset the existing query and filters, click the Clear button next to the filters.

The page also provides access to analysis reports (Sample Details) and various actions that can be performed on each submission.

Changing the default Search page behavior

When the search page is opened, all of the configured filters on the page return to their default values. The gear icon next to the Export menu contains Initial Search Results options to change the default search page behavior:

  • Use Default Filters: If this option is selected, the search page will apply the default filters.
  • Use Last Query: If this option is selected, the search page will save the query and any filter configurations of the last performed query, and restore those values when the page is next opened.
  • Use Favorite Query: If this option is selected, users can choose a specific favorited search query from a dropdown list. This favorite will be used to configure the filters and populate the search box when the search page is next opened.
  • Automatically Expand Search Period: If this option is selected, the search period will expand until some results are found.

This selection persists between sessions, and applies only to the current user.

Exporting Results

The Export menu contains options to export the whole page or just the selected samples. For the Selected samples option to become available, one or more samples on the page have to be selected.

To export multiple pages of results, browse pages one by one and manually export them. It is possible to adjust the amount of results displayed per page in the navigation bar, thus increasing or decreasing the number of results that will appear in the exported file when exporting the entire page.

Data can be exported as CSV, JSON or XML.

To copy only the sample hashes for the desired set of samples, the menu contains options to copy SHA1, SHA256 and MD5 hashes to the clipboard. Hashes are delimited by a whitespace, so that they can be directly pasted into the search bar.

The exported file can contain one or more of the following columns. They can be enabled in the Export menu, under Show more Export options.

  • Files - the number of files extracted from a sample (if the sample is a container). For Cloud results, this number is always 0, and they cannot be searched using the local-only filecount keyword. However, the Spectra Analyze interface displays -- in the Files column for all Cloud results. For Local results, the correct file count is displayed, and extracted files can be browsed by clicking the file name and selecting the Extracted Files option on the Sample Details page.
  • Format - file format of each sample in the results grid.
  • Name - name under which a sample was uploaded to the appliance or to Spectra Intelligence.
  • Threat - detected threat name for malicious and suspicious samples, formatted according to ReversingLabs Malware Naming Standard.
  • First seen - time when a sample was first received by Spectra Intelligence (for Cloud results) or uploaded and analyzed on the appliance (for Local results).
  • Size - indicates the size of a sample.
  • Available - Spectra Intelligence results only. Indicates whether a sample can be downloaded from Spectra Intelligence.
  • Classification - indicates the classification status (malicious, suspicious, goodware, unknown) assigned to a sample by any of the ReversingLabs classification sources and technologies.
  • Last seen - time when a sample was last received by Spectra Intelligence (for Cloud results) or uploaded and analyzed on the appliance (for Local results).
  • AV count - indicates the number of AV scanners that were used to analyze a sample in the Spectra Intelligence cloud.
  • Risk Score - the numerical value assigned to a sample, representing its trustworthiness or malicious severity.
  • SHA256, MD5 - additional sample hashes that can be included in the exported file. The SHA1 hash is always included by default.
  • Last Submitted, Username - available only for local results. If selected for Cloud results, the fields will be empty.

Differences between Local and Public (Cloud) Results

Spectra Intelligence Results List

File format information

In some cases, file format displayed on the Local results tab can be different from the file format displayed on the Cloud results tab for the same sample. Some samples will not have file format information at all. This happens when the information about a sample is returned from different sources.

Extracted files information

The number of extracted files for Cloud search results is always 0, but the Spectra Analyze interface displays -- in the Files column for all Cloud results.

Browsing and sorting Cloud results

The maximum amount of Cloud results that can be returned for a search query is 100 000. Although there may be more samples matching the query in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.

If the list of search results has more than 2000 samples, it is not possible to sort the results by any of the columns.

Expanded Row Information

Clicking a sample’s row in the list of results expands it to display more information about the sample.

For Local results, this information includes the Spectra Core analysis report, and is generally more detailed.

Expanded row of a Cloud sample on the Search results page

For Cloud results, the information in the expanded row includes sample classification received from Spectra Intelligence, sample hashes, first and last seen dates, and the results of AV scanning.

Clicking the file name opens the Spectra Intelligence version of the Sample Details page with more information about the sample. The See All Scans link leads directly to the Multi-Scanner page on the sample’s Summary page.

Sample Availability

The Local results tab includes only those samples that are currently available on the local Spectra Analyze instance.

The Cloud tab includes samples found in the Spectra Intelligence cloud. Select Cloud Search and pick All Cloud Data or further differentiate between public and private results. Private results may include files that have been deleted and are no longer available for download. Selecting Public Cloud Data shows data uploaded to Spectra Intelligence as shareable that may be available for download to the local Spectra Analyze instance. Alternatively, use the available:true keyword in the search query.

Sample availability is indicated by a cloud icon on the left side of the results page. Samples with a black cloud icon are available for download; those with a grey icon are not.

Spectra Intelligence Sample Actions

The Cloud results page offers only the Fetch and Analyze, Reanalyze in Spectra Intelligence and Subscribe/Unsubscribe actions for each sample. Fetch and Analyze and Reanalyze in Spectra Intelligence are available only for public and available samples (indicated by a black cloud icon).

To learn how to subscribe to or unsubscribe from samples in the search results list, consult the Alerts section.

Bulk Actions for Managing Search Results

Both Local and Cloud results pages allow users to select multiple samples at once and perform some actions on them.

  • Local results page:
    • Reanalyze
    • Download samples
    • Download Extracted Files
    • Apply Tags
    • Delete
    • Subscribe
    • Unsubscribe
  • Cloud results page:
    • Fetch & Analyze (public results only)
    • Subscribe
    • Unsubscribe

To perform bulk actions, first select a number of samples to activate the bulk actions menu (☰).

There are several ways to select multiple samples.

  1. Manually select the checkbox on the left side of every sample.
  2. Click the Select all N samples link that appears at the top when one or more samples are selected. This will select all samples on all pages in the results list.
  3. Click the Select All checkbox in the top left corner of the results table. This will select all samples on the current page. Click the checkbox again to deselect all selected samples.

When multiple samples are selected, a new bulk actions menu (☰) appears on the right side of the results page. Select the desired option in the menu.

Bulk actions menu with option to download local samples highlighted

Downloading Files from Spectra Analyze to Local Storage

important
  • Submissions selected for download are compressed and downloaded as a single ZIP file protected by a user-defined password.
  • Currently, bulk downloads are limited to 15 000 files at once. The total combined size of all files selected for download should not exceed 4 GB.
  • If the appliance is unable to create the ZIP file within 20 minutes, the download process will time out.

Files on the Spectra Analyze appliance can be downloaded to the local storage using the Download sample option from the actions menu (☰) for every submission.

Apart from downloading submissions one by one, users can also download multiple submissions at once (bulk download) to their local storage.

This option is available from the Local search results on the Advanced Search page, YARA ruleset matches, Sample Details > File Similarity > Local and from the Submissions page.

There are several ways to select multiple items on the Search page:

  1. Manually select the checkbox on the left side of every submission.
  2. Select one or more submissions, then click the Select all N samples link that appears at the top of the page. This will select all submissions on all currently accessible pages.
  3. Click the main checkbox in the topmost row of the submissions list. This will select all submissions on the current page. Click the checkbox again to deselect all selected submissions.

When one or more items are selected, an additional actions menu (☰) appears highlighted on the right side of the page. Select the Download samples option in the menu.

When the download process starts, a notification appears in the Spectra Analyze interface. The notification contains a link for canceling the download process. If the notification is dismissed (by clicking the X button), it will appear again when the page is refreshed, or when the user navigates to another part of the Spectra Analyze interface.

When the download process is done, another notification appears even if previous notifications were dismissed.

Downloading Container Files

When a file is extracted from another file during analysis, the file from which it was extracted is referred to as its “container”.

Extracted files have the Download container option in their action menu (☰) on the Search page. Selecting this option downloads the top-most container of the extracted file from Spectra Analyze to the local storage.

If a file has been extracted from multiple different containers, the oldest one found on the appliance will be downloaded. Extracted files for which the top-most container has been removed from the appliance do not have this option in their action menu.

The option to download the container is also available on the YARA ruleset matches, Sample Details > Summary, Sample Details > Extracted Files, File Similarity > Local, and on the Local search results page of the Advanced Search page.

Downloading Files from Spectra Intelligence

Apart from submitting files to the appliance manually or through the API, users can also obtain new files by downloading them from Spectra Intelligence. Downloaded files are stored on the appliance, and accessible from the Local tab on the Search page.

The prerequisite is that the appliance is connected to Spectra Intelligence.

In order to download a file from Spectra Intelligence, it has to be marked as available (in other words, uploaded to the cloud as shareable). The interface indicates this with a black cloud icon. Files with a gray cloud icon are marked as private, and are not available for download.

Keep in mind that appliance administrators can configure the allowed file size for downloads from Spectra Intelligence. When this is configured, users can’t download files exceeding that file size. Regardless of the configuration, the maximum allowed file size is 500 MB per file. Files that are too large to be downloaded from Spectra Intelligence will have a special indicator icon instead of the black/gray cloud icon.

Files can be downloaded from Spectra Intelligence to the Spectra Analyze appliance on the following pages:

  • Advanced Search results - Public tab
  • YARA > ruleset matches
  • Sample Details > File Similarity > Spectra Intelligence filter
  • Submissions > search results > Spectra Intelligence filter

On each of the pages, files can be selected in several ways, depending on the page:

  1. Manually select individual checkboxes on the left side of each file.
  2. Select one or more files, then click the Select all N samples link that appears at the top of the page. This will select all files on all currently accessible pages.
  3. Click the main checkbox (usually at the top left of the list). This will select all files on the current page. Click the checkbox again to deselect all selected files.

When one or more files are selected, an additional actions menu (☰) appears highlighted on the right side of the page. Depending on the page, the following options may be available in the menu:

Some pages on the Spectra Analyze appliance display the Fetch All button at the top right of the page when no files are selected. In those cases, clicking the button downloads all available files from the page to the appliance. It is also possible to choose any number of files by selecting individual checkboxes on the left side of each file. In this case, the Fetch All button changes to Fetch Selected.

When downloading is confirmed, Spectra Analyze displays a notification about files being queued for download. Navigating away from the page will not stop the downloads. The process should only take a couple of seconds, after which the downloaded files will appear on the Search page.

Managing Unknown (Not Found) Files

note

“Unknown” in this context means “unknown to the system”, “not found in the system”. It does not refer to the Unknown status that files have when they are not classified yet.

Spectra Analyze can detect and track files that are currently not present on the appliance or in the Spectra Intelligence cloud. Users can look up hashes of specific files and set up alert subscriptions to get notified when the files become available in the cloud.

Search page

To track unknown files using the Advanced Search feature, users should submit hashes through the Bulk Hash Search dialog.

When one or more hashes are submitted through the Bulk Hash Search dialog, unknown hashes are automatically filtered out and displayed in a separate Not found tab on the search results page.

When one or more SHA1 hashes in the Not found list are selected, the actions menu (☰) provides options to subscribe to or unsubscribe from them. Users can then configure the alert subscription as described in the Tracking Unknown Hashes with Alerts section.

Deleting Submitted Files and URLs

It is possible to manually delete files and URLs from the Search page. Users can delete only those submissions that they have added, while administrators (“superusers”) can delete any submission regardless of who added it to the appliance.

There are several ways to delete a submission:

  1. By selecting Delete sample in the actions menu (☰) on the Search page. This menu item is visible to users only for their own submissions. Administrators can see this menu item for all submissions.
  2. By clicking a submission name to open its Sample Details page, then selecting Delete sample in the ACTIONS menu.

Sample Details Summary page with highlighted Actions menu

Multiple submissions can be deleted at once. To do this, select one or more items on the Search page using the checkboxes on the left side. Selected submissions are highlighted in yellow. To select all submissions at once, click the Select all N uploads message at the top of the list.

Next, open the bulk actions menu (☰) highlighted on the right side of the list. Select Delete to remove selected submissions.

A confirmation dialog appears, displaying the number of submissions to be deleted. Click Yes to proceed with deleting the submissions. Navigating away from the page will not stop the deletions.

Clicking No or Cancel closes the confirmation dialog and returns to the Search page.

Reanalyzing Files and URLs

Users can perform additional analysis activities at any point after the files/URLs have initially been submitted and processed on the Spectra Analyze appliance.

Namely, files can be submitted for reanalysis to the following supported services:

  1. Static Analysis - Spectra Core. Users can choose to reanalyze files with a newer version of the Spectra Core static analysis engine after updating the appliance.
  2. Cloud Analysis - Spectra Intelligence. Users can submit a file to be reanalyzed with AV engines in the Spectra Intelligence cloud.
  3. Dynamic Analysis with services supported on Spectra Analyze (ReversingLabs Cloud Sandbox and Auxiliary Analysis, Cuckoo, FireEye, Joe Sandbox, CAPE, Cisco Secure Malware Analytics, VMRay). Users can submit a file to be reanalyzed with one or more dynamic analysis services enabled and configured on Spectra Analyze. Samples larger than 400 MB cannot be submitted to dynamic analysis services (100 MB for FireEye). Note that existing dynamic analysis reports are deleted automatically on resubmission: if the reanalysis fails on a service for any reason, no dynamic analysis report will be available for the sample from that service, so save any report you still need before resubmitting.
  4. Assessment (auxiliary analysis).

Single and bulk Reanalyze options are accessible on the following pages:

  • Advanced Search > Local results
  • the Summary section of the Sample Details page
  • the list of YARA matches (local and local-retro only)

On the Search page, a single file can be submitted for reanalysis by selecting the Reanalyze option in its actions menu (☰).

For bulk reanalysis with services other than Spectra Core, up to 100 files can be selected and submitted at once.
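The limits stated above and in the bulk download section (15 000 files and 4 GB per bulk download; 100 files per bulk reanalysis; 400 MB per sample for dynamic analysis, 100 MB for FireEye) are easy to trip over when working from an exported hash list rather than the UI. The following pre-flight planner is an added example and not part of Spectra Analyze or its API: it only encodes the documented caps, splits a selection into download batches that fit, and separates samples that a dynamic analysis service would refuse. The `Sample` type, the function names and the sample sizes are constructed for illustration; the binary interpretation of "GB" and "MB" is an assumption.

```python
"""Pre-flight checks against the bulk-operation limits documented for Spectra Analyze.

Added example; not product code. All limits are taken from the documentation,
the unit interpretation (binary GB/MB) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable

BULK_DOWNLOAD_MAX_FILES = 15_000
BULK_DOWNLOAD_MAX_BYTES = 4 * 1024 ** 3          # "4 GB" (assumed binary)
BULK_REANALYZE_MAX_FILES = 100                    # services other than Spectra Core
DYNAMIC_MAX_BYTES = 400 * 1024 ** 2               # "400 MB" for dynamic analysis
DYNAMIC_MAX_BYTES_BY_SERVICE = {"FireEye": 100 * 1024 ** 2}   # "100 MB for FireEye"


@dataclass(frozen=True)
class Sample:
    sha1: str   # hypothetical identifier; the UI selects rows, not hashes
    size: int   # size in bytes


def plan_bulk_downloads(samples: Iterable[Sample]) -> list[list[Sample]]:
    """Greedily split a selection into batches that each fit one bulk download.

    Raises ValueError for a single sample that can never fit, instead of
    silently producing a batch the appliance would reject.
    """
    batches: list[list[Sample]] = []
    current: list[Sample] = []
    current_bytes = 0
    for s in samples:
        if s.size > BULK_DOWNLOAD_MAX_BYTES:
            raise ValueError(f"{s.sha1}: {s.size} bytes exceeds one bulk download")
        full = len(current) >= BULK_DOWNLOAD_MAX_FILES
        too_big = current_bytes + s.size > BULK_DOWNLOAD_MAX_BYTES
        if current and (full or too_big):
            batches.append(current)
            current, current_bytes = [], 0
        current.append(s)
        current_bytes += s.size
    if current:
        batches.append(current)
    return batches


def check_dynamic_reanalysis(samples: Iterable[Sample], service: str) -> tuple[list[Sample], list[Sample]]:
    """Return (accepted, rejected) for one bulk reanalysis request to a dynamic service.

    Rejected samples exceed the per-sample size cap of that service; the whole
    request is refused if it holds more than the bulk reanalysis maximum.
    """
    samples = list(samples)
    if len(samples) > BULK_REANALYZE_MAX_FILES:
        raise ValueError(f"{len(samples)} files selected; bulk reanalysis allows {BULK_REANALYZE_MAX_FILES}")
    limit = DYNAMIC_MAX_BYTES_BY_SERVICE.get(service, DYNAMIC_MAX_BYTES)
    accepted = [s for s in samples if s.size <= limit]
    rejected = [s for s in samples if s.size > limit]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed selection: three large archives plus one oversized sample.
    selection = [
        Sample("a" * 40, 3 * 1024 ** 3),
        Sample("b" * 40, int(1.5 * 1024 ** 3)),
        Sample("c" * 40, 1 * 1024 ** 3),
    ]
    for i, batch in enumerate(plan_bulk_downloads(selection), 1):
        print(f"download batch {i}: {len(batch)} files, {sum(s.size for s in batch)} bytes")
    ok, too_big = check_dynamic_reanalysis(
        [Sample("d" * 40, 150 * 1024 ** 2), Sample("e" * 40, 450 * 1024 ** 2)], "FireEye")
    print("FireEye accepts", len(ok), "rejects", len(too_big))
```

The planner is deliberately greedy rather than optimal: the goal is not to minimise the number of ZIP files but to guarantee that every batch handed to the UI stays under both caps, so a 20-minute timeout on an oversized archive does not waste a run.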

When the Reanalyze option is selected, a floating dialog opens, where users can select which services to use for reanalysis.

Dialog with options for reanalyzing samples

Multiple services can be selected in the dialog. If any of the selected files have last been analyzed with a Spectra Core version older than the current version on the Spectra Analyze appliance, the Spectra Core static analysis service is selected by default. For other services, the date of the last successful analysis is displayed under the service name. The ReversingLabs Cloud Sandbox dynamic analysis service allows the users to select the platform to which the sample will be submitted: Windows 7, Windows 10, macOS Big Sur, or Ubuntu 20 (Linux).

If a service is unavailable or misconfigured on the appliance, this is indicated by a status label under the service name. If a file is already being processed by a service when submitted for reanalysis, that service will be disabled.

After selecting the desired service(s), confirm by clicking Go to submit files for reanalysis.

Dynamic analysis services have additional limitations. Consult the Dynamic Analysis section for more details.

important

Files without available sources cannot be reanalyzed using the Reanalyze option/dialog.

For extracted files, the Reanalyze option in the actions menu can be used to submit them for reanalysis to all services except Spectra Core.

URL submissions behave the same as files, so everything above applies to them as well. To crawl a URL again, select the Recrawl option in its actions menu (☰). This opens the URL submission pop-up window with the URL already inserted, allowing the user to select or change the crawling method.

Reanalyzing Files and URLs in Error State

In some cases, submissions on the Spectra Analyze appliance remain in an error state because their previous analysis failed.

Files in error state have a "Fail" indicator instead of the classification indicator on the Search page. Hovering over the indicator displays a tooltip with information about the last failed analysis.

If the file name is crossed-out, that indicates the file doesn’t have a source on the appliance. Files without available sources cannot be submitted for reanalysis.

To reanalyze a file or a URL submission in error state, select the Retry Analysis option in its actions menu (☰). This option is available for individual submissions only (not for multiple submissions at once).

During reanalysis, users can normally browse pages on the Spectra Analyze appliance, including the Sample Details page of the submission that is being reanalyzed.

Following a successful reanalysis, the submission will no longer display the Fail indicator, and will receive a classification from one of the supported sources.

Analyzing Files with RHA Similarity Algorithm

The RHA (ReversingLabs Hashing Algorithm) is a functional similarity algorithm that classifies files based on the similarity of their features. Format-specific attributes of a file are abstracted into categories, and then evaluated for similarity at four different precision levels (25%, 50%, 75% and 100%). The precision levels represent the degree of similarity: the higher the level, the more similar attributes there are between files.

The Spectra Analyze appliance can display RHA information for PE, MachO, and ELF samples. Only the first precision level (25%) is supported for those file formats.

If RHA results are available for a file, they are displayed next to a red RHA icon on the left side of the Expanded Details section, in the sidebar of the Sample Details page, and in the File Similarity section of the Summary section of the Sample Details page.

The File Similarity section in the Sample Details page sidebar

To get a list of functionally similar samples for a file:

  • click the links in the File Similarity section on the Sample Details page
  • expand the row on the Search page and click any of the numbers in the RHA section (above User and System Tags)

RHA table with numerical callouts indicating RHA-related options

This will open the RHA results with samples functionally similar to the selected file. They can be filtered by threat status (All threats, Goodware, Unknown, Malicious, Suspicious) and by source (All, Local, Spectra Intelligence). Additionally, Subscribe/Unsubscribe options are available for those files, making it possible to create alert subscriptions for them.

When the cursor changes to an up-down arrow in the RHA results list, click to expand the row and get more information about the file.

Expanded sample row in the RHA table

Files marked with a gray cloud icon are unavailable for download, while those marked with a black cloud icon can be downloaded to the appliance.

Clicking Fetch All at the top of the RHA results list will download all available files to the appliance, up to a maximum of 1000 files.

It is also possible to manually select one or multiple files from the list and click Fetch Selected. The procedure is identical to the one described in the Downloading Files from Spectra Intelligence section.

tip

When the functionally similar samples are downloaded and analyzed, it is useful to look at their “Protection” features and “Indicators” (in the Sample Details > Spectra Core section), and compare them.