# Spectra Analyze Documentation
> Malware analysis appliance documentation including setup, API, administration, and sample analysis.
This file contains all documentation content in a single document following the llmstxt.org standard.
## Analysis Timeout Issues
File analysis timeouts can occur when processing complex or large files that require extensive analysis time. Understanding the causes and solutions helps ensure successful file processing.
## Common Causes
Analysis timeouts typically happen due to:
- **Large file sizes** - Files approaching or exceeding the size limits for your appliance tier
- **Deep nesting** - Archives containing multiple layers of compressed files
- **Extensive unpacking** - Files that trigger recursive decompression operations
- **Complex file structures** - Files with intricate internal structures requiring detailed parsing
- **Resource constraints** - Insufficient RAM or CPU allocation for the analysis workload
## Configuration Options
### Spectra Analyze
The analysis timeout can be adjusted in the appliance configuration:
1. Navigate to **Administration > Configuration**
2. Locate the analysis timeout setting
3. Increase the timeout value based on your file processing requirements
4. Save the configuration changes
### File Inspection Engine
Use the `--analysis-timeout` flag to control the per-file time limit:
```bash
rl-scan --analysis-timeout 300 /path/to/file
```
The timeout value is specified in seconds.
## Troubleshooting Steps
If analysis timeouts persist:
1. **Increase allocated resources** - Ensure the appliance or container has sufficient RAM (32 GB+ recommended) and CPU cores
2. **Check decompression ratio limits** - Verify that recursive unpacking isn't exceeding configured limits
3. **Review file characteristics** - Examine the file structure to identify potential issues
4. **Monitor system resources** - Check if the appliance is under heavy load from concurrent analyses
5. **Adjust timeout values** - Increase timeout settings for complex file processing workflows
## Related Topics
- [Platform Requirements](/General/DeploymentAndIntegration/PlatformRequirements) - Hardware specifications for different appliance tiers
- [How Spectra Core analysis works](/General/AnalysisAndClassification/SpectraCoreAnalysis) - Understanding the analysis process
---
## Antivirus Result Availability
When a sample is uploaded or rescanned in Spectra Intelligence, it will usually get new antivirus results **within 30 minutes**.
When a sample has new antivirus results, these will available in relevant APIs, for example [TCA-0104 File analysis](/SpectraIntelligence/API/FileThreatIntel/tca-0104/).
---
## Certificate Revocation
ReversingLabs maintains a certificate revocation database that is updated with each [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) release. Because the database is offline, some recently revoked certificates may not appear as revoked until the next update.
Certificate Authority (CA) revocation alone is not sufficient to classify a sample as malicious. Most CAs backdate revocations to the certificate's issuance date, regardless of when or whether the certificate was abused.
When additional context is available, ReversingLabs adjusts the revocation date to reflect the most appropriate point in time. If a certificate is whitelisted, this correction is not applied.
## Searching for Revoked Certificates
You can find samples signed with revoked certificates using **Advanced Search** with the `tag:cert-revoked` keyword.
Advanced Search is available both through the [Spectra Analyze user interface](/SpectraAnalyze/search-page/) and as the [TCA-0320 Advanced Search](/SpectraIntelligence/API/MalwareHunting/tca-0320/) API.
---
## File Classification and Risk Scoring — ReversingLabs
# Classification
File classification assigns a risk score (0-10) and threat verdict (malicious, suspicious, goodware, or unknown) to every analyzed file using ReversingLabs Spectra Core. The classification algorithm combines YARA rules, machine learning, heuristics, certificate validation, and file similarity matching to determine security status. YARA rules take precedence as the most authoritative signal, followed by other detection methods that contribute to the final verdict.
The classification of a sample is based on a comprehensive assessment of its assigned risk factor, threat level, and trust factor; however, it can be manually or automatically overridden when necessary.
Based on this evaluation, files are placed into one of the following buckets:
- No threats found (unclassified)
- Goodware/known
- Suspicious
- Malicious
The classification process weighs signals from all available sources to arrive at the most accurate verdict. Some signals are considered more authoritative than others and take priority. For example, [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) YARA rules always take precedence because they are written and curated by ReversingLabs analysts. These rules provide the highest degree of accuracy, as they target specific, named threats. This does not mean that other classification methods are less important. Similarity matching, heuristics, and machine learning still contribute valuable signals and may produce additional matches. In cases where multiple detections apply, YARA rules simply serve as the deciding factor for the final classification.
## Risk score
A risk score is a value representing the trustworthiness or malicious severity of a sample. Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats. At a glance:
Files with no threats found don't get assigned a risk score and are therefore **unclassified**.
Values from 0 to 5 are reserved for samples classified as **goodware/known**, and take into account the source and structural metadata of the file, among other things. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score.
Risk scores from 6 to 10 are reserved for **suspicious** and **malicious** samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more. Lesser threats like adware get a risk score of 6, while ransomware and trojans always get a risk score of 10.
### Malware type and risk score
In cases where multiple threats are detected and there are no other factors (such as user overrides) involved, the final classification is always the one that presents the biggest threat. If they belong to the same risk score group, malware types are prioritized in this order:
| Risk score | Malware types |
|------------|---------------------------------------------------------------------------------------------------------------------|
| 10 | EXPLOIT > BACKDOOR > RANSOMWARE > INFOSTEALER > KEYLOGGER > WORM > VIRUS > CERTIFICATE > PHISHING > FORMAT > TROJAN |
| 9 | ROOTKIT > COINMINER > ROGUE > BROWSER |
| 8 | DOWNLOADER > DROPPER > DIALER > NETWORK |
| 7 | SPYWARE > HYPERLINK > SPAM > MALWARE |
| 6 | ADWARE > HACKTOOL > PUA > PACKED |
## Threat level and trust factor
The [risk score table](#risk-score) describes the relationship between the risk score, and the threat level and trust factor used by the [File Reputation API](/SpectraIntelligence/API/FileThreatIntel/tca-0101).
The main difference is that the risk score maps all classifications onto one numerical scale (0-10), while the File Reputation API uses two different scales for different classifications.
### Nomenclature
The following classifications are equivalent:
| File Reputation API | Spectra Analyze | Spectra Detect Worker |
| ------------------- | --------------- | ------------------------ |
| known | goodware | 1 (in the Worker report) |
In the Worker report, the [risk score](#risk-score) is called `rca_factor`.
## Deciding sample priority
The [risk score table](#risk-score) highlights that the a sample's risk score and its classification don't have a perfect correlation. This means that a sample's risk score cannot be interpreted on its own, and that the primary criterion in deciding a sample's priority is its classification.
Samples classified as suspicious can be a result of heuristics, or a possible early detection. A suspicious file may be declared malicious or known at a later time if new information is received that changes its threat profile, or if the user manually modifies its status.
The system always considers a malicious sample with a risk score of 6 as a higher threat than a suspicious sample with a risk score of 10, meaning that samples classified as malicious always supersede suspicious samples, regardless of the calculated risk score.
The reason for this is certainty - a malicious sample is decidedly malicious, while suspicious samples need more data to confirm the detected threat. It is a constant effort by ReversingLabs to reduce the number of suspicious samples.
While a suspicious sample with a risk score of 10 does deserve user attention and shouldn't be ignored, a malicious sample with a risk score of 10 should be triaged as soon as possible.
## Malware naming standard
---
## Handling False Positives
# Handling False Positives
A false positive occurs when a legitimate file is incorrectly classified as malicious. While ReversingLabs strives for high accuracy, false positives can occasionally happen due to the complexity of malware detection across hundreds of file formats and millions of samples.
## What You Can Do
If you encounter a false positive, you have several options:
### 1. Local Classification Override
On Spectra Analyze, you can immediately override the classification using the classification override feature:
- Navigate to the file's Sample Details page
- Use the classification override option to manually set the file as goodware
- The override takes effect immediately on your appliance
- All users on the same appliance will see the updated classification
### 2. Spectra Intelligence Reclassification Request
Submit a reclassification request through Spectra Intelligence:
- The override propagates across all appliances connected to the same Spectra Intelligence account
- Other appliances in your organization will automatically receive the updated classification
- This is the recommended approach for organization-wide corrections
### 3. Goodware Overrides
Use Goodware Overrides to propagate trusted parent classifications to extracted child files:
- If a trusted parent file (e.g., from Microsoft or another reputable vendor) contains files that trigger false positives
- The parent's goodware classification can automatically override the child files
- This is particularly useful for legitimate installers that may contain components flagged by heuristics
## How ReversingLabs Handles False Positive Reports
If a customer reports a false positive (through Zendesk, or by contacting the Support team at support@reversinglabs.com), the first thing we do is re-scan the sample to make sure that the results are up-to-date.
If the results are still malicious, our Threat Analysis team will:
1. Conduct our own research of the software and the vendor
2. Contact the AV scanners and notify them of the issue
3. Change the classification in our system (we do not wait for AVs to correct the issue)
---
If the file is confirmed to be a false positive, we begin by analyzing why the incorrect classification occurred.
Then we try to correct the result by making adjustments related to file relationships, certificates, AV product detection velocity (e.g. are detections being added or removed), we will re-scan and reanalyze samples, adjust/add sources and, if necessary, manually investigate the file.
If these efforts do not yield a correct result, we have the ability to **manually override the classification** — but we only do so after thorough analysis confirms the file is benign.
---
## ReversingLabs malware naming standard
The ReversingLabs detection string consists of three main parts separated by dots.
All parts of the string will always appear (all three parts are mandatory).
```
platform-subplatform.type.familyname
```
1. The first part of the string indicates the **platform** targeted by the malware.
This string is always one of the strings listed in the [Platform string](#platform-string) table.
If the platform is Archive, Audio, ByteCode, Document, Image or Script, then it has a subplatform string.
Platform and subplatform strings are divided by a hyphen (`-`).
The lists of available strings for Archive, Audio, ByteCode, Document, Image and Script
subplatforms can be found in their respective tables.
2. The second part of the detection string describes the **malware type**.
Strings that appear as malware type descriptions are listed in the [Type string](#type-string) table.
3. The third and last part of the detection string represents the malware family name,
i.e. the name given to a particular malware strain.
Names "Agent", "Gen", "Heur", and other similar short generic names are not allowed.
Names can't be shorter than three characters, and can't contain only numbers.
Special characters (apart from `-`) must be avoided as well.
The `-` character is only allowed in exploit (CVE/CAN) names (for example CVE-2012-0158).
#### Examples
If a trojan is designed for the Windows 32-bit platform and has the family name "Adams",
its detection string will look like this:
```
Win32.Trojan.Adams
```
If some backdoor malware is a PHP script with the family name "Jones",
the detection string will look like this:
```
Script-PHP.Backdoor.Jones
```
Some potentially unwanted application designed for Android that
has the family name "Smith" will have the following detection string:
```
Android.PUA.Smith
```
Some examples of detections with invalid family names are:
```
Win32.Dropper.Agent
ByteCode-MSIL.Keylogger.Heur
Script-JS.Hacktool.Gen
Android.Backdoor.12345
Document-PDF.Exploit.KO
Android.Spyware.1a
Android.Spyware.Not-a-CVE
Win32.Trojan.Blue_Banana
Win32.Ransomware.Hydra:Crypt
Win32.Ransomware.HDD#Cryptor
```
#### Platform string
The platform string indicates the operating system that the malware is designed for.
The following table contains the available strings and the operating systems for which they are used.
| String | Short description |
| ----------- | ------------------------------------------------------------------------------------------ |
| ABAP | SAP / R3 Advanced Business Application Programming environment |
| Android | Applications for Android OS |
| AOL | America Online environment |
| Archive | Archives. See [Archive subplatforms](#archive-subplatforms) for more information. |
| Audio | Audio. See [Audio subplatforms](#audio-subplatforms) for more information. |
| BeOS | Executable content for Be Inc. operating system |
| Boot | Boot, MBR |
| Binary | Binary native type |
| ByteCode | ByteCode, platform-independent. See [ByteCode subplatforms](#bytecode-subplatforms) for more information. |
| Blackberry | Applications for Blackberry OS |
| Console | Executables or applications for old consoles (e.g. Nintendo, Amiga, ...) |
| Document | Documents. See [Document subplatforms](#document-subplatforms) for more information. |
| DOS | DOS, Windows 16 bit based OS |
| EPOC | Applications for EPOC mobile OS |
| Email | Emails. See [Email subplatforms](#email-subplatforms) for more information. |
| Firmware | BIOS, Embedded devices (mp3 players, ...) |
| FreeBSD | Executable content for 32-bit and 64-bit FreeBSD platforms |
| Image | Images. See [Image subplatforms](#image-subplatforms) for more information. |
| iOS | Applications for Apple iOS (iPod, iPhone, iPad…) |
| Linux | Executable content for 32 and 64-bit Linux operating systems |
| MacOS | Executable content for Apple Mac OS, OS X |
| Menuet | Executable content for Menuet OS |
| Novell | Executable content for Novell OS |
| OS2 | Executable content for IBM OS/2 |
| Package | Software packages. See [Package subplatforms](#package-subplatforms) for more information. |
| Palm | Applications for Palm mobile OS |
| Script | Scripts. See [Script subplatforms](#script-subplatforms) for more information. |
| Shortcut | Shortcuts |
| Solaris | Executable content for Solaris OS |
| SunOS | Executable content for SunOS platform |
| Symbian | Applications for Symbian OS |
| Text | Text native type |
| Unix | Executable content for the UNIX platform |
| Video | Videos |
| WebAssembly | Binary format for executable code in Web pages |
| Win32 | Executable content for 32-bit Windows OS's |
| Win64 | Executable content for 64-bit Windows OS's |
| WinCE | Executable content for Windows Embedded Compact OS |
| WinPhone | Applications for Windows Phone |
##### Archive subplatforms
| String | Short description |
| ---------------------------------- | ------------------------------------------------------------ |
| ACE | WinAce archives |
| AR | AR archives |
| ARJ | ARJ (Archived by Robert Jung) archives |
| BZIP2 | Bzip2 archives |
| CAB | Microsoft Cabinet archives |
| GZIP | GNU Zip archives |
| ISO | ISO image files |
| JAR | JAR (Java ARchive) archives |
| LZH | LZH archives |
| RAR | RAR (Roshal Archive) archives |
| 7ZIP | 7-Zip archives |
| SZDD | Microsoft SZDD archives |
| TAR | Tar (tarball) archives |
| XAR | XAR (eXtensible ARchive) archives |
| ZIP | ZIP archives |
| ZOO | ZOO archives |
| *Other Archive identification* | All other valid [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) identifications of Archive type |
##### Audio subplatforms
| String | Short description |
| -------------------------------- | ---------------------------------------------------------- |
| WAV | Wave Audio File Format |
| *Other Audio identification* | All other valid Spectra Core identifications of Audio type |
##### ByteCode subplatforms
| String | Short description |
| ------ | ----------------- |
| JAVA | Java bytecode |
| MSIL | MSIL bytecode |
| SWF | Adobe Flash |
##### Document subplatforms
| String | Short description |
| ----------------------------------- | ------------------------------------------------------------ |
| Access | Microsoft Office Access |
| CHM | Compiled HTML |
| Cookie | Cookie files |
| Excel | Microsoft Office Excel |
| HTML | HTML documents |
| Multimedia | Multimedia containers that aren't covered by other platforms (e.g. ASF) |
| Office | File that affects multiple Office components |
| OLE | Microsoft Object Linking and Embedding |
| PDF | PDF documents |
| PowerPoint | Microsoft Office PowerPoint |
| Project | Microsoft Office Project |
| Publisher | Microsoft Office Publisher |
| RTF | RTF documents |
| Visio | Microsoft Office Visio |
| XML | XML and XML metafiles (ASX) |
| Word | Microsoft Office Word |
| *Other Document identification* | All other valid Spectra Core identifications of Document type |
##### Email subplatforms
| String | Short description |
| ------ | ------------------------------------- |
| MIME | Multipurpose Internet Mail Extensions |
| MSG | Outlook MSG file format |
##### Image subplatforms
| String | Short description |
| -------------------------------- | ------------------------------------------------------------ |
| ANI | File format used for animated mouse cursors on Microsoft Windows |
| BMP | Bitmap images |
| EMF | Enhanced Metafile images |
| EPS | Adobe Encapsulated PostScript images |
| GIF | Graphics Interchange Format |
| JPEG | JPEG images |
| OTF | OpenType Font |
| PNG | Portable Network Graphics |
| TIFF | Tagged Image File Format |
| TTF | Apple TrueType Font |
| WMF | Windows Metafile images |
| *Other Image identification* | All other valid Spectra Core identifications of Image type |
##### Package subplatforms
| String | Short description |
| ---------------------------------- | ------------------------------------------------------------ |
| NuGet | NuGet packages |
| DEB | Debian Linux DEB packages |
| RPM | Linux RPM packages |
| WindowStorePackage | Packages for distributing and installing Windows apps |
| *Other Package identification* | All other valid Spectra Core identifications of Package type |
##### Script subplatforms
| String | Short description |
| --------------------------------- | ------------------------------------------------------------ |
| ActiveX | ActiveX scripts |
| AppleScript | AppleScript scripts |
| ASP | ASP scripts |
| AutoIt | AutoIt scripts (Windows) |
| AutoLISP | AutoCAD LISP scripts |
| BAT | Batch scripts |
| CGI | CGI scripts |
| CorelDraw | CorelDraw scripts |
| Ferite | Ferite scripts |
| INF | INF Script, Windows installer scripts |
| INI | INI configuration file |
| IRC | IRC, mIRC, pIRC/Pirch Script |
| JS | Javascript, JScript |
| KiXtart | KiXtart scripts |
| Logo | Logo scripts |
| Lua | Lua scripts |
| Macro | Macro (e.g. VBA, AmiPro macros, Lotus123 macros) |
| Makefile | Makefile configuration |
| Matlab | Matlab scripts |
| Perl | Perl scripts |
| PHP | PHP scripts |
| PowerShell | PowerShell scripts, Monad (MSH) |
| Python | Python scripts |
| Registry | Windows Registry scripts |
| Ruby | Ruby scripts |
| Shell | Shell scripts |
| Shockwave | Shockwave scripts |
| SQL | SQL scripts |
| SubtitleWorkshop | SubtitleWorkshop scripts |
| WinHelp | WinHelp Script |
| WScript | Windows Scripting Host related scripts (can be VBScript, JScript, …) |
| *Other Script identification* | All other valid Spectra Core identifications of Script type |
#### Type string
This string is used to describe the general type of malware.
The following table contains the available strings and describes what each malware type is capable of. For a catalog of common software weaknesses that enable malware, see [CWE](https://cwe.mitre.org/) maintained by MITRE. CISA maintains advisories on actively exploited vulnerabilities at [cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities).
| String | Description |
| ----------- | ------------------------------------------------------------ |
| Adware | Presents unwanted advertisements |
| Backdoor | Bypasses device security and allows remote access |
| Browser | Browser helper objects, toolbars, and malicious extensions |
| Certificate | Classification derived from certificate data |
| Coinminer | Uses system resources for cryptocurrency mining without the user's permission |
| Dialer | Applications used for war-dialing and calling premium numbers |
| Downloader | Downloads other malware or components |
| Dropper | Drops malicious artifacts including other malware |
| Exploit | Exploits for various vulnerabilities, CVE/CAN entries |
| Format | Malformations of the file format. Classification derived from graylisting, validators on unpackers |
| Hacktool | Software used in hacking attacks, that might also have a legitimate use |
| Hyperlink | Classifications derived from extracted URLs |
| Infostealer | Steals personal info, passwords, etc. |
| Keylogger | Records keystrokes |
| Malware | New and recently discovered malware not yet named by the research community |
| Network | Networking utilities, such as tools for DoS, DDoS, etc. |
| Packed | Packed applications (UPX, PECompact…) |
| Phishing | Email messages (or documents) created with the aim of misleading the victim by disguising itself as a trustworthy entity into opening malicious links, disclosing personal information or opening malicious files. |
| PUA | Potentially unwanted applications (hoax, joke, misleading...) |
| Ransomware | Malware which encrypts files and demands money for decryption |
| Rogue | Fraudulent AV installs and scareware |
| Rootkit | Provides undetectable administrator access to a computer or a mobile device |
| Spam | Other junk mail that does not unambiguously fall into the Phishing category, but contains unwanted or illegal content. |
| Spyware | Collects personal information and spies on users |
| Trojan | Allows remote access, hides in legit applications |
| Virus | Self-replicating file/disk/USB infectors |
| Worm | Self-propagating malware with exploit payloads |
---
## Risk score reference table
---
## Risk Tolerance [PREVIEW]
To enable this preview feature, contact [ReversingLabs Support](mailto:support@reversinglabs.com).
When enabled, the Risk Tolerance feature introduces the following additional classification reasons:
- Classified by Auxiliary Analysis
- Classified by Joe Sandbox
- Classified by Network References
- Classified by Cloud Sandbox (RLCS)
Availability of these services depends on your appliance configuration.
**Note: Cloud Sandbox (RLCS) can also be included in verdicts through a GUI option. With the Risk Tolerance feature enabled, however, RLCS results are weighted more heavily and can classify a sample as malicious even if other sources do not.**
---
## Self-Service Registration
This guide describes how to set up self-service registration for Spectra Analyze using Okta as the identity provider. It can be set up with SAML or OIDC integration.
## Setting up Okta with Spectra Analyze
In the Okta Administration interface, navigate to **Applications > Applications** and click **Create App Integration**. Set up either OIDC or SAML integration.
### SAML
1. Enter the required username and password attribute statements.
**Info: Group attributes are only necessary if the groups functionality is intended to be used.**
2. When the integration is configured, navigate to the **Assignments** tab and assign at least one group to the application.
3. Navigate to the **Sign On** tab and download the metadata.
4. Set up the SAML configuration in Spectra Analyze with matching claims and upload the metadata.
**Info: Make sure to select the `Allow unsolicited responses from IdP` checkbox.**
## Enabling Sign Up
1. In **Security > Profile Enrollment**, create a new **Profile Enrollment Policy**.
2. Set the **Self-service registration** to `Allowed`, and select the **Email verification** checkbox.
3. Navigate to **Manage apps** and add your application to the created policy.
4. In **Security > Authenticators**, edit the **Email authenticator**, and enable it to be used for both authentication and recovery.
5. In the **Enrollment** tab, add a new policy for the same group that was assigned to the application, and set the **Email** authenticator to at least `Optional`.
6. In **Security > Authentication Policies**, click **Add a policy**.
7. Add your application to this policy, and edit the **Catch-all Rule** by setting it to deny access.
8. Add a new rule, and configure it so that the access is allowed, and the user must authenticate using Password / IdP + another factor.
9. For the **Possestion factor constraints**, set `Require user interaction`.
10. Set up the Authentication methods according to your requirements, and set it to allow at least password and email.
**Frequency of password** and other factors of authentication can be configured at the bottom.
**Note: To add additional conditions, such as limiting the eligible emails for sign up to a certain domain, add a custom expression in the **IF** section, such as `user.profile.email.substringAfter('@') == 'reversinglabs.com'`.**
Any failed attempts will create inactive user accounts in Okta's directory. An alternative involves [inline hooks](https://help.okta.com/oie/en-us/content/topics/automation-hooks/inline-hooks-main.htm?cshid=csh-inlinehooks), making the web service require additional filtering capabilities. This approach should not result in inactive user accounts.
## Customizing the Sign Up Screen
1. In **Customizations > Other**, you can change the error message for failed sign-up attempts, and other error messages.
2. In **Customizations > Brands**, you can configure the appearance of the screens, including the sign in screens and emails sent by Okta.
The sign up form inputs are configured in **Security > Profile Enrollment** by selecting the policy used for the application.
## Allowing Sign Up with other Identity Providers
In **Security > Identity Providers**, you can add a number of identity providers, including Microsoft IdP, Google IdP, and others. They can be assigned to certain applications through the **Routing rules** tab.
## User Management
User management can be done by using both fetch and delete methods through the API. To use the API, you need to generate an API token.
1. In **Security > API**, navigate to the Token tab to generate a new token.
### Fetching Users
Fetching all users assigned to the created application can be done via the `/api/v1/apps/:appId/users` endpoint.
```
GET /api/v1/apps/:appId/users
```
Path parameter:
- `appId`
- The ID of the application.
- Required
Query parameter:
- `expand=user`
- Find user accounts that did not fit the criteria for the sign up, but were still created and are inactive.
- Optional
#### Example
An example of a request to fetch all user IDs, their usernames, and statuses of the users assigned to the application.
```
curl "https://${OKTA_INSTANCE_URL}/api/v1/apps/${APP_ID}/users?expand=user" \
--header 'Authorization: SSWS ${TOKEN_VALUE}' \
--header 'Accept: application/json' | jq '.[] | [.id, .credentials.userName, ._embedded.user.status]'
```
Once the results are fetched, the `STAGED` status indicates that the user account was created, but the user has not yet activated it because they did not match the criteria for the sign up. You can take the IDs of these users and delete them.
### Deleting Users
Deleting users assigned to the created application can be done via the `/api/v1/users/:userId` endpoint.
```
DELETE /api/v1/users/:userId
```
Path parameter:
- `userId`
- The ID of the user to be deleted.
- Required
Query parameter:
- `sendEmail`
- If set to `true`, an email will be sent to the user notifying them of the deletion.
- Optional
#### Example
An example of a request to delete a user with the `STAGED` status.
```
curl -X DELETE "https://${OKTA_INSTANCE_URL}/api/v1/users/${USER_ID}?sendEmail=false" \
--header 'Authorization: SSWS ${TOKEN_VALUE}' \
--header 'Accept: application/json'
```
**Info: You will need to execute the request twice because the first request deprovisions the account, while the second request deletes it.**
---
## Discussion
The *Discussion* page displays the comments that have been added to a sample, either by the user who uploaded it or by other users. The appliance can also automatically add comments to a sample; for example, when a user manually changes its classification.
Users can add new comments and apply some basic formatting, as well as insert links into the comment text field.
Another way to access the *Discussion* page for a sample is to click the *Comments* entry in the expanded details view on the uploads page.
---
## Dynamic Analysis Results
Each dynamic analysis integration adds its own section to the Sample Details page. Depending on the service, you may find:
- Screenshots from the sandbox execution, with a gallery view and slideshow option.
- Dropped files and other artifacts (such as PCAPs and memory strings), available for download within the service's retention period.
- Behavioral and network indicators of compromise (IoCs), including URIs, IP addresses, and domains seen during execution.
- History of past analyses for the same sample, with the ability to download reports for each run.
- Interactive report tabs showing processes, network activity, file system changes, registry modifications, and other runtime behavior.
- Links to full reports in the service's native interface.
- Export options to generate HTML or PDF reports (where supported).
Dynamic analysis services must be configured by the appliance administrator. For more information, see the [Analysis Service Integrations](../dynamic-analysis.md) page.
---
## Extracted Files
The *Extracted Files* page allows browsing through the entire hierarchy of files extracted from a sample. Below the Extracted Files page link in the sidebar, all extracted files are broken down by their classification.
The Spectra Analyze performs recursive sample analysis where each file extracted from a sample is analyzed separately.
The “parent” file then inherits classification (for example, malicious) if the “child” file is deemed malicious. This is also known as **classification propagation**.
There are two views for extracted files:
1. Breadcrumb view.
2. Flat view.
Both views have options for filtering and exporting, while the flat view has additional filters (name, threat, and format).
The **Export** menu contains options to export the whole page or just the files extracted from a sample. For the **Selected** option to become available, one or more files on the page have to be selected.
To export multiple pages of results, browse pages one by one and manually export them.
Data can be exported as CSV, JSON or XML.
To copy only the file hashes for the desired set of extracted files, the menu contains options to copy SHA1, SHA256 and MD5 hashes to the clipboard. Hashes are delimited by a whitespace, so that they can be directly pasted into the search bar.
The exported file can contain one or more of the following columns. They can be enabled in the **Export** menu, under **Show more Export options**
- **Files** - the number of files extracted from a sample (if the sample is a container).
- **Format** - file format of each file in the results grid.
- **Name** - extracted file name
- **Time** - timestamp when a file was extracted
- **Threat** - detected threat name for malicious and suspicious files, formatted according to ReversingLabs Malware Naming Standard.
- **Size** - indicates the size of a file.
- **SHA256, MD5** - additional file hashes that can be included in the exported file. The SHA1 hash is always included by default.
The actions menu (☰) on the right contains options for downloading the sample, reclassifying and reanalyzing it, downloading unpacked files, downloading the top-most container of the selected file, and previewing the selected file (described in the [File Preview / Visualizations](./file-preview.md) section).
When one or more files are selected, another actions menu (☰) appears highlighted to the right of the *Size* column. The menu contains the *Apply tags* and *Subscribe/Unsubscribe* options that can be used on files individually or in bulk.
---
## File Preview / Visualization
There are several ways to preview a file:
- by clicking the “Preview / Visualizations” link in the persistent sample summary above the navigation sidebar
- from the Preview / Visualizations menu item in the sidebar
- by clicking the *View HEX* option in the actions menu (☰) for a file on the *Extracted Files* page
The file preview window contains three tabs: Hex, Structure and Entropy.
For samples that matched a YARA rule, the Hex tab displays a YARA Matches filter, allowing the users to see the exact parts of the file that matched a specific YARA rule. Matches can be filtered by ruleset, rule or matched value.
For supported image formats (PNG, JPG, GIF), an additional “View” will be present, allowing the users to preview the image. The appliance displays a warning message before allowing the image preview.
A similar principle applies for other supported file formats, such as text documents and some script languages, where the code is displayed and can be beautified in the “PREVIEW” tab.
The *Entropy* tab visualizes the amount of entropy per each section of the file. Entropy is used to express “randomness” of the data in a file, or to measure predictability of any character in the file based on preceding character distribution. It is measured in a scale of 1 to 8, where 8 indicates highest entropy (highest measure of randomness). Typical user data, such as text files, rarely exhibits true randomness. On the other hand, encrypted or compressed files have a high measure of entropy. Therefore, entropy can be used to detect encryption and compression in suspicious files.
The *Structure* tab visualizes the sections of a PE/PE+ file, such as PE header, Import table, and Overlay. It is possible to click the items in the list on the right (Virtual, Physical, Import table, Resource table…). Clicking an item redirects the user to the related section of the static analysis results (on the [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) page).
---
## Sample Details Page
## Types of Sample Details pages
The Sample Details page presents all the available information about a sample.
### Local
For local files, the information is collected from [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) static analysis results, Spectra Intelligence, dynamic analysis, and auxiliary analysis. Administrators can configure processing settings on the appliance (“Fast”, “Normal”, “Best”). This will impact which file formats will be fully processed and how much information will be presented for them.
### Cloud
For samples that are not local, the scope of information will depend on the information provided by Spectra Intelligence. This is usually a subset of what is available for locally available files: a section of static analysis results and Spectra Intelligence scanning results.
### Network Threat Intelligence
For URLs, domains and IP addresses, the appliance displays a different type of [sample details page focused on Network Threat Intelligence](./network-threat-intelligence.md).
Additionally, information displayed on the Sample Details page differs based on the file type and classification status of each sample.
## Accessing Sample Details pages
To access the Sample Details page for a sample, click the sample name in any of the following pages:
- Search > Local, Cloud and Network results
- Alerts
- YARA > Local and local-retro ruleset matches
The page consists of a navigation sidebar on the left and the main information area on the right. The sidebar can be collapsed or expanded by clicking the Show/Hide Panel button at the top of the sidebar.
At the top of the navigation sidebar, there’s a persistent short summary showing information such as file hash, predicted filename (if it exists), file size, file type and format, and the **Preview / Visualizations** link to open the [File Preview Dialog](./file-preview.md). If the predicted filename exists, it can be found right below the file hash.
The right section of the page is the main information area. Its contents change depending on the section selected in the navigation sidebar.
The navigation sidebar provides quick access to all parts of the analysis report. The sidebar sections are collapsed by default, unless the Sample Details page is accessed via a specific link targeting a section in the sidebar.
## Main Page Actions
When any item from the *File Analysis Detail* section is selected in the sidebar, the main information area will contain the following options in the top right of the page:
### Reanalyze
Opens a floating dialog where users can reanalyze the submission with static, dynamic, or Spectra Intelligence analysis services.
### Similarity
Contains advanced search pivot options to search for similar and [functionally similar](../search-page.md#analyzing-files-with-rha-similarity-algorithm) samples.
### Fetch & Analyze
*Only on cloud samples.*
Opens a dialog with analysis options for the user to choose from. Available analysis options are Static Analysis (always enabled and cannot be modified), Threat Intelligence (Spectra Intelligence), Cloud Sandbox (Dynamic Analysis), Interactive Analysis (interactive RL Cloud Sandbox session) Auxiliary Analysis, and Integration Analysis. This option will download the sample from the Spectra Intelligence cloud and analyze it locally on the appliance. If the sample is not available for download, the button will be disabled.
### Actions Button
Depending on the [type](#types-of-sample-details-pages) of page, different choices are available.
[Local](#local) samples:
- PDF:
- **Create PDF** option exports the whole *Summary* page as a PDF file.
- **Export PDF (Short)** exports a shortened version, with the current [layout](#layouts-).
- Downloading samples (both extracted files and original samples) always uses ZIP archives (optionally password-protected, compatible with modern ZIP tools such as `unzip` 6.00+, Python's `zipfile`, 7-Zip, or `bsdtar`).
- Sample management options:
- editing classification or tags
- subscribing and unsubscribing
- deleting the sample
PDF reports have a retention period of 30 minutes and will not reflect changes that happened after they were generated. If a sample’s classification changed after the PDF report was already created, users must wait for the retention period to expire before requesting it again or use the [PDF Report API](../API%20Documentation/pdf-report-api) endpoints to immediately generate and download an updated PDF report.
**Warning: Because some PDF viewers automatically convert all strings with an `http[s]*` schema into clickable hyperlinks, it is not recommended to click any links in the generated PDF as they may lead to malicious content.**
[Cloud](#cloud) samples:
Only subscribing and unsubscribing is available.
[URLs](#network-threat-intelligence):
- Reanalyze
- Download options:
- Payload: scraped content (if you used *local analysis* when submitting the URL).
- Screenshots and dropped files: OS artifacts taken from [Analysis Service Integrations](../dynamic-analysis#reversinglabs-cloud-sandbox). The artifacts are in a 7z archive (password: `infected`).
### Layouts ⚙
**Info: This button is available only on local samples.**
Click ⚙ and, from the drop-down list, select one of the preconfigured layouts of the report summary page. Optionally, click **Manage Layouts** to edit the existing layouts or create your own.
For more information, see [Layouts Editor](/SpectraAnalyze/Administration/users-personalization/layouts-editor/).
-------
---
## Network Threat Intelligence Page
The Network Threat Intelligence sample details pages are reserved for URLs, IP addresses and domains. They can be accessed by clicking any submission in the Network tab on the Search & Submissions Page, by clicking the Network Threat Intelligence link in the Sample Summary header of samples that correlate to some network resource, or by clicking the Network Threat Intelligence link that is displayed in the search box if the search query contains a single URI.
The report summary section is an overview of all information available for a specific network resource, with additional information accessible using the sidebar menu.
**Info: If Spectra Intelligence is unreachable, misconfigured, or not configured, the Network Threat Intelligence page displays a corresponding error message indicating the issue. Ensure your Spectra Intelligence account is properly configured to access network threat intelligence data. For more information, see [Spectra Intelligence configuration](../../Administration/configuration-update/configuration#spectra-intelligence).**
The Network Threat Intelligence sidebar menu section contains the following items:
- URL Analysis
Contains the top threats found on the URL, as well as historical data for that URL. This data comes from the ReversingLabs [Network Threat Intelligence API](https://docs.reversinglabs.com/SpectraIntelligence/API/NetworkThreatIntel/tca-0403/).
- Domain Analysis
Contains the top threats found on the domain, as well as historical data for that domain. This data comes from the ReversingLabs [Domain Threat Intelligence API](https://docs.reversinglabs.com/SpectraIntelligence/API/NetworkThreatIntel/tca-0405/).
- IP Analysis
Contains the top threats found on the IP address, as well as historical data for that address. This data comes from the ReversingLabs [IP Threat Intelligence API](https://docs.reversinglabs.com/SpectraIntelligence/API/NetworkThreatIntel/tca-0406/).
- Screenshots & DOM
The Screenshots & DOM section shows the raw Document Object Model (DOM) of the analyzed page, a list of extracted links grouped by type (link, script, image, other), and a screenshot of the page as it appeared during analysis. This allows users to review both the underlying code and the rendered view in a single place.
In addition to network threat intelligence, users can also inspect previous ReversingLabs Cloud Sandbox dynamic analysis results, submit the network resource for (re)analysis, or interact with related files.
---
## Sample Details Summary
## Report Summary
The **Report Summary** page highlights the most interesting information from the sample analysis report. It contains several sections with links to more detailed information. Some parts of the page (e.g. threat name, file format, etc.) are clickable links that, when clicked, automatically perform search queries.
The information on the Summary page will be different for every sample analyzed on the appliance, depending on the file type and classification status.
For more information on interpreting the Sample Summary page, see [Interpreting analysis results](../index.md#interpreting-analysis-results).
### Report Summary Header
The sample summary landing page starts with a header section. It is colored according to the sample’s classification, and it contains the most important information about the analyzed file.
#### Risk score and threat name
These tiles show the final classification of the sample. If a sample is goodware, its risk score will be in the 0 - 5 range. For suspicious and malicious files, the risk score will be in the 6 - 10 range. Risk scores depend on the severity of the threat. Read about the [ReversingLabs classification algorithm and risk score](/General/AnalysisAndClassification/Classification/#risk-score).
Threat names follow our [malware naming standard](/General/AnalysisAndClassification/MalwareNamingStandard). Clicking the name scrolls the page down to the Threat Intelligence block with detailed info on the Threat family and actor and links to advanced search and external articles. If the threat is associated with a specific actor, that actor is displayed below the threat name.
#### Classification Reason
The ReversingLabs classification algorithm uses a number of techniques and classifiers to detect threats. This tile shows the classifier that caused the final classification of the sample. More information about classification reasons can be found in the [Threat Classification Descriptions](./threat-classification-sources.md#threat-classification-descriptions) section.
The list of classification reasons can be expanded by enabling the [Risk Tolerance](../Appendix/risktolerance.md) preview feature. When Risk Tolerance is enabled, a header indicator will display **"Risk Tolerance: Low"** to inform users when classification results are influenced by Risk Tolerance.
#### Detections
Shows the number of Community Threat Detections and YARA matches for the sample. Click the tiles for more information.
#### Community Threat Detections
The number of community threat detections for this sample.
#### YARA Matches
The number of YARA rulesets that matched this sample. Visit the [YARA](../yara.md) chapter for more information on using YARA for threat hunting on Spectra Analyze.
---------
Below the header, the page displays a list of available or configurable analysis methods for the sample. Methods can be clicked to open a menu with more details or analysis options.
The method responsible for the sample's classification is highlighted in the final classification color and labeled as (decisive). Not all analysis methods can be decisive for the final sample classification. These are indicated by a (i) tooltip icon saying "Does not impact final classification."
Analysis methods that are configured but not yet performed display an Analyze button, while unconfigured methods offer a link to their configuration page.
### Customizing the Report Summary page
The remainder of the report summary page contains **data blocks**. Each data block contains a shortened report for a specific subject, such as sample attribution and threat intelligence, relationship graphs, or static analysis insights. The layout of data blocks is [configurable](/SpectraAnalyze/Administration/users-personalization/layouts-editor/).
When you hover over the title of a data block, a short explanation is presented in the tooltip.
## Sample Details
The **Sample Details** report section is broken into multiple tabs containing more information about the sample. Tab sections containing a large amount of entries will be paginated, and can be navigated using the arrow buttons in the top right corner of the section.
### Sample Details (tab)
**Tags and Uploads** - lists a sample’s System and User Tags. Clicking the *Add* link opens a dialog where it is possible to add tags to the sample. Each tag is clickable and, when clicked, automatically performs a search query for samples based on the selected tag.
**Capabilities** are displayed as a horizontal bar with icons, but only for supported file formats.
The same information can be found in the *Static Analysis > FileType > Capabilities* section.
**Hash values** for the sample. Hovering over any of the hashes displays a button to copy the hash to clipboard.
SHA1 and SHA256 are shown by default, and the section can be expanded to show the remaining hashes (MD5, IMPHASH, SHA512, SSDEEP, TLSH). Hovering over hash values displays a tooltip button that can be clicked to copy the hash to the clipboard.
**Malware Description / Sample Description** shows a short textual summary (“Storyteller”) that describes the sample’s properties in a user-friendly language. The Storyteller can contain links provided by [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis). Each link leads to the Search & Submissions page, automatically performing a search query for samples based on the selected IOC. Links are also part of the exported PDF report (except those leading outside of the Spectra Analyze instance).
**Show AI Summary** button provides an LLM-generated overview covering the sample’s behavior, classification, and an executive summary. This feature is disabled by default. Contact [ReversingLabs Support](mailto:support@reversinglabs.com) to enable it.
In addition to the Storyteller, this section contains the same malware family/type description from the Threat Intelligence Cards on the Advanced Search results page. Clicking the See Full Details link in the section header opens the Advanced Search results page for the sample’s threat name.
If a sample is not malware, this section is titled Sample Description, and does not contain threat intelligence information about malware type or family. Storyteller text is present in all cases.
**Comments**
This section displays comments that have been added to a sample, either by the user who uploaded it or by other users. The appliance can also automatically add comments to a sample; for example, when a user manually changes its classification.
### How We Caught This
**Prevalence**
The graphs in the *Prevalence* section track the history of malware detections for the sample. The first graph, *Threat Reputation Scans*, shows the percentage of Threat Reputation scanners that have detected the malware over time. The *Malware Prevalence* graph shows how many overall samples have been detected as belonging to the malware family over the last N months, with the total number of unique samples shown underneath it. Hovering over the dots in the graph displays the exact dates and the amount of detections for each date. The *Total* amount displayed below the graph refers to the current month.
The *Uploads* list shows the users who have uploaded the sample, and the number of times the sample has been uploaded. Clicking the number redirects to a search results page with all upload records of this particular sample.
The next part of the *Summary* page contains information about malware prevalence and the results of the RHA File Similarity ([RHA File Similarity](../search-page.md#analyzing-files-with-rha-similarity-algorithm)) analysis, extracted files and the timeline.
**File classifications** - displayed for samples that have been classified as suspicious or malicious. The *Threat Name* information indicates which threat names and classification statuses the sample has received from which classifier. The *File* information indicates the files within the sample that have been classified with each status and threat name. Clicking a link under *File* opens the Sample Details page for the selected file.
**Extracted Files**
The *Extracted Files* section displays the information about the number and type of file(s) extracted from the sample. If a sample has no extracted files, this section is not displayed at all. If there have been issues while extracting the file, this is indicated by “Failed” and “Partial” status labels on the right side.
**Additional sections**
Additional sections may be present on the *Summary* page depending on the metadata extracted from the sample during analysis:
- **Files with indicators**
- **Files with signatures**
- **Files with descriptions**
- **YARA matches** - displayed if the sample matches any of the YARA rules on the appliance.
- **Network references** - samples analyzed by dynamic analysis services can have a *Network connections* section. Clicking any link in the *File* column redirects to the *Interesting strings* section of the file associated with that network reference.
- **Embedded scripts** - offers quick access to the contents of scripts found in the sample. The “eye” icon next to each script opens the floating [File Preview dialog](./file-preview.md). Clicking any of the links (embedded script names) in the *File* column opens the Sample Details page for that script.
- **Malware configurations** - samples with detected malware configurations will have a section with URI stats. Clicking any of the URIs opens the search results page for that URI.
### Analysis Results
**ReversingLabs Analysis** is a collapsible table showing an overview of sample processing activities and results.
The table records and displays the last time when the sample was (re)analyzed by ReversingLabs services - Static Analysis (Spectra Core), Threat Intelligence (Spectra Intelligence) and the ReversingLabs Cloud Sandbox (dynamic analysis).
The method that resulted in the final classification of the sample will be highlighted in the appropriate classification color and marked as the **Decisive Classification Reason**.
This table is collapsed by default, unless processing is still taking place, the sample is missing Spectra Intelligence results, or there is a special point of interest like the sample classification coming from a Local / Spectra Intelligence user override, an extracted file or from goodware overrides.
When applicable, these special/additional classification reasons will be highlighted in a colored bar at the top of the table.
Depending on the current status of the sample and the last analysis time, the table will offer useful suggestions, indicators and possible error messages. For example, it will display a message if Spectra Core was updated to a newer version since the last analysis, if the sample might have outdated Spectra Intelligence classification data, or if the file type is not supported by the Cloud Sandbox.
The far right of the column contains context-dependent buttons for reanalyzing the sample, uploading it to the cloud, or accessing the Spectra Intelligence configuration page. Sample classification can be manually changed by clicking the **OVERRIDE** button in the top right corner of the table. See [Setting Custom Classifications](./threat-classification-sources.md#setting-custom-classification) for more information.
If the appliance detects a possible discrepancy between the Spectra Core and Spectra Intelligence classification results, it will automatically submit the sample for reanalysis. This functionality is available only when the *Enable ReversingLabs File Reputation* option is active in **Administration ‣ Configuration ‣ Spectra Detect Processing Settings**. The classification will not necessarily change after reanalysis.
Keep in mind that samples previously processed by Spectra Intelligence will still retain their analysis result in the table even after Spectra Intelligence configuration is disabled on the appliance
**Integrations Analysis** is a collapsible table showing an overview of dynamic analysis services and results. Items in this section do not affect the final classification of the sample, but can be useful as additional sources of metadata.
The table records and displays the last time when the sample was (re)analyzed by integrated dynamic analysis services, if any are configured. The far right of each table row contains context-dependent buttons for reanalyzing the sample or, if the service is not configured, accessing the configuration page for the respective service.
**Classification Timeline**
The *Timeline* provides a historical overview of activities performed on the sample. It records the dates when the sample was first seen by Spectra Intelligence and on the local appliance, when it was classified by Spectra Core, (re)analyzed by static or dynamic analysis services, and more.
### Attribution Data
The Attribution Data page provides comprehensive threat intelligence about the malware family associated with the analyzed sample. This page offers deeper insights into the threat's origins, behavior, and related indicators.
**Important: The information on this page is predominantly LLM-generated, indicated by the star icon next to the section title. Review the information for accuracy before relying on it.**
The page is organized into several sections:
#### Malware Family
Core identification details including threat name, aliases, first/last seen dates, current version, packer information, targeted operating systems, and industries.
**Detection Statistics** - Weekly ranking, total detected samples, and week-over-week detection trends.
**Top File Types** - Distribution of file formats commonly used by the malware family (e.g., PE executables, DLLs, archives, Office documents).
**Malware Family Prevalence** - timeline graph showing detection activity over the past six months.
**Threat Description** - A detailed narrative explaining the malware's history, capabilities, infection vectors, persistence mechanisms, and communication protocols.
**References** - External sources and research publications for further reading.
#### Sample Attribution
This LLM-generated section maps the sample to known threat actors and campaigns:
**Actor Name** - The threat actor or group attributed to the malware.
**Campaigns** - Known malicious campaigns associated with the sample.
**Victims** - Targeted entities or sectors.
**Vulnerabilities** - CVEs or weaknesses exploited by the malware.
**Sources** - Intelligence sources supporting the attribution.
#### Actor Insights
- Actor description and operational history
- Aliases used across different threat intelligence vendors
- Country of origin (if known)
- Group type (e.g., cybercrime group, APT)
- Known tactics employed by the actor
#### Actor Related IOCs
A table listing indicators of compromise (IOCs) linked to the actor, including IP addresses, domains, and other artifacts. Each entry shows the indicator name and its type.
#### Actor Related Campaigns
A table of campaigns attributed to the actor. Each campaign can be expanded to reveal additional details:
- **Date** - When the campaign was active.
- **Techniques** - Tactics and techniques used during the campaign.
- **IOCs** - Associated indicators including hashes, URLs, IPs, and domains.
#### Actor Related TTPs
A table of tactics, techniques, and procedures (TTPs) associated with the actor. Each entry includes:
- **Name** - The technique or tool identifier.
- **Description** - How the actor employs the technique.
#### Related Vulnerabilities
A list of vulnerabilities exploited by the actor. Each entry shows the CVE identifier and a brief description of how it was used.
#### Referenced Actors
Connections to other threat groups.
#### Sources
Intelligence reports and documentation used to generate the attribution data.
### Network References
The network references tab contains all URLs, IP addresses and domains found *in relation* to the sample. This includes network locations that the file attempted to visit during a dynamic analysis run, IP addresses found inside the sample during static analysis, as well as places where the URL was found (sources).
### MITRE ATT&CK
**MITRE ATT&CK** is a section mapping indicators detected by Spectra Core to MITRE threat IDs. This section can be displayed for all samples regardless of their classification status (malicious / suspicious / known / no threats found), as long as they have indicators that can be appropriately mapped to the ATT&CK framework. Samples without indicators will not have this section on their Sample Details page at all.
The section lists MITRE tactics in the table header. MITRE techniques are grouped under each tactic. Every technique can be clicked to show Spectra Core indicators mapped to it (which can then be clicked to run an Advanced Search for samples with those same indicators). The table can be further filtered to show all techniques or just the detected ones, and technique IDs can be either displayed or hidden.
---
## Sources
The *Sources* page displays different types of sources for the selected sample. Sources are categorized into four tabs, each tab showing relevant information about the origin of the sample. The Spectra Intelligence tab shows a list of all locations from which the sample was retrieved, as well as time and date of retrieval. If available, it also shows additional information about the sample, such as versions or descriptions. The Network References tab shows a list of all locations from which the sample was retrieved, and the Relationships tab shows the top-level containers and direct parents that contain the relevant sample.
---
## Spectra Core - Static Analysis Results
The *[Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis)* page visualizes the static analysis report for every sample. The information is organized into sections which can be expanded using the accordion menus. The amount of information and the available sections vary based on file type.
## File information and statistics
The *Info* section displays basic information such as file type, predicted filename (if it exists), file size, and entropy; file validation; the set of hashes computed for the sample; as well as statistics about other files contained within the original sample.
If there are any errors or warnings detected during sample analysis, they are listed as individual entries in this section.
## File type-specific information
This section contains detailed information about the sample based on the metadata extracted by Spectra Core. As the name implies, the information in this section depends on the file type of the sample.
In the example of an Application (Portable Executable), the following information may be included:
### Identity
Application identity takes whitelisting and certificates into consideration and labels applications with their correct software versions. It removes the ambiguity left by source and certificate whitelisting as it can pinpoint the exact software release. Furthermore, it can identify the correct identity for software that isn’t typically signed or published on a reputable source.
### Capabilities
Capabilities are actions the sample can perform without executing an application. Insight into capabilities is obtained exclusively through static analysis of the sample.
**Tip: To find samples that exhibit specific capabilities, use the **tag** keyword in [Advanced Search](../advanced-search.md). For example, *tag:capability-cryptography* will find samples that can encrypt data. Consult the [full list of supported tags](../advanced-search.md#supported-tags).**
### Analysis
Shows the security grade and detected security issues for the analyzed sample. Depending on the security issues, the sample can get one of the following grades:
- Grade A. Best security grade. The application follows the latest standards and policies.
- Grade B. Good security grade. The application has sufficient security mechanisms implemented, but does not have all the latest features enabled.
- Grade C. Minor security issues detected. The application has some security mechanisms implemented, but is not considered safe to use in all environments.
- Grade D. Major security issues detected. The application should only be executed in secured environments.
- Grade E. Major security issues detected. The application should only be executed in highly secured environments.
- Grade F. Major security issues detected. Consider the application unsafe to run.
### DOS Header
Historical header that serves as a pointer to the *File Header* through *e_lfanew* entry.
### File Header
Important entries in the *File Header* include:
- Machine - target architecture for which the PE file was compiled
- Time Date Stamp - date when the PE file was compiled
- Characteristics – PE file attributes
- Number of Sections, Number of Symbols
### Optional Header
Describes elements such as import and export directories that make it possible to locate and link DLL libraries. Other entries provide structural information about the layout of the file, such as the alignment of its sections.
### Sections
Describes each of the sections making up the file. Sections can contain code, initialized and uninitialized data, resources and any other data.
The following information may be of particular interest to malware analysts:
- Flags show whether the section contains executable code, can be read from, written to or has other properties
- Hashes can be used to correlate with other files
- Entropy can show if a section is encrypted or compressed
**Note: **Physical Size** does not always match the raw size value in the PE header section. It is derived from actual loader behavior and the resulting bytes of the file as loaded into memory.**
Section hashes are calculated using the Physical Size, which may differ from hashes computed with the raw size.
### Imports
Contains an array of import directory entries; one entry for each DLL to which the file refers. Every entry can be expanded to reveal the list of symbols that are being imported.
### Resources
Indicates what resources the file contains, together with all the details about them (such as type, language, and whole resource data hashes).
The language can be an indicator of the machine locale settings used by the person who developed and/or compiled the file. Hashes can be used to look up and correlate which files contain the same resources.
Additional information can include **version info, dynamic libraries, symbols, segments**, and more, depending on the file type.
If the sample is an email message, the sections can include information about from, sender, and reply-to email addresses, email message subject and headers, as well as attachments (if there are any).
If the sample is an image, EXIF metadata will be extracted and included in the sections (for example, camera make and model).
For mobile applications, the sections can include information about the application package, activities, services, receivers, and permissions. Currently supported mobile platforms are iOS, Android, and Windows Phone.
### Software Packages
Relevant information for files recognized as software packages, which are archive files containing an assortment of individual files or resources and related metadata (such as name, vendor, version number, version number) that work together to provide users with a particular functionality.
For the full list of supported package formats, refer to [this article](https://docs.secure.software/concepts/language-coverage).
## Signatures
The *Signatures* section contains tabbed information about signatures, digital certificates and their validation states reported by the Spectra Core engine, including the certificate trust chain with signer and counter-signer details. The chain of trust starts with a certificate authority and ends with the signer. Clicking any of the individual elements in the signer/counter signer chains will show more detailed information below. In case there are multiple signatures found, results will be paginated.
Spectra Core supports classifying samples based on digital certificate blacklists and whitelists. By default, it provides more than 300 CA (Certificate Authority) certificates in its certificate store. The certificate store is a set of trusted CA certificates imported from sources such as Microsoft Windows, Mozilla Firefox, and Apple, which are included in Spectra Core and, by extension, in the Spectra Analyze system.
Samples classified on the basis of their certificates receive the “Classified by Digital Certificate” [threat description](./threat-classification-sources.md#threat-classification-descriptions).
Spectra Analyze also provides information about certificate status. Check the **Sample Details > Static Analysis > Info > Validation** section to see how Spectra Core validated the certificate(s) for a sample.
| Certificate Status | Detailed Status Description |
| --------------------------- | ------------------------------------------------------------ |
| **Valid certificate** | Any certificate with an intact digital certificate chain that confirms the integrity of the signed file. The hash within Signer Info matches the hash of the file contents. |
| **Invalid certificate** | Any certificate with an intact digital certificate chain, but for which the certificate chain validation failed due to other reasons (e.g. because of attribute checks). Without a valid digital certificate chain, the integrity of the signed file cannot be validated. |
| **Bad checksum** | The integrity of the signed file could not be verified, because the hash within Signer Info does not match the hash of the file contents. |
| **Bad signature** | Any certificate with an intact digital certificate chain, but for which the signature validation failed. Without a valid signature, the integrity of the signed file cannot be validated. |
| **Malformed certificate** | Any certificate that does not have an intact digital certificate chain. The digital certificate is corrupted or incomplete, but that doesn’t mean the file is also corrupted. Without a valid digital certificate chain, the integrity of the signed file cannot be validated. |
| **Self-signed certificate** | A self-signed certificate is a certificate that is signed by the same entity whose identity it certifies. In other words, this is a certificate that is used to sign a file, but is its own CA (certificate authority), and doesn’t have a CA that issued it. If CA information is present, but not found within the Spectra Core certificate store, the CA will be considered plausible and files signed with it will be declared valid (i.e., they will not be considered as self-signed). |
| **Impersonation attempt** | Any self-signed certificate is a candidate for an impersonation check. Impersonation means that the signer is trying to misrepresent itself as a trusted party, where “trusted party” is defined by the certificate whitelist. Any self-signed certificate that matches the common name of another certificate on the Spectra Core whitelist is marked as an impersonation attempt. |
| **Expired certificate** | Any certificate with signing time information is checked for expiration. When the time on the local machine indicates that the certificate has passed its “valid to” date and time, the certificate is considered expired. The “Expired” certificate status is merely informative, and expired certificates cannot influence certificate classification. |
| **Untrusted certificate** | Any valid certificate for which the digital certificate chain cannot be validated against a trusted CA. Untrusted certificates are valid certificates, but they cannot be whitelisted because their chain does not terminate with a CA in the Spectra Core certificate store. |
**Tip: To find samples by their certificate status, use the **tag** keyword in [Advanced Search](../advanced-search.md). For example, *tag:cert-invalid* will find samples signed with invalid certificates. Consult the [full list of supported tags](../advanced-search.md#supported-tags).**
## Indicators
Indicators are extracted by Spectra Core during static analysis and displayed as human-readable descriptions of sample behavior. There are many indicators that are common in regular applications, like opening files, writing to files, and so on. The full list of indicator IDs and their descriptions can be found [here](/General/SpectraCore/indicators/). The *Indicators* section shows what a sample is capable of doing, with more significant indicators listed first.
If static analysis indicates that an application contains an encrypted executable or that it is capable of accessing passwords, those indicators will get much higher priority than if the application can just open files. The former indicators are more important in this context and not common at all in legitimate applications. Therefore, they will be listed before other indicators.
Spectra Analyze displays special icons next to indicators that contributed to the final classification by a Machine Learning model. This applies only when Machine Learning is among the engines that classified the file, and is limited to Worm, Ransomware, Keylogger, and Backdoor (RAT) malware types. This indicator is not be displayed if classification is propagated, or if Machine Learning is not on the list of engines used to classify the sample.
**Tip: To find samples with specific indicators, use the **tag** keyword in [Advanced Search](../advanced-search.md). For example, *tag:indicator-macro* will find samples that contain or execute macros. Consult the [full list of supported tags](../advanced-search.md#supported-tags).**
## ATT&CK
The ATT&CK section maps indicators detected by Spectra Core to MITRE threat IDs. This section can be displayed for all samples regardless of their classification status (malicious / suspicious / known / no threats found) as long as they have indicators that can be appropriately mapped to the ATT&CK framework. Samples without indicators will not have this section on their Sample Details page at all.
MITRE tactics are listed as table columns, and MITRE techniques are grouped under each tactic. Every technique can be clicked to show Spectra Core indicators mapped to it.
The same technique can be listed under multiple different tactics.
The mapping is limited to indicators that Spectra Core can detect with static analysis, so it does not cover the full range of MITRE tactics and techniques, but only a subset of it.
Buttons above the table can be used to filter Techniques to only those that were triggered, and to show or hide technique IDs.
## Classification
If the sample has been classified, this section shows its status and a list of scanners that determined the classification.
If the sample has been classified by a YARA rule, this section contains the relevant YARA ruleset metadata.
More information on sample classification can be found on the [Sample Details Summary](./sample-details-summary.md) page.
To find out more about classification methods and reasons, consult the [Threat Classification Descriptions](./threat-classification-sources.md#threat-classification-descriptions) chapter.
## Protection
Shows the protection features with which this file was compiled, and other protection mechanisms that were detected while analyzing the file (such as cryptographic or compression algorithms).
## Strings and Interesting strings
Spectra Analyze extracts all strings from samples and separates *Interesting strings* into their own section. Strings are considered interesting if they contain information related to network resources and addresses (for example IP addresses, HTTP, HTTPS, FTP or SSH). Interesting strings are usually found in binary files, documents and text files.
If available, reputation statistics are displayed next to URIs in the *Interesting strings* section.
In both sections related to strings, results can be searched with regular expression patterns and filtered by string length for more dynamic hunting.
Additionally, Interesting Strings can be filtered by category (all, http, https) and by classification (all, malicious, suspicious, goodware, no threats found).
Strings can be filtered by their origin.
- CARVED - String is generically extracted from the file.
- TABLE - String is found within a file format specific strings table.
- DEEP - String is found within a compressed part of the file or a non-offset accessible location.
Any of these strings can be deemed human readable by a ML model. This filter is available as a separate button.
Very long strings can exceed the display length and appear as if they are cut off. To see the entire string, click the **Show more** button.
## Tags
When Spectra Core analyses a file, it assigns it different [tags](../tags.md) which help when searching for specific capabilities.
## Email
If the analyzed file is an email, the structure extracted by Spectra Core will be presented on this page. This includes email headers (subject, sender, date...).
The content of the email itself is available on the [preview page](file-preview.md).
The attachments are available in the [extracted files](extracted-files.md) section.
---
## Threat Classification Sources
In addition to classification from the [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) engine included in the Spectra Analyze appliance, the threat classification for samples comes from either the Spectra Intelligence service or an on-premises T1000 File Reputation Appliance.
Appliance administrators should configure access to the desired reputation service (Spectra Intelligence or T1000) via the [System Configuration](/SpectraAnalyze/Administration/configuration-update/configuration/) page. **Only one of those services should be configured, not both. If both are configured, the T1000 service will be used by default.**
If the appliance is not connected to the Spectra Intelligence or to the T1000 appliance, then no classification or AV scan information (malicious, suspicious, known) will be present. However, classifications will still come from Spectra Core (RHA1, signatures and so forth), which is locally installed on the appliance.
When either the Spectra Intelligence or the T1000 reputation service is properly configured, the sample threat status will incorporate data from Spectra Core and from the configured reputation service.
## Threat Classification Descriptions
The following is a list of all possible classification reasons a sample can have. The classification reason specifies which technology detected this threat. It is visible on the [landing page of the Sample Summary page](./sample-details-summary.md) and in the expanded row on the Search & Submissions page. Files will usually have multiple detections from more than one classifier, but the classification reason tile on the Sample Summary page always shows the one that produced the final classification.
**Note: The list of classification reasons can be expanded by enabling the [Risk Tolerance](../Appendix/risktolerance.md) preview feature.**
### **Classified by: Threat Reputation**
The sample was classified by the Threat Reputation scanner.
### **Classified by: Certificate Validation**
Digital signatures include a file integrity validation hash. Validating digital certificates is a multi-step process. Valid certificates have a properly formed digital certificate chain and pass file hash integrity validation. Spectra Core detects signed file tampering and is capable of detecting signer impersonation, certificate malformation and content modification. Failing to comply with any of these checks will classify the file as at least suspicious. The displayed threat name will reflect the detected type of the tampering attempt. When a self-signed certificate is trying to misrepresent itself and emulates a trusted certificate, the displayed threat name will be `{Platform}.Certificate.Impersonation`. On the other hand, when a file fails integrity validation, the threat name can appear as `{Platform}.Certificate.Invalid` or `{Platform}.Certificate.Malformed`. In case of valid signing time, with signature that is created after signing certificate is already expired or revoked by Certificate Authority, threat name will be `{Platform}.Certificate.SignedAfterExpiration` and `{Platform}.Certificate.SignedAfterRevocation` respectively.
### **Classified by: Threat Signature**
Rules, Indicators, Classifications and Capabilities (RICC) is an offline database that applies static analysis rules to analyzed content. Part of its responsibility is to classify files based on signatures and unique metadata properties found only in malicious files. Two such classification technologies are deployed through RICC. Byte Pattern Matches as signatures that detect known threats, and Malware Artifacts Classifier that looks at the metadata for malware clues. Both of these technologies correlate the detection to a named threat. In terms of classification, they are the most specific detection technologies within the engine, and are reserved to be used only for precise threat detections.
### **Classified by: Format Structure**
The sample was classified based on the format structure of the file determined by Spectra Core. Spectra Core contains a large collection of file format parsers. Some file formats are used exclusively by malware, while other, “legit” file formats, can be structured in a suspicious manner. Samples containing those file formats receive this classification.
Unlike file or threat reputation results, this classification method is not constantly updated. New information and signatures for this method can only be obtained by updating the entire appliance to a new release.
### **Classified by: Email Contents**
Email messages are stored in structured file formats. This encapsulation includes email headers, message body and a number of attachments. Any of these components can be malicious and therefore needs to be inspected. Email headers are checked for identity misrepresentation that relates to phishing and BEC attacks. Message bodies are inspected for URLs that could lead to phishing and malware downloads. Attachments are decomposed through static analysis in search for malicious code. Additionally, any attached file is also inspected for embedded URLs that themselves are checked for malicious intent. When this technology detects phishing, it will name the threat as `Email.Phishing.{ServiceName}`. The following services can be identified: Adobe, Amazon, AmericanExpress, Apple, BankOfAmerica, ChaseBank, DocuSign, Dropbox, Ebay, Facebook, Google, LinkedIn, Microsoft, Netflix, PayPal, Twitter and WhatsApp. If the email was detected as malicious due to embedded URL, the threat name can appear as `Email.Hyperlink.Homoglyph`
### **Classified by: Exploit Signature**
During engine analysis, parsed format structure is validated and any departures from specification are reported. Detected malformations are automatically mapped back to exploits that are known to abuse format parsing bugs. Exploit detectors are a special kind of signature detection. They are implemented individually for each supported format, and are made to detect known exploits. Exploit detection is available for images, documents, archives and mobile application package formats. When an exploit is detected within an image format, the reported threat name can be `{Platform}.Exploit.CVE-{ID}`.
### **Classified by: File Contents**
During automated file extraction, the supported formats are decomposed recursively. Unexpected format combinations can be discovered during extraction. For example, documents and multimedia files should never embed executable files. If such unusual format combinations are discovered, the engine will declare those files as suspicious with the following threat name: `{Platform}.Format.Content`.
### **Classified by: Explainable Machine Learning**
Machine learning is a predictive detection technology. Explainable Machine Learning, a concept unique to ReversingLabs, bases its classification on the principles of expandability, transparency and relevancy. Based solely on human readable indicators, machine learning models detect specific threat types and can differentiate between threats and benign files. When the machine learning model predicts that a threat type falls into a recognized category, it will name the threat as `Win[32|64].{ThreatType}.Heuristic`. However, if the model is certain that the file is a threat, but can’t place it into a threat category, it will name the threat as `Win[32|64].Malware.Heuristic`. Machine learning models are made to detect Windows executable and fileless malware types.
### **Classified by: File Similarity**
ReversingLabs Hashing Algorithm (RHA1) is a proprietary functional file similarity algorithm. It is primarily designed for executable formats, and as such it is specifically implemented for each supported format. RHA1 converts functional file features, both the code and its layout, to four precision level hashes. Each precision level represents a 25% increase in similarity between files that share the same hash at the same precision level. Lowest precision is 25% and highest is a 100%. Spectra Core comes with an offline database of blacklisted RHA1 hashes. This technology is capable of detecting polymorphic threats and their variants. Even though threats are detected based on similarity, they are still named after the threat the file is most similar to.
### **Classified by: Embedded HyperLink**
Many file formats enable active linking to content hosted on remote servers. These are commonly referred to as hyperlinks or uniform resource locators (URL). Since the active content is on a remote server, it can change at any time. However, some URLs themselves do contain information that helps to infer the content type to which they are pointing to. With static analysis, Spectra Core can detect various kinds of deceptive links without visiting the content targeted by the URL. Attacker techniques such as typosquatting, domain spoofing, and homoglyphs are detected for more than 5000 popular websites. In addition to deceptive links, the solution includes an offline database of blacklisted domains and known malicious URL patterns. When the engine finds an embedded link that points to a blacklisted domain, it will name the threat as `{Platform}.Hyperlink.Blacklisted`.
### **Classified by: Goodware Override**
Any files extracted from a parent and whitelisted by a high trust certificate, source or user override can no longer be classified as malicious or suspicious. Goodware Overrides propagate from parents to children. The goodware overrides will not apply if the extracted file is found by itself (for example, if an extracted file is rescanned without its container).
### **Classified by: Extracted Files**
The classification of certain samples originates from children samples extracted during analysis. It propagates from children to the parent, for example from a malicious executable file to the zip archive where it originated from. If this is the case, the description beneath the classification will highlight that it was based on an extracted file.
### **Classified by: YARA Rule**
The sample was classified based on YARA rules provided by ReversingLabs or by the user.
### **Classified by: NextGen Antivirus**
Sample was classified by an antivirus engine considered to be next-generation, such as those that use machine learning.
### **Classified by: File Reputation**
The sample was classified by Threat Intelligence Database. It can be obtained from a trusted source, or it was unpacked from the file originating from a trusted source.
### **Classified by: User Classification**
The sample has been manually classified locally or in the Spectra Intelligence cloud, overriding any classification from ReversingLabs. Local classifications only apply to the Spectra Analyze instance they are set on, while cloud overrides get synchronized to other ReversingLabs appliances using the same Spectra Intelligence account and to other cloud accounts with the matching company username segment (u/**company**/user)
### **Classified by: Spectra Core Classification**
The sample was classified by the Spectra Core static analysis engine.
### **Classified by: Certificate Reputation**
Applications, archives, documents and software packages can all be digitally signed. These signatures guarantee integrity and certify the origin of the content they are signing. Spectra Core comes with a customizable list of signers, or identities, that own recognized certificates. These identities can be added to either the Spectra Core certificate blacklist or whitelist. The former will declare signed content as malicious, while the latter will classify analyzed content as goodware. When a file is declared to be malicious due to a blacklisted certificate, the threat name will be displayed as `{Platform}.Certificate.Blacklisted`
### **Classified by: Sandbox**
The sample was classified by the ReversingLabs Cloud Sandbox.
## Setting Custom Classification
Users can manually override a sample’s classification:
- by selecting the **Set classification** option in the actions menu (☰) in the [Results List](../search-page.md#results-list) list, or in the *ACTIONS* menu on the [Sample Details](./sample-details-summary.md) page
- by selecting the **OVERRIDE** option in the *ReversingLabs Analysis Table* on the Sample Details page
Selecting either of those options opens the *Set classification* dialog. It consists of two tabs: **Spectra Intelligence** and **Local**. They are identical in design, but behave differently.
Local classification overrides persist only on the current Spectra Analyze appliance, they are not propagated to any other service or Spectra Analyze instance. Spectra Intelligence overrides get synchronized to other ReversingLabs appliances using the same Spectra Intelligence account, but also to other Spectra Intelligence accounts with the matching company username segment (u/**company**/user).
Samples that have both the local and the Spectra Intelligence override will be classified according to the local override.
Users can change the sample classification by modifying the threat status and trust factor values of the sample. Clicking **Save** in the dialog applies the new classification to the sample.
For every sample classified in this way, manual classification changes are recorded in the **Sample Details > Timeline** section.
Any user of the current Spectra Analyze instance can manually change the classification of any file submitted to the appliance, regardless of who submitted the file.
For both local and Spectra Intelligence overrides, users who wish to closely keep track of classification changes to their important files should [create an alert subscription](../alerts.md#creating-a-new-alert-subscription) to get notified as soon as there is a change (by another user or by any of the ReversingLabs classification methods).
---
## Threat Intelligence (Spectra Intelligence)
The *Cloud Threat Intelligence > Community Threat Detections* page contains statistics about malware detection for the sample based on the results of Threat Reputation scanning in the ReversingLabs Spectra Intelligence system. The information is obtained from a number of AV engines and organized by the time and date of each AV scan.
The upper half of the page contains a graph that shows how malware detections for the sample changed over time. More specifically, the graph indicates changes in the maximum detection rate for the sample. The graph always displays the same time range regardless of the currently selected scan date.
The lower half of the page contains a list of all AV vendors used to scan the sample for each recorded scan date. If an AV engine produced a detection, the detected threat name is listed next to the AV vendor name. Every result on this page is clickable and, when clicked, automatically performs a search query.
Users can navigate between recorded scan dates by clicking the arrows above the list of AV vendors, and compare the differences between each scan. The number of AV engines used can differ between recorded scan dates, depending on which vendors/engines were available at the time of each scan.
Text formatting in the list of AV vendors also carries important information.
- If the name of an AV vendor is greyed out, that indicates their AV engine(s) did not produce a detection for the sample. This can happen for a variety of reasons (e.g. the AV engine does not support the file format of the sample, or it did not have the relevant signature at the time of the scan). In case of goodware, this is the intended behavior.
- If there is a number next to the AV vendor name, that indicates how many AV engines of that vendor were used to scan the sample.
- If an AV vendor name is displayed above the black line in the list, that indicates their AV engines are considered next-generation (such as those that use machine learning).
- If a detection name is red, that indicates it is a new detection for the AV vendor. This means the AV vendor did not produce a detection for the sample in any of the previous scans.
- If a detection name is red with another name crossed-out next to it, that indicates the detection name has changed in the currently selected scan. This means the AV vendor previously produced a different detection for the sample. The crossed-out detection name is the old name, and the red detection name is new.
- If a detection name is crossed-out, but there is no other name next to it, that indicates the AV vendor is no longer producing detections for that particular threat.
Some AV vendors indicate that a threat has been detected in a sample, but they do not expose the full threat name. Their detection still influences the final classification of the sample, and in some cases affects the final threat name assigned to the sample.
**Tip: The information from the Spectra Intelligence section can be used with [Advanced Search](../advanced-search.md) keywords for targeted malware hunting. Use the **av-detection** keyword with any of the detected threat names (*av-detection: Adware/Genieo!OSX*), or specific AV vendor keywords with the threat name detected by a particular vendor (*av-[vendor]/Clovis-A*). To find samples by the number of Community Threat Detections, use the **antivirus** keyword. Consult the [full list of supported search keywords](../advanced-search.md#supported-search-keywords).**
### File Similarity
The *Cloud Threat Intelligence > File Similarity* section of the sidebar displays the amount of [functionally similar samples](../search-page.md#analyzing-files-with-rha-similarity-algorithm), grouped by their threat status. Clicking the links in the File Similarity section redirects to the list of similar samples, where it is possible to download them to the appliance as described in the [Downloading Files from Spectra Intelligence](../search-page.md#downloading-files-from-spectra-intelligence) section.
---
## Advanced Search
## Introduction
The Advanced Search feature introduces rich metadata search capabilities on the ReversingLabs Spectra Analyze appliance, makes it easier to search across large data sets (both locally and in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage.
With 100+ keywords, 30+ anti-virus vendors, 130+ sample types and subtypes and 280+ tags, Advanced Search makes it possible to build more than 500 unique search queries using Boolean operators and keyword auto-completion.
Users can create targeted, multi-conditional queries and combine search criteria using logical operators to quickly identify potential threats.
**The Advanced Search feature can be used to perform local searches without a Spectra Intelligence account. Using Advanced Search to retrieve Spectra Intelligence results is available to customers at additional cost. For more information, contact ReversingLabs Sales Support (insidesales@reversinglabs.com).**
**Important notes about the Advanced Search feature**
1. **Different search queries return results at different speeds** - for some combinations of keywords and operators, it can take longer to load the results. To ensure quicker response times for long and complex queries, returned results may contain fewer samples than are available in the database; i.e., the service will only return the latest matches found within a reasonable timeframe.
**Important: To improve search query responsiveness and performance, Cloud results prioritize *First Seen* within the last month by default. However, this may result in zero results if users specify time ranges outside this time frame. In such cases, the results page provides links to expand the search results. If the query returns some results but there are more in the previous months, clicking the link next to the query summary under the drop-down menu filters broadens the search to encompass a wider time range. Alternatively, users can set the provided drop-down filters to the desired expanded time range.**
1. **Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results.** Local-only keywords are: `filecount`, `tag-user`, `submission-user`, `submission-time` and `processing-status`. To perform Spectra Intelligence searches or search for extracted files, remove any local keywords from the query.
2. **The maximum length of a single search query is 1024 characters.** Queries longer than 1024 characters cannot be shared or added to Favorites. Attempting to submit queries longer than 1024 characters will result in an error. This does not apply to Bulk hash search queries.
3. **The maximum amount of Cloud results that can be returned for a search query is 100 000.** Although there may be more samples matching the query in the Spectra Intelligence cloud, the Spectra Analyze will only allow browsing through 100 000 of them.
4. **Currently it is only possible to export a single page of search results.** To export all results from the list, the user would have to browse pages one by one and manually export them. It is possible to adjust the amount of results displayed per page in the navigation bar, thus increasing or decreasing the number of results that will appear in the exported CSV file.
5. **The \*Fetch & Analyze\* option for Cloud results is currently limited to downloading 100 samples at a time, with a daily limit of 10 000 samples in total.** Samples that already exist on Spectra Analyze will not be downloaded again. It is not possible to fetch and analyze all samples in the Cloud results list at once.
6. **Large volumes of data indexed for Advanced Search in the Spectra Intelligence cloud are constantly updated in order to return the most relevant information.** During synchronization of various Spectra Intelligence services, searching for samples the cloud may return inconsistent or incorrect results in some cases. The data is updated multiple times per hour. This can cause discrepancies between the results offered on the Local and Public (Spectra Intelligence) results tabs.
## How to Write Search Queries
**Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results.** Local-only keywords are: `filecount`, `tag-user`, `submission-user`, `submission-time` and `processing-status`. To perform Spectra Intelligence searches or search for extracted files, remove any local keywords from the query.
Local-only keywords, when added using the drop-down menus, will not be shown in the Advanced Search box as part of the query, but they will still be applied to the results, saved to the *Recent queries* list, and shared using the *Share query* button.
To create a search query, start typing into the *Advanced search* box. The pull-down list with all matching search keywords or their predefined values will open. The keywords are listed alphabetically.
Every search query must contain at least one keyword and one value. Search queries are built according to the following formula.
```
keyword:value OPERATOR keyword2:value OPERATOR keyword3:[value1,value2,...]
```
The values for a keyword can be typed in manually, or if the keyword supports it, selected from the pull-down list.
Selecting a keyword that supports predefined values (for example, *classification*, *riskscore*) displays all those values in the pull-down list.
Selecting a keyword that supports date and time ranges (such as *lastseen* or *firstseen*) displays the date picker. To add a custom range to the search box, select “Custom” in the date picker and click the *Apply* button.
Keywords have short usage examples in the pull-down list. For a detailed overview of supported keywords and their features, refer to the [Supported Search Keywords section](./advanced-search.md#supported-search-keywords).
Some keywords have aliases - additional forms that can be used to search for the same values. Aliases are indicated in the Supported Search Keywords section in parentheses next to keyword names, and in the interface as illustrated in the screenshot below.
To run a search query, click the *Search* button in the search box, or press Enter.
------
The following is an example of a basic search query that returns all samples classified as suspicious:
```
classification:suspicious
```
What can and cannot be included in a search query depends on the values and operators supported by the keyword, as well as on the restricted words and characters.
The maximum length of a single search query that can be entered into the *Advanced search* box is 1024 characters.
### Restricted Words and Characters
All restricted words and characters should be escaped with double quotation marks in the search query.
Example: a query contains one of the restricted characters **[**, **]**, **(**, **)**, **:**
```
pdb:"C:\Windows*"
```
Example: a query contains one of the restricted words (**AND**, **OR**, **NOT**)
```
cert-subject-name:"AND"
```
If the search query contains spaces, use double quotation marks around it.
```
cert-subject-org:"microsoft corporation"
```
### Searching for Exact Matches
For more precise results, use quotation marks in search queries, especially when looking for a specific string.
The underscore character ( **_** ) is treated as a delimiter. Phrases containing the underscore should be enclosed in quotation marks to get exact matches.
For example, searching for `pe-function:"Py_Initialize"` returns results that match the exact phrase, including the underscore character.
Searching for `pe-function:Py_Initialize` returns results that match either “Py” or “Initialize”, or both.
### Using Wildcards for Partial Matching
Some search keywords support partial matching with wildcard symbols.
The `*` symbol matches any sequence of characters. The `?` symbol matches any single character.
Example: this query returns all samples that have the string “emo” anywhere in their threat name (such as Wemosis, Remora, Temonde).
```
av-detection: *emo*
```
Example: this query returns all samples with the threat name “Emotet” and any other variant where the first letter T is replaced by any other character (such as Emonet, Emoret).
```
av-detection: emo?et
```
### Searching for a Range and Greater/Less-Than Values
For keywords that support searching for a range of values, the formula looks like this.
```
keyword:[value1 TO value2]
size:[50000 TO 70000]
```
To search for greater/less-than values, create an open-ended range using the wildcard symbol `*`
```
keyword:[value TO *] - for greater-than values
keyword:[* TO value] - for less-than values
```
This example returns all samples that have a trust factor lower than and equal to 4.
```
trustfactor:[* TO 4]
```
### Searching for a List of Values
To search for any of the values in a list, the following formula is used.
```
keyword:[value1, value2, value3]
```
The values must be comma-separated.
```
classification:[suspicious, unknown]
av-detection:[emotet,wannacry]
sha1:[91b21fffe934d856c43e35a388c78fccce7471ea,4e8c5b9fc9a6650f541fa0dbe456731309a429e4,
66720a660761e9b3b9b071ba4c16d6ab69c442bb]
```
### Creating Multi-keyword Search Queries
Search operators and parentheses can be used to combine multiple keywords and create advanced search queries.
The following search operators are supported: **AND**, **OR**, **NOT**
If an operator is not provided, **AND** is used as the default. Operators are case-insensitive, so the following queries all return the same results.
```
firstseen:2018-01-01T00:00:00Z AND classification:malicious
firstseen:2018-01-01T00:00:00Z and classification:malicious
firstseen:2018-01-01T00:00:00Z classification:malicious
```
The **NOT** operator excludes search results that match the search criteria. In the following example, malicious and suspicious files will be excluded from the results:
```
av-detection:*linux* NOT classification:[malicious, suspicious]
```
The **OR** operator can be used to look for any of the values supported by a single keyword:
```
classification:suspicious OR classification: malicious
```
It can also be used to look for any of the different keywords and their values:
```
pdb:JigsawRansomware.pdb OR uri:"http://btc.blockr.io/api/v1/"
```
The **OR** operator cannot be used instead of a comma when searching for a list of values. The following example is **not a valid query**:
```
av-detection:[emotet OR wannacry]
```
**Parentheses** can be used to combine keywords. The following two queries show how to format the same request using square brackets versus parentheses:
```
firstseen:2018-01-01T00:00:00Z av-detection:[trojan,wannacry]
firstseen:2018-01-01T00:00:00Z (av-detection:trojan OR av-detection:wannacry)
```
Apart from using parentheses with the same keyword, they can be used to combine multiple different keywords, operators, and even a range:
```
firstseen:2018-01-01T00:00:00Z (av-detection:trojan AND type:binary NOT positives:[* TO 3])
```
### Saving and Sharing Search Queries
There are several ways to save search queries on the Spectra Analyze appliance.
1. Search queries can be saved as Favorites on the Spectra Analyze appliance itself. Run any query and click the star button right of the search box to save it. The query will be listed under *Favorites* in the [Suggestions menu](./search-page.md#show-suggestions). It can be modified to include other search keywords and parameters, or removed from the appliance at any time. The maximum of 20 search queries can be saved in this way.
2. Search queries can be saved using the built-in bookmarking functionality of the web browser. Run any query and bookmark the results page. In this case, any active filtering parameters (such as sorting and number of results per page) are also preserved in the bookmarked URL. A search query saved in this way will only work on the Spectra Analyze instance specified in the bookmarked URL.
Similarly, search queries can be shared in several ways:
1. by using the *Share query* option on the Spectra Analyze appliance. Type in any query and click the *Share* button right of the search box. The *Share Query* dialog opens, where recipient email addresses have to be entered. Clicking the *Share* button in the dialog will send the selected query to provided email addresses. The email *Subject* field will contain the username of the Spectra Analyze user who shared the query.
2. by copying the URL of the search results page from the address bar of the browser, and sending it manually via email or other communication channel. A search query shared in this way will only work if the recipient can log into the same Spectra Analyze instance from which the query was sent.
3. by copying a favorite query to the clipboard (hover over the query in the *Favorites* list and select the *Copy* option from the triple-dot menu), then sharing it manually via email or other communication channel.
### Non-keyword Queries
Advanced search queries can be quickly built without using keywords. Non-keyword search is available only for a particular subset of indicators of compromise:
> - SHA1, SHA256 and MD5 hashes
> - URLs
> - IP addresses
> - domains
> - emails
#### Non-keyword Search Queries
Non-keyword searches can be performed as standalone queries containing one or more non-keyword values, or be combined with traditional keyword searches. Email and IP (IPv4, IPv6) non-keyword queries support wildcard matching.
If a list of non-keyword search values contains invalid entries, search will respond with the message “Unrecognized nonkeyword argument” and return the first invalid non-keyword. In cases where the query contains only hashes, the response returns “Invalid value for hashes field”.
Using commas between non-keyword search values will result in an invalid query. Searching for strings containing commas and other special characters is supported by using quotation marks.
For example, IPV6 addresses or URLs containing colons, commas, or brackets must be enclosed in quotation marks:
```
"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
```
```
"http://www.evildomain.com/gate.php?13,35869"
```
**Single non-keyword search**
This can be any one of the IOCs listed above.
Example: SHA1
```
0000038704cb5f0e1bd87d6a75e904529af0d6ac
```
**Multiple non-keyword search**
To combine multiple non-keyword search values, separate them by space. The whole query will be enclosed in brackets and the spaces will be interpreted as the operator OR. Other operators (AND/NOT) can be explicitly provided to build more complex queries.
Example: IPV4, IPV6 and domain
```
127.0.0.1 "2620:119:35::35" google.com
```
Example: Hashes only
```
0000038704cb5f0e1bd87d6a75e904529af0d6ac 2abcd3fb8b7761526d177ab007c40e74 4dea2daa9a41dd6c4cb172eb6d8d8a1d1811360e21c5fa0c8ce2e20fd6903041
```
**Non-keyword with keyword**
When combining non-keyword search values with keywords, consecutive non-keyword values will be enclosed in brackets and the spaces between them will be interpreted as the operator OR. Spaces between non-keyword search values and keywords will be interpreted using the operator AND, meaning that the order of keywords and non-keyword values in the query is important.
Example: Samples containing the provided URL that are classified as goodware
```
"https://hope-bd.com/googledocs.php" class:goodware
```
**Combining queries with the NOT operator**
The **NOT** operator excludes search results that match the defined criteria.
Example: Query using the operator NOT
> ```
> NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038704cb5f0e1bd87d6a75e904529af0d6ac class:MALICIOUS
> ```
#### Non-keyword Search Examples
| Query Type | Example | Syntax | Outcome |
| ----------------------------------------------------------- | ------------------------------------------------------------ | -------------------------- | --------------------------------------------------- |
| Single non-keyword | 0000038704cb5f0e1bd87d6a75e904529af0d6ac | NK | NK |
| Non-keyword search values combined with keywords | “https://hope-bd.com/googledocs.php” class:goodware | NK K | NK **AND** K |
| Multiple non-keyword values (hashes only) | 0000038[…]af0d6ac 2abcd3[…]7c40e74 4dea2da[…]6903041 | NK NK NK NK | (NK **OR** NK **OR** NK **OR** NK) |
| Multiple non-keyword values | 127.0.0.1 “2620:119:35::35” google.com | NK NK NK NK | (NK **OR** NK **OR** NK **OR** NK) |
| Multiple non-keyword values with an AND operator | [mock@mockmail.com](mailto:mock@mockmail.com) 127.0.*.1 AND google.com “https://hope-bd.com/googledocs.php” | NK NK AND NK NK | (NK **OR** NK) **AND** (NK **OR** NK) |
| Multiple keywords combined with multiple non-keyword values | class:MALICIOUS mock@mockmail.com google.com firstseen:2018-04-05T21:11:47Z | K NK NK K | K **AND** (NK **OR** NK) **AND** K |
| Combining queries with the NOT operator | NOT [*@mockmail.com](mailto:*@mockmail.com) “https://hope-bd.com/googledocs.php” AND NOT 0000038[…]af0d6ac class:MALICIOUS | NOT NK NK AND NOT NK AND K | (**NOT** NK **OR** NK) **AND** **NOT** NK **AND** K |
Note
The final, transformed queries will be returned in the *Advanced search* box and added to the *Recent queries* list. They can be saved as favorites by clicking the star button to the right of the search box.
## Supported Search Keywords
### User-friendly modifiers
Some keywords support **modifiers** that serve as shorthand notation for search expressions.
#### Numbers
Keywords that accept numbers as values also accept a trailing plus or minus sign.
For example:
- `5+` (five or more)
- `42-` (fourty-two or less)
Exceptions:
- Spaces are not allowed.
- Prefixes are also not allowed (only trailing plus or minus).
- Modifiers can't be used in range queries. For example, `[3+ to 5-]` is invalid.
List of keywords that accept numbers
- `av-count`
- `av-threatlevel`
- `document-pages`
- `elf-section-count`
- `filecount`
- `macho-section-count`
- `macho-segment-count`
- `pe-section-count`
- `riskscore`
- `size`
- `submissions`
- `threatlevel`
#### Dates
Keywords that accept dates also accept period abbreviations and trailing plus/minus.
Accepted abbreviations:
- `h` for hours
- `d` for days
- `w` for weeks
- `m` for months
- `y` for years
The trailing plus or minus sign behaves just like for numbers.
For example:
- `2023-04-11T08:10:00+` (on April 11 2023 at 08:10, or after that time)
- `3d+` (three days or more)
- `1w-` (one week or less)
Exceptions:
- Spaces are not allowed.
- Prefixes are also not allowed (only trailing plus or minus).
- Modifiers can't be used in range queries. For example, `[3d to 5w]` is invalid.
List of keywords that accept dates
- `firstseen`
- `lastanalysis`
- `lastseen`
- `pe-timestamp`
- `signer-valid-from`
- `signer-valid-to`
- `submission-time`
- `taggant-valid-from`
- `taggant-valid-to`
#### Sizes
Keywords that accept sizes also accept unit abbreviations (KB, MB, GB...) and trailing plus/minus.
The abbreviations are case-insensitive. If an abbreviation is not specified, the expression is evaluated in bytes. [Byte multiples](https://en.wikipedia.org/wiki/Byte#Multiple-byte_units) are supported in both decimal (kilo-, mega-, giga-...) and binary (kibi-, mebi-, gibi-...) form.
For example:
- `5MB+` (five megabytes or larger)
- `13kib-` (thirteen kibibytes or smaller)
Exceptions:
- Spaces are not allowed.
- Prefixes are also not allowed (only trailing plus or minus).
- Modifiers can't be used in range queries if they contain a trailing plus or minus sign. For example, `[3kB+ to 5MB]` is invalid. However, if you use them without a trailing plus/minus, they can be used in a range query. For example, `[3kb TO 5mb]` is allowed.
The only keyword that accepts a size is `size`.
### Group keywords
When using group keywords, the provided search query will be used with all single keywords in the group's respective list. Refer to the single keyword descriptions for more information.
Keyword aliases are enclosed in parentheses.
| `certificate` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `cert-issuer-name` `cert-issuer-org` `cert-issuer-unit` `cert-subject-name` `cert-subject-org` `cert-subject-unit` |
| Examples | Case-insensitive wildcard matching is supported.Wildcard: `certificate:*micr*` |
| `certificate-country` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `cert-issuer-country` `cert-subject-country` |
| Examples | Case-insensitive wildcard matching is supported.List (any of the values): `certificate-country:[HR, US]` |
| `document` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `document-author` `document-subject` `document-title` `document-description` |
| Examples | Case-insensitive wildcard matching is supported.List (any of the values): `document:[adobe, microsoft, *confidencial]`Wildcard: `document:*soft` |
| `mutex` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `mutex-config` `mutex-dynamic` |
| Examples | The keyword is case-sensitive and doesn't accept wildcards.Exact: `mutex:111c`List (any of the values): `mutex:[111c, 2124]` |
| `ipv4` (`ip`) | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `ipv4-static` `ipv4-dynamic` |
| Examples | Wildcard matching supported.Wildcard: `ipv4:192.*`List (any of the values): `ipv4:[1.0.0.0,1.0.2.1]` |
| `ipv6` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `ipv6-static` (IPv6 address strings detected by ReversingLabs Dynamic Services) |
| Examples | If the address contains colons or brackets, enclose it in quotation marks.Wildcard matching supported.Wildcard: `ipv6:c*`Exact: `ipv6:"2002::/16"`List (any of the values): `ipv6:["2001:db8*", "3731:54:"]` |
| `section` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `pe-section-name` `elf-section-name` `macho-section-name` |
| Examples | Case-insensitive wildcard matching is supported.Wildcard: `section:*data`List (Any of the values): `section:[.ndata, bss]` |
| `segment` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `macho-segment` `macho-segment-name` `elf-segment-sha1` |
| Examples | Case-insensitive wildcard matching is supported.Wildcard: `segment:page*`List (any of the values): `segment:[pagezero, text]` |
| `software` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `software-package` `software-description` `software-author` |
| Examples | The keyword does not accept wildcards.Exact: `software:"James Newton-King"`List (any of the values): `software:[Microsoft, "This package consists of multiple activities that simplify the processes in Excel."]` |
| `upload-data` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `upload-source` `upload-source-tag` |
| Examples | Examples:`upload-data:myapp`, `upload-data:myemail*` |
| `uri` | Group keyword |
|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Includes | `uri-source` `uri-static` `uri-config` `uri-dynamic` |
| Examples | Case-insensitive wildcard matching is supported. (`uri*` keywords don't support IP addresses. For that, use `ip*` keywords.)Wildcard: `uri:mozilla.org*`List (any of the values): `uri:[\*.tor,*.onion,*.exit]` |
### Single keywords
| `actor` | |
|-------------|---------------------------------------------------------------------------------------------------------|
| Description | Search for files associated with a specific threat actor. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `actor:*APT*`List (any of the values): `actor:[Hellsing, Cycldek]` |
| `android-app-name` | |
|--------------------|----------------------------------------------------------------------------------------------------------------------------|
| Description | Search for Android applications by their process name. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `android-app-name:*SkypeApplication*`List (any of the values): `android-app-name:[MainApp, *alt.ywuajgf*]` |
| `android-features` | |
|--------------------|----------------------------------------------------------------------------------------------------------------------|
| Description | Search for Android applications by their features. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `android-features:*hardware.camera*`List (any of the values): `android-features:[camera, telephony]` |
| `android-import` | |
|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Search for Android applications by one or more shared libraries that the applications are linked against. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `android-import:org.apache.http.legacy*`List (any of the values): `android-import:[sec_fe?ture, *google*]` |
| `android-package` | |
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| Description | Search for Android applications by their package name. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `android-package:*com.picklieapps.player*`List (any of the values): `android-package:[*ruckygames*, *skype.raider*]` |
| `android-permission` ||
|----------------------|------|
| Description | Search for Android applications by their permissions. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `android-permission:*WRITE_SETTINGS*`List (any of the values): `android-permission:[*storage*, *disable_keyguard*]` |
| `appid-company-name` (`appid-author`) ||
|-------------|------|
| Description | Search for applications and libraries by their publisher. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `appid-company-name:"Mozilla Foundation"`List (any of the values): `appid-company-name:["Mozilla Foundation", "Microsoft Corporation"]` |
| `appid-description` ||
|-------------|------|
| Description | Search for applications and libraries by their description. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `appid-description:"*Firefox Plugin Hang UI*"*` |
| `appid-product-name` | |
|-------------|------|
| Description | Search for files with a matching product name. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `appid-product-name:"Mozilla Firefox Plugin Hang UI"`List (any of the values): `appid-product-name:["Mozilla Firefox Plugin Hang UI", "Mozilla Firefox Helper"]` |
| `appid-product-type` (`appid-category`) | |
|-------------|------|
| Description | Search for applications and libraries by their type. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `appid-product-type:browser`List (any of the values): `appid-product-type:[browser, development]` |
| `attack-tactic` | |
|-------------|------|
| Description | Search for files that use a specific Mitre ATT&CK tactic. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `attack-tactic:TA0007`List (any of the values): `attack-tactic:[TA0007, TA0005]` |
| `attack-technique` | |
|-------------|------|
| Description | Search for files that use a specific Mitre ATT&CK technique. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `attack-technique:T1222`List (any of the values): `attack-technique:[T1222, T1112]` |
| `av-count` (`positives`, `p`, `antivirus`) | |
|-------------|------|
| Description | The number of antivirus scanners that have detected a sample as malicious. Currently supports any integer from 0 to 46 (46 being the number of active AV scanners). |
| Examples | Exact: `av-count:5`Range: `positives:[10 TO 20]`Greater than 5: `positives:[5 TO *]`List (any of the values): `av-count:[5,3]` |
| `av-detection` (`engines`) | |
|-------------|------|
| Description | Detection string generated by the antivirus engines. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `av-detection:micro*`List (any of the values): `av-detection:[W32.Duqu, *Vitro]` |
| `av-` (``) | |
|-------------|------|
| Description | Search for all samples or samples of specific malware detected by a selected antivirus vendor. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `av-[vendor]:*wannacry*`List (any of the values): `[vendor]:[win32, emotet]` |
| `available` (`in`, `shareable`) | |
|-------------|------|
| Description | Indicates whether a sample is available for download from the cloud. The only supported values are true and false (case-insensitive). |
| Examples | `available:TRUE``in: false` |
| `browser-package` | |
|-------------|------|
| Description | Search for web browser extensions by their package name. Supported package formats: Chrome, Safari, Firefox. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `browser-package:*Click2Save*`List (any of the values): `browser-package:[*priiceechOp*, *iCalc*]` |
| `cert-issuer-country` | |
|-------------|------|
| Description | Search for files by the country code in the country name property field of the issuer of the certificate used to sign the file. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `cert-issuer-country: US`List (any of the values): `cert-issuer-country:[Z?,G*]` |
| `cert-issuer-name` | |
|-------------|------|
| Description | Search for files by the name of the certificate authority (CA). Case-insensitive wildcard matching is supported. |
| Examples | Exact: `cert-issuer-name: COMODO`List (any of the values): `cert-issuer-name:[microsoft,*VeriSign*]` |
| `cert-issuer-org` | |
|-------------|------|
| Description | Search for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `cert-issuer-org:*authority`List (any of the values): `cert-issuer-org:[verisign, microsoft]` |
| `cert-issuer-unit` | |
|-------------|------|
| Description | Search for files by the organizational unit name of the issuer unit of the certificate authority (CA). Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `cert-issuer-unit:*root*` List (any of the values): `cert-issuer-unit:["trust network", *root*]` |
| `cert-serial` | |
|-------------|------|
| Description | Search for a file by the serial number of the file certificate provided by the CA that issued the certificate. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `cert-serial:6101CF3E00000000000F`List (any of the values): `cert-serial:[,]` |
| `cert-subject-country` | |
|-------------|------|
| Description | Search for files by the country code in the country name property field of the subject to which the certificate has been issued. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `cert-subject-country:DE`List (any of the values): `cert-subject-country:[US, B*]` |
| `cert-subject-name` | |
|-------------|------|
| Description | Search for files by the name of the organization/system to which the certificate has been issued. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `cert-subject-name:Piriform`List (any of the values): `cert-subject-name:[cinectic*, google]` |
| `cert-subject-org` | |
|-------------|------|
| Description | Search for files by the organization name of the certificate authority organization (CA). Case-insensitive wildcard matching is supported. |
| Examples | Exact: `cert-subject-org:apple`List (any of the values): `cert-subject-org:[apple, Microsoft]` |
| `cert-subject-unit` | |
|-------------|------|
| Description | Search for files by the organizational unit name inside the organization to which the certificate has been issued. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `cert-subject-unit:"Developer Relations"`List (any of the values):`cert-subject-unit:[Developer*, "Trust Network"]` |
| `cert-thumbprint` | |
|-------------|------|
| Description | Search for files by their unique certificate thumbprint. A thumbprint of a file certificate is a hash value (SHA256). The keyword doesn't accept wildcards. |
| Examples | Exact: `cert-thumbprint:277D42[...]2A17DD`List (any of the values): `cert-thumbprint:[, ]` |
| `classification` (`class`) | |
|-------------|------|
| Description | Search for files by their Malware Presence status designation. Accepted values: malicious, known, suspicious, unknown (case-insensitive). |
| Examples | Exact: `classification:malicious`List (any of the values): `classification:[KNOWN, suspicious]` |
| `dex-class-name` | |
|-------------|------|
| Description | Search for DEX files by the names of classes they contain. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dex-class-name:android.content.DialogInterface.On*`List (any of the values): `dex-class-name:[android.content.DialogInterface.On*, android.support.v4.*]` |
| `dex-method-name` | |
|-------------|------|
| Description | Search for DEX files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dex-method-name:unregisterCallB*`List (any of the values): `dex-method-name:[getLocation, invok*]` |
| `document-author` | |
|-------------|------|
| Description | Search for files by the contents of their document author metadata property. Case-insensitive wildcard matching is supported. |
| Examples | List (any of the values): `document-author:[adobe, microsoft]`Wildcard: `document-author:*soft` |
| `document-description` (`doc-description`) | |
|-------------|------|
| Description | Search for files by the document description field, as provided by the document author. Case-insensitive wildcard matching is supported. |
| Examples | List (any of the values): `document-description:["Carta personal", *confidencial]`Wildcard: `document-description:*Math*` |
| `document-pages` (`doc-pages`) | |
|-------------|------|
| Description | Search for files by their number of pages. In case of spreadsheet documents, this number represents the number of sheets. The keyword accepts only integer values. |
| Examples | Exact: `document-pages:73`Range: `document-pages:[4 TO 20]`More than 4: `document-pages:[4 TO *]` |
| `document-subject` | |
|-------------|------|
| Description | Search for files by the contents of their document subject metadata property. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `document-subject:*search`List (any of the values): `document-subject:[free, download]` |
| `document-title` | |
|-------------|------|
| Description | Search for files by the contents of their document title metadata property. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `document-title:"Powered by"`List (any of the values): `document-title:[*free*, README]` |
| `document-version` | |
|-------------|------|
| Description | Search for files by the contents of their document version metadata property. Wildcard matching is supported. |
| Examples | Wildcard: `document-version:1.1*`List (any of the values): `document-version:[1.7, 2.*]` |
| `domain` | |
|-------------|------|
| Description | Search for files by any associated domain. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `domain:mozilla.org*`List (any of the values): `domain:[*.tor,google.com,*.exit]` |
| `dotnet-assembly` | |
|-------------|------|
| Description | Search for .NET files by assemblies they reference. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dotnet-assembly:*mscorlib*`List (any of the values): `dotnet-assembly:[*iJnJWYUQA*, "NanoCore Client"]` |
| `dotnet-method-name` | |
|-------------|------|
| Description | Search for .NET files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dotnet-method-name:get_Url`List (any of the values): `dotnet-method-name:[?oadCompl*, *HoldEnd]` |
| `dotnet-module-id` | |
|-------------|------|
| Description | Search for .NET files by IDs of modules they contain. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dotnet-module-id:*20DEC3DA-523F*`List (any of the values): `dotnet-module-id:[*9249F5D0-1821*, *E133ACC7-60C9*]` |
| `dotnet-module-name` | |
|-------------|------|
| Description | Search for .NET files by names of modules they contain. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dotnet-module-name:*TeSt.exe*`List (any of the values): `dotnet-module-name:[Posh.exe, adobe.exe]` |
| `dotnet-pinvoke-function` | |
|-------------|------|
| Description | Search for .NET files by pinvoke functions. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dotnet-pinvoke-function:EncodePointer*`List (any of the values): `dotnet-pinvoke-function:["EncodePointer", "DecodePointer"]` |
| `dotnet-pinvoke-import` | |
|-------------|------|
| Description | Search for .NET files by pinvoke imports. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `dotnet-pinvoke-import:kernel32.dll`List (any of the values): `dotnet-pinvoke-import:["kernel32.dll", "user32.dll"]` |
| `dotnet-resource` | |
|-------------|------|
| Description | Search for .NET files by resources they contain. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `dotnet-resource:"Hidden Tear"`List (any of the values): `dotnet-resource:[*Orcus*, *Clientloaderform*]` |
| `dotnet-type-name` | |
|-------------|------|
| Description | Search for .NET files by type names found in them. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `dotnet-type-name:Form1*`List (any of the values): `dotnet-type-name:[Form1*, NetscapeRevocationUrl]` |
| `elf-section-count` | |
|-------------|------|
| Description | Search for ELF files by the amount of sections they contain. The keyword accepts only integer values. |
| Examples | Exact: `elf-section-count:5`Range: `elf-section-count:[5 TO 15]`More than 5: `elf-section-count:[5 TO *]` |
| `elf-section-name` | |
|-------------|------|
| Description | Search for ELF files by names of the sections they contain. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `elf-section-name:*data`List (any of the values): `elf-section-name:[.rodata, .ndata, .bss]` |
| `elf-segment-sha1` (`elf-segment-hash`) | |
|-------------|------|
| Description | Search for files by the SHA1 hash of their ELF segment. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `elf-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc` |
| `email-from` | |
|-------------|------|
| Description | Search for files by the sender of an email associated to a file. Includes "from", "reply-to" and "sender" fields. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `email-from:*@kiski.net`List (any of the values): `email-from:[*@domain.com, *@orbitz.com]` |
| `email-static` (`email`) | |
|-------------|------|
| Description | Search for files by associated email address(es) detected by [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis). Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `email-static:*@Compartir.es`List (any of the values): `email-static:[*@gmail.com, *@hotmail.com]` |
| `email-subject` | |
|-------------|------|
| Description | Search for files by the subject of an email associated to a file. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `email-subject:*HackTool`List (any of the values): `email-subject:[Invitation*, *Nova*]` |
| `email-to` | |
|-------------|------|
| Description | Search for files by the receiver of an email associated to a file, specified in the "to" field. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `email-to:*@netnook.com`List (any of the values): `email-to:[*@dekalb.net, *@rogers.com]` |
| `email-x-key` | |
|-------------|------|
| Description | Search for files with non-standard header fields, called X-extensions. Security vendors use X-extensions to annotate emails that have been scanned using their product. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `email-x-key:*MDRemoteIP`List (any of the values): `email-x-key:[*Indiv, *Markup]` |
| `email-x-value` | |
|-------------|------|
| Description | Search for files by values stored in non-standard (X-extension) header fields. Case-insensitive wildcard matching is supported. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `email-x-value:?HAILAND`List (any of the values): `email-x-value:[Produced*, BHUTAN]` |
| `exif` | |
|-------------|------|
| Description | Search for multimedia files by the contents of their EXIF metadata fields. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `exif:Picasa*`List (any of the values): `exif:["Paint.NET v3.5.8", Picasa*]` |
| `exploit` | |
|-------------|------|
| Description | Search for samples that are exploiting a specific vulnerability, identified either by ReversingLabs or by antivirus scanners. |
| Examples | Examples Wildcard: `exploit:cve-2024-*`*List (any of the values): `exploit:["CVE-2014-0114", "CVE-2018-15982"]` |
| `filecount` | |
|-------------|------|
| Description | Search for a file by the number of unpacked files it contains (if it's a container). Accepts any integer number. **Note: this keyword currently returns only Local samples as results.** |
| Examples | Exact: `filecount:25`Range: `filecount:[3 TO 10]`More than 20: `filecount:[20 TO *]` |
| `filename` (`name`) | |
|-------------|------|
| Description | Search for a file by its full or partial file name, predicted file name (generated by Spectra Core for samples without a file name), or file extension. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `filename:notepad.exe`List (any of the values): `filename:[*.PDF, *.epub]` |
| `firstseen` (`fs`) | |
|-------------|------|
| Description | Time when a file was first analyzed by Spectra Intelligence. Supported time format is UTC timestamp. |
| Examples | Exact: `fs:2018-04-03T12:58:27Z`Range (time period):`firstseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z]` |
| `hashes` | |
|-------------|------|
| Description | Allows mixing different types of hashes in one search query, without the need to explicitly name the hash type or to group hashes by type. All hash types (MD5, SHA1, SHA256) can be used with this keyword. The maximum length of a single query is 1024 characters. The keyword is case-sensitive and doesn't support wildcards. |
| Examples | Exact: `hashes: `List (any of the values): `hashes:[, , , , ]` |
| `imphash` | |
|-------------|------|
| Description | Hash based on library/API names and their specific order within the executable. Used to find similar PE files. The keyword doesn't support wildcards. |
| Examples | Exact: `imphash:f34d5f2d4577ed6d9ceec516c1f5a744`List (any of the values): `imphash [, ]` |
| `indicators` | |
|-------------|------|
| Description | Search for files by their static analysis behaviors. The keyword is case-sensitive and doesn't accept wildcards. The full list of indicator IDs and their descriptions can be found [here](/General/SpectraCore/indicators/). |
| Examples | Exact: `indicators:"2150"`List (any of the values): `indicators:["2150", "2102"]` |
| `ios-app-name` | |
|-------------|------|
| Description | Search for iOS applications by their name. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `ios-app-name:FruitNinja*`List (any of the values): `ios-app-name:[FruitNinja*, *facebook*]` |
| `ios-author` | |
|-------------|------|
| Description | Search for iOS applications by their author name. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `ios-author:*halfbrick*`List (any of the values): `ios-author:[*halfbrick*, Apple*]` |
| `ios-package` | |
|-------------|------|
| Description | Search for iOS applications by their package name. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `ios-package:*FruitNinja*`List (any of the values): `ios-package:[*FruitNinja*, *facebook*]` |
| `ipv4-dynamic` | |
|-------------|------|
| Description | Search for files by IPv4 address strings detected by ReversingLabs Dynamic Services. Wildcard matching supported. |
| Examples | Wildcard: `ipv4-dynamic:192.*`List (any of the values): `ipv4-dynamic:[1.0.0.0,1.0.2.1]` |
| `ipv4-static` | |
|-------------|------|
| Description | Search for files by IPv4 address strings detected by Spectra Core analysis. Wildcard matching supported. |
| Examples | Wildcard: `ipv4-static:192.*`List (any of the values): `ipv4-static:[1.0.0.0,1.0.2.1]` |
| `ipv6-static` | |
|-------------|------|
| Description | Search for files by IPv6 address strings detected by Spectra Core analysis. If the address contains colons or brackets, enclose it in quotation marks. Wildcard matching supported. |
| Examples | Wildcard: `ipv6-static:c*`Exact: `ipv6-static:"2002::/16"`List (any of the values): `ipv6-static:["2001:db8*", "3731:54:"]` |
| `lastanalysis` (`la`) | |
|-------------|------|
| Description | Search for files by the date and time of their last AV scan. Supported time format is UTC timestamp. |
| Examples | Exact: `lastanalysis:2018-05-17T11:27:19Z`Range (time period):`lastanalysis:[2018-05-17T11:27:19Z TO 2018-05-24T11:27:19Z]` |
| `lastseen` (`ls`) | |
|-------------|------|
| Description | Time when a file was last analyzed by Spectra Intelligence. Supported time format is UTC timestamp. |
| Examples | Exact: `ls:2018-04-03T12:58:27Z`Range (time period):`lastseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z]` |
| `macho-import` | |
|-------------|------|
| Description | Search for MachO files by the names of imported libraries found in them. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `macho-import:*/usr/lib/*`List (any of the values): `macho-import:[/usr/lib/libgcc_s.1.dylib, /usr/lib/libSystem.B.dylib]` |
| `macho-section-count` | |
|-------------|------|
| Description | Search for MachO files by the number of sections they contain. The keyword accepts only integer values. |
| Examples | Exact: `macho-section-count:10`Range: `macho-section-count:[5 TO 15]`More than 5: `macho-section-count:[5 TO *]` |
| `macho-section-name` | |
|-------------|------|
| Description | Search for MachO files by the names of the sections they contain. Case-insensitive wildcard matching supported. |
| Examples | Exact: `macho-section-name:data`List (any of the values): `macho-section-name:[bss, common, data]` |
| `macho-segment` (`macho-segment-name`) | |
|-------------|------|
| Description | Search for MachO files by their segment names. Case-insensitive wildcard matching supported. |
| Examples | Exact: `macho-segment:pagezero`List (any of the values): `macho-segment:[linkedit, pagezero, text]` |
| `macho-segment-count` | |
|-------------|------|
| Description | Search for MachO files by the count of segments they contain. The keyword accepts only integer values. |
| Examples | Exact: `macho-segment-count:30`Range: `macho-segment-count:[2 TO 8]`More than: `macho-segment-count:[11 TO *]` |
| `macho-segment-sha1` (`macho-segment-hash`) | |
|-------------|------|
| Description | Search for files by the SHA1 hash of their MachO segment. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `macho-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc` |
| `macho-symbol` | |
|-------------|------|
| Description | Search for MachO files by their symbol names. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `macho-symbol:f*`List (any of the values): `macho-symbol:[exit, malloc, umask]` |
| `md5` | |
|-------------|------|
| Description | String of hexadecimal digits representing a MD5 hash of the file sample. Keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `md5:76baa04885ec40af25294a51d8e7c006`List (any of the values): `md5:[, ]` |
| `mutex-config` | |
|-------------|------|
| Description | Search for files by their malware configuration mutexes detected by Spectra Core. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `mutex-config:")!VoqA.I4"`Exact: `mutex-config:"--((Mutex))--"`List (any of the values): `mutex-config:[111c, 2124]` |
| `mutex-dynamic` | |
|-------------|------|
| Description | Search for files by malware configuration mutexes detected by ReversingLabs Dynamic Services. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Wildcard: `mutex-dynamic:111c*`List (any of the values): `mutex-dynamic:[111c, 2124]` |
| `pdb-path (pdb)` | |
|-------------|------|
| Description | Search for files associated with specific PDB (program database) paths. Used to find files with the same PDB path created during file sample compilation. If the path contains restricted characters, enclose it in quotation marks. |
| Examples | Exact: `pdb:"D:DevTin7InstallDir"`List (any of the values):`pdb:["C:Windows", "c:Program FilesPerforce"]` |
| `pe-company-name` | |
|-------------|------|
| Description | Search for PE files by the contents of their company name field in the version information metadata. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-company-name:*enix`List (any of the values): `pe-company-name:[microsoft, ADOBE]` |
| `pe-copyright` | |
|-------------|------|
| Description | Search for PE files by the contents of their legal copyright field in version information metadata. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-copyright:Copyright*`List (any of the values): `pe-copyright:[*Corporation, regsvr32]` |
| `pe-description` | |
|-------------|------|
| Description | Search for PE files by the contents of their file description field in version information metadata. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-description:*proged`List (any of the values): `pe-description:[DisplaySwitch, WizardFramework]` |
| `pe-export` (`exports`) | |
|-------------|------|
| Description | Search for PE files by exported symbol names. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-export:MS*`List (any of the values): `exports:[GetMemoSize, DeleteFile]` |
| `pe-function` | |
|-------------|------|
| Description | Search for PE files by the name of the function that the PE file imports. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-function:RegEnum*`List (any of the values):`pe-function:[RegEnumKeyW, GetUserNameA]` |
| `pe-import (imports)` | |
|-------------|------|
| Description | Search for PE files by the name of the dynamic link library that the PE file imports. Case-insensitive wildcard matching supported. |
| Examples | Exact: `pe-import:URLMON.DLL`List (any of the values): `imports:[win*, url*]` |
| `pe-language` | |
|-------------|------|
| Description | Find PE files by languages mentioned in the PE file resources. Case-insensitive wildcard matching supported. [Supported Languages for PE and Document Formats](#supported-languages-for-pe-and-document-formats). |
| Examples | Exact: `pe-language:russian`List (any of the values): `pe-language:[eng*, Russian]` |
| `pe-original-name` | |
|-------------|------|
| Description | Search for PE files by the contents of their file description field in version information metadata, and any other fields using the original name of the file. The keyword can be used to investigate how the file was named during compilation. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-original-name:crack*`List (any of the values): `pe-original-name:[*install.exe, "sample doc.exe"]` |
| `pe-overlay-sha1` (`pe-overlay-hash`) | |
|-------------|------|
| Description | Find PE files by the SHA1 hash calculated for their overlay part. Overlay hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. Keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `pe-overlay-sha1:4b4a2436b827d42b204b1f112b45d7a6d1b7ca52`List (any of the values): `pe-overlay-sha1:[, , ]` |
| `pe-product-name` | |
|-------------|------|
| Description | Search for PE files by the contents of their product name field in version information metadata. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-product-name:*shop`List (any of the values):`pe-product-name:[Firefox, "Microsoft Word"]` |
| `pe-resource` | |
|-------------|------|
| Description | Search for PE files by name or type of resources they contain. Case-insensitive wildcard matching supported. |
| Examples | Exact: `pe-resource:Properties`List (any of the values): `pe-resource:[Tcpview, Aboutbox]` |
| `pe-resource-sha1` (`pe-resource-hash`) | |
|-------------|------|
| Description | Find PE files by the SHA1 hash calculated for their resources part. Keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `pe-resource-sha1:4260284ce14278c397aaf6f389c1609b0ab0ce51`List (any of the values): `pe-resource-sha1:[, ]` |
| `pe-section-count` | |
|-------------|------|
| Description | Search for PE files by the count of sections they contain. The keyword accepts only integer values. |
| Examples | Exact: `pe-section-count:15`Range: `pe-section-count:[2 TO 10]`More than: `pe-section-count:[5 TO *]` |
| `pe-section-name` | |
|-------------|------|
| Description | Search for PE files by names of the sections they contain. The maximum section name length is 8 characters. Case-insensitive wildcard matching supported. |
| Examples | Wildcard: `pe-section-name:*rdata`List (any of the values): `pe-section-name:[.Rdata, .Ndata, *rsrc]` |
| `pe-section-sha1` (`pe-section-hash`) | |
|-------------|------|
| Description | Find PE files by the SHA1 hash calculated for their section part. Section hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. Keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `pe-section-sha1:7640a007e39b487bf1dbbde6487724faa131f6a8`List (any of the values): `pe-section-sha1:[, , ]` |
| `pe-timestamp` (`pets`) | |
|-------------|------|
| Description | Search for a PE file by the date when it was compiled. Supported time format is UTC timestamp. |
| Examples | Exact: `pets:2017-06-26T00:00:00Z`Range (newer than): `pets:[2018-03-06T10:57:29Z TO *]` |
| `sampletype` (`filetype`, `type`, `format`) | |
|-------------|------|
| Description | Search for files by type as detected by Spectra Core. Case-insensitive wildcard matching supported. `Appendix B - Supported Sample Types`_ |
| Examples | Exact: `sampletype:Image/None`List (any of the values): `type:[elf*,macho*]` |
| `sha1` | |
|-------------|------|
| Description | String of hexadecimal digits representing a SHA-1 hash of the file. Keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `sha1:f1a62a7092e49577206b7361bf1a7ff0776bb6a4`List (any of the values):`sha1:[, ]` |
| `sha256` | |
|-------------|------|
| Description | String of hexadecimal digits representing a SHA-256 hash of the file sample. Keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `sha256:f35a3(...)1d2d5`List (any of the values): `sha256:[, ]` |
| `signer-valid-from` (`cert-valid-from`) | |
|-------------|------|
| Description | Search for files that have been signed by certificates valid from a specific time. |
| Examples | Range (newer than): `signer-valid-from:[2018-03-06T10:57:29Z TO *]` |
| `signer-valid-to` (`cert-valid-to`) | |
|-------------|------|
| Description | Search for files that have been signed by certificates valid to a specific time. |
| Examples | Range (newer than): `signer-valid-to:[2018-03-06T10:57:29Z TO *]` |
| `similar-to` | |
|-------------|------|
| Description | Search for files that are functionally similar to the requested file hash. Functionally similar files are defined by RHA (ReversingLabs Hashing Algorithm) that identifies code similarity between unknown samples and previously seen malware samples. All hash types (MD5, SHA1, SHA256) can be used with this keyword. Only one similar-to keyword can be used in a single query. The keyword is case-sensitive and doesn't support wildcards. |
| Examples | Exact: `similar-to: ` |
| `size` | |
|-------------|------|
| Description | Search for files by size (in bytes). Accepts integers up to 2147483647. |
| Examples | Exact: `size:30000`Range: `size:[1000 TO 50000]`Greater than: `size:[500000 TO *]` |
| `software-author` | |
|-------------|------|
| Description | Search for software packages by their author/publisher. |
| Examples | Exact: `software-author:"James Newton-King"`List (any of the values): `software-author:["Amazon Web Services", Microsoft]` |
| `software-description` | |
|-------------|------|
| Description | Search for software packages by their description. |
| Examples | Exact: `software-description:"This package consists of multiple activities that simplify the processes in Excel."` |
| `software-package` | |
|-------------|------|
| Description | Search for specific software packages. The keyword is case-sensitive and doesn't accept wildcards. |
| Examples | Exact: `software-package:tidal`List (any of the values): `software-package:[tidal, "AWSSDK.WorkLink"]` |
| `submissions` | |
|-------------|------|
| Description | Search for files by the amount of times they have been submitted for analysis. The keyword accepts only integer values. |
| Examples | Exact: `submissions:3`Greater than: `submissions:[3 TO *]`Less than: `submissions:[* TO 4]` |
| `tag` | |
|-------------|------|
| Description | Search for files by metadata tags generated by Spectra Core. Tags identify interesting properties of a sample, such as being packed, password-protected, or digitally signed. [Supported Tags](#supported-tags). |
| Examples | Exact: `tag:packed`List (any of the values): `tag:[capability-execution, cert, crypto]` |
| `tag-yara` | |
|-------------|------|
| Description | YARA supports adding custom tags to rules. Files that match those rules get automatically tagged after analysis. This keyword looks for files tagged by YARA rules, including those that were classified by YARA tags ("malicious" and "suspicious"). Case-insensitive wildcard matching is supported. Note that changes to YARA tags are not immediately reflected in search results. For example, if a tag is removed from a YARA rule, it will still return search results until files that match the rule are reanalyzed with Spectra Core. |
| Examples | Exact: `tag-yara:malicious`List (any of the values): `tag-yara:[malicious, suspicious]` |
| `taggant-name` | |
|-------------|------|
| Description | Search for PE files by name of the packer that was used to pack them. Taggant is a technology that guarantees the packed file came from a reliable source. Case-insensitive wildcard matching supported. |
| Examples | Exact: `taggant-name:themida`List (any of the values): `taggant-name:[enigma*, vmprotect*]` |
| `taggant-valid-from` | |
|-------------|------|
| Description | Search for files by the time it was signed using taggant. |
| Examples | Range (newer than): `taggant-valid-from:[2018-03-06T10:57:29Z TO *]` |
| `taggant-valid-to` | |
|-------------|------|
| Description | Search for files by the expiry time provided by taggant. |
| Examples | Range (newer than): `taggant-valid-to:[2018-03-06T10:57:29Z TO *]` |
| `third-party-library` | |
|-------------|------|
| Description | Search for PE files by the name(s) of third-party libraries they contain. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `third-party-library:Microsoft.WindowsAPICodePack-Core`List (any of the values): `third-party-library:[*oak-json*, Microsoft.Web.WebJobs*]` |
| `third-party-publisher` | |
|-------------|------|
| Description | Search for PE files by publishers of the third-party libraries found in the files. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `third-party-publisher:Microsoft*`List (any of the values): `third-party-publisher:[Microsoft*, "Xamarin Inc."]` |
| `threatlevel` | |
|-------------|------|
| Description | Search for files by ReversingLabs scale of threat severity. Higher number indicates higher severity. Accepted values are 0-5. |
| Examples | Exact: `threatlevel:3`Greater than: `threatlevel:[2 TO *]`Range: `threatlevel:[0 TO 3]`List (any of the values): `threatlevel:[2, 3]` |
| `threatname` | |
|-------------|------|
| Description | Search for files by malware threat name according to [ReversingLabs malware naming standard](/General/AnalysisAndClassification/MalwareNamingStandard). Case-insensitive wildcard matching supported. |
| Examples | Exact: `threatname:Win32.PUA.Casonline`List (any of the values):`threatname:["WIN32.PUA.casino eldorado", *crytex]` |
| `trustfactor` | |
|-------------|------|
| Description | Search for files by the ReversingLabs trust factor. Trust factor indicates the trustworthiness of files. Lower number means higher trust. Accepted values are 0-5. |
| Examples | Exact: `trustfactor:1`List (any of the values): `trustfactor:[4, 5]`Range: `trustfactor:[1 TO 3]`Greater than: `trustfactor:[3 TO *]` |
| `upload-source` | |
|-------------|------|
| Description | Search for samples that were uploaded with a specific source parameter. Possible sources: `s3`, `fileshare`, `azure-data-lake`, `smtp`, `abusebox`, `icap-proxy`, `falcon`, `api`, `rlsdk` |
| Examples | `upload-source:api`, `upload-source:s3` |
| `upload-source-tag` | |
|-------------|------|
| Description | Search for samples uploaded with a specific user-defined source tag. |
| Examples | `upload-source-tag:myapp`, `upload-source-tag:myemail*` |
| `uri-config` (`c2`) | |
|-------------|------|
| Description | Malware configuration C&C (Command & Control), extracted by Spectra Core. C&C infrastructure is used to control malware, particularly botnets. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `c2:*dns*`List (any of the values): `uri-config:[dydns.org, hldns.ru]` |
| `uri-dynamic` | |
|-------------|------|
| Description | Search for files by URI strings (URLs, domains) detected by ReversingLabs Dynamic Services. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `uri-dynamic:mozilla.org*`List (any of the values): `uri-dynamic:[*.tor,*.onion,*.exit]` |
| `uri-source` (`itw`) | |
|-------------|------|
| Description | Search for files by the URI source from which they were downloaded. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `uri-source:*warez*`List (any of the values): `itw:[softonic.com, *cnet.com]` |
| `uri-static` | |
|-------------|------|
| Description | Search for files by URI strings (URLs, domains) detected by Spectra Core. Case-insensitive wildcard matching is supported. |
| Examples | Wildcard: `uri-static:mozilla.org*`List (any of the values): `uri-static:[*.tor,*.onion,*.exit]` |
| `vertical` | |
|-------------|------|
| Description | Search for files by the type of vertical feed in which they were found. Case-insensitive wildcard matching is supported. |
| Examples | Exact: `vertical:ransomware`List (any of the values): `vertical:[ransomware,apt,financial]` |
### Supported File Types and Subtypes
- [Native files and subtypes](/General/SpectraCore/report-section/)
- [Native binary file types and identifications](/General/SpectraCore/report-native-binary/)
- [Native PE file types and identifications](/General/SpectraCore/report-native-pe/)
- [Native PE SFX file types and identifications](/General/SpectraCore/report-native-pe-sfx/)
- [Native multimedia file types and identifications](/General/SpectraCore/report-native-multimedia/)
- [Native text file types and identifications](/General/SpectraCore/report-native-text/)
- [Native ELF file types and identifications](/General/SpectraCore/report-native-elf/)
- [Native ELF SFX file types and identifications](/General/SpectraCore/report-native-elf-sfx/)
- [Native script file types and identifications](/General/SpectraCore/report-native-script/)
- [Verified software and package identities](/General/SpectraCore/appid-software/)
- [Known vulnerabilities](/General/SpectraCore/cve-list/)
- [Supported unpacking format list](/General/SpectraCore/report-unpacking/)
- [Spectra Core certificate trust store](/General/SpectraCore/cert-trust-store/)
### Supported Tags
See the complete list of [supported tags](/General/SpectraCore/core-tags/).
### Indicators
See the complete list of [Spectra Core Indicators](/General/SpectraCore/indicators/).
### Supported Languages for PE and Document Formats
| | | |
| -------------------------- | --------------------------- | ----------------------- |
| afrikaans | english belize | kannada |
| albanian | english can | kashmiri india |
| arabic algeria | english caribbean | kashmiri sasia |
| arabic bahrain | english eire | kashmiri |
| arabic egypt | english jamaica | kazak |
| arabic iraq | english nz | konkani |
| arabic jordan | english philippines | korean |
| arabic kuwait | english south africa | korean |
| arabic lebanon | english trinidad | kyrgyz |
| arabic libya | english uk | latvian |
| arabic morocco | english us | lithuanian classic |
| arabic oman | english zimbabwe | lithuanian |
| arabic qatar | english | lithuanian |
| arabic saudi arabia | esperanto | macedonian |
| arabic syria | estonian | malay brunei darussalam |
| arabic tunisia | faeroese | malay malaysia |
| arabic uae | farsi | malay |
| arabic yemen | finnish | malayalam |
| arabic | french belgian | maltese |
| armenian | french canadian | manipuri |
| assamese | french luxembourg | maori |
| azeri cyrillic | french monaco | marathi |
| azeri latin | french swiss | mongolian |
| azeri | french | nepali india |
| basque | french | nepali |
| belarusian | gaelic manx gaelic scottish | neutral |
| bengali | gaelic | norwegian bokmal |
| breton | gaelic | norwegian nynorsk |
| bulgarian | galician | norwegian |
| catalan | georgian | oriya |
| chinese hongkong | german austrian | polish |
| chinese macau | german liechtenstein | portuguese brazilian |
| chinese simplified | german luxembourg | portuguese |
| chinese singapore | german swiss | portuguese |
| chinese traditional | german | punjabi |
| chinese | german | rhaeto_romance |
| cornish | greek | romanian moldavia |
| croatian | gujarati | romanian |
| croatian | hebrew | romanian |
| czech | hindi | russian moldavia |
| danish | hungarian | russian |
| default | icelandic | russian |
| divehi | indonesian | saami |
| dutch belgian | invariant | sanskrit |
| dutch surinam | italian swiss | serbian cyrillic |
| dutch | italian | serbian latin |
| dutch | italian | serbian |
| english aus | japanese | sindhi |
| slovak | spanish peru | tswana |
| slovenian | spanish puerto rico | turkish |
| sorbian | spanish uruguay | ukrainian |
| spanish argentina | spanish venezuela | urdu india |
| spanish bolivia | spanish | urdu pakistan |
| spanish chile | spanish | urdu |
| spanish colombia | sutu | uzbek cyrillic |
| spanish costa rica | swahili | uzbek latin |
| spanish dominican republic | swedish finland | uzbek |
| spanish ecuador | swedish | venda |
| spanish el salvador | swedish | vietnamese |
| spanish guatemala | syriac | walon |
| spanish honduras | sys default | welsh |
| spanish mexican | tamil | xhosa |
| spanish modern | tatar | zulu |
| spanish nicaragua | telugu | |
| spanish panama | thai | |
| spanish paraguay | tsonga | |
---
## Spectra Analyze Alerts — Subscriptions, Delivery Methods & Notifications
The Alerts feature allows real-time monitoring to track changes in malware classification and analysis results. It automates notifications for specific events, allowing users to utilize their time more efficiently and be informed of malware status changes on-the-go.
Users can receive notifications about changes related to the samples on the appliance and in Spectra Intelligence. The notifications make it easy to monitor and track various malware analysis activities even when the users are away from the appliance. Users can choose how often they want to be notified, and where they want to receive the notifications. [Unresolved](#marking-alerts-as-resolved) alerts are indicated by a red badge on the alerts indicator in the top right of the interface, and by blue stripes to the left of the alerts grid.
The conditions that define when an alert should be generated are called **subscriptions**. Every subscription can be associated with one or more **delivery methods**.
Users can create and modify alert subscriptions from the [Subscriptions and Actions Management page](#managing-alerts). It is also possible to [create alert subscriptions for individual samples](#creating-a-new-alert-subscription) in the GUI.
Every alert subscription can have one or more delivery methods. Users can create and modify actions from the [Subscriptions and Actions Management page](./alerts.md#managing-alerts). When an alert is triggered, the notification is delivered to the destination(s) specified in the associated action(s).
If an alert subscription doesn’t have any associated delivery methods, the alert will only be visible on the Alerts page. The Alerts page provides an overview of all events on the appliance, including the ones generated by user-defined subscriptions. Users can filter the Alerts page to display only the alerts related to specific alert subscriptions.
**Important notes about the Alerts feature**
1. Alerts are sent only if there is a new event matching the conditions configured in the subscription. Alerts cannot be sent for events that occurred before a subscription was created.
2. Multiple alerts triggered for one subscription in the selected notification period will be aggregated and sent in a single email message.
3. The SMTP service must be configured on the appliance in order to receive emails about new alerts.
4. The maximum amount of hashes that the user can add to one subscription is 1000.
5. Only SHA1 hashes can be added to alert subscriptions.
6. The maximum amount of subscriptions a user can create is 10 000. This limit is not user-configurable. When the limit is reached, a notification appears in the GUI, warning the user that some old subscriptions should be removed in order to create new ones.
7. Alert subscriptions are private and visible only to the user who created them. When other users are logged into their accounts, they will not be able to see or modify subscriptions created by other users.
## Alert Types
The following table lists the currently supported types of alerts (notifications). To set up an alert and get notified when it is triggered, users have to [create a new subscription](./alerts.md#creating-a-new-alert-subscription).
| Alert Type | Alert Trigger |
|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Analysis Alerts | Analysis Alerts include notifications for Static Analysis, Threat Intelligence and RL Cloud Sandbox, tracking the progress of automated analysis. It also covers third-party sandbox integrations like Cuckoo and Joe Sandbox. |
| Classification change | A sample’s threat status has changed (e.g., from “suspicious” to “malicious”). |
| Sample available for download | A previously unavailable sample has become available for download from the Spectra Intelligence cloud. |
| YARA matches | A new sample has matched one or more YARA rulesets. [YARA Retroactive Hunting matches](./yara-retro.md) are also included. |
## Managing Alert Subscriptions and Delivery Methods
Users can view and manage their alert subscriptions from the [Alerts Configuration](#managing-alerts) page.
To access the page, click *Configure* on the Alerts page.
Alternatively, select **User menu > User profile** from the main menu. This opens the [User Settings](./initial-configuration.md#user-settings) page.
Alternatively, click *Configure* on the Alerts page.
The *Alerts Configuration* page is divided into two sections: *Alerts* and *Delivery Methods*.
All currently active subscriptions are listed in the *Alerts* section. Users can modify existing subscriptions by clicking *Edit*, or [create new ones](#creating-a-new-alert-subscription) by clicking **New Alert**.
Similarly, all actions that can be associated with alert subscriptions are listed in the *Delivery Methods* section. Users can modify existing actions by clicking *Edit*, or [create new ones](#creating-a-delivery-method) by clicking **New Method**.
### Creating a New Alert Subscription
To create a new alert subscription, open the *Alerts Configuration* page, and click **New Alert**.
The *New Subscription* dialog allows users to choose one or more event types and the associated delivery methods. Users can also add a custom name and description to every subscription, which makes it easier to distinguish between subscriptions and quickly check their scope.
In order to associate an alert subscription with a delivery method, users must first [create some delivery methods](#creating-a-delivery-method). When a delivery method is associated with an alert subscription, the details configured for the delivery method apply to that particular subscription. Any method can be associated with any number of active alert subscriptions. Likewise, any subscription can have more than one delivery method associated with it.
For example, if an action can define that email should be sent to *test@user.example* every 2 hours, any associated alert subscription will send alerts to that particular address at that particular frequency.
Saving the alert subscription makes it active on the appliance.
### Event Types
Depending on the selected event types, additional options become available in the *New Subscription* dialog.
**Analysis Alerts**
Subscribe to notifications for ReversingLabs services (Static Analysis, Threat Intelligence and RL Cloud Sandbox) and third-party services. Available alert stages depend on the analysis method and may include *Started*, *Finished*, and/or *Failed*.
**Classification Changes**
The Classification Changes event type allows choosing which changes in sample threat status will trigger an alert (for example, from goodware and suspicious to malicious). It is possible to select multiple threat status values in both configuration fields.
There are several optional checkboxes that allow setting up more fine-grained alerting criteria.
1. **On Risk Score change** - becomes visible for this event type when threat status values that support it are selected. Selecting the checkbox sends an alert when there is a transition in the [risk score](/General/AnalysisAndClassification/Classification/#risk-score) of a sample (for example, from low (6) to medium (7)), even if the threat status does not change.
For example, a sample's risk score can increase from 6 to 9, but the sample will still be classified as malicious. The alert is not sent when the risk score transition is within the same severity range (for example, medium (8) to medium (7)). Transitions in risk score values for goodware samples do not generate alerts.
2. **On threat name change** - selecting it will send an alert when the threat name of a sample changes, even if its threat status remains unchanged.
3. **Notify on specific hash(es)** - when this checkbox is selected, an additional *Sample hash values* text field becomes available. If any SHA1 hashes are entered into the text field, the alert is sent only for classification changes to those samples. When this checkbox is not selected, and no SHA1 hashes are provided, the alert is sent for classification changes to all samples on the appliance.
**Sample Available for Download**
The Sample available for download event type requires users to provide a list of at most 100 SHA1 hashes to monitor for availability.
If **Fetch and analyze** is enabled, samples will automatically be downloaded to the appliance when they become available.
**YARA Matches**
The YARA Matches event type accepts a list of YARA rulesets that a sample should match to trigger the alert. There is an autocomplete pull-down list with names of all YARA rulesets on the appliance. The maximum number of YARA rulesets is 20.
### Creating a Delivery Method
To create a new delivery method, open the *Alerts Configuration* page, and click **New Delivery Method**.
The *New Delivery Method* dialog allows users to choose the delivery method (where to send alerts about triggered events) and set the notification frequency (how often the alerts should be sent). Users can also add a custom name for every action.
Currently supported delivery methods include *E-mail* and *Syslog*.
Clicking *Save* saves the method, making it visible in the *Delivery Methods* section and available when creating or modifying an alert subscription
#### Creating a New Email Delivery Method
When the *E-mail* method is selected, an additional checkbox **Deliver to logged in user** becomes available. Selecting this checkbox will send alerts to the currently logged-in user, in addition to other email addresses provided in the *Additional email addresses* field. Each address should be in its own line in the text field.
The SMTP service must be configured on the appliance in order to receive alert emails from it. Appliance administrators should make sure the settings are properly configured in the **Administration > Configuration > SMTP** dialog.
When delivered to the configured address, the alert email contains information about which subscriptions have new alerts, and how many new alerts were generated for each subscription. The email also contains a link for each subscription. The link leads to the Alerts page on the appliance, filtered to display only alerts for the specified subscription.
#### Creating a New Syslog Delivery Method
When the *Syslog* method is selected, additional options become available in the dialog.
**Host** - requires the user to input the host address of the syslog server that should receive alerts
**Port** - requires the user to configure the port on which the syslog server should listen for alerts.
**Transport protocol** - allows choosing which communication protocol should be used to send alerts to the syslog server. Supported protocols are TCP and UDP. The protocol selected here affects which port number can be configured in the previous field
The **Message format** option allows users to customize how the alerts will appear in the logs. Users can combine any number of supported fields with custom text to adjust the contents of each alert. The default format (``*{sha1} - {alert_type} - {description}*``) is already configured here when creating a new action.
**Custom Message Examples**
```
{sha1} - {alert_type} - {description}
b8b3b60c13d3fbb6e1932dab72264410bab0a2ce - classification_change - Threat Status changed from 2 to 1 via Spectra Intelligence
```
```
The alert {label} was triggered on sample {sha1}
The alert New Malicious Detection was triggered on sample b8b3b60c13d3fbb6e1932dab72264410bab0a2ce
```
```
New {alert_type} alert received on file {sha1} with status {threat_status}
New classification_change alert received on file b8b3b60c13d3fbb6e1932dab72264410bab0a2ce with status 1
```
**Supported Message Fields**
| FIELD NAME | DESCRIPTION | TYPE |
| ---------------------- | ------------------------------------------------------------ | ------------- |
| alert_type | Type of the triggered alert - can be one of the currently supported types: classification_change, sample_available, ticloud_analysis_complete, ticloud_upload_complete, cuckoo_analysis_complete, yara_match | string |
| category | File category of the sample for which the alert was triggered, expressed as a number. The numbers correspond to the following categories: 0 - Other, 1 - Application, 2 - Mobile, 3 - Document, 4 - Web, 5 - Archive, 6 - Media, 7 - Email | integer |
| classification | Classification of the sample in human-readable format. | string |
| threat_status | Threat status assigned to the sample that triggered the alert, expressed as a number. The numbers correspond to the following threat statuses: 0 - No Threats Found, 1- Good, 2 - Suspicious, 3 - Malicious | integer |
| classification_reason | Reason for the classification that the sample received, expressed as a number. The numbers correspond to the following classification reasons: 0 - No Threats Found, 1 - Antivirus, 2 - Signature, 3 - Certificate, 4 - Format, 5 - Exploit, 6 - YARA, 7 - RHA1, 128 - User, 256 - Cloud | integer |
| threat_name | Detected malware threat name for the sample that triggered the alert (for example, Win32.Trojan.Adams). | string |
| classification_source | Source of the classification for the sample that triggered the alert, expressed as a number. The numbers correspond to the following sources: 0 - None, 1 - Spectra Intelligence, 2 - [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis), 4 - User, 257 - Spectra Intelligence from Parent, 258 - Spectra Core from Parent, 260 - User from Parent, 513 - Spectra Intelligence from Child, 514 - Spectra Core from Child, 516 - User from Child | integer |
| description | The full description of the triggered alert, as displayed in the *Details* column on the Alerts page. Depending on the alert, it may include the username of the user who submitted the sample for analysis, the analysis duration, analysis parameters, or the reasons the analysis failed (for example, "Static Intelligence Analysis Started for 72bbd2513901b1bda0f3a0fdc257d347531a8e7a by admin" or "Threat Intelligence analysis complete with classification Goodware."). | string | | string |
| factor | The risk score value, expressed as a number from 0 to 10, where 0 indicates the most trusted samples, and 10 indicates the most dangerous threats. | integer |
| family_name | The malware family name part of the threat name detected for the sample (for example, Marsdaemon, Orcus, Androrat…). | string |
| file_size | Size of the sample for which the alert was triggered, expressed in bytes. | integer |
| file_subtype | Subtype of the sample for which the alert was triggered, as detected by ReversingLabs static analysis (for example, TIFF, Clojure, HTML…). [See full list of file subtypes](./advanced-search.md#supported-file-types-and-subtypes) | string |
| file_type | Type of the sample for which the alert was triggered, as detected by ReversingLabs static analysis (for example, Document, Image, PE…). [See full list of file types](./advanced-search.md#supported-file-types-and-subtypes) | integer |
| hostname | Hostname of the system on which the sample that triggered the alert was analyzed or submitted. |
| identification_name | Identification of the sample for which the alert was triggered, as detected by ReversingLabs static analysis. Identification is not generated for all file types and subtypes; it is an optional field in the static analysis report that indicates a more detailed (usually signature-based) file detection. | string |
| identification_version | Version of the identified file format for the sample that triggered the alert (for example, Generic, 1.0, Container…). This is an optional field that is not generated for all file types and subtypes. | string |
| json | Returns all available information about the alert, serialized in JSON format. | string |
| label | Name of the alert subscription provided in the *Name* field of the *New Subscription* dialog. Users can modify the name for all alert subscriptions on the appliance. | string |
| malware_type | The malware type part of the threat name detected for the sample that triggered the alert (for example, Trojan, Adware, Rootkit…). | string |
| platform | The platform part of the threat name detected for the sample that triggered the alert (for example, Win32, Script-PHP, Linux…). | string |
| sha1 | SHA1 hash of the sample for which the alert was triggered. | string |
| subplatform | The subplatform part of the threat name detected for the sample that triggered the alert (for example, HTML, Macro, PDF…). The subplatform part is present in the threat name only for specific platforms (ByteCode, Document, Script). | string |
| timestamp | Date and time when the alert was triggered. | UTC timestamp |
| uuid | Unique string identifying the triggered alert. | string |
### Modifying Existing Alert Subscriptions
Only the user who created a subscription can modify it.
To modify an existing alert subscription, click the *Edit* link next to the subscription name in the *Subscriptions* tab on the *Subscriptions and Actions Management* page. The dialog that opens is the same as for [creating a new subscription](#creating-a-new-alert-subscription).
Here you can enable more, or modify any existing event types, or add/remove delivery methods.
If a YARA ruleset with an active subscription gets deleted from the appliance, the dialog will warn the user when modifying the subscription for the missing ruleset.
### Deactivating Alert Subscriptions
There are several ways to deactivate an existing alert subscription.
1. Click the *Edit* link next to the subscription name in the *Subscriptions* tab. In the dialog that opens, modify the *Actions* field and remove all selected actions from it. The subscription itself remains on the appliance, and can be reactivated at any point by adding new actions.
2. Click the *Delete* link next to the subscription name in the *Subscriptions* tab. This completely removes the subscription from the appliance. Alerts for the removed subscription will no longer be sent.
## Managing Alerts
The Alerts page displays all generated events on the appliance. Users receive alert emails only for those events that match the criteria defined in their subscriptions.
Alerts are displayed in a list and sorted by the time when they occurred (in descending order, with newest alerts at the top). The list contains information about every alert, including:
- alert resolution status (unresolved alerts are indicated by a blue stripe to the left of the table)
- type of alert;
- threat status indicator of the sample associated with the alert;
- time when the alert was triggered;
- full notification text
- threat name (if detected);
- file format and size;
Clicking the sample name in the notification column opens the [Sample Details](./Sample%20Details/sample-details-summary.md) page for the selected sample. Clicking any of the sample rows will expand it, showing additional information about a sample like in other pages on the appliance.
The action menu (☰) to the right of the *Resolved* column contains the *Configure* item, which opens the [Subscriptions and Actions Management page](#managing-alerts).
The total amount of triggered alerts on the appliance is displayed in the pagination section at the bottom of the page.
### Filtering Alerts
The toolbar above the list of alerts allows the users to filter alerts:
- by status (All, Resolved, Unresolved)
- by event type (All, Classification change, Sample available for download, YARA match, Cuckoo analysis complete, Spectra Intelligence upload complete, Spectra Intelligence analysis complete);
- by classification of the sample associated with an alert (All, Unknown, Goodware, Suspicious, Malicious);
- by the time when the alert was triggered (All, Custom, Today, Last Week…);
- by user or by alert subscription
When a subscription is deleted from the appliance, it is no longer visible in the user/subscription filtering menu. However, alerts triggered by that subscription will still be visible when the *My Alerts* option is selected.
Filters can be combined to get a more precise overview of the triggered alerts (for example, show all YARA match alerts for subscriptions created this week that returned malicious samples).
When the *Classification change* alert type is selected in the toolbar, there is an additional option to choose which classification changes should be listed (for example, from no threats found to malicious or from suspicious to malicious).
For the *YARA match* alert type, an additional field *Enter ruleset name* becomes available, allowing users to display only the alerts related to a specific YARA ruleset.
### Exporting Alerts
The *Export* pull-down menu in the toolbar allows copying the list of SHA1 hashes or exporting the list of alerts as a CSV file. Users can select which columns should be included in the exported CSV file.
Only the current page will be copied/exported, not the entire list of all alerts on the appliance. The number of alerts per page - that is, the number of alerts that will be included in each exported file - can be increased or decreased in the navigation bar at the bottom of the Alerts page.
### Marking Alerts as Resolved
When an incoming alert has been acknowledged and dealt with, it is possible to mark it as *Resolved* to keep the Alerts page up-to-date. To mark an alert as *Resolved*, select the *Resolve* option in the action menu on the right. The blue highlight will then be removed from the alert.
It is also possible to resolve multiple alerts at once. This is done by selecting several alerts and choosing the *Resolve selected* option from the topmost action menu (☰) in the Alerts page toolbar.
Only the current page of alerts can be resolved. Up to 1000 alerts can be resolved at once by increasing the amount of alerts per page in the navigation toolbar to 1000, then selecting and resolving all alerts on the page.
When the selected alerts are resolved, a notification appears with the total number of resolved alerts. If some alerts had previously been resolved, the appliance will detect this and will not count them towards the total.
Filtering the Alerts page by resolution status will show only resolved alerts, hide resolved alerts, or show all alerts on the appliance. The filter can also be used to show and export all resolved alerts as described in the [Exporting Alerts](#exporting-alerts) section.
Users can also undo the alert resolution by clicking *Unresolve* (for a single alert) or *Unresolve Selected* (for multiple alerts) in the action menu on the Alerts page.
### Automatically Removing Alerts
**Only appliance administrators can enable this option.** Users who would like to enable this option should contact their appliance administrator.
Depending on the number of alert subscriptions configured on the appliance, alerts can quickly accumulate, making it difficult to browse the Alerts page.
To prevent this, appliance administrators can define how long the alerts should be kept on the appliance. When the alerts are older than the configured period, they are automatically removed from the appliance.
The alert retention period can be configured in the **Administration > Configuration > Alert Management** dialog. By default, alerts are kept for 3 months and automatically deleted after that period. Other supported options are 1 month and 6 months.
## Monitoring Samples with Alerts
Apart from creating and editing alert subscriptions on the [Subscriptions and Actions Management page](#managing-alerts), users can quickly modify subscriptions by adding new samples from different sections of the GUI. This is useful for adding interesting samples to an existing alert, or for creating a new alert that will monitor the activity on multiple samples.
The following table lists the interface sections where samples can be added to a subscription using the *Subscribe* option, or removed from a subscription using the *Unsubscribe* option. The table also indicates which sections support bulk actions (adding/removing multiple samples to/from a subscription).
| Section | Supported Alert Types | Bulk Actions |
| -------------------------------- | ---------------------------------------------------- | ------------ |
| Advanced Search Results - Local | Classification change, Sample available for download | Yes |
| Advanced Search Results - Cloud | Classification change, Sample available for download | Yes |
| YARA ruleset matches | Classification change, Sample available for download | Yes |
| Sample Details | Classification change, Sample available for download | No |
| Sample Details > RHA results | Classification change, Sample available for download | Yes |
| Sample Details > Extracted Files | Classification change, Sample available for download | Yes |
| Tags | Classification change, Sample available for download | Yes |
To start monitoring a sample, open the action menu (☰) on the right side of the sample and select the *Subscribe* option.
This opens the *Subscribe to Hash Alert* dialog that allows creating a new alert or selecting an existing alert from the pull-down list.
Supported alert types are **Classification change** and **Sample available for download**. The dialog for creating a new alert is the same as in the [Creating a New Alert Subscription](#creating-a-new-alert-subscription) section.
If an existing alert is chosen in the pull-down list, the SHA1 hash of the selected sample is automatically added to the alert subscription. Users can then modify other fields in the subscription dialog, such as actions, before clicking *Submit* to save changes.
### Subscribing to Samples in Bulk
It is also possible to add more than one sample to an existing subscription, or to create a new subscription that will monitor several samples.
When multiple samples are selected on a page, the bulk actions menu (☰) is available in the header row of the sample list. To add the selected samples to an alert subscription, click the *Subscribe* item in the bulk actions menu.
Sample hashes can also be added to an existing alert subscription manually. To do that, access the *Subscriptions* tab on the [Subscriptions and Actions Management page](#managing-alerts) and click the *Edit* link next to the desired subscription.
In the dialog that opens, paste the SHA1 sample hashes into the *Sample hash values* text field and click *Submit*. Each hash should be in its own line in the text field.
### Removing Samples from Alert Subscriptions
Samples can also be removed from existing subscriptions. To remove one or more samples, use the *Unsubscribe* item from the sample action menu (or the bulk actions menu, if two or more samples are selected). A dialog appears, prompting the user to confirm the action.
Clicking *Unsubscribe* in the confirmation dialog removes the selected sample hashes from all subscriptions to which they were added. The subscriptions themselves are not removed or deactivated, and if they were configured to monitor other samples, the alerts will still be sent out for those samples.
Alternatively, samples can be removed from alert subscriptions manually, by editing the subscription from the *Subscriptions* tab. Click the *Edit* link next to a subscription, and in the dialog that opens, remove sample hashes from the *Sample hash values* text field.
## Tracking Unknown Hashes with Alerts
When searching for sample hashes on the appliance, the results can sometimes include unknown hashes. Those are hashes of samples that have not yet been found in the ReversingLabs system, or that are not available locally. (Note: this does not refer to hashes found in the system, but classified as Unknown.)
If the list of search results includes unknown hashes, they will be listed separately and accessible by clicking the *Not Found* filter/tab on the search results page. Users can subscribe to those hashes and get notified when they appear in the ReversingLabs system for the first time.
Supported alert types for unknown hashes are **Classification change** and **Sample available for download**. Unknown hashes can be added to new or existing alert subscriptions in the same way as described in the [Monitoring Samples with Alerts](#monitoring-samples-with-alerts) section.
## Setting Up Alerts for New YARA Ruleset Matches
The list of YARA rulesets on the YARA page also integrates with the Alerts feature. Apart from subscribing to individual samples from the list of matches on a YARA ruleset, it is also possible to subscribe to rulesets themselves. This type of alert is triggered when there is a new match for the subscribed ruleset.
To subscribe to a YARA ruleset from the YARA page, open the action menu (☰) on the right side of the ruleset and select the *Subscribe* option.
This opens the [New Alert dialog](#creating-a-new-alert-subscription) with the YARA Matches event type enabled, and the selected YARA ruleset automatically filled in.
Alternatively, users can create YARA ruleset match alert subscriptions from the [Alerts Configuration page](#managing-alerts).
---
## Spectra Analyze Dashboard — Submission Stats, Trends & PDF Reports
The **Dashboard** displays statistics related to the amount and type of files that have been [submitted](./file-submissions.md) and processed on the appliance within a specified time range.
## Dashboard UI
| UI element | Description |
| ---------- | ------------------- |
|  | [Advanced Search box](./#advanced-search-box) |
|  | [Time range filter](./#time-range-filter) |
|  | [Download Report button](./#download-report-button) |
### Advanced Search box
The [Advanced Search box](./advanced-search.md) is a text field where users can enter search queries and get a list of all supported keywords. Recent search queries are preserved across the **Dashboard** and [**Search & Submissions page**](./search-page.md).
Advanced search also supports [non-keyword](../advanced-search/#non-keyword-queries) searches, allowing the users to quickly build queries without using keywords.
### Time range filter
The time range filter allows users to set the period for which the data is displayed on the dashboard page. All time values refer to UTC time. By default, the time range filter is set to **Last Week**.
### Download Report button
Clicking the **Download Report** button exports the current state of the dashboard page into a PDF file.
## Analysis Statistics
**Analysis Statistics** breaks down the number of files submitted to the appliance into the total number of submitted files, total number of files extracted from submitted files, and total size of all submitted files. These are further categorized into analyzed emails, archives, apps and other file types.
Finally, this section also displays the [classification distribution](/General/AnalysisAndClassification/Classification) of analyzed files in the selected time range and their corresponding graphs. Hovering over the graphs displays the number of samples with that classification at specific points in time.
## Top Malicious Family Detections by Malware Type
**Top Malicious Family Detections by Malware Type** displays the most common malware types detected in files analyzed in the specified time range. The most prevalent threat families for each malware type are listed with the count of samples they were detected in. Clicking any of the entries in this section opens the advanced search page with local search results for the selected threat name and time range criteria.
## YARA Matches
**YARA Matches** show an overview of YARA hunting activities on the appliance and in the Spectra Intelligence cloud. Users can see a list of their [**Favorite**](../yara/#results) YARA rulesets or **Last Matched** rulesets. If there are no favorited YARA rulesets, the table defaults to the **Last Matched** view.
Both table views can be further filtered by match sources. Filtering can be configured to show **All**, **Local**, **Cloud**, **Local Retro**, or **Cloud Retro** matches.
Each table row shows the YARA ruleset name, its owner, one or more match sources, the number of matches per classification, the latest match time, and the number of new matches in the last 24 hours/7 days/30 days. Rules with matches in the last 24 hours have the label **NEW**.
Clicking a specific ruleset name opens the ruleset on the YARA page.
## Timeline Analysis for Detected Malware Samples
**Timeline Analysis for Detected Malware Samples** displays all malicious samples present on the appliance, highlighting the difference between their local and cloud classification times. This section always shows all available information as it is not affected by the time range filter at the top of this page.
The data set displayed here includes all malicious samples on the appliance, regardless of whether they were submitted to the appliance by the users or downloaded from Spectra Intelligence.
Depending on the time difference between the local and cloud classification times, all malicious samples available on the appliance fall into one of the following categories.
| Category | Description |
| --------------------- | ------------------------------------------------------------ |
| **Never Seen** | Samples classified as malicious by the appliance that were never seen in the Spectra Intelligence cloud. If the appliance is not connected to Spectra Intelligence, all malicious samples are categorized as **Never Seen**. |
| **More Than 30 Days** | Samples that were first seen in the Spectra Intelligence cloud more than 30 days after local classification as malicious. |
| **30 Days Prior** | Malicious samples that were first seen in the Spectra Intelligence cloud 7-30 days after local classification as malicious. Apart from the aggregate number of samples on top, this section is broken down into columns with daily totals. |
| **7 Days Prior** | Malicious samples that were first seen in the Spectra Intelligence cloud up to 7 days after local classification as malicious. Apart from the aggregate number of samples on top, this section is broken down into columns with daily totals. |
| **Same Day** | Samples that were locally classified as malicious and first seen in the Spectra Intelligence cloud on the same day. |
| **7 Days After** | Malicious samples that were first seen in the Spectra Intelligence cloud up to 7 days prior to local classification as malicious. Apart from the aggregate number of samples on top, this section is broken down into columns with daily totals. |
| **30 Days After** | Malicious samples that were first seen in the Spectra Intelligence cloud 7-30 days prior to local classification as malicious. Apart from the aggregate number of samples on top, this section is broken down into columns with daily totals. |
| **More Than 30 Days** | Malicious samples that were first seen in the Spectra Intelligence cloud 30-90 days prior to local classification as malicious. |
| **More Than 90 Days** | Malicious samples that were first seen in the Spectra Intelligence cloud more than 90 days prior to local classification as malicious. |
## Top Email Threats Collected During Sample Analysis
**Top Email Threats Collected During Sample Analysis** shows the list of email samples grouped by email address or email subject. It can be filtered and exported using the following options:
- **Classification filter**: by default, the table shows email samples classified as malicious, but it can be filtered to show goodware, suspicious, or samples with no threats found. Setting this filter to *All Classified* shows all email samples regardless of classification. If this filter option is selected, some table columns are left empty because every extracted email address/subject can originate from samples with varying classifications, and data can’t be aggregated in a meaningful way.
- **Filter by Email Address/Subject and Threat Name**: text fields that can be used to filter results by threat name and, depending on the option selected under *Pivot by*, either email address or subject. Both fields support autocompletion, and suggest only those options that exist in the table. Filtering by threat name is possible only when the table is filtered to show malicious or suspicious samples.
- **Pivot by**: drop-down list which controls the contents of the *Pivoting Information* column in the table (email address or email subject), and affects what can be filtered using the email filter text field.
- **Email address type filter**: available only when you select *Pivot by Email address*. This filter can be used to display samples that have the extracted email address in either the *To* or *From* field. This filter is disabled when the table is filtered to *Pivot by Email Subject*.
- **Export**: export the entire table as a CSV file. To export a single page, select it by clicking the checkbox on the far left, and then click *Export*. Selecting and exporting individual table rows is currently not supported.
The table data is organized into the following columns:
- **Checkbox**: click to select a single page when exporting data. Selecting and exporting individual table rows is currently not supported.
- **Risk Score**: all emails are assigned a [risk score](/General/AnalysisAndClassification/Classification/#risk-score) that corresponds to the severity value of the most prevalent threat name detected in samples containing the extracted email address or subject.
- **Last Seen**: indicates when the appliance last recorded the sample(s) containing the threat.
- **Threat Name/Threat Count**: the name of the threat with the most detections related to each entry, and the number of samples containing both the pivoting information and the detected threat. Click the threat name in this column to perform an [Advanced Search](./advanced-search.md) query.
- **Total Classified**: shows the number of classified email samples that contain the listed pivoting information. The title of this column dynamically changes to match the classification selected in the *Classification filter*.
- **Type**: this column is visible when using *Pivot by Email Address* and shows the type of email.
- **Pivoting Information**: contains the email addresses/subjects, depending on the option selected in the *Pivot by* filter. To see a list of samples containing a specific address/subject, click the links. Email-related tags are displayed below each of the entries. Click any of the links or tags to perform an [Advanced Search](./advanced-search.md) query.
- **Total Emails**: total number of samples containing the pivoting information.
## Top URIs Collected During Sample Analysis
**Top URIs Collected During Sample Analysis** shows a list of malicious and/or interesting URIs extracted from files analyzed in the specified time range. It can be filtered and exported using the following options:
- **Filter by Threat Name**: select a threat name from the drop-down list, or type a threat name into the text field. This field supports autocompletion, and suggests only those threat names that can be found in the table. To reset the filter, select “–” from the drop-down list.
- **Type**: from the drop-down list, select **Domain**, **Link** or **IP** to show URIs recognized as domains, links or IPv4 or IPv6 addresses. Click **All** to reset the filter to show all URIs.
- **Origin**: from the drop-down list, select whether to see URIs extracted as a result of static analysis, dynamic analysis, and/or those that have been extracted from malware configuration files. All three origin sources are enabled by default.
- **Export**: export the entire table as a CSV file. To export a single page, select it by clicking the checkbox on the far left, and then click *Export*. Selecting and exporting individual table rows is currently not supported.
The table data is organized into the following columns:
- **Checkbox**: click to select a single page when exporting data. Selecting and exporting individual table rows is currently not supported.
- **Risk Score**: all URIs are assigned a [risk score](/General/AnalysisAndClassification/Classification/#risk-score) that corresponds to the severity value of the most prevalent threat name detected in samples containing the extracted URI.
- **Last Seen**: indicates when the appliance last recorded the sample(s) containing the URI.
- **Threat Name/Threat Count**: if any threats are found within samples containing a specific URI, this column lists the most prevalent threat name, and the number of samples containing both the URI and the detected threat. Click the threat name in this column to perform an [Advanced Search](./advanced-search.md) query.
- **Total Count**: shows the number of samples containing the URI. Click the URI in the *Pivoting Information* column to perform an [Advanced Search](./advanced-search.md) query.
- **Type**: categorizes the URI as *Domain*, *Link*, or *IP*. URIs recognized as links have a **Download** button next to them, allowing the user to download and submit the URI for analysis. If the URI points to a web page, the appliance crawls its contents and downloads the web page as a compressed file. The page is crawled one level deep, regardless of the domain. URIs pointing to files are treated as single file downloads/submissions. All downloaded URIs can be found on the [Advanced Search](./advanced-search.md) page.
- **Pivoting Information**: contains all or specific URIs extracted from files on the appliance, depending on the option selected in the *Type* filter. To see a list of samples containing a specific URI, click the links. URI-related tags are displayed below each of the entries. Click any of the tags to perform an [Advanced Search](./advanced-search.md) query to find all files tagged with the same System Tag in the time range selected on the dashboard.
- **Origin**: indicates the source from which the appliance extracted each URI. Supported sources are static analysis results, dynamic analysis results, and malware configuration files.
---
## Analysis services
## Overview
Spectra Analyze supports optional integration with multiple first-party and third-party static and dynamic analysis services. Through these integrations, samples can be automatically submitted for dynamic analysis or reanalyzed on demand using any of the supported services.
All integrations work with samples submitted through the graphical user interface, as well as with those submitted via the [Submissions API](../API%20Documentation/submissions/). Analysis results are organized by analysis type in the navigation bar on the left of the [Sample Details Page](../Sample%20Details).
First-party integrations are:
- [ReversingLabs Cloud Sandbox](#reversinglabs-cloud-sandbox) for dynamic analysis.
- [ReversingLabs Auxiliary Analysis](#static-analysis) for static analysis.
Third-party integrations are always used for dynamic analysis, and they are:
- [CAPE Sandbox](#cape-sandbox)
- [Cisco Secure Malware Analytics](#cisco-secure-malware-analytics)
- [Cuckoo Sandbox](#cuckoo-sandbox)
- [FireEye Sandbox](#fireeye-sandbox)
- [Joe Sandbox](#joe-sandbox)
- [VMRay](#vmray)
## Integrations configuration
Analysis services must be configured on the **Administration > Integrations & Connectors > Integrations** page by an administrator. For more information, see [Integrations](../Administration/integrations-connectors/integrations).
### Notes on configuration options
#### Submitting distinct files
Some analysis services have the option to submit only distinct files; however, it is disabled by default.
Administrators can [enable this option](../Administration/integrations-connectors/integrations) to allow submitting only distinct files to an analysis service. When this option is enabled, if a file has already been submitted to Spectra Analyze and analyzed, it is not sent for reanalysis when it is submitted again. This option applies to files submitted using the GUI and the API. It does not affect the reanalysis feature - you can still submit files for reanalysis with any of the integrations even if the files have already been analyzed.
#### Queue limits and behavior
Some analysis services have queue limit for how many submissions can be simultaneously queued for analysis. Samples are considered queued if they are waiting for analysis or, in some cases, if they are in a processing state. If the queue is full, the appliance attempts to resubmit a sample up to five times, with a delay of 20 seconds between each attempt, before timing out. If it fails to resubmit the sample, that sample is removed from the queue.
## Dynamic analysis
### ReversingLabs Cloud Sandbox
For more information about configuring this integration, see [ReversingLabs Cloud Sandbox](../Administration/integrations-connectors/integrations#reversinglabs-cloud-sandbox).
Spectra Analyze is integrated with the ReversingLabs dynamic analysis API, providing historical information on all dynamic analyses performed on the detonated sample, with detected indicators of compromise available through [Advanced Search](./advanced-search.md) using the `uri-dynamic` and `ipv4-dynamic` keywords, as well as through sections on the [Sample Details Summary](../Sample%20Details/sample-details-summary/) page.
**Warning: Prerequisites**
For this service to be available, the appliance has to be connected to [Spectra Intelligence](../Administration/configuration-update/configuration/#spectra-intelligence).
If the service is enabled, historic dynamic analysis results are shown for all samples that have them.
#### Dynamic analysis reports
Full report details consist of:
- **General file details**: file name, hash, classification and other information.
- **Screenshot gallery**: click the thumbnail on the right to open a gallery of all collected screenshots, with the option to automatically advance through them in a slideshow. At the top of the gallery dialog, users can switch between different analyses to see the related screenshots.
- **History of dynamic analysis results**: table with the option to download dropped files and other artifacts for every individual analysis. These files are available for download for 1 year. If the analyzed sample is an email, this table also contains expandable sections with analysis reports for attachments and URLs found within the analyzed email sample.
- **Additional information**: available in a tabbed section with specific information obtained in dynamic analysis. This section can be filtered to show information from all performed analyses, or from a specific analysis. See the [ReversingLabs Cloud Sandbox API sections](/SpectraIntelligence/API/DynamicAnalysis) for a detailed explanation of individual fields.
On this page, you can also click the buttons in the top right corner to do the following:
- **Reanalyze**: reanalyze the sample using the ReversingLabs Cloud Sandbox.
- **Actions**:
- **Create PDF/HTML**: download the report as HTML or PDF. When a PDF or HTML report is created, a new one cannot be created before 30 minutes have expired. Downloading HTML or PDF reports for dynamic analysis is also possible via API. If a new report export is necessary before the 30 minute period expires, use the [Dynamic Analysis Report API](./API%20Documentation/dynamic-analysis-api.md).
- **Download Latest Dropped Files**: download the latest dropped files.
- **Send Latest Dropped Files to Static Analysis**: send the latest dropped files to static analysis.
#### Downloading artifacts
After a dynamic analysis run is completed, the following artifacts are available for download:
- **Screenshots**
- **PCAP file**
- **Memstrings**
- **Dropped files**
Downloading artifacts is possible only through the GUI.
The artifacts depend on each dynamic analysis run and can be downloaded from the **History of Dynamic Analysis Results** table, while the dropped files are available for download in the **Dropped Files** tab. These files are available for download for 1 year, the standard retention period for the Cloud Sandbox. The artifacts are downloaded as `.7zip` archives and their password is ***infected***.
#### Analysis options
| Option | Description |
|--------|-------------|
| **Platform** | Determines the platform the sample is executed on. Available as a per-analysis setting during file submission, and default settings per file type can be configured under [Administration > Integrations & Connectors > Integrations](../Administration/integrations-connectors/integrations). |
| **Timeout** | How long in seconds a sample can run in the sandbox virtual machine. Default: `200`, Min: `30`, Max: `500`. ReversingLabs Cloud Sandbox may allow the VM to run longer if additional runtime could extract more intelligence. The **timeout** value may differ from the total analysis time which is reported as **duration**, and which includes sample execution including any extra time granted by RLCS, VM restore, client setup, and post-processing, for example, sending dropped files to the host. |
| **Custom filename** | A custom filename that helps track the file across ReversingLabs services. If omitted, the system applies smart sample naming automatically. |
| **Internet simulation** | Defaults to `false`. If set to `true`, dynamic analysis is performed without connecting to the internet and uses a simulated network instead. Setting to `false` is the same as omitting it from the request. HTTPS traffic information is not monitored when using this parameter. |
| **Network traffic obfuscation** | When internet simulation is disabled/omitted and samples are allowed to connect to the internet, network traffic obfuscation measures are implemented to protect the analysis infrastructure. Traffic obfuscation is achieved through VPN routing that masks the origin of network requests, preventing external entities from identifying the analysis environment. |
| **Geolocation** | Geographic location associated with the sample's network activity, reflecting the configured country from which the network traffic is egressed, set via VPN or similar routing methods. |
| **Interactive analysis** | Execute the sample and interact with it in an interactive session. Only available through **Analyze/Reanalyze** dialogs. If selected, a new tab opens with the interactive session. Once the session expires or is stopped by the user, its results are visible under [Dynamic Analysis > Cloud Sandbox](../Sample%20Details/dynamic-analysis-results/). |
#### Configuration settings
For more information about configuring this integration, see [ReversingLabs Cloud Sandbox](../Administration/integrations-connectors/integrations#reversinglabs-cloud-sandbox).
By default, Spectra Analyze automatically retrieves existing ReversingLabs Cloud Sandbox reports for files submitted to the appliance. If a file wasn’t previously scanned in the ReversingLabs Cloud Sandbox, it can be manually uploaded for dynamic analysis, or you can enable [Automatic upload](../Administration/integrations-connectors/integrations#integrations) to do this automatically.
**Important: While the retrieval of existing reports is a basic Spectra Analyze feature, submitting files for dynamic analysis using the ReversingLabs Cloud Sandbox is available only as a feature preview with an upload limit of five samples per day. When the analysis quota is exceeded, the appliance shows a warning message whenever a new file is manually submitted for analysis. **
Full access to this feature is available at additional cost. For more information, contact [ReversingLabs Sales Support](mailto:insidesales@reversinglabs.com).
If the [Automatic file retrieval](../Administration/integrations-connectors/integrations#integrations) option is enabled, all files dropped during dynamic analysis that are within configured file size limits are downloaded to the appliance and analyzed locally.
To allow dynamic analysis results to affect the final sample classification, enable the [Include in classification](../Administration/integrations-connectors/integrations#integrations) option. When enabled, all future sample uploads, as well as any reanalyzed samples, may receive their final classification from the ReversingLabs Cloud Sandbox. Samples that already had a recent dynamic analysis classification before the option was enabled update their classification once their [Sample Details Summary](../Sample%20Details/sample-details-summary/) page is opened, or during regular appliance synchronizations with Spectra Intelligence.
Only ReversingLabs Cloud Sandbox can be configured to affect the final sample classification. Other analysis results do not affect the overall final classification of the sample, but are, rather, another source of information for analysts.
Administrators can also specify which [File types](../Administration/integrations-connectors/integrations#file-types) are automatically submitted for dynamic analysis. The maximum supported file size of each individual sample submitted to the ReversingLabs Cloud Sandbox is 400 MB.
### CAPE Sandbox
For more information about configuring this integration, see [Integrations - CAPE Sandbox](../Administration/integrations-connectors/integrations#cape-sandbox).
| Maximum supported file size | Submitting only distinct files | Queue limit & behavior |
| --------------------------- | ------------------------------ | ---------------------- |
| 400 MiB | [Supported](#submitting-distinct-files) | Up to 60 submissions. Samples are considered queued if waiting for analysis. Running/processing samples do not count towards limit. For more information, see [Queue limits and behavior](#queue-limits-and-behavior). |
CAPE analysis reports are added under [Dynamic Analysis > CAPE](../Sample%20Details/dynamic-analysis-results/). CAPE offers two types of analysis: *Behavioral* and *Network*.
If enabled by an administrator, there is also a **See Task on CAPE** button at the top right of the section. This button redirects to the CAPE web interface, where it is possible to see more information about the file, and compare it to other analysis results.
### Cisco Secure Malware Analytics
For more information about configuring this integration, see [Integrations - Cisco Secure Malware Analytics](../Administration/integrations-connectors/integrations#cisco-secure-malware-analytics).
| Maximum supported file size | Submitting only distinct files |
| ------------------------------ | ------------------------------ |
| 250 MiB | Not supported |
When Cisco Secure Malware Analytics finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed under [Dynamic Analysis > Cisco Secure Malware Analytics](../Sample%20Details/dynamic-analysis-results/).
Available reports from this integration include:
- **Dropped files**
- **Indicators of compromise**
- **Networking**
### Cuckoo Sandbox
For more information about configuring this integration, see [Integrations - Cuckoo Sandbox](../Administration/integrations-connectors/integrations#cuckoo-sandbox).
| Maximum supported file size | Submitting only distinct files | Queue limit & behavior |
| ---------------------------- | ------------------------------ | ---------------------- |
| 400 MiB | Not supported | Up to 60 submissions. Samples are considered queued if waiting for analysis. Running/processing samples do not count towards limit. For more information, see [Queue limits and behavior](#queue-limits-and-behavior). |
Cuckoo reports are added under [Dynamic Analysis > Cuckoo](../Sample%20Details/dynamic-analysis-results/). Cuckoo offers two types of analysis: *Behavioral* and *Network*.
If enabled by an administrator, there is also a **See Task on Cuckoo** button at the top right of the section. This button redirects to the Cuckoo interface, where it is possible to see more information about the file, and compare it to other analysis results.
### FireEye Sandbox
For more information about configuring this integration, see [Integrations - FireEye Sandbox](../Administration/integrations-connectors/integrations#fireeye-sandbox).
| Maximum supported file size | Submitting only distinct files | Queue limit & behavior |
| ---------------------------- | ------------------------------ | ---------------------- |
| 100 MiB | Not supported | Up to 100 submissions. Samples are considered queued if waiting for analysis or already being processed. For more information, see [Queue limits and behavior](#queue-limits-and-behavior). |
If FireEye is enabled by an administrator, the **Fetch profiles** button retrieves a list of profiles available on the FireEye instance. Supported file types can be assigned to profiles that are used for dynamic analysis. Each file type can be assigned to only one profile.
New samples of the supported file type assigned to a profile are automatically sent for dynamic analysis.
When FireEye finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed under [Dynamic Analysis > FireEye](../Sample%20Details/dynamic-analysis-results/).
For more details on configuring and using the FireEye integration, contact ReversingLabs Support ([support@reversinglabs.com](mailto:support@reversinglabs.com)).
### Joe Sandbox
For more information about configuring this integration, see [Integrations - Joe Sandbox](../Administration/integrations-connectors/integrations#joe-sandbox).
| Maximum supported file size | Submitting only distinct files | Queue limit & behavior |
| ---------------------------- | ------------------------------ | ---------------------- |
| 400 MiB | [Supported](#submitting-distinct-files) | Up to 20 submissions. Samples are considered queued if waiting for analysis. Running/processing samples do not count towards limit. On timeout, displays "Failed Upload" status message under [Dynamic Analysis > Joe Sandbox](../Sample%20Details/dynamic-analysis-results/). If this happens, the failed sample no longer remains in the queue. For more information, see [Queue limits and behavior](#queue-limits-and-behavior). |
If Joe Sandbox is enabled by an administrator, the **Fetch profiles** button retrieves a list of profiles available on the Joe Sandbox instance. Supported file types can be assigned to profiles that are used for dynamic analysis. Each file type can be assigned to only one profile.
New samples of the supported file type assigned to a profile are automatically sent for dynamic analysis.
Appliance administrators can check the status of the Joe Sandbox service on the [System Status](/SpectraAnalyze/Administration/usage-alerts/system-status/) page, under **External Services Connectivity**.
Joe Sandbox analysis reports are added under [Dynamic Analysis > Joe Sandbox](../Sample%20Details/dynamic-analysis-results/). Clicking the section name in the sidebar opens the page with general information about Joe Sandbox, and details about the latest analysis.
If enabled by an administrator, there is also a **See Task on Joe Sandbox** button at the top right of the page.
The **Behavior Analysis** tab contains the process tree menu obtained from the Joe Sandbox JSON report.
The **Network Analysis** tab displays all network activity detected during dynamic analysis. The following protocols are listed: TCP, UDP, DNS, HTTP, HTTPS, FTP, ICMP, IRC and SMTP.
The **Domains/IPs/URLs** tab shows the extracted URIs in three separate tabs as they are differentiated in the HTML report. Public and private IP addresses are not in separate tabs; instead, they have a boolean attribute *Private* visible in the list.
### VMRay
For more information about configuring this integration, see [Integrations - VMRay](../Administration/integrations-connectors/integrations#vmray).
| Maximum supported file size | Submitting only distinct files |
| ------------------------------ | ------------------------------ |
| 305 MiB | Not supported |
There is no need to retrieve available profiles/environments from VMRay and assign file types to specific platforms. Samples are sent to dynamic analysis according to how the VMRay instance is configured.
When VMRay finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed under [Dynamic Analysis > VMRay](../Sample%20Details/dynamic-analysis-results/).
## Static analysis
For more information about configuring this integration, see [Integrations - Static analysis](../Administration/integrations-connectors/integrations#static-analysis).
### Auxiliary analysis reports
| Maximum supported file size | Submitting only distinct files |
| ------------------------------ | ------------------------------ |
| 100 MiB | Not supported |
When ReversingLabs Auxiliary analysis finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed from the [Sample Details page](../Sample%20Details) under **Auxiliary Analysis**.
The report for this integration includes the following report fields, including, but not limited to: general sample information, detected heuristics, ATT&CK information, extracted files, IOCs, threat score, and more.
The threat score of each file, including the sample and all extracted files, indicates its severity and helps interpret the classification.
| Score | Classification interpretation |
|-----------|-------------------------------|
| - 1000 | Clean |
| 0 - 299 | Informational |
| 300 - 699 | Suspicious |
| 700 - 999 | Highly suspicious |
| >= 1000 | Malicious |
### Auxiliary analysis services
| Service name | Speciality |
|:---------------------|:-------------------|
| APKaye | Android APK |
| Ancestry | File genealogy |
| Batchdeobfuscator | Deobfuscation |
| CAPA | Windows binaries |
| Characterize | Entropy analysis |
| ConfigExtractor | IoC extraction |
| DeobfuScripter | Deobfuscation |
| DocumentPreview | Visualization |
| EmlParser | Email |
| Espresso | Java |
| Extract | Compressed file |
| Floss | IoC extraction |
| FrankenStrings | String extraction |
| JsJaws | Javascript |
| MetaPeek | Meta data analysis |
| Oletools | Office documents |
| Overpower | PowerShell |
| PDFId | PDF |
| PE | Windows binaries |
| PeePDF | PDF |
| PixAxe | Images |
| Swiffer | Adobe Shockwave |
| TorrentSlicer | Torrent files |
| Unpacker | UPX Unpacker |
| ViperMonkey | Office documents |
| XLMMacroDeobfuscator | Office documents |
---
## File and URL Submissions
## Submitting Files for Analysis
Files can be submitted to the appliance:
- [manually](#manual-uploads) through the graphical user interface:
- as a direct file upload
- as a link to the file (which the appliance then downloads)
- using the [Submissions API](API%20Documentation/submissions.md)
- using [Connectors](/SpectraAnalyze/Administration/integrations-connectors/connectors/), which pull files from one or more configured sources
- by pivoting from a previously analyzed sample:
- from the [Spectra Detect Manager dashboard](/SpectraDetect/Usage/Dashboard/#product-integration-with-spectra-analyze)
- from an S3 file link in a [Spectra Detect Worker report](/SpectraDetect/Usage/Analysis)
- using the [ReversingLabs browser extension](https://chromewebstore.google.com/detail/reversinglabs-browser-ext/hdnaiimefhaiglkbjdcioegcoofbnomm).
**Tip: The ReversingLabs browser extension is available on the [Chrome Web Store](https://chromewebstore.google.com/detail/reversinglabs-browser-ext/hdnaiimefhaiglkbjdcioegcoofbnomm). It enables you to query domains, URLs, IP addresses, and hashes from web pages and submit files for analysis.**
### Manual uploads
Samples can be manually uploaded to Spectra Analyze from any page in the interface by clicking the **Submit** button in the header bar and selecting **File Analysis**. Alternatively, you can submit files programmatically using the [Submissions API](./API%20Documentation/submissions.md) as part of an automated workflow.
In the File Analysis dialog, click **Browse Files** to upload files from your local system, or enter a direct File URL. Then click **Submit** to process the files using the current appliance configuration.
To customize the submission, use the [link below](#advanced-analysis-options) the form to choose specific analysis services.
If you're using the RL Cloud Sandbox, you can also specify a custom filename, the target platform, locale, geolocation, toggle Internet Simulation on/off, and set an execution timeout (between `30` and `500` seconds, the default value is `200`). and request an interactive analysis session.
A progress bar in the header indicates the upload status while files are uploading. Navigating away from the page or refreshing the browser tab during upload is not supported and will cancel the upload.
#### Advanced Analysis Options
Uploaded samples will follow your current appliance settings, but you can make a one-time adjustment for each upload, such as sending the file to Threat Intelligence (Spectra Intelligence) for threat reputation info, or using one of the sandbox integrations.
- If **Local Only Analysis** is selected, the file is analyzed exclusively on the appliance. The sample is **not** sent to any configured integrations, sandboxes, or Spectra Intelligence services.
- **Protected File**: Some security solutions opt to put suspicious and malicious files, such as email attachments, into password-protected archives before passing them on for further analysis, using the archive format as a secure means of transport. If you're submitting such a password-protected archive, you can also provide a one-time password here.
**Note: This feature expects the ZIP file to contain **only one file** and will, upon successful extraction, upload only the extracted file and discard the archive. Only CRC32 encrypted ZIP files are supported. AES encryption is not supported at this time.**
This specific unpacking mechanism is triggered by providing a password. For general password-protected archive usage uploads (where multiple files can be extracted and processed), perform a regular upload with a preconfigured password list (*Administration > Configuration > Password List*).
### File Processing
When a file is submitted to the appliance, it is [processed with Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis). Depending on the appliance configuration, samples with supported file types can be automatically sent to dynamic analysis services after they are submitted to the appliance. The file becomes visible in the **Local** tab on the **Search & Submissions** page.
Detailed analysis results can be viewed in the [Expanded Details](./search-page.md#expanded-details) section, or on the file's [Sample Details](./Sample%20Details/index.md) page.
The duration of the analysis depends on file sizes and file types, as well as the number of files extracted during analysis. Extracted files are also analyzed separately.
After initial processing by Spectra Core, users can optionally [submit it to Spectra Intelligence and/or supported dynamic analysis services](./search-page.md#reanalyzing-files-and-urls), if configured on the appliance. Spectra Intelligence scanners that support archive unpacking and heuristic analysis automatically perform those steps during processing.
**Note: For CAPE and Joe Sandbox, previously analyzed files will not be automatically sent for analysis again if the *Submit only distinct files* option is configured. Administrators can configure this on the **Administration ‣ Integrations** page.**
### File Size Restrictions
- The maximum supported file size for upload on Spectra Analyze is 10 GB. This value can be configured in *Administration > Configuration > General > File Size Limit.*
- Files larger than 400 MB cannot be submitted for dynamic analysis (individual dynamic analysis integrations have even lower limits).
- YARA rulesets are not applied to extracted files larger than 700 MB.
New files cannot be submitted to Spectra Analyze if the disk space usage on the appliance exceeds the set value.
If this happens:
- [manually remove old samples](./search-page.md#deleting-submitted-files-and-urls)
- ask the administrator to run the [Backup and Purge](/SpectraAnalyze/Administration/configuration-update/backup-purge/) action before continuing to submit new files
- increase the disk size in *Administration > Configuration > Resource Usage Limits* (see [System Configuration](/SpectraAnalyze/Administration/configuration-update/configuration/#resource-usage-limits) for more information).
### Pivoting from Spectra Detect
If Spectra Analyze is connected to Spectra Detect (either to individual Workers, or a cluster managed by Spectra Detect Manager), it can pull files from a preconfigured S3 bucket or directly from Spectra Detect Manager. Both of these options must first be [configured](/SpectraDetect/Usage/Dashboard#product-integration-with-spectra-analyze) on Spectra Detect.
The pivot link is present in the dashboard of Spectra Detect Manager, as well as in the Worker JSON report under `file_link`. When you open the link, Spectra Analyze will pull the previously analyzed file from the preconfigured source and will reanalyze it.
Imported files will be [tagged](../tags) with the `spectra_detect` tag.
## Submitting URLs for Analysis
The URL analysis service provides comprehensive analysis of submitted URLs through advanced web intelligence gathering and threat detection capabilities. The service performs DOM analysis to detect malicious content, captures visual evidence, maps network infrastructure (IP addresses, DNS, SSL/TLS certificates, domain registration), and executes URLs in sandbox environments to observe runtime behavior and track redirection chains.
URLs can be manually uploaded to the Spectra Analyze from any page of the interface by clicking the **Submit** button on the header bar and selecting **URL Analysis** from the menu, or via the [Submissions API](./API%20Documentation/submissions.md) as part of an automated workflow.
In the URL submission dialog that opens, enter the full URL of a website including the protocol (*https://www.example.org*), or a full link to a single file (*http://www.example.org/documents/reports/year-report.pdf*). Supported protocols are HTTP and HTTPS.
**Important**: Files are downloaded only from the submitted URL with no recursion (crawl depth = 1). For example, if you submit `http://www.example.com/freshcontent`, only that specific URL will be analyzed—`http://www.example.com/freshcontent/newest` will not be included.
The service downloads and analyzes up to 50 samples per analysis (each up to 100 MB), with files processed through the ReversingLabs threat detection pipeline.
### Crawling Methods
### Crawling Methods
Optionally, users can enable URL Crawling to download and analyze files from a submitted URL.
- **Spectra Intelligence**: By default, URLs are crawled using the **Spectra Intelligence** crawling method. This requires Spectra Intelligence to be configured on the appliance.
When using the Spectra Intelligence crawling method, users have the additional option of submitting the URL for [dynamic analysis](./dynamic-analysis.md#reversinglabs-cloud-sandbox) to the ReversingLabs Cloud Sandbox. In addition to automated dynamic analysis, users can choose to enable [interactive analysis](./dynamic-analysis.md#interactive-analysis), which provides manual control over the browser session during execution.
- **Local**: If enabled by the appliance administrator, users can also select the **Local** crawling method. This method doesn't require Spectra Intelligence to be configured, and disables all Spectra Intelligence features, such as dynamic and interactive analysis.
**Important: Privacy**
For more information on these methods, refer to the [Privacy of Submitted Files and URLs](#privacy-of-submitted-files-and-urls) chapter.
Click **OK** to confirm URL submission, or **Cancel** to close the submission dialog. The submission cannot be confirmed if the URL is invalid.
The [Search & Submissions](./search-page.md) page displays comprehensive analysis results for the submitted URL, including all downloaded files, network intelligence data, visual evidence, and behavioral analysis findings. If any of the analyzed components are malicious or suspicious, the overall verdict for the URL reflects the highest threat level detected.
The submission type indicator icon on the left side of the page helps distinguish between files downloaded to the appliance via a URL (the link icon) and files directly submitted to the appliance (the folder icon).
**Analyzing Data from Submitted URLs**
The analysis duration depends on multiple factors including the number of files downloaded (up to 50), their sizes and file types, DOM complexity, network infrastructure resolution, and dynamic execution requirements. Each downloaded file is also analyzed separately through the complete threat detection pipeline. The timeout for URL submissions is 45 minutes.
URL submissions undergo comprehensive analysis including static file analysis with the Spectra Core engine, network infrastructure mapping, DOM analysis, and visual documentation. Users can manually send components for additional analysis to Spectra Intelligence and/or configured dynamic analysis services using the [Reanalyze option](./search-page.md#reanalyzing-files-and-urls). This integration with Spectra Intelligence and dynamic analysis services must be configured by appliance administrators.
All files and websites downloaded to the appliance via the URL submission dialog are automatically assigned the *URL Download* User Tag. This tag is visible in the Expanded Details and on the Sample Details page for every file and website. Clicking the tag opens the Tags page filtered to display all files with the *URL Download* tag. Users can then sort the files and perform bulk actions, such as reanalyzing them or adding them to alert subscriptions.
### URL Submission Restrictions
The URL analysis service has the following limitations:
- **File Limits**: Up to 50 files can be downloaded and analyzed per URL submission, with each individual file limited to 100 MB
- **Total Data Limit**: The maximum allowed size of all data downloaded from submitted URLs can be configured by the appliance administrator. By default, it is limited to 200 MB. This value is configurable by appliance administrators in the **Administration ‣ Configuration ‣ URL Analysis** dialog. The maximum configurable value is 700 MB.
- **Crawl Depth**: Analysis is limited to the submitted URL only (crawl depth = 1) with no recursive crawling of linked pages
In addition to these limits, submitting a URL using the Spectra Intelligence crawling method will also compare individual components of the submitted URL to the Maximum Fetch File Size value in **Administration > Configuration > Spectra Intelligence**. Any files going over this limit will be skipped. The maximum configurable value is 2000 MiB.
If the download request fails, the URL submission is marked as failed. Users can attempt to reanalyze the submission by selecting the **Retry analysis** option in the actions menu (☰). This option is available for individual submissions only (not for multiple submissions at once).
## Privacy of Submitted Files and URLs
**Note: Refer to the [Privacy](/General/SecurityAndAccessControl/Privacy/) chapter for more information and best practices.**
### File Submissions
All files submitted to the appliance are accessible to all users with accounts on that Spectra Analyze instance.
While each submission is associated with a particular user (the one who submitted the file or URL), actual files on the local appliance system are not owned by any of the users in the traditional sense of file ownership. Therefore, all users on the Spectra Analyze instance can download, reanalyze, subscribe/unsubscribe, add tags, and manually change classification for any file uploaded by another user.
### URL Submissions
When submitting URLs for analysis, be aware of the following privacy implications:
- URL analysis can only access and analyze publicly reachable online resources
- All submitted URLs and downloaded files are treated as public and accessible to all Spectra Intelligence users
- URLs are automatically normalized during submission, which may remove or convert duplicate and empty elements
#### Crawling Methods
Depending on which crawling method is selected, files obtained from the submitted URLs are treated differently.
- The `Spectra Intelligence` crawling method (default) is more reliable when working in restricted network conditions and ensures fewer failed URL analyses. However, all downloaded files are treated as public, and will be visible and accessible to all Spectra Intelligence users. **The prerequisite for this is a properly configured Spectra Intelligence account on the appliance.**
- The `Local` crawling method will treat the URL as any other locally submitted file. The contents of the URL are crawled and downloaded directly. This method can be used without a Spectra Intelligence account and must be enabled by the appliance administrator. If Spectra Intelligence is configured and is using a proxy, the same proxy will be used to crawl the URLs when using this method.
Appliance administrators can delete files submitted by other users. Regular users can only delete their own submissions.
### Spectra Intelligence
If the appliance is connected to Spectra Intelligence, all submissions can be:
- Manually uploaded to be analyzed with AV engines. This is done with the [Reanalyze option](./search-page.md#reanalyzing-files-and-urls).
- Automatically uploaded (*Administration > Configuration > Spectra Intelligence > Automatic Upload to Spectra Intelligence*). This is disabled by default.
Whether submitted files will be shared with other ReversingLabs customers depends on the role configured for the Spectra Intelligence account used by the appliance.
**Spectra Intelligence accounts created to be used with Spectra Analyze appliances are always configured as private (non-shareable)**, meaning that other ReversingLabs customers may only be able to access analysis results for the files, but not retrieve their contents.
However, if those same files are uploaded to Spectra Intelligence as shareable from another source, they will cease to be treated as private. In that case, other ReversingLabs customers may be able to download the files, their metadata, and their analysis results through other ReversingLabs solutions (such as APIs and Feeds).
If Spectra Intelligence is not configured on Spectra Analyze, files are only preserved on the local appliance system and accessible only to users on that instance.
### ReversingLabs Cloud Sandbox
Whether submitted files, PCAP files, dropped files, and memory string dumps will be shared with other ReversingLabs customers depends on the role configured for the Spectra Intelligence account used to upload files.
If the account is configured to upload all files as not shareable (private), other ReversingLabs customers will only be able to access analysis results, but not retrieve the actual contents of uploaded files, dropped files, PCAP files or memory string dumps. **This is the default setting for Spectra Intelligence accounts created to be used on Spectra Analyze appliances.**
If the account is configured to upload all files as shareable (not private), other ReversingLabs customers will be able to access analysis results, but also download the uploaded files, dropped files, PCAP files, and memory string dumps generated during file execution.
---
## Getting started with Spectra Analyze
This guide walks you through your first malware analysis with Spectra Analyze. You will configure the Spectra Intelligence cloud connection, upload a file, view the analysis report, and understand the classification result.
## Prerequisites
Before you begin:
- Spectra Analyze is deployed and accessible on your network (hardware appliance, OVA, or cloud instance)
- You have login credentials (username and password)
- Your browser is up to date (Chrome recommended)
If you have not yet deployed Spectra Analyze, see [Setup and initial configuration](./initial-configuration.md).
**Tip: Initial credentials**
Your initial administrator username and password are provided by [ReversingLabs Support](mailto:support@reversinglabs.com). Change the default password after your first login.
## Step 1: Configure the Spectra Intelligence cloud connection
Spectra Analyze enriches every analyzed file with data from [Spectra Intelligence](/SpectraIntelligence/) — a cloud threat intelligence service that provides scanner results, threat names, and community classifications. Without this connection, Spectra Analyze still performs local static analysis, but enrichment data will be missing from reports.
1. Navigate to **Administration > Configuration > Spectra Intelligence**.
2. Enter your Spectra Intelligence **username** and **password**.
3. Select **Test connection** to confirm the appliance can reach `appliance-api.reversinglabs.com`.
4. Select **Save**.
If the connection test fails, verify that your network allows outbound HTTPS (port 443) to `appliance-api.reversinglabs.com`. You may also need to allowlist the Cloudflare IP ranges and `185.64.132.0/22`. See [IP/domain allowlisting](./initial-configuration.md#ipdomain-allowlisting) for details.
**Note: If you do not yet have Spectra Intelligence credentials, contact [ReversingLabs Support](mailto:support@reversinglabs.com).**
## Step 2: Access the web interface
Open your browser and navigate to the Spectra Analyze appliance URL provided by your administrator (for example, `https://spectra-analyze.example.com`).
Log in with your credentials. After logging in, you land on the **Dashboard**, which shows recent analysis activity and system status.
## Step 3: Upload a file for analysis
1. Select **Submit** from the header bar.
2. Select the file you want to analyze. Supported formats include executables, archives, documents, and mobile apps — over 400 formats in total.
3. Optionally add a comment or tags to help organize your results later.
4. Select **Upload**.
Spectra Analyze submits the file to [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) for static analysis. Most files complete analysis within seconds.
## Step 4: View the analysis report
When analysis completes, the file appears in your results list. Select the file to open its **Sample Details** page.
The report includes:
- **Classification** — Malicious, Suspicious, Goodware, or Unknown, with a risk score from 0 to 10
- **Threat name** — For malicious files, the malware family name
- **Indicators** — Extracted behavioral indicators mapped to [MITRE ATT&CK](https://attack.mitre.org/) tactics
- **Extracted files** — Child files unpacked from archives or installers
- **Metadata** — File hashes, format details, certificate information
See [Sample Details](./Sample%20Details/index.md) for a full explanation of every report field.
## Step 5: Understand your results
Spectra Analyze classifies every analyzed file and assigns a risk score. This section explains how to read and interpret that classification.
**Info: Read more about the ReversingLabs [classification algorithm](/General/AnalysisAndClassification/Classification).**
### Color coding and sample status
Spectra Analyze uses consistent color coding throughout the interface to indicate sample classification and risk.
Inside each symbol is the sample's risk score. Samples with no threats found do not have a risk score.
Samples with a risk score of 5 are represented using a unique icon. The indicators found during analysis were deemed insufficient to classify the file as definitively malicious or benign. These samples have a higher chance of changing classification if new information becomes available.
Color-coded indicators appear in the following parts of the interface:
- **YARA page** — statistics about ruleset matches
- **Sample Details page** — as the background color of the Report Summary Header
- **How We Caught This tab** — in the File Similarity and File Classifications sections
- **URI stats** — on the Interesting Strings, Network References, and Malware Configurations tabs
### Understanding the risk score
The risk score is a numerical value from 0 to 10 that indicates the severity of the classification.
| Risk score | Classification | Meaning |
|---|---|---|
| 0 | Unknown | Not enough information to classify |
| 1 | Goodware | Known-clean file |
| 2–4 | Suspicious | Concerning indicators, not confirmed malicious |
| 5 | Suspicious | Insufficient indicators to confirm malicious or benign; classification may change |
| 6–10 | Malicious | Confirmed malware; higher scores indicate greater severity |
Risk scores are assigned by the severity of the detected threat. Values from 0 to 5 are reserved for samples classified as goodware or known. Lesser threats like adware get a risk score of 6, while ransomware and trojans always get a risk score of 10.
Some users may choose to ignore lower risk classifications, but those samples are still classified as malicious to warn about potential threats, such as installers that have embedded adware.
Some Spectra Analyze APIs return sample classification as a numerical value: `0` for unknown, `1` for goodware, `2` for suspicious, and `3` for malicious.
### Understanding the classification reason
The classification reason specifies which technology detected a threat. Files usually have multiple detections from more than one classifier, but the classification reason tile specifies which one produced the final classification.
The final classification always matches one of the classifiers, but individual classifiers may have differing results between them. Due to differences in how different malicious samples and malware families behave, some samples might end up classified as malicious by one technology, and still be considered goodware by others. This does not negate or diminish the final classification — it is why Spectra Analyze uses multiple sources to classify files.
Overlooking the classification reason may result in confusion. For example, adding custom YARA rules to Spectra Analyze is a powerful malware hunting feature, but improperly written rulesets can be too broad and result in a large number of samples suddenly getting classified as malicious by a YARA rule, even though everything else points to goodware.
On the **Sample Details** page, the **How We Caught This** tab shows:
- **File Similarity** — whether the file matches known malicious or clean samples in the Spectra Intelligence database
- **File Classifications** — the specific YARA rules, threat names, or scanner results that contributed to the classification
Reviewing the classification reason helps you assess whether the result is expected and whether further investigation is needed.
### Understanding threat propagation
Threat propagation is the mechanism by which classification spreads from a child file to its parent. When Spectra Analyze unpacks an archive or installer, it analyzes every contained object. If a child file is classified as malicious, that classification propagates upward to the parent.
This means a container file such as a ZIP archive can receive a malicious classification even if the archive itself contains no malicious code — the threat is in its contents. The **Extracted Files** section of the Sample Details page shows the full unpacked file tree and the classification of each object.
### Administering classification overrides
Classifications can be overridden either through Goodware Overrides, where the classification of a high-trust parent sample is propagated down to extracted files, or manually by using the Spectra Analyze override feature.
If you disagree with a classification, you can override it manually. Overrides are useful when a file is misclassified due to incomplete intelligence data or when internal tooling triggers a false positive.
To override a classification:
1. Open the **Sample Details** page for the file.
2. Select **Override classification**.
3. Select the correct classification and provide a reason.
4. Select **Save**.
In cases where the classification was set by the user, it is considered final and displayed in the header, as well as in the table below. Local classification overrides are visible as final to all appliance users, while the Spectra Intelligence overrides are additionally synchronized with other appliances using the same Spectra Intelligence account, and other Spectra Intelligence accounts belonging to the same company, indicated by the middle segment of the username — `u/company/user`. In cases where a sample has both overrides, the local override is displayed as the final classification.
Overrides are visible to all users on the appliance and are logged for audit purposes. See [Classification](/General/AnalysisAndClassification/Classification/) for details on how scoring works and how overrides interact with threat propagation.
### Understanding the overall classification
The overall classification shown at the top of the Sample Details page represents the final verdict for the submitted file, taking into account:
- The file's own static analysis results
- Threat propagation from any extracted child files
- Any applied classification overrides
- Enrichment data from Spectra Intelligence
In most cases, analysis results are overwhelmingly biased towards a certain classification: a malicious file will be detected as such by Spectra Core and backed up by a large percentage (not necessarily 100%) of scanner detections. It will probably have an exact threat name, naming the malware type or the specific malware family. Certain file types might belong to a RHA File Similarity bucket with other malicious files. Even if such files get some negative results from specific technologies, it is highly unlikely that they are not malicious.
On some occasions, a sample classified as goodware can still have some Spectra Intelligence scanner detections, but not enough to affect the final classification. These detections are most likely false positives, but users are still advised to check the scanner list to see which scanners detected a threat.
In conclusion, while false detections are not impossible, they are much easier to identify if all of the important factors are considered and understood. For more information, see [Classification](/General/AnalysisAndClassification/Classification/) and [Risk Score Table](/General/AnalysisAndClassification/RiskScoreTable/).
When a file has been overridden, the interface distinguishes between the original classification and the overridden classification so you can always see both the automated result and the manual correction.
### MITRE ATT&CK integration
Spectra Analyze maps indicators detected during static analysis to the MITRE ATT&CK framework. When a sample's analysis reveals indicators that correspond to known ATT&CK tactics and techniques, they are displayed in the ATT&CK section of the Sample Details page. This mapping helps analysts correlate file-level findings with adversary behaviors documented in the ATT&CK knowledge base.
## Next steps
- [Search for files](./search-page.md) — query your analyzed file collection
- [YARA rules](./yara.md) — write and deploy custom detection rules
- [API Documentation](./API%20Documentation/index.md) — automate file submissions and retrieve results programmatically
- [Dashboard](./dashboard.md) — monitor appliance health and throughput
---
## Graph — Spectra Analyze [PREVIEW]
The Graph page provides an interactive visualization of relationships between malware samples, files, domains, IPs, and other entities. Users can create, view, and manage graphs to explore these connections.
The landing page displays a list of saved graphs, each represented by a thumbnail preview, name, creator, and last modified date. Users can search for graphs using the search bar at the top.
Select any existing graph or create a new one to get started.
### Graph Navigation
Use the mouse to navigate: click and drag the empty canvas to move around, scroll to zoom in or out. Click and drag the nodes to move them around.
Users can interact with nodes by clicking and dragging them. Select a node to open a [sidebar](#sidebar) on the right side of the canvas, providing information on that specific node. Right-click a node to access the context menu with options specific to that node. [Control nodes](#control-nodes), for example, offer options to load more child nodes or export a list of them.
### Nodes
#### Root Nodes
For graphs created by adding a single hash or by navigating from the sample summary page, the icon in the center of the graph represents the sample. Sample nodes will also be referred to as [root nodes](#root-nodes), as they serve as the starting points in the graph.
To add more root nodes to the graph, use the search bar at the top of the page, or promote an existing file node to a new root node.
File nodes can be promoted to root nodes via the sidebar or right-click menu. Selecting **Expand** or **Fetch & Analyze** (for cloud samples) transforms the node into a new root node, adding [control nodes](#control-nodes) and integrating its relationships into the existing graph.
#### Control Nodes
Root nodes branch into control nodes, each representing a distinct type of relationship.
Control nodes act as entry points for exploring data. Each node is visualized as a color-coded pie chart showing the number of subnodes per classification: goodware, suspicious, malicious, or unknown. Initially, each control node displays up to 20 unique subnodes.
For cloud samples, fewer control nodes are available until the sample is fetched and analyzed from either the node sidebar or the search page to display additional relationship data.
The available control nodes are:
- Dropped files
- Extracted Files
- Parents and Sources
- (RHA) Similarity
- Static Network References
- Dynamic Network References
- Network References: Contacted URLs, Domains and IPs
### Sidebar
The sidebar provides details and actions based on the selected node. Control nodes show statistics on subnodes, extracted file nodes display file reputation and threat names, and network reference nodes provide third-party reputations and classification reasons. When available, network reference nodes for extracted and contacted IP addresses display their country of origin.
To load more subnodes, select a control node and click **Show more**.
Highlighted and underlined items in the sidebar can be clicked to navigate to a different sample summary page, or to perform an advanced search query.
### Filtering
Graphs can be filtered by classification, file type or file name. The filtering options are accessible via the **Show Filters** button in the top left of the canvas.
## Saving and Updating
Click **Save** when working on a new graph to open the save dialog, allowing you to choose a name. When you open a saved graph, it will load all references from the previous session, plus any new ones discovered since then.
---
## Spectra Analyze — Malware Analysis for Threat Analysts
Spectra Analyze is a malware analysis solution designed for individual analysts and small teams. It combines deep static file analysis with cloud threat intelligence to accelerate threat detection, investigation, and collaboration.
Spectra Analyze is available as a hardware/software appliance or as a cloud-based service.
## Introduction
Spectra Analyze is powered by [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis), the ReversingLabs engine for automated static decomposition and analysis of binary files.
When you submit a file, Spectra Core unpacks it and extracts all available information from every contained object. The unpacking process supports all variants of more than 400 formats, including PE packers, archives, installation packages, firmware images, documents, and mobile applications.
Once unpacked, Spectra Core extracts metadata from each file: strings, format header details, function names, library dependencies, file segments, and static behavior analysis with capability information. This data is combined with threat intelligence from Spectra Intelligence, a cloud service that provides scanner results, threat names, and community classifications, to produce a complete analysis report.
The result is a classification of each analyzed file as malicious, suspicious, goodware, or unknown, along with a risk score and the indicators that drove the result.
For more information about the latest features, see the [Spectra Analyze website](https://www.reversinglabs.com/products/spectra-analyze).
**Tip: New to Spectra Analyze?**
See [Getting Started](./getting-started.md) to configure your first cloud connection, upload a file, and interpret your first analysis report.
## Navigating the Interface
This section describes the layout of the Spectra Analyze interface, including the terminology and visual indicators used throughout the appliance and its documentation.
### Global Header Bar
The global header bar runs across the top of every page in the Spectra Analyze interface. It contains the most commonly used controls and the main navigation menu.
From left to right:
**Search Samples** is a text field for entering search queries. Clicking the field expands it across the header bar and hides other menu items to give more space for constructing queries. Performing a search navigates to the **Advanced Search** page. See [Advanced Search](./advanced-search.md).
**Submit** opens the file and URL submission dialog. An upload progress bar appears in the header bar while files are uploading. Navigating away from the page or refreshing the browser during an upload will cancel it. See [File and URL Submissions](./file-submissions.md).
**Dashboard** displays submission and processing statistics for a specified time range. See [Dashboard](./dashboard.md).
**Search & Submissions** provides access to the Advanced Search feature for querying analyzed files across local and global Spectra Intelligence data sets. See [Search & Submissions Page](./search-page.md).
**YARA** allows rule-based identification and classification of files using text or binary patterns. If this item is not visible, it can be enabled under **Administration > User Roles**. See [YARA Hunting](./yara.md).
**Graph** provides an interactive visualization of relationships between malware samples, files, domains, IPs, and other entities. See [Graph Page](graph.md).
**Help** contains links to appliance documentation, ReversingLabs support, and the legend for risk score indicators.
**Quota Indicator** (pie chart icon) shows the current usage status of all ReversingLabs APIs configured on the appliance that have a limited quota.
**Alerts Indicator** enables real-time monitoring of changes in malware classification and analysis results. If there are unresolved alerts, their count appears as a red badge on the indicator. See [Alerts](./alerts.md).
**Health Status Indicator** shows the current status of the appliance. See [Health Status Indicator](#health-status-indicator) below.
**User menu** shows the current username and provides access to Administration, User Profile, and Log Out.
**Risk Tolerance** shows the current risk tolerance level for the appliance, if enabled. See [Risk Tolerance](./Appendix/risktolerance.md).
### Health Status Indicator
The second to last item in the main appliance menu is the health status indicator, pointing out issues with the system load and showing if the appliance is connected to a file reputation service, and if the service is reachable or not. Administrators can click the icon to open a pop-up with a more granular look at the system resources: Disk Usage, Memory usage, CPU utilization, outstanding alerts and issues, and Spectra Detect Manager connection status. The pop-up also contains a link to [Open System Status page](./Administration/usage-alerts/system-status/) with detailed information on all the system monitoring services.
Thresholds for these services, such as CPU/memory/disk usage or queue sizes, are configured on the [Administration > Configuration > System Health](./Administration/configuration-update/configuration/#system-health) page.
If there are no issues with the system load and if the appliance is connected to Spectra Intelligence or the T1000 File Reputation Appliance, this is indicated by a black icon.
A red icon with a small exclamation mark means that the reputation service is not configured or reachable or that CPU/memory/disk usage or queue sizes went over the configured thresholds. In this case, hovering over the icon lists the detected issues.
The services used to deliver file reputation data (Spectra Intelligence or T1000 File Reputation Appliance) can be configured under **Administration > Configuration** in the [Spectra Intelligence](./Administration/configuration-update/configuration/#spectra-intelligence) and [T1000 File Reputation Appliance](./Administration/configuration-update/configuration/#t1000-file-reputation-appliance) dialogs.
---
## Setup and initial configuration
## Setup and configuration checklist
✅ Ensure [system requirements](#system-requirements) are met.
✅ [Import](#importing-the-appliance-image) the appliance image.
✅ Perform the [initial configuration](#initial-system-configuration-via-console) via console.
✅ [Log in](#first-login-to-spectra-analyze) and [update administrator credentials](#change-default-administrator-credentials).
✅ [License](#appliance-licensing) the appliance.
✅ Update your [user profile](#user-profile) as needed.
**Info: For assistance with Spectra Analyze setup, contact [ReversingLabs Support](mailto:support@reversinglabs.com).**
## System requirements
### Minimum system requirements
The minimum system requirements are:
- 1 TB of SSD storage
- 8 CPU cores
- 32 GB RAM
These are the minimum resource settings, and are fine for average use with dozens of samples per day. The settings might have to be adjusted upwards depending on the expected usage.
### Recommended system requirements
For heavier usage, the recommended settings are:
- 2 TB of SSD storage
- 12 CPU cores
- 64 GB RAM
**Info: Spectra Analyze configured to use the recommended settings can analyze 7 or more samples per minute. File retention should be set to 7 days, as the performance drops off by 5-10% per week with longer retention times.**
### Hosted instances
For hosted instances, ReversingLabs provides the following resources:
- 512 GB of storage
- 16 CPU cores
- 64 GB RAM
Hosted instances support up to 10 000 files per day with a 3-month retention period depending on the file size.
## Importing the appliance image
The package contains the following files:
```
a1000.md5
a1000.ova
```
The .md5 file contains the plain text MD5 hash of the .ova file for file integrity verification. The .ova file utilizes the VMDK disk format and can be imported by ESXi version 5.5 or higher.
The following screenshots show how to import the .ova file in vSphere Version 5.5, hypervisor ESXi 5.5:
## Initial system configuration via console
For physical appliances, first connect a keyboard, mouse and display to access and interact with the console menu.
When the appliance is running, either as a physical device or in the virtual environment, the following configuration screen is used to configure it after completing the installation.
To select an option, enter the menu item number and follow the prompts. The menu contains the following options:
1. Change the hostname.
2. Select the network interface.
3. Set static IP. Mutually exclusive setting with dynamic IP via DHCP.
4. Set dynamic IP via DHCP. Mutually exclusive setting with static IP.
5. Configure 2 DNS servers.
6. Configure up to 4 NTP servers.
7. Configure SNMP and set the SNMP community string.
8. Change the password for the "admin" user.
9. Shut down or restart the appliance.
To restart the appliance after modifying the settings, enter the number next to `Shutdown / Restart`, then answer "n" to the shutdown question and "y" to the restart question.
The console configuration tool does not provide any detailed success messages in response to configuring the network settings. To continue working with the appliance after the initial setup, open the web browser and enter the appliance IP address displayed in the console configuration tool.
### Network ports
The Spectra Analyze appliance supports the following ports for inbound connections:
- 80/TCP and 443/TCP for connecting to the web interface.
- 161/UDP for SNMP monitoring.
Outgoing connections to the internet via the following ports are also supported:
- 53/UDP for DNS.
- 123/UDP for NTP.
However, it is strongly recommended that users configure the system to use their own DNS and NTP infrastructure if necessary.
For outgoing connections to Spectra Intelligence at **https://appliance-api.reversinglabs.com**, the destination port is 443/TCP. The DNS name is **appliance-api.reversinglabs.com** and the connection supports HTTPS only.
### IP/domain allowlisting
It is necessary to allowlist certain IP ranges and domains for connectivity with our cloud-based services. The primary range to allowlist is Cloudflare's public IP range, as outlined in their [official documentation](https://www.cloudflare.com/en-gb/ips/).
Additionally, allowlist the IP range `185.64.132.0/22`, which covers various ReversingLabs endpoints crucial for full functionality and communication between your systems and the Spectra Analyze appliance.
Furthermore, if the **Enable Spectra Analyze Networking Toolkit** option is enabled, the appliance attempts to gather additional network data from trusted sources such as `whois`, `bgpview.io`, `GeoLite City`, and DNS services.
## First login to Spectra Analyze
From a web browser, visit the host address configured in the [Initial system configuration via console](./initial-configuration.md#initial-system-configuration-via-console) section to access the login screen of the Spectra Analyze web interface. If the Spectra Analyze is configured to support OpenID authentication, additional login options are displayed under the default login form.
Log in using the default case-sensitive administrator credentials for the Spectra Analyze web application, provided by [ReversingLabs Support](mailto:support@reversinglabs.com). Failed login attempts are recorded in the appliance logs and visible in the `/var/log/rlapp/rlapp.log` file.
Once the user logs in, a popup window is displayed for all accounts on the appliance. The popup contains the latest release highlights, informing the users about the changes delivered in the new Spectra Analyze version. Users can dismiss the popup, and it is not displayed on subsequent logins.
To view the popup again at any time, go to the appliance footer, and click **What’s New**.
### Change default administrator credentials
#### Password
After logging in, look for the password change notice at the top of the page. Click the ***your password*** link and change the administrator account password in the dialog that opens. Alternatively, from the top navigation bar go to the 👤 **> [User Profile](#user-profile)** page with additional configuration options, and update your password from there.
If password requirements are configured on the appliance under [Administration > Configuration > Configuration & Update > Authentication](../Administration/configuration-update/configuration/#authentication), the new administrator account password must comply with them.
#### Email
The email address associated with the default administrator account should also be changed. If you need to reset your password, on the [Login](#first-login-to-spectra-analyze) screen, click the ***Forgot your password?*** link. The emails sent from the appliance go to the email address associated with the administrator account.
To change the email address, go to [Administration > Users & Personalization > Users](../Administration/users-personalization/users/) and [search](../Administration/users-personalization/users/#searching-for-users) for the "admin" user. Click it to open the **Change user** dialog and [modify](../Administration/users-personalization/users/#editing-users) the email address specified there.
## Appliance licensing
On first login after installing or updating the appliance, the appliance must be licensed.
For detailed instructions, see [Licensing](../Administration/configuration-update/licensing/).
## User Profile
To update the current user's profile, go to 👤 **> User Profile**.
The **User Profile** page contains options for configuring the profile of the user currently logged into the appliance, and for managing alert subscriptions.
### Profile
Under **Profile**, modify the current user's profile. Apart from setting a first name, last name, and email address, users can also change the password for logging into the appliance.
If password requirements are configured on the appliance, the new user account password must comply with them. The **Profile** section displays a warning if the new password does not satisfy the configured password requirements.
To save your changes, click **Submit**.
### Alerts Configuration
Under **Alerts Configuration**, you can see all alert subscriptions for the current user. For more information, see [Managing Alert Subscriptions and Delivery Methods](../alerts/#managing-alert-subscriptions-and-delivery-methods).
---
## Search & Submissions Page
The Search & Submissions page is accessible from the top navigation menu.
At the top of the page is the [Advanced Search Box](#advanced-search-box). It is functionally identical to the one embedded in the global header bar on the other pages.
Below the search box is the list of [recent submissions](#results-list) in the **Files** tab. The Files tab contains both local submissions and Spectra Intelligence results, which can be filtered using the Local/Cloud filter options.
The **Network** tab lists URL, Domain and IP submissions. The appliance also crawls and downloads the submitted URLs to analyze them as files in the Files tab, so this makes it easier to distinguish between the downloaded content in the Files tab and the reputation of the network location itself.
## Advanced Search Box
The *Advanced Search* box is a text field where users enter [search queries](./advanced-search.md#how-to-write-search-queries) and get a pull-down list of all [supported keywords](./advanced-search.md#supported-search-keywords). To quickly position the cursor into the search box, press ALT+S. This also applies to the search box present on the other pages of the Spectra Analyze interface.
Alternatively, use the [Quick Search](#quick-search) dialog to construct a query, or the filters below the search box to add more search criteria. Read more about the filtering features in the [Filtering Results](#filtering-results) section.
The maximum length of a single search query that can be entered into the *Advanced search* box is 1024 characters.
For keywords that support searching by date, a date picker will open instead of the pull-down list.
The *Advanced search* also has the following buttons:
- the **preferences** button opens the [Quick Search](#quick-search): dialog where users can construct search queries using a graphical interface, perform [bulk searches](#bulk-search), and browse through suggested, recent and favorited search queries.
- the **suggestions** button opens the Quick Search screen straight to the [Show Suggestions](#show-suggestions) tab.
- the **share button** opens the dialog for sending the current query to other users via email. Available only when the users types into the *Advanced search* box.
- the **star button** adds the current query and filter configuration to the list of Favorites displayed in the [Suggestions](#show-suggestions) tab of the [Quick Search](#quick-search) dialog. If the current page state is already saved as a favorite, the star will be yellow and open the “Edit favorite query” on click. Favorite queries can also be used as [a default filter](#changing-the-default-search-page-behavior) for the Search page.
- the **Search** button (magnifying glass) runs the search query. Once the query is running, an option to stop it appears next to the **Files** and **Network** tabs below the search box.
### Quick Search
The Quick Search dialog can be opened by clicking the Preferences button inside the Advanced Search box, or by pressing the ALT+Q keyboard shortcut. It contains multiple tabs.
#### Files
The Files tab can be used to construct search queries without having to type them out manually. Users can fill out the form by entering values and picking options from drop-down menus, and then click the Search button in the bottom right of the dialog.
#### Network
The Network tab offers URL/Domain/IP search capabilities. Query can be filtered by classification, first seen date and resource type.
#### Bulk Search
The Bulk Search tab allows users to input up to 10 000 SHA1, SHA256, or MD5 hashes and search for them all at once. The results will be sorted into the Local and Cloud sections, depending on their availability.
The list of hashes can be uploaded as a file or typed into the text field. In both cases, hashes should be separated by commas, spaces, or newlines.
Mixing hash types is allowed, so all supported types of hashes can be submitted in one search request.
The following examples illustrate different ways to separate hashes:
```
hash1,hash2,hash3,hash4 (...) hash1000,hash1001
```
```
hash1 hash2 hash3 hash4 (...) hash1000 hash1001
```
```
hash1
hash2
hash3
```
To perform a bulk hash search, click the *Search* button in the dialog. Clicking *Cancel* closes the dialog.
**Note: Bulk hash search differs from regular Advanced Search in several ways.****
- Bulk hash queries cannot be bookmarked in the browser or saved as favorites on the Spectra Analyze appliance.
- Bulk hash queries do not appear in the *Recent queries* list.
- Pivoting and combining search keywords with bulk hash queries is not possible.
- Bulk hash search can take up to one minute, depending on the number of requested hashes.
- Due to the way samples are processed in the Spectra Intelligence cloud, some discrepancy can arise between sample metadata in bulk search results versus regular search results.
- By default, bulk hash search results are sorted by *First Seen* in descending order (most recent to oldest). This cannot be changed; the results page for bulk hash search does not support custom sorting by columns.
- Different types of hashes can be submitted in one bulk hash query, but subscribing is only supported for SHA1 hashes. If multiple different hash types are selected in the list of search results, and the user attempts to subscribe to them, only the SHA1 hashes will be added to the subscription. Other hash types will be automatically filtered out from the subscription.
**Tip: Instead of using the Bulk hash search dialog to look up large numbers of different hash types, the **hashes** keyword can be used for a similar purpose. The **hashes** keyword allows mixing different types of hashes in one search query, without the need to explicitly name the hash type or to group hashes by type. All hash types (MD5, SHA1, SHA256) can be used with this keyword.**
An example query:
`hashes: [, , , , , ]`
When the **hashes** keyword is used (or when a query contains only hashes), the search automatically switches to Bulk Search, bypassing the 1024-character limit of standard queries.
### Show Suggestions
Clicking the `Suggestions` button to the right of the search box will open the Quick Search pop-up window directly to the Suggestions tab, containing trending, recent and favorite advanced search queries.
The tab is divided into three sections, from left to right:
- **Interesting search examples** - predefined search queries that users can run to get a better understanding of the data in the results.
- **Recent queries** - a list of up to 20 latest search queries performed on the Spectra Analyze instance. Clicking on any of the queries in the list automatically runs that query again, and moves it to the top of the list. Recent queries are deduplicated, so consecutively running the same query does not cause duplicate entries in the list. All recent queries from this list are also displayed in the pull-down keyword list when the user starts typing into the search box. The list of recent queries is private and visible only to the Spectra Analyze user who performed them, not to all Spectra Analyze users.
- **Favorites** - a list of up to 20 user-defined favorite search queries. Users can save any query as a favorite by clicking the star button in the search box when the query is active. When a query is added to the Favorites list, clicking it automatically runs that query. Hovering over a favorite in the list displays a triple-dot menu with options to edit the query (change its name, search keywords, parameters…), copy it to clipboard, remove it from the Favorites list, or share it via email. The list of favorites is private and visible only to the Spectra Analyze user who created it; in other words, every user has their own Favorites list. Favorite queries can also be used as [a default filter](#changing-the-default-search-page-behavior) for the Search page.
To start using Advanced Search, click any of the predefined search examples, or start typing into the *Advanced search* box to [create a custom search query](./advanced-search.md#how-to-write-search-queries).
### Keyword Auto-Suggestion Pull-Down List
As soon as the user starts typing into the search box, the auto-suggestion pull-down list matching either the [supported search keywords](./advanced-search.md#supported-search-keywords) or their predefined values will open.
User queries will be matched against keywords and their predefined values starting from any position, and not only from the beginning. For example, entering `aliciou` as a search query will match and return the entire `classification:malicious` keyword and value pair.
Click the *…more* link to expand the list of keywords.
Every keyword has a short explanation with examples on the right side of the list. Some keywords offer predefined values that the user can select from the pull-down list.
The pull-down list also displays 20 most recent search queries performed on the Spectra Analyze appliance. Recent queries are offered as auto-suggestions when the user starts typing into the search box (if they match some of the text the user has typed).
### Date and time picker
When a keyword that supports searching by date and time is typed into the search box, the date picker menu opens instead of the usual pull-down list. The user can select any of the predefined date and time values, or click “Custom” to enter their own date and time range.
### Query Builder [PREVIEW]
Query Builder is an alternative way of constructing and writing search queries. When activated in the gear menu on the Search Page, queries are represented as tags or blocks, allowing for better context awareness and auto-completion when adding new items in the middle of the query. Hovering the mouse between any two blocks displays a “+” button which can be used to insert an additional item anywhere in the query. Clicking the “X” button on a specific block deletes it. While the search box is focused, tags can be navigated using the arrow keys on the keyboard, and deleted using Backspace or Delete.
## Threat Intelligence Cards
Threat Intelligence Cards make use of extensive ReversingLabs file metadata to provide an informative, educational overview and analytics on malware types and families in an easily accessible format on the Search page. The prerequisite for this feature is a properly configured Spectra Intelligence account on the appliance.
When users perform an exact search with the `threatname` keyword for a single threat name or a list of threat names, one or more collapsible sections become available above the list of search results. At most 10 cards will be displayed, even if more threat names were provided in the query.
Depending on available data, Threat Intelligence Cards will either show information about a specific malware family (for example, Emotet), or a more generalized description of the family type (trojan).
Cards can contain all, or a subset, of the following information:
- first and last seen dates
- current latest version
- packer
- targeted OS
- targeted industries
- threat name
- threat name alias
- actor aliases
- malware family/type description
- reference links
- malware prevalence graph
- top file types used by this malware family
- weekly rankings for the current and the previous week
- overall total number of unique samples containing this threat.
To better reflect the popularity of the malware family in the Spectra Intelligence cloud, the **Current week** and **Last week** columns count all sample uploads and increase on repeated uploads of the same sample. The **Total number of detected samples** column shows a deduplicated count of unique samples belonging to that malware family.
The malware family/type descriptions displayed here are also visible on the Sample Details > Summary page in the Malware Description section.
## Results List
**Note: The terms “samples”, “files”, “submissions”, and “search results” are often used interchangeably in the appliance interface and in this documentation.**
The list of files and URLs submitted to the Spectra Analyze can be found on the Search page, below the [Search box](#advanced-search-box). Drop-down menus under the Search box allow [filtering](#filtering-results) of the results list by multiple criteria.
The results section of the page is divided into these general sections:
1. The action bar with the filter tabs. The action bar allows filtering the results by location (local or cloud) and availability (public or private); exporting them; configuring how the dates will be displayed in the results grid and if optional columns will be displayed.
2. Filter tabs:
- **Files**
- **Local** - filters the search results to display only the samples found on the local Spectra Analyze instance. The tab also shows the number of results.
- **Cloud** - applies only to Spectra Intelligence search results. The maximum amount of Cloud results that can be returned for a search query is 100 000. Although the number may indicate there are more samples in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.
- **Network** - lists URL, Domain and IP submissions. The appliance also crawls and downloads the submitted URLs to analyze them as files in the Local tab, so this makes it easier to distinguish between the downloaded content in the Local tab and the reputation of the network location itself.
3. Bulk Hash search only tabs:
- **Not found** - displayed only when the list of results contains hashes that were not found in the ReversingLabs system. For Local results, *Not found* refers to hashes not found on the current Spectra Analyze instance. For Cloud results, *Not found* refers to hashes not found in the Spectra Intelligence cloud.
- **Invalid** - displayed only when the list of results contains incomplete or erroneous hashes. It helps users identify potential formatting mistakes in their lists of hashes.
4. The samples/results list
5. The navigation bar at the bottom
The samples/results list contains basic information about submitted files and URLs, or matching local/Spectra Intelligence search results after performing a search. Local results are sorted by *Last Submitted* by default, even if that column is disabled in the gear icon menu in the top right of the submissions grid. Spectra Intelligence results are sorted by *First Seen* date. Selecting the main checkbox in the topmost row will select all submissions on the current page. When submissions are selected, their highlight color changes to yellow.
**Note: To improve search query responsiveness and performance, Cloud results prioritize *First Seen* within the last month by default. In case there are no results, the results page automatically extends the search query backward up to one year, until there are results. If still no results are found, users can choose to expand the search further by clicking the `Extend Search Timeframe` option. This progressively expands the search, year by year, until first results are found.**
The list consists of the following columns:
**Selection checkbox** - for selecting individual submissions on the page to perform bulk actions on them. When one or more items are selected on the page, an additional actions menu (☰) with bulk actions becomes active to the right of the *Size* column.
**Submission type indicator** - the icon indicating whether the submission is a file or a URL.
**Classification indicator** - classification status of submitted files and URLs is indicated by colored symbols: red square is malicious, orange rhombus is suspicious, green circle is goodware, black square with a circle cutout is no threats found.
Inside of each of these symbols is the sample’s [risk score](/General/AnalysisAndClassification/Classification/#risk-score). Samples with no threats found (samples without classification) don’t have a risk score.
Samples with a risk score of 5 are represented using a unique icon, as the indicators found during analysis were deemed insufficient to convict the file as definitively malicious or benign. These samples may be of interest, as they have a higher chance of changing classification and/or risk factor as soon as any new information becomes available.
**First Seen** - time when a sample was first received by Spectra Intelligence (for Cloud results) or uploaded and analyzed on the appliance (for Local results). Open the gear icon menu next to the *Export* button on the far right of the page to change how the dates are displayed in this column (exact or relative dates).
**Threat** - detected threat name for a submission, formatted according to the [Malware naming standard](/General/AnalysisAndClassification/Classification/#malware-naming-standard). Threat names are displayed only for malicious and suspicious samples. If the threat name is not detected for a suspicious submission, it receives a generic “Suspicious” threat name label. Clicking the name performs an Advanced Search for samples with the same threat name.
**Name** - file name of the submission (as uploaded). For URLs, the file name corresponds to the URL submitted by the user. If the file name doesn’t contain any of the standard characters ([A-Z, a-z, 0-9]); for example, if the file name is !!!, its SHA1 hash is displayed instead to make it easier to click. Clicking the name opens the [Sample Details](./Sample%20Details/index.md) page with more information about the submission.
Predicted filenames are displayed under the original filenames. They are generated by [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis), and can be helpful for distinguishing files that only have a hash value as their filename. Clicking a predicted filename redirects to the Advanced Search page and performs a search query to find other samples with the same predicted filename. The predicted filename won’t be shown if it’s a hash value.
**Last Submitted** - indicates when the submission was last submitted to the appliance. Open the gear icon menu next to the *Export* button on the far right of the page to change how the dates are displayed in this column (exact or relative dates). The **Last Submitted** column can also be enabled/disabled from this menu.
**Username** - indicates which Spectra Analyze user submitted each file or URL. This column can be enabled/disabled by clicking the gear icon next to the Export button.
**Format** - file format of the submission, either represented as a combination of file type and subtype (e.g., PE/EXE) or as an identified format (e.g., NSIS, PDF). URLs submissions not pointing to a single file are represented as ZIP files in this column.
**Files** - total count of files extracted from the submission, including the original uploaded file.
**Size** - indicates the size of the submitted file, or of the contents downloaded from a submitted URL. If the file size is undefined for a Cloud result, the “Sample size currently unknown” message is displayed in the *Size* column on the Cloud results page. Those samples will be unavailable for download (the *Fetch & Analyze* option will be disabled) because it cannot be determined whether they exceed the maximum file size that can be downloaded from Spectra Intelligence (500 MB).
### Local Sample Actions
**Actions menu** (☰) - contains various actions the users can perform on each submission.
The actions include:
- **Download sample** – downloads the submission from Spectra Analyze to local storage (compatible with modern ZIP tools such as `unzip` 6.00+, Python's `zipfile`, 7-Zip, or `bsdtar`).
- **Download container** - if the file is a child (extracted from another file during analysis), downloads its top-most parent from Spectra Analyze to the local storage.
- **Set classification** - opens a dialog where users can manually override the classification assigned to a submission.
- **Subscribe** and **Unsubscribe** - adds or removes the sample from alert subscriptions.
- **Reanalyze** - opens a floating dialog where users can reanalyze the submission with static, dynamic, or Spectra Intelligence analysis services.
- **Delete sample** - removes the submission from Spectra Analyze. This action is visible to users only for files and URLs they have submitted themselves. Regular users cannot delete files and URLs submitted by other users. Administrators can see this menu item for all submissions, and delete all submissions regardless of who created them.
- **Copy to my submissions** - displayed only if the sample was submitted by a different user. Selecting this adds the sample to the submissions for the current user.
- **Download Extracted Files** - displayed if the sample has any extracted files. Selecting this downloads files extracted from the sample to local storage.
**URL** submissions have a differently organized menu with mostly the same options. The menu is split into two sections: **Payload actions** which features the options above (as well as the option to open the [Sample Summary page](/SpectraAnalyze/Sample%20Details/sample-details-summary/#report-summary) for the payload), and **URL actions** with the option to reanalyze the URL.
### Expanded Details
Each result row on the Search page can be expanded to see more details about a submission. Click anywhere in a row when the cursor changes to an up-down arrow. Expanded rows for local samples contain more information and different actions than those of samples available in the Spectra Intelligence cloud.
This section describes local results. For more information on Public/Private Spectra Intelligence results, refer to the [Differences Between Local and Cloud Results chapter](#differences-between-local-and-public-cloud-results).
The information displayed here depends on the file type, and can include:
- sample hashes
- sample sources
- first and last seen times (on the appliance and/or in the Spectra Intelligence cloud)
- link to the parent file (if the file was extracted from another file)
- RHA statistics (for supported file types)
- User Tags and System Tags
- comments for the sample (if any)
- classification reason (see the [Threat Classification Descriptions](./Sample%20Details/threat-classification-sources.md#threat-classification-descriptions) section for more information about classification reasons)
- number and percentage of Community Threat Detections
- file format details
- document metadata
- email metadata
- capabilities
- indicators of interest
- certificate information
To add User Tags to a sample directly from the expanded details, click the **Add** link in the list of User Tags. Clicking the **Hex Preview** button opens the [Preview Sample / Visualization](./Sample%20Details/file-preview.md) pop-up modal.
To see more information about a sample, click the file name to open the [Sample Details](./Sample%20Details/index.md) page.
## Filtering Results
Users can filter samples by uploader (user accounts and connector services), as well as by a number of filtering criteria using the appropriate drop-down menus below the Search box.
These filters vary depending on where the search query is being performed.
When looking at **local** files, available filters are: time type and range, classification, submission user, processing status, and sample origin.
Alternatively, instead of drop-down filters, use the following **local-only** search keywords:
- `submission-user`
- `submission-time`
- `processing-status`
- `tag-user` (not available as a menu selection)
Being local-only, these keywords do not work on the **Cloud** tab. The classification filter uses the globally available `classification` keyword.
The **Cloud** file list contains the time type and range filters, classification, and the cloud search dropdown, allowing the users to search for all cloud data, or just for private/public samples.
**Note: Typing these keywords in a query will override and disable the respective drop-down menu under the search bar, to avoid filtering conflicts.**
When added using the drop-down menus, the keywords will not be shown in the Advanced Search box as part of the query, but they will still be applied to the results, saved to the Recent queries list, and shared using the Share query button.
In addition to these keywords, users can use any of the [supported keywords](./advanced-search.md#supported-search-keywords) to write [search queries](./advanced-search.md#how-to-write-search-queries) and search for samples available locally or in the Spectra Intelligence cloud.
To reset the existing query and filters, click the **Clear** button next to the filters.
The page also provides access to analysis reports ([Sample Details](./Sample%20Details/index.md)) and various actions that can be performed on each submission.
### Changing the default Search page behavior
When the search page is opened, all of the configured filters on the page return to their default values. The gear icon next to the Export menu contains **Initial Search Results** options to change the default search page behavior:
- **Use Default Filters**: If this option is selected, the search page will apply the default filters.
- **Use Last Query**: If this option is selected, the search page will save the query and any filter configurations of the last performed query, and restore those values when the page is next opened.
- **Use Favorite Query**: If this option is selected, users can choose a specific favorited search query from a dropdown list. This favorite will be used to configure the filters and populate the search box when the search page is next opened.
- **Automatically Expand Search Period**: If this option is selected, the search period will expand until some results are found.
This selection persists between sessions, and applies only to the current user.
## Exporting Results
The **Export** menu contains options to export the whole page or just the selected samples. For the **Selected** samples option to become available, one or more samples on the page have to be selected.
To export multiple pages of results, browse pages one by one and manually export them. It is possible to adjust the amount of results displayed per page in the navigation bar, thus increasing or decreasing the number of results that will appear in the exported file when exporting the entire page.
Data can be exported as CSV, JSON or XML.
To copy only the sample hashes for the desired set of samples, the menu contains options to copy SHA1, SHA256 and MD5 hashes to the clipboard. Hashes are delimited by a whitespace, so that they can be directly pasted into the search bar.
The exported file can contain one or more of the following columns. They can be enabled in the **Export** menu, under **Show more Export options**.
- **Files** - the number of files extracted from a sample (if the sample is a container). For Cloud results, this number is always 0, and they cannot be searched using the local-only **filecount** keyword. However, the Spectra Analyze interface displays `--` in the *Files* column for all Cloud results. For Local files, the correct file count is displayed, and extracted files can be browsed by clicking the file name and selecting the *Extracted Files* option on the Sample Details page.
- **Format** - file format of each sample in the results grid.
- **Name** - name under which a sample was uploaded to the appliance or to Spectra Intelligence.
- **Threat** - detected threat name for malicious and suspicious samples, formatted according to ReversingLabs Malware Naming Standard.
- **First seen** - time when a sample was first received by Spectra Intelligence (for Cloud results) or uploaded and analyzed on the appliance (for Local results).
- **Size** - indicates the size of a sample.
- **Available** - Spectra Intelligence results only. Indicates whether a sample can be downloaded from Spectra Intelligence.
- **Classification** - indicates the classification status (malicious, suspicious, goodware, no threats found) assigned to a sample by any of the ReversingLabs classification sources and technologies.
- **Last seen** - time when a sample was last received by Spectra Intelligence (for Cloud results) or uploaded and analyzed on the appliance (for Local results).
- **Community Detections** - indicates the number of AV scanners that were used to analyze a sample in the Spectra Intelligence cloud.
- **Risk Score** - the [numerical value assigned to a sample](/General/AnalysisAndClassification/Classification/#risk-score), representing its trustworthiness or malicious severity.
- **SHA256, MD5** - additional sample hashes that can be included in the exported file. The SHA1 hash is always included by default.
- **Last Submitted, Username** - available only for local results. If selected for Cloud results, the fields will be empty.
## Differences between Local and Public (Cloud) Results
### Spectra Intelligence Results List
#### File format information
In some cases, file format displayed on the Local files view can be different from the file format displayed on the Cloud files view for the same sample. Some samples will not have file format information at all. This happens when the information about a sample is returned from different sources.
#### Extracted files information
The number of extracted files for Cloud search results is always 0, but the Spectra Analyze interface displays `--` in the *Files* column for all Cloud results.
#### Browsing and sorting Cloud results
The maximum amount of Cloud results that can be returned for a search query is 100 000. Although there may be more samples matching the query in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.
If the list of search results has more than 2000 samples, it is not possible to sort the results by any of the columns.
### Expanded Row Information
Clicking a sample’s row in the list of results expands it to display more information about the sample.
For Local results, this information includes the Spectra Core analysis report, and is generally more detailed.
For Cloud results, the information in the expanded row includes sample classification received from Spectra Intelligence, sample hashes, first and last seen dates, and the results of AV scanning.
Clicking the file name opens the Spectra Intelligence version of the [Sample Details](./Sample%20Details/index.md) page with more information about the sample. The **See All Scans** link leads directly to the Community Threat Detections page on the sample’s Summary page.
### Sample Availability
The Local files view includes only those samples that are currently available on the local Spectra Analyze instance.
The Cloud tab includes samples found in the Spectra Intelligence cloud. Select **Cloud Search** and pick *All Cloud Data* or further differentiate between public and private results. Private results may include files that have been deleted and are no longer available for download. Selecting **Public Cloud Data** shows data uploaded to Spectra Intelligence as shareable that may be available for download to the local Spectra Analyze instance. Alternatively, use the `available:true` keyword in the search query.
Sample availability is indicated by a cloud icon on the left side of the results page. Samples with a black cloud icon are available for download; those with a grey icon are not.
### Spectra Intelligence Sample Actions
The Cloud results page offers only the **Fetch and Analyze**, **Fetch and Analyze (Advanced)**, **Reanalyze in Spectra Intelligence** and **Subscribe/Unsubscribe** actions for each sample. **Fetch and Analyze**, **Fetch and Analyze (Advanced)**, and **Reanalyze in Spectra Intelligence** are available only for public and available samples (indicated by a black cloud icon).
To learn how to subscribe to or unsubscribe from samples in the search results list, consult the [Alerts](./alerts.md) section.
### Bulk Actions for Managing Search Results
Both Local and Cloud views allow users to select multiple samples at once and perform some actions on them.
- **Local files view:**
- Reanalyze
- Download samples
- Download Extracted Files
- Apply User Tags
- Set Classification
- Delete
- Subscribe
- Unsubscribe
- **Cloud files view:**
- Fetch & Analyze (public results only)
- Fetch & Analyze (Advanced) (public results only)
- Subscribe
- Unsubscribe
To perform bulk actions, first select a number of samples to activate the bulk actions menu (☰).
There are several ways to select multiple samples.
1. Manually select the checkbox on the left side of every sample.
2. Click the *Select all N samples* link that appears at the top when one or more samples are selected. This will select all samples on all pages in the results list.
3. Click the *Select All* checkbox in the top left corner of the results table. This will select all samples on the current page. Click the checkbox again to deselect all selected samples.
When multiple samples are selected, a new bulk actions menu (☰) appears on the right side of the results page. Select the desired option in the menu.
## Downloading Files from Spectra Analyze to Local Storage
**Important: - Submissions selected for download are compressed and downloaded as a single ZIP file protected by a user-defined password.**
- Currently, bulk downloads are limited to 15 000 files at once. The total combined size of all files selected for download should not exceed 4 GB.
- If the appliance is unable to create the ZIP file within 20 minutes, the download process will time out.
Files on the Spectra Analyze appliance can be downloaded to the local storage using the *Download sample* option from the actions menu (☰) for every submission (compatible with modern ZIP tools such as `unzip` 6.00+, Python's `zipfile`, 7-Zip, or `bsdtar`).
Apart from downloading submissions one by one, users can also download multiple submissions at once (bulk download) to their local storage.
This option is available from the **Local search results** on the **Advanced Search page\***, **YARA ruleset matches**, **Sample Details > File Similarity > Local** and from the **Submissions page**.
There are several ways to select multiple items on the Search page:
1. Manually select the checkbox on the left side of every submission.
2. Select one or more submissions, then click the **Select all N samples** link that appears at the top of the page. This will select all submissions on all currently accessible pages.
3. Click the main checkbox in the topmost row of the submissions list. This will select all submissions on the current page. Click the checkbox again to deselect all selected submissions.
When one or more items are selected, an additional actions menu (☰) appears highlighted on the right side of the page. Select the **Download samples** option in the menu.
When the download process starts, a notification appears in the Spectra Analyze interface. The notification contains a link for canceling the download process. If the notification is dismissed (by clicking the X button), it will appear again when the page is refreshed, or when the user navigates to another part of the Spectra Analyze interface.
When the download process is done, another notification appears even if previous notifications were dismissed.
## Downloading Container Files
When a file is extracted from another file during analysis, the file from which it was extracted is referred to as its “container”.
Extracted files have the **Download container** option in their action menu (☰) on the Search page. Selecting this option downloads the top-most container of the extracted file from Spectra Analyze to the local storage.
If a file has been extracted from multiple different containers, the oldest one found on the appliance will be downloaded. Extracted files for which the top-most container has been removed from the appliance do not have this option in their action menu.
The option to download the container is also available on the **YARA ruleset matches**, **Sample Details > Summary**, **Sample Details > Extracted Files**, **File Similarity > Local**, and on the **Local search results** page of the Advanced Search page.
## Downloading Files from Spectra Intelligence
Apart from submitting files to the appliance manually or [through the API](./API%20Documentation/submissions.md), users can also obtain new files by downloading them from Spectra Intelligence. Downloaded files are stored on the appliance, and accessible from the **Local** files view on the Search page.
The prerequisite is that the appliance is connected to Spectra Intelligence.
In order to download a file from Spectra Intelligence, it has to be marked as available (in other words, uploaded to the cloud as shareable). The interface indicates this with a black cloud icon. Files with a gray cloud icon are marked as private, and are not available for download.
Keep in mind that appliance administrators can configure the allowed file size for downloads from Spectra Intelligence. When this is configured, users can’t download files exceeding that file size. Regardless of the configuration, the maximum allowed file size is 500 MB per file. Files that are too large to be downloaded from Spectra Intelligence will have a special indicator icon instead of the black/gray cloud icon.
Files can be downloaded from Spectra Intelligence to the Spectra Analyze appliance on the following pages:
- Advanced Search results - Public tab
- YARA > ruleset matches
- Sample Details > File Similarity > Spectra Intelligence filter
- Submissions > search results > Spectra Intelligence filter
On each of the pages, files can be selected in several ways, depending on the page:
1. Manually select individual checkboxes on the left side of each file.
2. Select one or more files, then click the **Select all N samples** link that appears at the top of the page. This will select all files on all currently accessible pages.
3. Click the main checkbox (usually at the top left of the list). This will select all files on the current page. Click the checkbox again to deselect all selected files.
When one or more files are selected, an additional actions menu (☰) appears highlighted on the right side of the page. Depending on the page, the following options may be available in the menu:
- *Fetch selected samples* downloads the selected files from the current page to the Spectra Analyze appliance
- *Subscribe* and *Unsubscribe* are used to [create an alert subscription for selected files](./alerts.md#monitoring-samples-with-alerts)
Some pages on the Spectra Analyze appliance display the **Fetch All** button at the top right of the page when no files are selected. In those cases, clicking the button downloads all available files from the page to the appliance. It is also possible to choose an arbitrary amount of files by selecting individual checkboxes on the left side of each file. In this case, the **Fetch All** button changes to **Fetch Selected**.
When downloading is confirmed, Spectra Analyze displays a notification about files being queued for download. Navigating away from the page will not stop the downloads. The process should only take a couple of seconds, after which the downloaded files will appear on the Search page.
## Managing Unknown (Not Found) Files
**Note: “Unknown” in this context means “unknown to the system”, “not found in the system”. It does not refer to the *Unknown* status that files have when they are not classified yet.**
Spectra Analyze can detect and track files that are currently not present on the appliance or in the Spectra Intelligence cloud. Users can look up hashes of specific files and set up alert subscriptions to get notified when the files become available in the cloud.
**Search page**
To track unknown files using the [Advanced Search](./advanced-search.md) feature, users should submit hashes through the *Bulk Hash Search* dialog.
When one or more hashes are submitted through the *Bulk Hash Search* dialog, unknown hashes are automatically filtered out and displayed in a separate *Not found* tab on the search results page.
When one or more **SHA1** hashes in the *Not found* list are selected, the actions menu (☰) provides options to subscribe or unsubscribe to them. Users can then create an alert description as described in the [Tracking Unknown Hashes with Alerts](./alerts.md#tracking-unknown-hashes-with-alerts) section.
## Deleting Submitted Files and URLs
It is possible to manually delete files and URLs from the Search page. Users can delete only those submissions that they have added, while administrators (“superusers”) can delete any submission regardless of who added it to the appliance.
There are several ways to delete a submission:
1. by selecting *Delete sample* in the actions menu (☰) on the Search page. This menu item is visible to users only for their own submissions. Administrators can see this menu item for all submissions.
2. by clicking a submission name to access its Sample Details page, then selecting *Delete sample* in the *ACTIONS* menu
Multiple submissions can be deleted at once. To do this, select one or more items on the Search page using the checkboxes on the left side. Selected submissions are highlighted in yellow. To select all submissions at once, click the **Select all N uploads** message at the top of the list.
Next, open the bulk actions menu (☰) highlighted on the right side of the list. Select *Delete* to remove selected submissions.
A confirmation dialog appears, displaying the number of submissions to be deleted. Click **Yes** to proceed with deleting the submissions. Navigating away from the page will not stop the deletions.
Clicking **No** or **Cancel** closes the confirmation dialog and returns to the Search page.
## Reanalyzing Files and URLs
Users can perform additional analysis activities at any point after the files/URLs have initially been submitted and processed on the Spectra Analyze appliance.
*Reanalyze* options are accessible on the following pages:
- Advanced Search > Local, Cloud and Network tabs
- the [Summary section](./Sample%20Details/sample-details-summary.md) of the Sample Details page
- Extracted Files on the Sample Details page
- The list of YARA matches (*local* and *local-retro* only)
Depending on the currently focused search page tab and view, files/URLs can be submitted for reanalysis to the following supported services:
### Local Files View
1. Static Analysis - Spectra Core. Users can choose to reanalyze files with a newer version of the Spectra Core static analysis engine after updating the appliance.
2. Threat Intelligence - Spectra Intelligence. Users can submit a file to be reanalyzed with AV engines in the Spectra Intelligence cloud.
3. First-party analysis includes dynamic analysis with ReversingLabs Cloud Sandbox and static analysis through Auxiliary Analysis. Samples larger than 400 MB cannot be submitted to dynamic analysis services. When submitting a file to RL Cloud Sandbox, users have the option to launch an [interactive session](./dynamic-analysis.md#interactive-analysis) and interact with the sample directly.
4. Third-party dynamic analysis using supported analysis services: Cuckoo, FireEye, Joe Sandbox, CAPE, Cisco Secure Malware Analytics or VMRay. Samples larger than 400 MB cannot be submitted to dynamic analysis services (100 MB for FireEye).
### Cloud Files View
1. Reanalyze on Spectra Intelligence - submit the sample to a new Spectra Intelligence analysis. Use **Fetch & Analyze** or **Fetch and Analyze (Advanced)** to make the sample available locally for more options.
### Network Tab
Click the **Advanced Analysis Options** to reveal the following settings:
#### Dynamic Analysis
- Cloud Sandbox - submits the URL for automated dynamic analysis in ReversingLabs Cloud Sandbox
- Interactive Analysis - allows real-time interaction with the URL in a controlled sandbox environment
- Third-party integrations - submits the URL to configured third-party dynamic analysis services
#### URL Crawling
- Analyze Crawled Files (Local, On-Device) - this option crawls the URL and performs static analysis on the downloaded content. This makes the downloaded payload available as a file in the Files tab. **This setting is disabled by default. Check with your administrator to enable it.**
- Analyze Crawled Files (Cloud) - the URL will be crawled using Spectra Intelligence.
### Bulk Actions
On the **Files** tab, up to 100 files can be selected and reanalyzed at once.
When the *Reanalyze* option is selected, a floating dialog opens, where users can select which services to use for reanalysis.
Multiple services can be selected in the dialog. If any of the selected files have last been analyzed with a Spectra Core version older than the current version on the Spectra Analyze appliance, the Spectra Core static analysis service is selected by default. For other services, the date of the last successful analysis is displayed under the service name. The ReversingLabs Cloud Sandbox dynamic analysis service allows the users to select the platform to which the sample will be submitted: Windows 7, Windows 10, macOS Big Sur, or Ubuntu 20 (Linux).
If a service is unavailable or misconfigured on the appliance, this is indicated by a status label under the service name. If a file is already being processed by a service when submitted for reanalysis, that service will be disabled.
After selecting the desired service(s), confirm by clicking **Reanalyze** to submit files for reanalysis.
Integrations and assessment analysis services have additional limitations. Consult the [Analysis Service Integrations](./dynamic-analysis.md) section for more details.
**Important: Files without available sources cannot be reanalyzed using the *Reanalyze* option/dialog.**
If file crawling is enabled, submitted URLs on the Files tab will behave exactly as files, so everything applies to URL submissions as well. To crawl a URL again, select the *Reanalyze* option in its action menu (☰). This will open the URL submission pop up window with the URL already inserted, allowing the users to select/change the crawling method. To see the URL network analysis results, switch to the *Network* tab.
## Reanalyzing Files and URLs in Error State
In some cases, submissions on the Spectra Analyze appliance can remain in error state if there have been some issues during their previous analysis.
Files in error state have a "Fail" indicator instead of the classification indicator on the Search page. Hovering over the indicator displays a tooltip with information about the last failed analysis.
If the file name is crossed-out, that indicates the file doesn’t have a source on the appliance. Files without available sources cannot be submitted for reanalysis.
To reanalyze a file or a URL submission in error state, select the *Retry Analysis* option in its actions menu (☰). This option is available for individual submissions only (not for multiple submissions at once).
During reanalysis, users can normally browse pages on the Spectra Analyze appliance, including the Sample Details page of the submission that is being reanalyzed.
Following a successful reanalysis, the submission will no longer display the *Fail* indicator, and will receive a classification from one of [the supported sources](./Sample%20Details/threat-classification-sources.md#threat-classification-descriptions).
## Analyzing Files with RHA Similarity Algorithm
The [RHA (ReversingLabs Hashing Algorithm)](https://www.reversinglabs.com/technology/reversinglabs-hash-algorithm) is a functional similarity algorithm that classifies files based on the similarity of their features. Format-specific attributes of a file are abstracted into categories, and then evaluated for similarity at four different precision levels (25%, 50%, 75% and 100%). The precision levels represent the degree of similarity: the higher the level, the more similar attributes there are between files.
**The Spectra Analyze appliance can display RHA information for PE, MachO, and ELF samples. Only the first precision level (25%) is supported for those file formats.**
If RHA results are available for a file, they will be displayed next to a red RHA icon on the left side of the [Expanded Details](./search-page.md#expanded-details) section, in the sidebar of the [Sample Details](./Sample%20Details/index.md) page, and in the File Similarity section on the Summary section of the Sample Details page.
To get a list of functionally similar samples for a file:
- click the links in the File Similarity section on the Sample Details page
- expand the row on the Search page and click any of the numbers in the RHA section (above User and System Tags)
This will open the RHA results with samples functionally similar to the selected file. They can be filtered by threat status (All threats, Goodware, Unknown, Malicious, Suspicious) and by source (All, Local, Spectra Intelligence). Additionally, *Subscribe/Unsubscribe* options are available for those files, making it possible to create alert subscriptions for them.
When the cursor changes to an up-down arrow in the RHA results list, click to expand the row and get more information about the file.
Files marked with a gray cloud icon are unavailable for download, while those marked with a black cloud icon can be downloaded to the appliance.
Clicking **Fetch All** at the top of the RHA results list will download all available files to the appliance, up to a maximum of 1000 files.
It is also possible to manually select one or multiple files from the list and click **Fetch Selected**. The procedure is identical to the one described in the [Downloading Files from Spectra Intelligence](#downloading-files-from-spectra-intelligence) section.
**Tip: When the functionally similar samples are downloaded and analyzed, it is useful to look at their “Protection” features and “Indicators” (in the Sample Details > Spectra Core section), and compare them.**
---
## Spectra Analyze Tags — System Tags, User Tags & Advanced Search
The Spectra Analyze appliance supports two types of tags: System Tags and User Tags. Both types of tags are visible for every sample in the [Expanded Details](./search-page.md#expanded-details) and on the **Sample Details ‣ Summary** page.
[Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) automatically adds System Tags to new samples during analysis based on their metadata properties. It is not possible to change or add new System Tags to samples manually. Samples analyzed with Spectra Core version 3.7.1 will not have any System Tags. Users should submit such samples for reanalysis with Spectra Core to receive System Tags.
User Tags are completely custom; any Spectra Analyze user can add and remove User Tags on all local samples on the appliance. User Tags are shared between all users of a Spectra Analyze instance. In other words, every user can see the tags created by other users, assign those tags to samples, or remove them from samples.
User Tags are local-only and unique to each Spectra Analyze instance. They are not stored in the Spectra Intelligence cloud when a sample with User Tags is submitted for analysis.
## Searching for Samples by Tags
There are several ways to find all samples tagged with a particular tag.
1. Use the Sample Search bar on the uploads page. Type in the hash symbol (#) followed by the tag (for example, #desktop). The search feature supports partial matching, so searching for #desktop will also find tags that contain the word “desktop” (for example, #desktop_app, #malicious_desktop, #zdesktop)
2. Or, click the tag in the list of User Tags on [Expanded Details](./search-page.md#expanded-details) or on the **Sample Details ‣ Summary** page
In both cases, the Tags page will be displayed and filtered by the selected tag. This applies to both System Tags and User Tags.
3. If access to the [Advanced Search](./advanced-search.md) feature is enabled on the appliance, use the `tag` keyword to find samples with System Tags, and the `tag-user` keyword to look for samples with User Tags. Both keywords are case-insensitive and support wildcard matching. All samples with the queried tags are listed on the search results page, and divided into Local and Cloud depending on their location.
## Adding User Tags to Samples
All Spectra Analyze users can create their own User Tags or add already existing ones to samples on the appliance. Keep in mind the following rules and limitations when creating new User Tags:
- User Tags are case-sensitive and distinguish spaces from underscores. In other words, `Example` and `example` are two separate tags; `test_tag` and `test tag` are separate tags, too.
- A single tag must be between 2 and 40 characters long (including spaces), matching the supported pattern. Supported characters for tags are [a-z0-9][a-z0-9 /._-]. The following examples are valid tags: `malware_1, ClassifiedByYARA, false-positive, Better.Test/Tag`. The following examples illustrate invalid tags: `Ž++, #hashtag, *.exe`.
- It is possible to create a User Tag with the same name as a System Tag. For example, there can be an `indicators` System Tag, and a user can create their own `indicators` tag. Removing a User Tag does not affect the System Tag in any way.
- If the user attempts to add a tag that is identical to a System Tag already added to the sample, it will be ignored (not added to the sample). However, it is possible to add a User Tag identical to a System Tag if the sample does not have that System Tag. For example, `antisandbox` is a System Tag. If a sample has this System Tag, attempting to add a User Tag called `antisandbox` will fail. If the sample doesn’t have it, `antisandbox` will be added as a User Tag.
User Tags can be added to local samples (or removed from them) in several ways.
**Adding User Tags to individual samples**
1. In the [Expanded Details](./search-page.md#expanded-details) for a sample, click **Edit Tags** button in the list of User Tags, or click the icon to the right of the list. This can be done from any Spectra Analyze page that supports Expanded Details (Search results, Alerts, YARA, Tags, Sample Details > Extracted Files).
2. Or, on the **Sample Details ‣ Summary** page, find the list of User Tags and click **Edit Tags**.
3. Or, on the Search & Submissions page, select a sample and click the triple bar button next to the *Size* column title. In the menu that opens, select the **Apply tags** option.
In all three cases, the *Edit tags* dialog opens and displays the current list of User Tags if any are assigned to the sample.
Start typing into the dialog and a pull-down menu with suggestions will appear if the letters match any of the existing tags. Select the desired tags from the pull-down, or type in the name of a new tag. To remove existing tags from the sample, if there are any, delete them from the input field in the dialog. Click **Save** to confirm the changes.
4. Use the [Modify tags API](./API%20Documentation/tags-api.md) to list User Tags for a sample, add new ones, and remove existing ones.
**Adding User Tags to samples in bulk**
Select one or more samples on any of the pages that support bulk tagging (Submissions, YARA, Tags, Sample Details > Extracted Files).
While the samples are selected, choose the **Apply tags** option from the bulk actions menu next to the *Size* column title.
This opens the *Edit tags* dialog. Start typing into the dialog and a pull-down menu with suggestions will appear if the letters match any of the existing tags. Select the desired tags from the pull-down, or type in the name of a new tag. To add multiple tags at once, separate them with commas (e.g., *tag1*, *tag2*, *tag3*).
To remove existing tags from the sample, if there are any, delete them from the input field in the dialog.
Click **Save** to confirm the changes. The dialog will automatically close, and a notification will appear in the upper right corner, informing about changed tags.
To add User Tags to samples from Spectra Intelligence, the samples must first be [downloaded to the appliance](./search-page.md#downloading-files-from-spectra-intelligence). When they are downloaded, User Tags can be added in any of the ways described on this page.
---
## Spectra Analyze Troubleshooting — Upload Failures, API Errors & Licensing
# Troubleshooting
This guide covers common issues with [Spectra Analyze](./index.md) and the steps to resolve them.
---
## File upload fails or hangs
**Symptom**
The upload progress bar in the header stalls or the browser shows no response after selecting a file via the **Submit** button. The upload may fail silently, or the browser displays a network error.
**Cause**
The most common causes are:
- The file exceeds the configured maximum upload size.
- The browser tab was navigated away from or refreshed during upload, which interrupts the transfer.
- A network timeout or proxy between the browser and the appliance terminated the connection.
- Disk space on the appliance is critically low, causing the upload to be rejected at the server.
**Solution**
1. Check the appliance's configured maximum file size limit under **Administration > Configuration > General** and compare it to the file you are trying to submit. Files larger than this limit are rejected with an HTTP 413 error when submitted via the API. When submitted via the GUI, files exceeding the limit display a modal: "File Size Exceeds Spectra Analyze Upload Limit! Analyze large files with Spectra Detect!"
2. Do not navigate away from the page or refresh the browser tab while an upload is in progress. The upload status bar in the header indicates active transfers.
3. If you are uploading over a proxy or VPN, check that the proxy is not terminating idle connections prematurely. Increase the proxy timeout or upload directly if possible.
4. Check available disk space on the appliance using the [Health Status Indicator](./index.md#health-status-indicator) or the **Administration > System Status** page. See [Storage space warning](#storage-space-warning) for remediation steps.
5. For large files, use the [Submissions API](./API%20Documentation/submissions.md) directly with a tool like `curl`:
```bash
curl -X POST https:///api/submit/file/ \
-H "Authorization: Token " \
-F "file=@/path/to/large-file.exe"
```
---
## File stuck in "Processing" status
**Symptom**
A submitted file remains in the **Processing** state on the [Search & Submissions](./search-page.md) page for an extended period (more than 15–30 minutes for typical files) and never transitions to a classified state.
**Cause**
- The appliance analysis queue is backed up due to a large number of submissions.
- A Spectra Core analysis instance has become unresponsive processing an unusually complex or deeply nested archive.
- The appliance has insufficient CPU or memory resources to keep up with the current submission rate.
**Solution**
1. Check the [Health Status Indicator](./index.md#health-status-indicator) for CPU, memory, and queue size warnings. Navigate to **Administration > System Status** for a detailed breakdown.
2. If the queue is congested, reduce the rate of new submissions and allow existing jobs to drain.
3. Check the appliance system logs for errors related to analysis workers. If an individual analysis instance is hung, the appliance will typically restart it automatically.
4. For files that are persistently stuck, try resubmitting the file after the queue clears. You can also use the [Reanalyze API](./API%20Documentation/reanalyze-api.md) to trigger reanalysis:
```bash
curl -X POST https:///api/samples//analyze/ \
-H "Authorization: Token " \
-F "analysis=core"
```
5. If the issue persists across multiple files, contact [ReversingLabs Support](mailto:support@reversinglabs.com) with system logs.
---
## Classification result is unexpected (false positive or false negative)
**Symptom**
A file is classified as malicious when it is known to be clean (false positive), or a known malicious file is classified as goodware or receives a low risk score (false negative).
**Cause**
- A custom YARA rule with overly broad pattern matching is triggering on clean files.
- The file is new and has not yet been seen by enough classification sources to produce a confident verdict.
- The classification was manually overridden by another user on the appliance.
- The file is a compressed or packed variant not yet in the threat database.
**Solution**
1. Review the **Classification Reason** in the [Report Summary Header](./Sample%20Details/sample-details-summary.md) to identify which classifier produced the final verdict.
2. If the classification originates from a YARA rule, navigate to the [YARA](./yara.md) page and review the matching ruleset. Tighten the rule conditions to reduce false positives. See [Interpreting Analysis Results](./getting-started.md#understanding-the-classification-reason) for guidance on evaluating classification confidence.
3. Check whether a user override is in effect. The classification sources table on the sample details page shows if a manual override is present.
4. For false negatives on known malware, check whether Spectra Intelligence enrichment is configured and reachable (see [Cannot connect to Spectra Intelligence for enrichment](#cannot-connect-to-spectra-intelligence-for-enrichment)). Intelligence feed data significantly improves classification confidence.
5. If the sample is a known false positive, apply a classification override directly on the sample details page or use the [Set Classification API](./API%20Documentation/set-classification-api.md). See [Administering classification overrides](./getting-started.md#administering-classification-overrides) for details.
6. Submit persistent false positives or false negatives to ReversingLabs for analyst review at [support@reversinglabs.com](mailto:support@reversinglabs.com).
---
## Cannot log in / authentication error
**Symptom**
Attempting to log in to the Spectra Analyze web interface returns "Invalid credentials", "Account locked", or redirects back to the login page without an error message.
**Cause**
- Incorrect username or password.
- The user account has been disabled or locked after repeated failed login attempts.
- An SSO or LDAP integration is misconfigured, causing authentication to fail silently.
- The session cookie is stale or the browser has cached an old session.
**Solution**
1. Verify you are entering the correct credentials. Passwords are case-sensitive.
2. Clear browser cookies and cache, then retry the login.
3. If the account is locked due to failed login attempts, it cannot be manually unlocked by an administrator. The account will automatically unlock after the configured block timeout expires. See [Login Security](./Administration/configuration-update/configuration.md#login-security) for details on the lock duration.
4. If LDAP or SSO integration is in use, verify the configuration under **Administration > Configuration**. Confirm that the LDAP server is reachable from the appliance and that bind credentials are correct.
5. If you have lost administrator access entirely, contact [ReversingLabs Support](mailto:support@reversinglabs.com) to arrange account recovery.
---
## Appliance shows license warning or expiry
**Symptom**
A banner appears in the interface warning that the license is expiring soon or has already expired. The [Health Status Indicator](./index.md#health-status-indicator) shows a red icon. Certain features or API endpoints may become unavailable.
**Cause**
- The appliance license has reached or passed its expiration date.
- A new license file has been issued but not yet applied to the appliance.
- The appliance cannot reach the ReversingLabs license server for validation (for cloud-validated licenses).
**Solution**
1. Navigate to **Administration > Configuration > Licensing** to view the current license status and expiration date. See [Licensing](./Administration/configuration-update/licensing.md).
2. If you have received a new license file, upload it through the licensing page.
3. If the license appears valid but the warning persists, verify that the appliance can reach the ReversingLabs license server. Check for firewall rules blocking outbound HTTPS traffic.
4. Contact your ReversingLabs account manager or [support@reversinglabs.com](mailto:support@reversinglabs.com) to request a license renewal.
---
## API returns 401 Unauthorized
**Symptom**
API requests return:
```json
{"detail": "Invalid token."}
```
or
```http
HTTP/1.1 401 Unauthorized
```
**Cause**
- The API token is missing from the request headers.
- The token has been revoked or has expired.
- The token is being passed incorrectly (wrong header name or format).
**Solution**
1. Confirm that every API request includes the `Authorization` header with the correct token format, for example:
```bash
curl -X POST https:///api/samples//analyze/ \
-H "Authorization: Token " \
-F "analysis=core"
```
2. Verify that the token is still valid by checking **Administration > Tokens** if you manage tokens for multiple users. See [Tokens](./Administration/users-personalization/tokens.md).
3. If the token was recently regenerated or revoked, update all integrations and scripts that use the old token.
4. Check that the token belongs to a user account that is still active and has not been disabled.
---
## API returns 403 Forbidden
**Symptom**
API requests return:
```http
HTTP/1.1 403 Forbidden
```
```json
{"detail": "You do not have permission to perform this action."}
```
**Cause**
- The authenticated user's role does not grant access to the requested endpoint or resource.
- A per-user or per-group permission restriction is in place for the specific operation (for example, deleting samples or accessing administration endpoints).
**Solution**
1. Check the user's assigned role under **Administration > User Roles**. See [User Roles](./Administration/users-personalization/user-roles.md) for a full list of permissions associated with each role.
2. If the operation requires elevated privileges, ask an administrator to assign the appropriate role or a higher-privilege role to the user.
3. If the 403 is returned for a specific resource (for example, a private sample), check whether the sample's visibility settings restrict access.
---
## Slow analysis performance
**Symptom**
Files take significantly longer than expected to complete analysis. The queue displayed on the **Administration > System Status** page is consistently non-zero. Analysis that normally completes in seconds takes minutes.
**Cause**
- The appliance is receiving more submissions than its current Spectra Core capacity can handle.
- Large or deeply nested archives (for example, multi-layer ZIP files) are consuming disproportionate analysis time.
- CPU or memory resources on the appliance are under heavy load from other processes.
- The appliance hardware does not meet recommended specifications for the current submission volume.
**Solution**
1. Check CPU and memory utilization via **Administration > System Status** or the [Health Status Indicator](./index.md#health-status-indicator). Look for sustained CPU above 90% or memory above 85%.
2. Review the configured system health thresholds under **Administration > Configuration > System Health Indicator** and adjust alert thresholds to get earlier warnings.
3. Identify if specific file types (large archives, firmware images) are consistently slow. Consider rate-limiting submission of such files during peak periods.
4. If the appliance is persistently under-resourced, consider adding a Spectra Detect Worker cluster and connecting it via [Spectra Detect Manager](/SpectraDetect/Admin/ManagerSettings/) to offload processing.
5. Review the [platform requirements](/General/DeploymentAndIntegration/PlatformRequirements) to confirm the appliance meets minimum hardware specifications for the current submission rate.
---
## Storage space warning
**Symptom**
The [Health Status Indicator](./index.md#health-status-indicator) shows a red icon with a disk-related warning. The hover tooltip or **System Status** page displays a message similar to:
```
Disk usage: 94% — threshold exceeded
```
New file uploads may be rejected.
**Cause**
- The appliance disk has accumulated a large number of stored samples and analysis results.
- Log files or system backups have consumed available space.
- The configured disk usage threshold has been set too conservatively relative to actual growth patterns.
**Solution**
1. Navigate to **Administration > Configuration > Backup & Purge** to configure automated sample purge policies. Samples older than a specified retention period can be removed automatically. See [Backup & Purge](./Administration/configuration-update/backup-purge.md).
2. To reclaim space immediately, navigate to **Administration > Configuration & Update > Backup & Purge** and click **Run Purge** to trigger a manual purge according to the configured retention criteria.
3. If log files are consuming space, rotate or archive them per your appliance OS procedures.
4. Adjust the disk usage alert threshold under **Administration > Configuration > System Health Indicator** if the current threshold triggers too early for your capacity.
5. If disk space is chronically insufficient, consider expanding the appliance storage volume or archiving older samples externally before deleting them from the appliance.
---
## Cannot connect to Spectra Intelligence for enrichment
**Symptom**
The [Health Status Indicator](./index.md#health-status-indicator) shows a red icon. The hover tooltip displays:
```
Spectra Intelligence: not reachable
```
Samples on the appliance lack Spectra Intelligence enrichment data such as scanner detections, threat names, or community classifications.
**Cause**
- The Spectra Intelligence credentials configured on the appliance are incorrect or have expired.
- Network connectivity from the appliance to `data.reversinglabs.com` is blocked by a firewall or proxy.
- The Spectra Intelligence account has exceeded its quota, causing requests to be rejected with HTTP 429.
**Solution**
1. Navigate to **Administration > Configuration > Spectra Intelligence** and verify that the username and password are correct. Test the connection using the built-in connectivity check.
2. From the appliance, test outbound connectivity to the Spectra Intelligence API server:
```bash
curl -I https://data.reversinglabs.com
```
If this times out or is refused, check firewall rules and proxy configuration. The appliance must be able to reach `data.reversinglabs.com` over HTTPS (port 443).
3. If a proxy is required, configure the proxy address in **Administration > Configuration > General** under the proxy settings, or contact your network team to allow direct HTTPS access to `data.reversinglabs.com`.
4. Check your Spectra Intelligence quota via the **Quota Indicator** in the appliance header bar, or via the [Customer Usage API](/SpectraIntelligence/API/CustomerUsage/tca-9999). If the quota is exhausted, contact [support@reversinglabs.com](mailto:support@reversinglabs.com) to review your entitlements.
---
## YARA Retroactive Hunting
The YARA Retroactive Hunting feature is an extension of the already powerful yara capabilities available on the Spectra Analyze appliance.
With standard YARA hunting, only new samples are compared against YARA rules, and new matches are reported as they happen. Retroactive Hunting allows users to scan through old samples to uncover YARA rule matches that would otherwise remain hidden.
Three types of YARA Retroactive Hunting are supported on Spectra Analyze, with one being available only if the appliance is in a [Spectra Detect](/SpectraDetect/) cluster:
- [Cloud Retro Hunting](#local-retro-hunting), which applies to samples in the Spectra Intelligence cloud that were analyzed in the past 90 days. Archives and samples larger than 200 MB are excluded from the sample set, but samples extracted from those archives are not.
- [Local Retro Hunting](#local-retro-hunting), which applies to all samples on the local Spectra Analyze instance regardless of their age and analysis date. **Local Retro Hunts across large datasets are processing-intensive and may negatively impact the performance and stability of the appliance.**
- **Remote Storage Hunting**, which applies to samples stored in S3 buckets configured on a Spectra Detect Hub group S3 connector service. Such retro hunts will be executed using the Worker appliances, and the results will be visible on the Manager dashboard. Links to remote storage retro hunts can be found in the **YARA Retro Hunt** pop-up dialog.
## Local Retro Hunting
**Important notes**
1. Local Retro Hunting can be performed on all active rulesets on the appliance, including [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) rulesets.
2. Local Retro Hunting cannot be performed on individual rulesets - it runs on all active rulesets at once.
3. To exclude a ruleset from Local Retro Hunting, disable it before running Local Retro.
4. Local Retro does not submit samples to dynamic analysis services (such as Cuckoo or FireEye) during a scan.
### Starting a Local Retro Hunt
To start a Local Retro scan on all active rulesets on the appliance, click the **Run Retro Hunt** button at the top right of the YARA page. This opens a pop-up with the options to perform a retro hunt on local samples, or to initiate a retro hunt on remote storage.
**Tip: Performing retro YARA hunts on remote storage is available only if the appliance is in a Spectra Detect cluster comprising a Spectra Detect Manager, Hub and Worker with a configured S3 connector on the Hub group. Users can select the buckets from those added to the Hub group’s S3 connector and configure the desired file age and folder/prefix for the files to be included in the hunt. Such retro hunts will be executed using the Worker appliances, and the results will be visible on the Manager dashboard. Links to remote retro hunts can be found in the **YARA Retro Hunt** pop-up dialog.**
To stop a retro scan, open the **YARA Retro Hunt List** menu (the clock icon) and click the stop button next to the retro hunt listing. Local Retro does not submit samples to dynamic analysis services (such as Cuckoo or FireEye) during a scan.
When the scan completes, the results will be available in the list of YARA matches for every active ruleset. The results for Local Retro scans cannot be cleared, and samples cannot be removed from the list of matches.
### Stopping and Restarting a Local Retro Hunt
While a Local Retro scan is in progress, it can be stopped by clicking the stop button next to the retro hunt listing in the **YARA Retro Hunt List** dialog.
After a Local Retro scan is stopped or completed, it can be restarted at any point. However, the next scan behaves as a fresh start - it does not continue from where it previously stopped.
The *YARA Retro Hunt List* dialog contains detailed information about all previous Local Retro scans, including whether they were stopped or not.
## Cloud Retro Hunting
**Important notes**
1. Cloud Retro Hunting can be performed only on rulesets that are saved in the Spectra Intelligence cloud, because the Cloud Retro sample set resides there. For a successful Cloud Retro scan, a ruleset needs to be able to access that sample set.
2. The Cloud Retro sample set includes samples analyzed in the Spectra Intelligence cloud over the last 90 days. Archives and samples larger than 200 MB are excluded, but samples extracted from those archives are not. The sample set is not static, and it changes daily.
3. Cloud Retro Hunting cannot be performed on Spectra Core rulesets.
4. The maximum number of Cloud Retro scans that can be executed depends on the license purchased by the customer.
5. The maximum amount of rules and rulesets that can be scheduled for Cloud Retro Hunting at a time depends on the license purchased by the customer.
### Starting a Cloud Retro Hunt
To enable Cloud Retro Hunting for a ruleset, the selected ruleset must first be saved to Spectra Intelligence.
To do this, open the ruleset editor by clicking the *Edit* item in the ruleset action menu (☰). In the editor, select the *Run ruleset continuously in Spectra Intelligence* checkbox and click the *Save* or *Save & Close* button. Alternatively, open the ruleset's page and enable the *Run Ruleset in Cloud* switch.
The indicators on the YARA page should show that the ruleset is active in the cloud and ready for Cloud Retro. An indicator of synchronization status will be visible in the upper right part of the YARA page. The indicator displays the date and time of last synchronization, and allows skipping the synchronization until the next day.
The action menu for the ruleset should now have the *Run Cloud Retro Hunt* option. Selecting it will schedule the ruleset for a Cloud Retro Hunting scan. If the ruleset has been successfully validated, the retroactive scan will start shortly.
Alternatively, the appliance administrator can enable automatic Cloud Retro hunting for YARA rulesets saved to Spectra Intelligence in the **Administration > Configuration > YARA Cloud Settings** configuration dialog.
If this option is enabled, YARA rulesets that are synchronized with Spectra Intelligence will be automatically scheduled for a Cloud retro scan that will start after successful ruleset validation. This applies to new rulesets created on the appliance, and to existing rulesets that are edited and synchronized with Spectra Intelligence by selecting the “Run ruleset continuously in Spectra Intelligence” checkbox in the YARA ruleset editor.
If new samples are uploaded to the Spectra Analyze appliance while a Cloud Retro scan is in progress, they will be also matched against the ruleset that is being scanned.
During a Cloud Retro scan, the progress for the ruleset is displayed next to the status indicator icons on the YARA page.
When the Cloud Retro scanning for a ruleset is completed, the *RETRO* indicator on the YARA page will reflect that the scan was successful. Hovering over the indicator displays a tooltip with more information on the ruleset’s Cloud Retro status.
If the scan has completed successfully, the tooltip will show the date and time when the latest Cloud Retro hunt started and finished.
### Stopping and Restarting a Cloud Retro Hunt
It is possible to stop a Cloud Retro scan if the user needs to modify the ruleset for accuracy, or because of performance concerns. While a Cloud Retro scan is in progress, click the triple bar button (☰) on the right side of the selected ruleset. Choose the *Stop Retro Hunt* item from the menu.
After a Cloud Retro scan is stopped or completed, it can be restarted at any point (as long as the ruleset remains saved to Spectra Intelligence).
However, restarting a Cloud Retro scan on a ruleset will remove the results from the previous Cloud Retro scan. The restarted scan behaves as a fresh start - it does not continue from where it previously stopped.
## Managing YARA Retroactive Hunting Results
To view and manage the results of Retroactive Hunting scans, click a ruleset name to expand the list of matched samples.
Cloud Retro scan results will have their source displayed as a cloud icon. If the file is not available for download from Spectra Intelligence, a light gray cloud icon is displayed
The list of matches for Retroactive Hunting contains similar options as described in the [Managing YARA Ruleset Matches](yara.md#managing-yara-ruleset-matches) section. Users can choose the ruleset version from the dropdown list below the ruleset name to compare scan results for each version. Every sample in the list of results can be selected and managed individually using the options in the action menu (☰). Clicking the file name opens the local or the Spectra Intelligence version of the [Sample Details](./Sample%20Details/index.md) page for the selected file, depending on if the sample is locally available.
The Retroactive Hunting results can also be managed in bulk. Selecting one or more samples in the list of results activates the triple bar button (☰) on the right side of the *Size* column.
The button opens the bulk action menu with options for:
- downloading and analyzing selected samples on the Spectra Analyze appliance, if the samples are available for download (*cloud* and *cloud-retro* only),
- removing samples from the list of matches (*cloud* and *cloud-retro* only),
- reanalyzing samples (*local* and *local-retro* only),
- applying tags to samples (*local* and *local-retro* only),
- downloading samples to local storage,
- adding/removing samples in new or existing alert subscriptions,
- exporting data about selected samples as a CSV file.
### Removing Samples from the Cloud Retro Results
YARA rulesets that are saved to Spectra Intelligence can match up to 10 000 samples. When a ruleset reaches that many matches, it will be capped and new matches will no longer be stored on the Spectra Analyze appliance. To free up space and continue collecting new matches for the ruleset, users have to remove at least 1000 old matches.
- Samples can be removed from the list of Cloud Retro results manually by selecting them and choosing the *Remove Cloud Matches* option from the action menu (☰). Using this method, samples can be removed one by one, or the user can select and remove multiple samples at once.
- Additionally, it is possible to clear all Cloud Retro results for a selected YARA ruleset. To do this, select a ruleset and click the triple bar button (☰) on the right side of the ruleset row. In the action menu that opens, select *Clear Retro Hunt*.
When the Cloud Retro results for a ruleset are cleared, the icon for the *RETRO* indicator on the YARA page will change, showing that the results have been cleared. Users can then run a new Cloud Retro scan on the ruleset at any point.
---
## YARA Hunting
## Classifying files with YARA rules
If a file has been classified by a YARA rule, the **Static Analysis > Classification** section on the [Sample Details](./Sample%20Details/index.md) page includes links to YARA rules that the file has matched. Clicking the link to a ruleset redirects to the YARA page containing the selected ruleset and its matches.
To find files tagged by YARA rules on the appliance or in the Spectra Intelligence cloud, use the **tag-yara** keyword on the Search & Submissions page. For example, the search query `tag-yara:malicious threatname:*ransomware*` returns all files classified as malicious by YARA rules, with “ransomware” in their detected threat name.
All files that match the YARA rule are automatically tagged with those custom tags after analysis. If a file has any YARA tags, they can be found in the **Static Analysis > Classification > YARA > Tags** section on the [Sample Details](./Sample%20Details/index.md) page.
**Note: Changes to YARA tags are not immediately reflected in the Search results. When a YARA tag is added, changed, or removed from a rule, the files that match the rule must be reanalyzed with [Spectra Core](/General/AnalysisAndClassification/SpectraCoreAnalysis) first. Alternatively, you can also run a local [retro scan](./yara-retro.md#starting-a-local-retro-hunt).**
For example, if a YARA tag “test” is renamed to “test2”, searching for *tag-yara:test* returns the same results until all matching files are reanalyzed with Spectra Core. After they are reanalyzed, the files can be found with the new tag, *tag-yara:test2*, and the old tag will not return any results.
## How YARA Hunting Works on Spectra Analyze
Spectra Analyze contains default YARA rulesets, but also allows users to [create and edit custom rulesets](#creating-new-yara-rulesets), as well as to synchronize rulesets with other ReversingLabs products.
The default YARA rulesets are called Spectra Core rulesets. They can be accessed by selecting the “Spectra Core Rulesets” option in the filter pull-down menu on the YARA Hunting page. Those rulesets are applied only to local files on the appliance (through Continuous Local Matching). Spectra Core rulesets cannot be saved to the cloud or modified (edited, disabled, or deleted) in any way by any type of user.
Rulesets present on Spectra Analyze by default are open source, and published by ReversingLabs in [a public GitHub repository](https://github.com/reversinglabs/reversinglabs-yara-rules). Additional rulesets can be imported as files, or from online sources, straight from the YARA page. For more information on importing rulesets, refer to the [YARA Repository Management](#yara-repository-management) chapter.
Files are matched against YARA rulesets on the Spectra Analyze appliance in four different ways.
1. **Continuous Local Matching (Default)**
When a YARA ruleset is created on or uploaded to Spectra Analyze, it continuously looks for matches among local files that are added to the Spectra Analyze appliance after the ruleset has been created. This is the default behavior when Spectra Intelligence is not configured on the appliance, and when a YARA ruleset is not saved to Spectra Intelligence.
Local matches for rulesets cannot be removed from the list of matches on the YARA page.
2. **Continuous Cloud Matching**
When a new or existing YARA ruleset is selected to run continuously in the Spectra Intelligence cloud, it looks for matches among files that are added after the ruleset has been created. This includes local files added to the Spectra Analyze appliance, and files in the cloud uploaded through various ReversingLabs services (such as APIs).
The prerequisite for Continuous Cloud Matching is that the Spectra Analyze appliance is connected to Spectra Intelligence.
Important Note
Every Spectra Analyze instance must be connected to a different Spectra Intelligence account. Sharing accounts between multiple instances can interfere with the functionality of the appliance (particularly with YARA rule synchronization). Appliance administrators should ensure that the cloud account credentials are properly configured in the **Administration ‣ Configuration ‣ Spectra Intelligence** dialog.
YARA rulesets that are saved to Spectra Intelligence can match up to 10 000 samples. When a ruleset reaches that many matches, it will be capped and new matches will no longer be stored on the Spectra Analyze appliance. To free up space and continue collecting new matches for the ruleset, users have to remove at least 1000 old matches.
Find more information in the [Hunting for Malware in the Spectra Intelligence cloud with YARA](#hunting-for-malware-in-the-spectra-intelligence-cloud-with-yara) section.
3. **Retroactive Cloud Matching**
When a new or existing YARA ruleset is selected to run continuously in the Spectra Intelligence cloud, and the YARA Retroactive Hunting feature is enabled on the appliance, the ruleset can be selectively matched against files in the cloud that have been analyzed in the past 90 days.
The ruleset will continuously look for new matches among local files that are added to the Spectra Analyze appliance while a Cloud Retro scan is in progress.
Find more information in the [Cloud Retro Hunting](./yara-retro.md#cloud-retro-hunting) section.
4. **Retroactive Local Matching**
When the YARA Retroactive Hunting feature is started, all rulesets that are active (enabled) on the appliance will be included in a Local Retro scan. This also includes the default Spectra Core rulesets. While a Local Retro scan is in progress, the appliance still continues to analyze new files that are added to the appliance. The processing priority is given to newly added files to prevent delays.
The Local Retro scan runs against all local files regardless of their age and analysis date. If users want to prevent the Local Retro scan for one or more rulesets, those rulesets have to be disabled on the appliance.
Local Retro matches for rulesets cannot be removed from the list of matches on the YARA page.
Find more information in the [Local Retro Hunting](./yara-retro.md#local-retro-hunting) section.
## Understanding the YARA Page
Clicking the *Yara* item in the top-level menu brings the user to the YARA Hunting page, which displays a list of rulesets (collections of YARA rules) and matching statistics.
### Filters
The search bar allows users to filter the list of rulesets by typing the full or partial name of a ruleset. Enclose the search string in quotation marks for exact name matching.
Next to the search bar, several menus allow filtering according to ruleset ownership, status and source (for imported rulesets).
Some notes on the possible choices:
- Under the ownership menu, "User Rulesets" will show all rulesets from all users except the current user ("My Rulesets")
- Under the status menu, you can find rulesets with warnings (for example, with a syntax error), as well as rulesets that were [capped in Spectra Intelligence](#managing-yara-rulesets-with-warnings)
**Tip: Filters are reflected in the URL (as query parameters), which means that you can share a filtered page. For example:**
```
?name=yippee-ki-yay&owner=owner_user_jmcclane&status=enabled
```
...will present a page where the ruleset names contain "yippee-ki-yay", where their owner is user `jmcclane` (note the "owner_user_" prefix), and where such rulesets are enabled.
### Actions
The indicators and buttons in the top right of the page display the actions and status information related to [YARA Retroactive Hunting](./yara-retro.md).
- The **Add Ruleset** button provides the options to [create, import or upload rulesets](#creating-new-yara-rulesets).
- The **Actions** button allows starting a [Local Retro Scan](./yara-retro.md#local-retro-hunting) on all active rulesets on the appliance, and contains links to the list of previous retro hunts and YARA repository management. The retro hunt list is also accessible via the *Open Retro Hunt List* button.
- The **gear icon** menu allows the users to customize the YARA table columns and date format.
- The synchronization status indicator is visible only if Spectra Intelligence is correctly configured on the appliance, and if at least one YARA ruleset on the appliance is saved in the Spectra Intelligence cloud. Hovering over the indicator with the mouse activates a “Skip To” link that can be used to postpone ruleset synchronization.
### Results
If a ruleset is greyed out on the page, it is disabled. Disabled rulesets are not active on the appliance and are not included in any of the Local, Cloud, or Retro scans.
Clicking the star icon next to the ruleset adds it to favorites for the current user. Favorite rulesets are listed in the YARA Matches section on the [Dashboard](./dashboard.md). Up to 10 rulesets can be added to favorites.
Every ruleset has one or more status indicators. **Hovering over the indicator icon displays a tooltip with more information about every status.**
The far right action menu (☰) for each ruleset contains options for testing, editing, exporting, disabling, and deleting the ruleset, and options to subscribe (create [Alerts](./alerts.md) for new YARA matches) or unsubscribe from a ruleset.
**Note: Spectra Core rulesets can only be edited and exported, but not disabled or deleted. Selecting the **Edit** option for a Spectra Core ruleset opens the ruleset editor where the user can preview and copy the contents of the ruleset, but cannot save any changes to it.**
### Creating New YARA Rulesets
YARA rulesets on the Spectra Analyze appliance can be created from scratch, uploaded as files, or imported from a number of popular online sources. There is also a [YARA API](./API%20Documentation/yara-api.md).
ReversingLabs products, including Spectra Analyze, support the following YARA modules:
- PE
- ELF
- Dex
- Macho
- String
- Math
- Hash
- Time
- Dotnet
**Note: “Import” and “include” statements are not supported.**
To upload or import rulesets from external files and sources, click the **Add Ruleset** button at the top right of the YARA page. The dropdown menu offers three options: **Create Ruleset**, **Upload File** and **Import from Online Sources**.
Importing from online sources provides a list of predefined and custom (if configured) sources, and contains an additional step of allowing the selection of which rulesets or individual rules to import. Invalid rules will, depending on the parser, be either imported as disabled or not imported at all.
Once the process finishes, imported rulesets can be edited and synced to other appliances if YARA sync is enabled.
To write a new ruleset, select the **Add Ruleset > Create Ruleset** option in the top right of the page. This opens the YARA Ruleset Editor
**Tip: For more information on writing YARA rulesets, consult one of the following sources:**
- ReversingLabs publishes guidance for using YARA on the official blog. See the blog posts [“Level up your YARA game”](https://blog.reversinglabs.com/blog/level-up-your-yara-game) , [“Writing detailed YARA rules for malware detection”](https://www.reversinglabs.com/blog/writing-detailed-yara-rules-for-malware-detection) and [“Five Uses of YARA”](https://blog.reversinglabs.com/blog/five-uses-of-yara) to learn more.
- The official YARA documentation offers detailed advice on [how to write YARA rules](https://yara.readthedocs.io/en/stable/writingrules.html).
- Use Spectra Core rulesets present on the appliance as reference.
#### YARA Ruleset Restrictions
- Naming restrictions:
- YARA ruleset names must be between 3 and 48 characters.
- The underscore ( _ ) should be used instead of spaces, and any other special characters should be avoided. Ruleset names should only use numbers (0-9) and a-z/A-Z letters.
- Ruleset size restrictions:
- A ruleset file should not be larger than 40 MB.
- A ruleset larger than 1 MB (1048576 bytes) cannot be saved and run in the Spectra Intelligence cloud.
When creating a new ruleset in the editor, you can select whether the ruleset will be immediately enabled after saving changes by selecting the **Enable Ruleset** checkbox. If the checkbox is not selected, the ruleset will be disabled after it is created, and files will not be matched against it until the you enable it.
To save a newly created ruleset in the Spectra Intelligence cloud, select the *Run ruleset continuously in Spectra Intelligence* checkbox in the ruleset editor.
The appliance administrator can enable automatic upload of YARA rulesets to Spectra Intelligence in the **Administration > Configuration > YARA Cloud Settings** configuration dialog. If this option is enabled on the appliance, the *Run ruleset continuously in Spectra Intelligence* option will be automatically selected by default in the YARA ruleset editor.
When done making changes to the new ruleset in the editor, click the *Save & Close* button. If the new ruleset is validated, it appears in the list of rulesets on the YARA page.
Clicking *Save & Publish* will save the ruleset and add it to the synchronization queue. This button will be visible only to users with the appropriate [user role](/SpectraAnalyze/Administration/users-personalization/user-roles/).
If one or more rulesets are saved in Spectra Intelligence, an indicator of synchronization status is visible in the upper right part of the YARA page.
### Editing Rulesets and Restoring Previous Ruleset Versions
All Spectra Analyze users with the appropriate user roles can edit or delete all YARA rulesets on the appliance, except Spectra Core rulesets.
Clicking the *Edit* item in the ruleset action menu (☰) on the YARA page opens the ruleset editor. The editor allows modifying an existing YARA ruleset, saving it to Spectra Intelligence, and managing different versions of the same ruleset. Users can also manually enable or disable a ruleset by selecting the *Enable ruleset* checkbox.
Every time a ruleset is edited and saved, a new version of the ruleset is created. The versions are visible both in the Version filter on the ruleset's page and in the YARA ruleset editor.
The statistics about matches of every ruleset version are preserved and displayed, allowing users to compare their efficacy.
In the YARA ruleset editor, the user can restore any previous version of a ruleset to overwrite new changes. Click the *History* menu to open the pull-down list with ruleset versions. Click the **Load** link next to the ruleset version that should be restored, then click the *Save* button to apply changes and activate the selected version.
Clicking **Save & Close** returns to the YARA page after saving changes, while clicking *Save* allows the user to remain in the ruleset editor and keep making changes. It is not possible to save an empty ruleset (a ruleset without any text in the *Rules* field), or a ruleset without a name.
The **Save & Publish** button saves the ruleset and add it to the synchronization queue. This button is visible only to users with the appropriate [user role](/SpectraAnalyze/Administration/users-personalization/user-roles/).
Optionally, [test the ruleset](#yara-test-run-page-testing-rulesets) before saving and/or publishing to check if it’s correctly matching the desired samples.
The ruleset editor also displays information about the user who added the ruleset, and the user who last edited it.
Editing a ruleset does not change its ownership. For example, if user *test1* creates a ruleset and another user *test2* saves changes to the same ruleset, user *test1* is still the owner of the ruleset. In this scenario, only the user *test1* can delete the ruleset.
When a user account is deleted from the Spectra Analyze appliance, all YARA rulesets owned by that deleted user are automatically transferred to the administrator account that deleted the user.
Validation indicators visible on the main YARA page are also displayed in the ruleset editor. Depending on the modifications made to the ruleset, the validation indicators can change (for example, when a ruleset is saved to Spectra Intelligence).
### YARA Test Run Page: Testing Rulesets
When writing a new ruleset in the editor, you can test run a ruleset against a predefined set of samples to check if the ruleset matches everything it should. The YARA Test Run page can be accessed via the ruleset editor, or using the **Test Ruleset** option in the (☰) menu of a particular ruleset in the table.
Samples can be added to the testing page either directly by hash, or using tags. You can select up to 5 tags, which will load 100 latest submitted samples from the selected tags. If unsure about a specific tag name, the tag menu also serves as a search box. Once the page is populated with samples, you can tweak the ruleset by clicking the **Edit Ruleset** button, or perform a YARA test run by clicking the **Run Test** button.
After the test is complete, the samples list shows the test results in the far right column of the table. If you tweak the ruleset again and **Retest** it, new test results will show up alongside the old ones in the rightmost column. This way, you can compare the results of up to four previous runs. Test result icons, when clicked, open up a hex preview with the highlighted portion of the binary that was matched in the test run, as well as its ASCII representation.
**Run New Test** clears the previous results.
### Enabling and Disabling Rulesets
**Note: YARA rulesets cannot be enabled or disabled while their Cloud or Retro validation is pending, or while a Retro scan on the rulesets is in progress.**
For individual rulesets: on the right side of the page, click the triple bar button (☰) to open the ruleset action menu. In the menu, click *Enable* or *Disable*. Alternatively, click the ruleset to open its page showing a list of matches, and disable the "Enable Ruleset" switch in the top right of the page.
For multiple rulesets at once: select the checkboxes to the left of each ruleset name. When the rulesets are selected, open the main action menu by clicking the triple bar button (☰) in the toolbar, on the right side of the YARA page. In the menu, select the *Enable* or *Disable* option.
The YARA page dynamically displays rulesets as enabled or disabled, one by one.
### Managing YARA Ruleset Matches
Every ruleset on the YARA page can be clicked to show a list of files that matched one or more YARA rules in the selected ruleset.
When a ruleset is opened, various statistics are displayed below the ruleset name and filters: Total Matched Samples, Most Matched Rule, Most Matched Format, Most Matched Threat Type. The top left of the page contains the ruleset name with a tooltip displaying the ruleset's creation and last updated date, commit ID and source repository information (where the ruleset was imported from). The top right of the page contains options to **Edit Ruleset**, and an **Actions** menu allowing the users to test, edit, export, disable or delete the ruleset, and to subscribe/unsubscribe. In addition to these buttons, there are switches to enable/disable the ruleset, and to run the ruleset in Spectra Intelligence cloud.
To the right of the statistics boxes is an arrow button that expands each of the statistics into a graphical display. Colored sections on the graph can be clicked to actively filter out the results table below.
The table can also be filtered using the dropdown menus at the top of the ruleset’s page: by ruleset version, by a specific rule, classification, format, threat type and the first seen date.
Several different filters can be active at the same time. The filters can be cleared to their default values by clicking the **Clear** button.
Ruleset matches can be filtered to display only those files that matched a particular rule. To do that, select the rule in the pull-down list under the ruleset name.
The information about ruleset matches is divided into columns. All columns can be sorted in ascending or descending order by clicking the column name.
From left to right, the columns are:
- source indicator (local or cloud; if the file is not available for download from Spectra Intelligence, a light gray cloud icon is displayed),
- status indicator (as explained in the [About Spectra Analyze](./index.md#color-coding-and-sample-status) section),
- time when the file matched the selected ruleset,
- time when the sample was first seen,
- time when the sample was last seen,
- threat name (if detected; applies to malicious and suspicious samples only),
- file name (or SHA1 hash),
- name of the YARA rule that triggered the match,
- file format (for cloud matches, displays “Unknown” if file format information for a sample is not stored in the Spectra Intelligence cloud),
- the number of extracted files,
- the file size.
The right side of the page contains two buttons with more options to filter the list of ruleset matches:
On the right side of every match in the list, there is a triple bar button (☰) that activates the actions menu with different options.
For local matches, the options include:
- *Delete sample* - removes the submission. This action is visible to users only for files and URLs they have submitted themselves. Regular users cannot delete files and URLs submitted by other users. Administrators can see this menu item for all submissions, and delete all submissions regardless of who created them.
- *Copy to my submissions* - available only if the sample was submitted by a different user. Selecting this adds the sample to the submissions for the current user.
- *Download sample* – downloads the submission from Spectra Analyze to local storage (compatible with modern ZIP tools such as `unzip` 6.00+, Python's `zipfile`, 7-Zip, or `bsdtar`).
- *Download container* - if the file is extracted, downloads its top-most parent from the appliance to the local storage
- *Set classification* - allows users to manually override file classification
- *Subscribe* and *Unsubscribe* - adds or removes the file from alert subscriptions
- *Reanalyze* - allows users to reanalyze the file with static, dynamic, or Spectra Intelligence analysis services
- *Download Extracted Files* - downloads files extracted during analysis to local storage
For cloud and cloud retroactive hunting matches, the options include:
- *Fetch & Analyze* - downloads the file to the appliance
- *Reanalyze on Spectra Intelligence* - reanalyzes individual files using the Spectra Intelligence analysis services
- *Subscribe* and *Unsubscribe* - adds or removes the file from alert subscriptions
Clicking a row in the list of matches expands it to show additional information about the file, as described in the [Expanded Details](./search-page.md#expanded-details) section.
Clicking the file name opens the local or the Spectra Intelligence version of the [Sample Details](./Sample%20Details/index.md) page for the selected file, depending on if the sample is locally available.
#### Performing Bulk Actions on Ruleset Matches
Multiple files can be selected in the list of ruleset matches, and supported bulk actions can be performed on them.
Select the checkboxes on the left side of each individual file, or click the *Select all N YARA matches* link that appears above the list of matches when at least one sample is selected. It is also possible to select all matches by clicking the *Select All* checkbox on the left side of the *Match Time* column.
When one or more files are selected, the bulk action menu (☰) appears on the right side of the list (next to the *Size* column).
**For local matches, the supported bulk actions include:**
- *Download samples* – downloads the submission from Spectra Analyze to local storage (compatible with modern ZIP tools such as `unzip` 6.00+, Python's `zipfile`, 7-Zip, or `bsdtar`).
- *Reanalyze* - allows users to reanalyze the files with static, dynamic, or Spectra Intelligence analysis services
- *Subscribe* and *Unsubscribe* - adds or removes the files from alert subscriptions
- *Apply tags* - allows users to add custom tags to selected files
- *Export data* - exports information about selected files as a CSV file
- *Download Extracted Files* - downloads files extracted during analysis to local storage
**For cloud and retro matches, the supported bulk actions include:**
- *Fetch & Analyze* - downloads and analyzes the files to the Spectra Analyze appliance
- *Remove* - removes selected files from the list of matches for that particular ruleset
- *Subscribe* and *Unsubscribe* - adds or removes the files from alert subscriptions
- *Download samples* – downloads the submission from Spectra Analyze to local storage (compatible with modern ZIP tools such as `unzip` 6.00+, Python's `zipfile`, 7-Zip, or `bsdtar`).
- *Export data* - exports information about selected files as a CSV file
- *Download Extracted Files* - downloads files extracted during analysis to local storage
**The exported CSV file with YARA matches contains the following information:**
- threat status,
- risk score
- threat name (if detected),
- time when the file matched the selected ruleset,
- file name,
- YARA rule that triggered the match;
- file format;
- the number of extracted files,
- the file size.
### Managing YARA Rulesets with Warnings
Some YARA rulesets can slow down file processing on the Spectra Analyze appliance due to their length, scope, and other factors.
When uploading, editing, enabling and disabling such rulesets, the Spectra Analyze appliance displays a notification. The ruleset(s) are marked with a warning icon on the YARA Hunting page.
It is possible to filter the YARA Hunting page to display only rulesets with warnings by choosing the *Rulesets with warnings* item from the pull-down menu on the right. Those rulesets can then be disabled or edited to resolve the issue.
It takes some time for the system to update the ruleset status, so the warning icon does not disappear immediately after modifying a problematic ruleset.
Appliance administrators can access the list of rulesets with warnings from the *Scale* section of the [System Status](/SpectraAnalyze/Administration/usage-alerts/system-status/) page. If there are any rulesets with warnings, the *YaraWarnings* icon will not be green, and will show the number of warnings instead.
Clicking the icon redirects to the YARA Hunting page filtered to display only rulesets with warnings. Here the offending rulesets can be edited or disabled to improve the processing speed of the appliance.
## Hunting for Malware in the Spectra Intelligence cloud with YARA
By default, rulesets only run on files processed on the Spectra Analyze appliance (through Continuous Local Matching).
However, rulesets can be synchronized with Spectra Intelligence and run on a massive amount of files processed daily by ReversingLabs systems, greatly expanding the potential for YARA matches. If [YARA Retroactive Hunting](./yara-retro.md#cloud-retro-hunting) is enabled on the appliance, rulesets synchronized with Spectra Intelligence can also be run on files analyzed in the Spectra Intelligence cloud over the last 90 days.
To synchronize a YARA ruleset with Spectra Intelligence:
- Click the ruleset's name on the YARA page to open the page displaying a list of its matches. Enable the **Run Ruleset in Cloud** switch in the top-right corner of the page.
- Open the ruleset editor by clicking the *Edit* item in the ruleset action menu (☰). In the editor, select the *Run ruleset continuously in Spectra Intelligence* checkbox and click the *Save* or *Save & Close* button.
- Alternatively, the appliance administrator can enable automatic upload of YARA rulesets to Spectra Intelligence in the **Administration > Configuration > YARA Cloud Settings** configuration dialog. If this option is enabled on the appliance, the *Run ruleset continuously in Spectra Intelligence* option is automatically selected by default in the YARA ruleset editor.
When synchronized with Spectra Intelligence, the ruleset displays a cloud status indicator on the YARA page. Additionally, an indicator of synchronization status is visible in the upper right part of the YARA page. The indicator displays the date and time of last synchronization, and allows skipping the synchronization until the next day.
The number of matches stored for a ruleset synchronized with Spectra Intelligence is currently capped at 10 000 to limit the impact on Spectra Analyze. If a ruleset has hit this limit, its CLOUD status indicator on the YARA page gets a red X badge icon. New matches are no longer preserved for a ruleset that hits this limit.
If the appliance administrator has enabled the *Automatic disabling of Cloud enabled YARA rulesets* option in the **Administration > Configuration > YARA Cloud Settings** configuration dialog, every ruleset that reaches the limit are automatically de-synchronized from Spectra Intelligence.
To continue receiving new cloud matches for a ruleset that has reached the limit, users have to remove previous retro results from the ruleset’s action menu (☰) by clicking the Clear Retro Hunt option. Alternatively, open the ruleset’s page, configure the filters so no matches of importance are removed, select all samples in the table and pick the Remove Cloud Matches option from the upmost (☰) menu.
To clear matches even more selectively, configure the filters, sort the table by source (click the first table column title so that the cloud matches are listed first) and select individual samples or entire pages of results and use the Remove Cloud Matches option on the selected samples.
## Synchronizing YARA Rulesets with Other Appliances
**Note: Only appliance administrators can access the option to synchronize YARA rulesets.**
If the Spectra Analyze appliance is connected to the ReversingLabs [Spectra Detect](/SpectraDetect/) Manager, it is possible to synchronize YARA rulesets to other appliances (Spectra Analyze, Spectra Detect Worker) connected to the same Spectra Detect Manager.
The synchronization needs to be configured on Spectra Detect Manager first, and then enabled in the *Spectra Detect Manager* section of the Spectra Analyze [System Configuration](/SpectraAnalyze/Administration/configuration-update/configuration/) page.
Select the *Enable Syncing* checkbox to enable YARA rule synchronization to other appliances from the current Spectra Analyze instance. When synchronization is enabled, every new ruleset created on the appliance automatically gets sent to the Spectra Detect Manager, and from there to other appliances that support YARA rule synchronization.
The synchronization is bidirectional, so any changes made to YARA rules on other appliances connected to Spectra Detect Manager also reach the current Spectra Analyze instance. New rulesets automatically appear on the Spectra Analyze YARA page. Rulesets retrieved from other appliances via Spectra Detect Manager synchronization are not visually distinguished from other rulesets on the YARA page.
Ruleset synchronization includes deleting and disabling rulesets. Deleting a ruleset on one appliance also deletes it on the others, if they are synchronized via Spectra Detect Manager.
When creating, deleting or editing rulesets, only users with the **YARA Publish and Delete** permission have the additional options to **Save & Publish / Delete & Publish** that add the ruleset action to the synchronization queue. Other users with the appropriate, **YARA**, permission are only able to manage rulesets locally.
### Important notes
1. Spectra Core rulesets are not synchronized.
2. If two users on different appliances make changes to the same ruleset at the same time, only the changes from the appliance that syncs with Spectra Detect Manager first will be applied. Synchronization with Spectra Detect Manager happens approximately every ten minutes.
### YARA Status
If YARA syncing is enabled, the YARA page shows a YARA Status indicator to show the current synchronization status, and to indicate if any rulesets are out of sync. In case some rulesets are not synchronized, which is indicated by a red X badge, users can click the **Show Status** link to see which rulesets are not synchronized and **Republish** them.