Analyzing files

To analyze a file

1. Make sure Dr.Web vxCube supports the format of the file you want to analyze.

2. Browse for the file you want to check and upload it to the application.

If Dr.Web vxCube cannot identify the file format automatically, you can select it manually.

3. Select an environment for the analysis—an operating system version or an application version.

You can select multiple OS versions or application versions.

4. You can also specify additional settings for analyzing the file.

Analysis

After you start the analysis, one or several virtual machines with pre-installed software are started. The number of VMs depends on the number of OS versions or application versions you have selected.

To trace suspicious activity on a virtual machine, all actions related to the file's behavior are monitored. All processes in the guest OS are recorded to the API Log. The analyzer uses a list of rules to categorize these processes.

The Dr.Web vxCube analyzer interacts with the hypervisor rather than with the guest OS, and does not use any additional software on the host operating system, for example, drivers that hook functions. Thus, during analysis, the sample cannot detect hooks.

Virtual machines have Internet access via a private proxy server. This allows the sample's behavior to be analyzed fully, especially if its functioning depends on downloading data from the Internet.

To log events, Dr.Web vxCube interacts with the hypervisor, not with the virtual machines. This means the sample cannot detect the analyzer.

You can connect to a virtual machine via a VNC (Virtual Network Computing) client and interact with the analysis. Note that this is possible only while the virtual machine is running.

After the analysis completes, a detailed report becomes available, along with a history of previously analyzed files.


Sometimes analysis of the same file may produce different results if the file's behavior depends on external conditions, for example, the current date or the availability of remote resources.

Also, the results of an analysis with VNC may differ from those of an analysis without VNC if the analyzed file uses an injection method that is unknown to Dr.Web vxCube, or if control is transferred to processes indirectly.