Additional Settings

Sample name

Use this option if you want to submit the file for analysis under a different name. The original file won’t be overwritten.

Use VNC

The availability of this function depends on the current license. You can check the availability in the License window. The VNC client is convenient if you choose more than one operating system and want to influence the process on each of them.

To activate the function, select the Use VNC check box. When you start the analysis, new browser tabs open automatically. Tabs are connected to the corresponding virtual machines via the VNC client. At the top of each tab, a progress bar is displayed. The bar shows the completion percentage and the current state of the analysis.

Although new tabs open immediately, it can take some time to connect to virtual machines.

If you have not selected this option in Additional settings and have already started the analysis, click Use VNC on the analysis page. The VNC client will open in a new tab.

Monitor all processes if VNC is used

By default, this setting is disabled and the report only includes the processes engaged in malicious activity.

Show MITM traffic

Select this check box if you want Dr.Web vxCube to parse encrypted traffic. This option is limited to Windows platforms. Once the analysis is done, you can view the decrypted traffic. To do this:

1. Open the report page generated as a result of the analysis.

2. Click Download archive.

3. Unzip the archive. If prompted, input the password specified in the Password for report archive field in Settings. The default password is vxcube.

4. Locate the network.pcapng file in the unpacked archive and upload it into a network packet analyzer like Wireshark.
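
A quick check of the capture before loading it into Wireshark, as an added example rather than Dr.Web code: it reads network.pcapng out of the report archive and counts pcapng blocks by type, failing loudly on a truncated or malformed file. The function names are illustrative, and it assumes the archive uses legacy ZIP encryption that Python's zipfile module can decrypt.

```python
import struct
import zipfile
from collections import Counter

# Block type codes from the pcapng specification.
BLOCK_NAMES = {0x0A0D0D0A: "section_header", 1: "interface_description",
               3: "simple_packet", 4: "name_resolution",
               5: "interface_statistics", 6: "enhanced_packet",
               0x0A: "decryption_secrets"}
SHB_MAGIC = b"\x0a\x0d\x0d\x0a"


def read_capture(archive, password=b"vxcube"):
    """Return network.pcapng bytes from a report archive (path or file object)."""
    # Assumption: the archive uses legacy ZIP encryption, which zipfile can read.
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == "network.pcapng":
                return zf.read(name, pwd=password)
    raise FileNotFoundError("network.pcapng not found in archive")


def summarize_pcapng(data):
    """Count pcapng blocks by type, rejecting truncated or malformed input."""
    if data[:4] != SHB_MAGIC:
        raise ValueError("not pcapng: file must start with a Section Header Block")
    counts, offset, endian = Counter(), 0, "<"
    while offset < len(data):
        if offset + 12 > len(data):
            raise ValueError(f"truncated block header at offset {offset}")
        if data[offset:offset + 4] == SHB_MAGIC:
            # Each section states its byte order through the byte-order magic.
            magic = data[offset + 8:offset + 12]
            if magic == b"\x4d\x3c\x2b\x1a":
                endian = "<"
            elif magic == b"\x1a\x2b\x3c\x4d":
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {offset}")
        btype, length = struct.unpack_from(endian + "II", data, offset)
        if length < 12 or length % 4 or offset + length > len(data):
            raise ValueError(f"bad block length {length} at offset {offset}")
        if struct.unpack_from(endian + "I", data, offset + length - 4)[0] != length:
            raise ValueError(f"length trailer mismatch at offset {offset}")
        counts[BLOCK_NAMES.get(btype, hex(btype))] += 1
        offset += length
    return dict(counts)
```

Pass the archive path and, if it was changed in Settings, the report archive password as bytes; a count of zero packet blocks means there is nothing to inspect in Wireshark.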

Sample run time

The default sample run time in Dr.Web vxCube is 1 minute. You can adjust this value for the particular file if required. For example, you can increase the value if a file needs more time to show suspicious behavior. To do this, move the slider to the right.

Total size limit for drops

By default, the total size for files created during the analysis is limited to 64 MB. You can increase it to 512 MB.

Specify a command to run the file

This option allows you to set a specific command for running the file during analysis. You can use any application from the standard Windows set as the command, for example, rundll32.exe, regsvr32.exe, or notepad.exe. To use the command, specify it in the Specify a command to run the file field.

You can specify a full path to the file using the special %SAMPLE% parameter.

You can use this option if you need to run an executable file by calling an exported function. For example, rundll32 %SAMPLE%, ExportedFunction.

Connection type

VPN is used by default. For some connection types, you can specify a proxy server address and authorization parameters. Only TCP connections are proxied. Traffic of the other protocols is transferred through the default VPN server. To redirect UDP traffic, select the Redirect UDP check box.

Figure 13. Additional settings

After specifying additional settings

Click Analyze to start analyzing the file.

Click Cancel to reset settings and close the window.

Additional settings are only applied to the current file. If you close the Additional settings window or select another file, you will have to configure the settings again.