Analyzing Files

To analyze a file

1. Make sure Dr.Web vxCube supports the format of the file you want to analyze.

2. Browse for the file you want to check and upload it to the application.

If Dr.Web vxCube cannot identify the file format automatically, you will be able to select it manually.

3. Select an environment for the analysis—an operating system version or an application version.

You can select multiple OS versions or application versions.

4. (Optionally) Specify additional settings for analyzing the file.

5. Click Analyze.


Files can also be analyzed using the API.

Analysis

When you start the analysis, one or several virtual machines with pre-installed software are started. The number of VMs depends on the number of OS versions or application versions you have selected.

All events related to the file's behavior on a virtual machine are monitored to trace any suspicious activity. All processes on the guest OS are logged to the API Log. The analyzer uses a list of rules to categorize these processes and their logged activity.
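The rule-driven categorization described above, shown as an added example that is not Dr.Web vxCube's own code, rule set or log format: a small Python categorizer runs a list of rules over constructed API-log lines and also correlates a multi-step pattern (open a process, write into it, start a remote thread in it) rather than judging each call alone. The line layout (pid, process name, API name, arguments), the rule list and the category names are assumptions made for the illustration.

```python
"""Rule-based categorization of sandbox API-log events (added illustration)."""
import re
from collections import Counter, defaultdict

# Constructed sample of what a guest-OS API log might look like.
# Format (assumed): <pid> <process> <api> <arguments>
SAMPLE_LOG = """\
1234 sample.exe CreateFileW path=C:\\Users\\user\\AppData\\Roaming\\svc.exe
1234 sample.exe RegSetValueExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
1234 sample.exe OpenProcess pid=812 access=PROCESS_ALL_ACCESS
1234 sample.exe WriteProcessMemory pid=812 size=4096
1234 sample.exe CreateRemoteThread pid=812
1234 sample.exe InternetOpenUrlA url=http://example.invalid/payload.bin
1234 sample.exe GetSystemTime
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<api>\w+)\s*(?P<args>.*)$")

# Each rule: (category, regex on the API name, optional regex on the arguments).
# Hypothetical rule list; a real analyzer would ship a much larger one.
RULES = [
    ("persistence", r"^RegSetValueEx[AW]$", r"\\CurrentVersion\\Run\\"),
    ("process_injection", r"^(OpenProcess|WriteProcessMemory|CreateRemoteThread)$", None),
    ("network", r"^(InternetOpenUrl[AW]|WinHttpOpen|connect)$", None),
    ("environment_probe", r"^(GetSystemTime|GetLocalTime)$", None),
]

INJECTION_STEPS = ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread")
TARGET_PID_RE = re.compile(r"\bpid=(\d+)")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    return event


def categorize(events):
    """Return a Counter of category -> number of matching events.

    An event may satisfy several rules; one that satisfies none is counted
    as 'uncategorized' so that unknown activity is not silently dropped.
    """
    counts = Counter()
    for ev in events:
        matched = False
        for category, api_pat, args_pat in RULES:
            if re.search(api_pat, ev["api"]) and (
                args_pat is None or re.search(args_pat, ev["args"])
            ):
                counts[category] += 1
                matched = True
        if not matched:
            counts["uncategorized"] += 1
    return counts


def injection_chains(events):
    """Correlate events: report (source pid, target pid) pairs for which the
    source performed all three injection steps against the same target."""
    seen = defaultdict(set)  # (source pid, target pid) -> set of APIs seen
    for ev in events:
        if ev["api"] not in INJECTION_STEPS:
            continue
        m = TARGET_PID_RE.search(ev["args"])
        if m:
            seen[(ev["pid"], int(m.group(1)))].add(ev["api"])
    return sorted(pair for pair, apis in seen.items() if apis == set(INJECTION_STEPS))


def summarize(log_text):
    """Parse a whole log and return per-category counts plus correlated chains."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {"counts": categorize(events), "injection_chains": injection_chains(events)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:20s} {n}")
    print("injection chains:", result["injection_chains"])
```

The point of the second pass (`injection_chains`) is the one the later note on VNC makes: single-call rules only see what they were written for, so correlating a sequence of calls against the same target is what lets the analyzer attribute activity to the sample when control moves into another process.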

The Dr.Web vxCube analyzer interacts with the hypervisor rather than with the guest OS, and does not use any additional software on the host operating system, such as drivers that hook functions. Thus, during analysis, the sample cannot detect hooks.

Virtual machines connect to the internet through a dedicated proxy server. This allows the malicious file's behavior to be analyzed fully, especially when its operation depends on downloading data from the internet.

To log events, Dr.Web vxCube interacts with the hypervisor, not with the virtual machines. This means the analyzer cannot be detected from inside the guest.

You can connect to a virtual machine through a VNC (Virtual Network Computing) client and influence the analysis. Note that this is possible only while the virtual machine is running.

After the analysis, you get a detailed report, and a history of previously analyzed files is available for viewing.


Analysis of the same file may sometimes give different results if the file's behavior depends on external conditions, for example, the current date or the availability of remote resources.

Also, results of analysis with VNC may differ from results of analysis without VNC if the analyzed file uses an injection method unknown to Dr.Web vxCube, or if control is transferred to other processes indirectly.