search cancel

On-box Sandboxing of archive files on the Content Analysis System

book

Article ID: 175150

calendar_today

Updated On:

Products

Content Analysis Software - CA

Issue/Introduction

On the Content Analysis System (CAS), the Malware Analysis (MA) will scan the files for potential malware to be blocked.

When a file is received by the CAS, using ICAP or API, the file will be scanned following the standard order of File Hash checks > Predictive Scan > AV Scan > Sandboxing. Please refer to this article for more details: TECH245572

The same applies to the archive files such as .rar, .7z, .tar files... However, by default the CAS won't send the archives to the MA.

Resolution

There is additional configuration required in order to unzip and scan the archives files in the Sanboboxing in the iVM.

The extensions of the archives must be present under the list of custom extensions at Services > Sandboxing > General Settings > File Extensions
For example, to enable the CAS to submit the 7zip files to the MA, you must add the extension ".7z".

In addition, the default plugin must be changed at Services > Sandboxing > Symantec Malware Analysis > Tasks, where you must select the plugin 'ghost_user_with_unpacker.py'

 

The steps are:
1. Add manually all the archive extensions you need under Services > Sandboxing > General Settings > File Extensions
2. Make "ghost_user_with_unpacker.py" the default plugin for all your tasks at Services > Sandboxing > Symantec Malware Analysis > Tasks

 

Additional notes:

According to the webguide documentation of CAS version 2.4.x available here, the plugin 'ghost_user_with_unpacker.py' can deal with the following types of archives: 7z, XZ, BZIP2, GZIP, TAR, ZIP, WIM, AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2, RAR, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, WIM, XAR, Z, TNEF and ACE.

 

If you leave the default plugin 'ghost_user.py', the iVM will not unzip the archives. The file will be scanned unzipped in the virtual machine.

 

When you manually submit an archive to the MA scanning, at Malware Scanning > Submit > Upload and Unpack Zip, you must submit a ZIP file only (".zip"). The other extensions such as .7z, .tar, .rar, .egg,... are not supported for the manual submit.