The Sandbox Analysis feature in OneView enables the option to analyze files for threats through the OneView console. Once a file is uploaded, a comprehensive report on the file is generated, providing an indication if it's malicious or not. Reports appear on the Sandbox Analysis page within 10 minutes after uploading the file.
This article offers guidance on uploading files for analysis and understanding the returned data in the analysis reports.
Upload file for analysis
- On the left navigation menu, go to Investigate > Sandbox Analysis.
- At the top of the Sandbox Analysis page, drag and drop a file or click browse computer to choose a file for upload. The following file parameters apply:
- Max file size: 64 MB
- File types accepted: PE 32/64bit (exe,dll)
- A pop-up window displays. Select the site you are uploading the file from.
- Click Confirm Upload to initiate the analysis.
Uploading and analyzing a file may take a few minutes. Refresh the Sandbox Analysis page for an updated status.
Investigate information displayed
The information in the results table is intended to warn you of potentially malicious files that may warrant an endpoint scan or for your forensic investigation to find indicators of compromise in your environment. The results table lists the analysis reports from all of your file uploads. Each line item displays the information in different columns.
|File name||The name of the analyzed file. Click the name to expand process information and specific threat details.|
|MD5||Shows the file's MD5 hash value.|
|SHA256||Shows the file's SHA256 hash value.|
Shows one of the following:
|File type||Shows the file type.|
|File size||Shows the file's size in KB or MB.|
|Upload location||Shows the OneView console page where the file was uploaded from.|
|Upload date||Shows the date and time the file was uploaded.|
Click the Check Now link to open the Virus Total website in a new browser tab. This site displays the process path as if found by 3rd party antivirus vendors. This can help you determine if the event is a false positive. NOTE: Virus Total is a 3rd party website. For information, see Virus Total's Terms of Service.
When you click on a file name under the analysis results table, the Process Information pop-up window slides into view. This shows more detailed information about the file's hash values, system impact, and indicators of threat behavior based on severity. The process information window displays the following information:
|View Process Graph||Click this button to expand a visual representation of the files or processes touched by the suspicious activity, including any files or processes spawned from the original file or process.|
|Check VirusTotal||Click this button to open the Virus Total website in a new browser tab.|
|Click this button to download the data to your local machine.|
|Indicators of threat behavior||
Provides data on files and locations used by the analyzed file.