Skip to main content

Overview of Sandbox Analysis in Nebula

Malwarebytes Endpoint Detection and Response customers can use the Sandbox Analysis feature. This feature allows you to upload a file within the Nebula console and receive a comprehensive report on the item, indicating if the file is malicious or not. Reports display on the Sandbox Analysis page after a few minutes from the time you upload the file.

This article explains how to upload files for analysis, and the types of data you can investigate in the results table of the Sandbox Analysis page.

Watch the video below to see how to upload a file for analysis and view its results.

Upload file on the Sandbox Analysis page

  1. On the left navigation pane, go to Investigate > Sandbox Analysis.
  2. At the top of the Sandbox Analysis page, drag and drop a file or click browse computer to choose a file for upload. The following file parameters apply:
    • Max file size: 64 MB
    • File types accepted: PE 32/64bit (exe,dll)
  3. A window asks you to confirm the file upload. Click Confirm Upload to initiate the analysis process.

Uploading and analyzing a file may take a few minutes. Refresh the Sandbox Analysis page for an updated status. Once analysis is complete, the result displays in the table beneath the file upload area.

Investigate information displayed by Sandbox Analysis

Information displayed in the results table is intended to warn you of potentially malicious files that may warrant an endpoint scan, or for your forensic investigation to find indicators of compromise in your environment.

The results table lists the analysis reports from all of your file uploads. Each line item displays the information in different columns. The columns available are:

  • File name: The name of the analyzed file. Click the name to expand process information and specific threat details.
  • MD5: Shows the file's MD5 hash value.
  • SHA256: Shows the file's SHA256 hash value.
  • Status: Shows one of the following:
    • Pending: The file is still being analyzed by Sandbox Analysis.
    • No Threat: The file appears to be safe.
    • Malicious: The file appears to be compromised. We recommend you remove the file from affected machines and run a Malwarebytes scan immediately.
  • File type: Shows the file type.
  • File size: Shows the file's size in KB or MB.
  • Upload location: Shows the Nebula console page where the file was uploaded from.
  • Upload date: Shows the date and time the file was uploaded.
  • VirusTotal: Click the Check Now link to open the Virus Total website in a new browser tab. This site displays the process path as if found by 3rd party antivirus vendors. This can help you determine if the event is a false positive. NOTE: Virus total is a 3rd party website not associated with Malwarebytes. For information, see Virus Total's Terms of Service.

Process information

When you click on a file name from your Sandbox Analysis results table, the Process Information pop-up window slides into view. This shows more detailed information about the file's hash values, system impact, and indicators of threat behavior based on severity. The process information window displays the following information and functions:

  • View Process Graph: Click this button to expand a visual representation of the files or processes touched by the suspicious activity, including any files or processes spawned from the original file or process.
  • Check VirusTotal: Click this button to open the Virus Total website in a new browser tab.
  • Export: Click this button to download the data to your local machine.
  • MD5 value, if applicable.
  • SHA1 value, if applicable.
  • SHA256 value, if applicable.
  • SHA512 value, if applicable.
  • Indicators of threat behavior:
    • High Severity: Click to expand this field and view a descriptive list of all threat indicators that the Sandbox Analysis deems as high severity.
    • Medium Severity: Click to expand this field and view a descriptive list of all threat indicators that the Sandbox Analysis deems as medium severity.
    • Low Severity: Click to expand this field and view a descriptive list of all threat indicators that the Sandbox Analysis deems as low severity.
  • Dropped Files: Provides data on files and locations used by the analyzed file.
    • File size
    • File type(s)
    • Path
    • MD5 value
    • SHA512 value

 

Return to the Malwarebytes Nebula Administrator Guide.

Related articles