I'm trying to analyze a file in ATD.
Files with the following extensions - vb, vba, vbe, vb
In the analysis I select mode - Xmode
Analysis profiles used - OS Windows XP, OS Windows 7 (32, 64).
I see that the file is opened as a text extension.
The file is an ordinary Visual Basic script.
The file does not contain any malware!
We analyzed the same file in the Cuckoo sandbox.
Cuckoo Sandbox executes the file when analyzing it and does not open it as text.
How is that set up in McAfee ATD?
You can try the below steps.
1. Go to Control Panel, Default Programs, Associate a file type or protocol with a program
2. Then set the default program correctly as shown below.
3. You will have to change the program to C:\Windows\System32\wscript.exe to open the script file.
Refer to the KB link below for more details.
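As an added example (not from this thread or from McAfee), the file-association change from the steps above can be checked and applied from an elevated PowerShell prompt inside the analyzer VM instead of through the Control Panel; it assumes the default Windows Script Host ProgIds VBSFile/VBEFile and the wscript.exe path named above.

```powershell
# Added example (not from the thread): check, and optionally repair, the Windows Script
# Host association for .vbs/.vbe inside the ATD analyzer VM so that X-Mode executes the
# script instead of opening it as text. Run from an elevated PowerShell prompt on the VM.
# Assumption: the default WSH ProgIds VBSFile/VBEFile are used; the handler path is the
# one named in the thread.
$wshHost = "$env:SystemRoot\System32\wscript.exe"
$defaults = @{ '.vbs' = 'VBSFile'; '.vbe' = 'VBEFile' }

function Get-ScriptAssociation {
    param([string]$Ext)
    $classes = 'HKLM:\SOFTWARE\Classes'
    $progId = (Get-ItemProperty -Path "$classes\$Ext" -ErrorAction SilentlyContinue).'(default)'
    $command = if ($progId) {
        (Get-ItemProperty -Path "$classes\$progId\Shell\Open\Command" -ErrorAction SilentlyContinue).'(default)'
    }
    # A per-user Default Programs choice (the Control Panel path from the thread) overrides the
    # machine-wide mapping, so a stale "open with Notepad" choice is reported here too.
    $choice = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Extension  = $Ext
        ProgId     = $progId
        Command    = $command
        UserChoice = $choice.Progid
        UsesWSH    = ($command -match 'wscript\.exe') -and (-not $choice.Progid -or $choice.Progid -eq $progId)
    }
}

function Repair-ScriptAssociation {
    param([string]$Ext, [string]$ProgId)
    $classes = 'HKLM:\SOFTWARE\Classes'
    foreach ($key in "$classes\$Ext", "$classes\$ProgId\Shell\Open\Command") {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path "$classes\$Ext" -Name '(default)' -Value $ProgId
    # "%1" is the script path; %* passes any extra arguments through to the script
    Set-ItemProperty -Path "$classes\$ProgId\Shell\Open\Command" -Name '(default)' -Value "`"$wshHost`" `"%1`" %*"
    # Drop a conflicting per-user choice so the machine-wide mapping is what Explorer uses
    Remove-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice" -ErrorAction SilentlyContinue
}

$state = $defaults.Keys | ForEach-Object { Get-ScriptAssociation -Ext $_ }
$state | Format-Table -AutoSize
foreach ($s in $state | Where-Object { -not $_.UsesWSH }) {
    Repair-ScriptAssociation -Ext $s.Extension -ProgId $defaults[$s.Extension]
    Write-Host "Re-associated $($s.Extension) with $wshHost"
}
```

Run it once before submitting a sample to see the current mapping, and keep the repaired state in the VM snapshot that the analyzer profile is built from, since the thread's later steps recreate the VM profile from that image.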
Based on the ATD Product Guide (ATD_3.6.0_Product_Guide_revA.pdf, Table 8-1 on page 282) you can see the following information.
vb, vba, vbe, vb files are supported for static analysis but not for dynamic analysis.
Page 228 shows which engines and technologies are used for static analysis: Global Whitelist, Local Blacklist, McAfee GTI, Gateway Anti-Malware (GAM), Custom Yara Scanner and Anti-Malware.
GAM is perfect for script analysis. GAM is able to look for the obfuscation and encryption mechanism of a script, and much more. GAM emulates a virtual CPU in memory and does much fancy stuff. 🙂
Therefore, analyzing the file types in XMode (Dynamic Analysis) will make no difference when analyzing that file.
Just one thing I'm not sure about: what happens if the script downloads and drops a file......
Hope this helps,
Please try the previously suggested steps for associating the file type with a default program. For this, the steps below need to be followed.
1. Delete the Analyzer Profile
2. Delete the VM Profile
3. New VM Profile with same VM that you deleted in Step 2.
4. Click on Activate button under New VM Profile and make the suggested changes.
5. Shutdown the VM from Start menu.
6. Enter the Maximum license value
7. Click on Save.
8. Create a new Analyzer Profile using VM Profile created in Step 7.
9. Submit a sample in X-Mode and verify whether it is opening with correct application or not.