Dynamic Analysis: unverified - how it works

Hi Heroes,

We are using some actual virus samples, manually uploaded to ATD for analysis.

In the Analyzer Profile, we enabled static analysis + Sandbox (with "Continue to run all engines even after file is found malicious" checked). In the analysis report we saw that the sample was detected as malicious in static analysis, but in dynamic analysis the result is "unverified".

May I know how sandbox analysis works? Why is the result unverified in dynamic analysis? I have gone through the product guide and it really doesn't have much information on how the dynamic analysis works...

Thanks in advance.

hsadi
McAfee Employee

Re: Dynamic Analysis: unverified - how it works

Hi User21257322

So for the Dynamic analysis, unverified means they didn't flag on it, meaning they didn't have it listed as malicious or known clean in the detection package. Basically it means unknown.

It could be that the file type isn't supported for dynamic analysis; that's why it stated Unverified. Can you please open an SR with McAfee support and send us example reports along with a screenshot of your analyzer profile configuration, so we can troubleshoot this issue?

Best regards,

Re: Dynamic Analysis: unverified - how it works

@hsadi thanks, I saw you mentioned Detection Package. Does it mean the Dynamic Analysis (Sandboxing) uses the Detection Package for dynamic analysis? I know that Detection Packages are a collection of rules, but I'm not 100% sure if the Detection Package is only used by dynamic analysis. Btw, if the sample is detected as malicious in Static Analysis, will it continue to run Dynamic Analysis if I enabled "continue to run all engines"?


hsadi
McAfee Employee

Re: Dynamic Analysis: unverified - how it works

Hi User21257322,

That's right, the Sandbox uses the detection package for dynamic analysis, and it is only used when the VM is analyzing the sample; it is not used in static analysis (GTI, GAM, Anti-Malware, etc.).

If you have the option "Continue to run all engines" enabled, then the sample will run in Static Analysis and Dynamic Analysis; even if the sample is detected in static analysis, it will be forced to run in Dynamic Analysis as well.

Please let me know if you have more questions.

HTH

Regards,
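The two replies above describe three things a consumer of these reports has to get right: the sandbox consults a detection package that static engines do not use, "unverified" means no rule matched either way (unknown, not clean), and "Continue to run all engines" forces the dynamic stage even after a static detection. The following is an added illustration written for this page, not McAfee ATD code and not its report format; the engine names, the hash and behaviour lookup tables, and the names Verdict, Engine, AnalyzerProfile and analyze are all assumptions made for the example.

```python
"""Hypothetical model of the verdict logic described in the replies above.

Added example: not McAfee ATD code, not its analyzer-profile schema, not its
report format. All names and lookup tables below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    CLEAN = "clean"
    UNVERIFIED = "unverified"   # no listing either way: unknown, NOT clean
    MALICIOUS = "malicious"


# Severity order used when folding per-engine results into one verdict.
_RANK = {Verdict.CLEAN: 0, Verdict.UNVERIFIED: 1, Verdict.MALICIOUS: 2}

# Constructed sample shape: {"sha256": <hex>, "behaviour": <label from the VM run>}
Sample = Dict[str, str]


@dataclass
class Engine:
    name: str
    stage: str                            # "static" or "dynamic" (assumed labels)
    judge: Callable[[Sample], Verdict]


@dataclass
class AnalyzerProfile:
    engines: List[Engine]
    # Models "Continue to run all engines even after file is found malicious".
    continue_all_engines: bool = False


# Constructed stand-in for the static reputation/signature engines (GTI, GAM, Anti-Malware).
KNOWN_HASHES: Dict[str, Verdict] = {
    "aa" * 32: Verdict.MALICIOUS,
    "bb" * 32: Verdict.CLEAN,
}

# Constructed detection package: consulted only by the sandbox (dynamic) stage.
DETECTION_PACKAGE: Dict[str, Verdict] = {
    "writes_run_key": Verdict.MALICIOUS,
    "no_observable_behaviour": Verdict.CLEAN,
}


def static_lookup(sample: Sample) -> Verdict:
    """Static stage: hash reputation; absent from the list means unknown."""
    return KNOWN_HASHES.get(sample["sha256"], Verdict.UNVERIFIED)


def sandbox_lookup(sample: Sample) -> Verdict:
    """Dynamic stage: match observed behaviour against the detection package.

    An unsupported file type or behaviour with no rule flags nothing, which is
    exactly the "unverified" outcome described in the thread."""
    return DETECTION_PACKAGE.get(sample.get("behaviour", ""), Verdict.UNVERIFIED)


DEFAULT_PROFILE = AnalyzerProfile(
    engines=[
        Engine("GTI", "static", static_lookup),
        Engine("Anti-Malware", "static", static_lookup),
        Engine("Sandbox", "dynamic", sandbox_lookup),
    ],
)


def analyze(sample: Sample, profile: AnalyzerProfile) -> Dict[str, object]:
    """Run the profile's engines in order and fold their results into one verdict."""
    per_engine: Dict[str, Optional[Verdict]] = {}
    found_malicious = False
    for engine in profile.engines:
        # Assumed behaviour of the option: when it is off, later engines are
        # skipped once an earlier one has found the file malicious.
        if found_malicious and not profile.continue_all_engines:
            per_engine[engine.name] = None        # None = engine skipped
            continue
        verdict = engine.judge(sample)
        per_engine[engine.name] = verdict
        found_malicious = found_malicious or verdict is Verdict.MALICIOUS

    ran = [v for v in per_engine.values() if v is not None]
    final = max(ran, key=_RANK.__getitem__)
    return {
        "engines": per_engine,
        "final": final,
        # The caveat: an all-unverified file is unknown, never clean; route it
        # to an analyst rather than letting automation release it.
        "needs_triage": final is Verdict.UNVERIFIED,
    }
```

The point of the ranking is that a malicious static hit is never diluted by an "unverified" sandbox run (the OP's exact situation), while a file that every engine reports as unverified is surfaced for triage instead of being quietly treated as clean.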
