Threat intelligence

Activity records provide basic information such as the date and time on which files or emails containing suspicious attachments were sent to Sandstorm.

Threat intelligence combines multiple analysis techniques to determine whether a file is likely to be malicious. This gives you more information and helps reduce false positive detections. You can also view the analysis, release status and report details, and release files or emails.

  • To view details of a scan, hover over the detection status of an entry. This shows a brief overview detailing the threat result at each stage of Sandstorm processing. To view the full report, select View report.
  • To filter the results, click Filter and specify the criteria.
  • To view the details of Sandstorm analysis, select More options, and then select Show report.
  • To release a file or email message, click Release now.

When you release a file, users can download it immediately. Only files that are currently being analyzed or that have been returned with error status are eligible for release. Sandstorm continues to analyze the file even if you release it.

Caution: Releasing an item before the analysis is complete may result in the downloading of malicious content.

Reports contain the following information:

Download details

For example, the source, download time, and users who downloaded the file.

Analysis summary

Shows the overall Sandstorm result of the file. Files can be classified as clean, likely clean, suspicious, malicious, or PUA (Potentially Unwanted Application). You can also see an overview of the main file details.

Machine learning analysis

Shows the overall machine learning result, file feature analysis, feature combination analysis and the file structure analysis.

Reputation analysis

The result of this analysis is based on how widely seen the file is.

Sandstorm detonation results

Shows the activities the file carries out, screenshots of the file being run in Sandstorm, details of the processes the file uses and the registry activity generated.

Full file analysis

Shows full details of the file. This section contains details of the file signatures and any certificates used, the resources called, the imports carried out (such as DLLs used), and any export functionality.

VirusTotal report

Shows how many reports for the specific threat are currently shown in the VirusTotal database and the number of malware detection products that currently detect the file.