You can analyze files automatically from your EDR, via API, via Command Line Interface, or manually by drag-and-drop or selecting from your files. In this article, we will cover the different options you have to analyze files and the supported file formats.
If you already have a file analyzed, you can read about understanding the results and analysis report here.
Table of Contents
- Analyze a File Manually
- Analyze By Hash
- Supported File Types
- Customizing your dynamic execution analysis
Analyze a File Manually
If the file that you need to analyze was not automatically collected via integration or API, you can manually upload it either by drag-and-drop or by selecting from your files.
For community users, uploaded files are made public to the community and shared with VirusTotal.
For enterprise users, the files remain in your organization’s private scope and will not be made public to the community, or uploaded to VirusTotal, or any other third party.
Analyze Encrypted Files
Intezer Analyze can automatically decompress and analyze archive files that are uploaded with one of the passwords intezer, infected, malicious or dangerous.
For enterprise users, it is also possible to enter a custom password.
Analyze by Hash
You also have the ability to analyze a file by SHA256, MD5 or SHA1.
If the sample doesn’t already exist in Intezer’s database, the file can be downloaded from VirusTotal (For enterprise users, in order to support this functionality, they must set their own VirusTotal key.)
Once a file is analyzed by Intezer, you will be directed to the analysis report and the results will be logged in your account History.
Supported File Types
The following file formats are fully supported:
- Windows executable files (PE) – .exe, .dll, .sys – native x86, native x64 and .NET.
- Linux executable files (ELF) – native x86, native x64, ARM32, ARM64
- macOS executable files and applications (Mach-O, .dmg, .pkg)
- Compressed files that contain one file - Zip, RAR, TAR, 7-Zip
- Android applications (APK)
- Installers - MSI, trusted installer, Inno setup...
- Microsoft Office - doc, xls, ppt, etc.
- Email - eml, msg
- Scripts - PowerShell, vbs, js
Customizing your dynamic execution analysis
-
Forcing which package to use
On the Scan File screen, you will be able to force which package to use when sending the file to dynamic execution. Currently, the available packages are:- Browsers - Chrome, Firefox, Internet Explorer
- Compressors - jar, rar, zip
- Documents - doc, pdf, ppt, xls, xlst
- Email - eml, msg
- Executables - dll, exe, msi, nsis
- Others - chm, cpl, lnk
-
Scripts - hta, html, js, ps1, py, vbs, wsf
-
Add command line arguments
Sending command line arguments to be a part of the analysis. The arguments will be sent as part of the file execution.
Here is an example of how the following command to run a DLL file would look like:rundll32.exe path_to_dll, entry_point 123 "hello world"
Notice, thepath_to_dllandentry_pointare provided by the platform by default. -
Disabling the automatic dynamic execution feature
By turning the 'Disable Dynamic Execution' toggle on, you have the option to send the file for static analysis only.