Note: This feature is only available for Malware Analysis and Autonomous SOC plans. If you have a Free plan, your analyzed files are shared with Intezer's public community database.
Private indexing is a powerful tool that allows you to create your own genetic database in order to:
- Label targeted threats: Save time spent investigating previously seen threats. Once a file is indexed in Intezer Analyze it becomes instantly shareable among global SOC teams in your organization.
- Accelerate incident response: Automatically share classifications and previously effective remediation tactics for unknown and classified files, reducing the time spent investigating threats and helping you respond both quickly and smartly.
- Acquit trusted files and endpoints: Index your own trusted software, files, and endpoints to avoid false positives and duplicate alerts, and to create a trusted baseline of your organization’s machines.
Table of Contents
- How Does it Work?
- How to privately index a file?
- Handling Gene Conflict
- Gene Conflict Examples
- Revert to Original
How Does it Work?
Intezer Analyze determines a file’s verdict and classification based on Intezer’s code database of trusted and malicious code. After uploading a file, code ‘genes’ are extracted, and based on which software those genes have been seen before, the verdict and classification are calculated.
If you privately index a file, Intezer Analyze labels the file’s genes with the classification you gave it.
For example, you can index an unknown file with a “Malicious” verdict and “Turla” malware family classification.
Next time the file or a similar file is analyzed, your classification will play a role in the classification calculation alongside Intezer Analyze’s classification algorithm.
As part of private indexing, you can edit the verdict, malware family name, and label at any time.
After saving the sample, it will be reanalyzed and the new analysis criteria will be applied.
Note:
- You cannot change a sample’s classification to trusted if the sample is known malicious, nor change a known trusted sample to malicious. If you think a sample is misclassified, please use the report analysis button.
- Currently, it is not possible to index libraries.
How to privately index a file?
To privately index genes, click the 'Private index' button located under the 'Actions' section in the top right corner of the page or the genetic summary tab, as shown in the image below:
Handling Gene Conflict
When Intezer Analyze encounters a code ‘gene’ conflict between its classification and yours, it does the following:
Intezer Analyze Classification | The Client Classification | The Result
--- | --- | ---
Malicious | Malicious | Malicious (both Intezer’s and your families)
Malicious | Trusted | Common
Trusted | Trusted | Trusted (both Intezer’s and your families)
Trusted | Malicious | Common
Neutral (Library, Installer, Packer, Interpreter) | Malicious | Neutral (Library, Installer, Packer, Interpreter)
Neutral (Library, Installer, Packer, Interpreter) | Trusted | Neutral (Library, Installer, Packer, Interpreter)
Malicious Library | Malicious | Malicious Library
Malicious Library | Trusted | Malicious Library
Unique | Malicious | Malicious
Unique | Trusted | Trusted
For example, if Intezer recognized a certain gene as ‘Malicious,’ and the client marked this file as ‘Trusted,’ the classification will be ‘Common’.
Gene Conflict Examples
1. Indexing an unknown sample as ‘Trusted’
When a sample contains both unique and common library genes:
The user indexed the sample with a ‘Trusted’ verdict, belonging to a legitimate “Windows” application. The ‘Library’ genes remain classified as Library, whereas the ‘Unknown’ genes become ‘Trusted’:
Intezer Analyze Classification | User Classification | Result
--- | --- | ---
Neutral (Library, Installer, Packer, Interpreter) | Trusted | Neutral - Library
Unique | Trusted | Trusted
2. Indexing an unknown sample as ‘Malicious’
This time the client indexed the same sample with a ‘Malicious’ verdict, belonging to the ‘Turla’ family.
The ‘Library’ genes remain as Library, whereas the ‘Unknown’ genes become ‘Malicious’:
Intezer Analyze Classification | User Classification | Result
--- | --- | ---
Neutral (Library, Installer, Packer, Interpreter) | Malicious | Malicious Library
Unique | Malicious | Malicious
3. Indexing malware that is already classified as a different family
Take as an example a sample that contains some genes recognized by Intezer as ‘Turla’ and some recognized as Malicious Library.
In this case, the user can mark this sample’s genes as another malware family, typically for a specific campaign or threat actor.
The user indexed the file with the “Turla v2” malware family. As the table shows, the Malicious genes receive both Intezer’s and the user’s indexing, and the Malicious Library genes remain as Malicious Library:
Intezer Analyze Classification | User Classification | Result
--- | --- | ---
Malicious | Malicious | Malicious (both Intezer’s and the user’s family classifications)
Malicious Library | Malicious | Malicious Library
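The following is an added illustration of the gene conflict table above and of examples 1 and 3, written as a small Python model; it is not Intezer's code, and the `Gene`, `resolve_gene` and `index_sample` names are assumptions. It follows the main conflict table, which lists Neutral + Malicious as Neutral (example 2 on this page shows Malicious Library for that pairing instead), and it enforces the note that a known malicious sample cannot be re-indexed as trusted or vice versa.

```python
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Illustrative model of Intezer Analyze's gene conflict table (not Intezer's code).
NEUTRAL = "Neutral"  # Library, Installer, Packer, Interpreter

# (Intezer classification, client verdict) -> resulting gene classification
CONFLICT_TABLE = {
    ("Malicious", "Malicious"): "Malicious",
    ("Malicious", "Trusted"): "Common",
    ("Trusted", "Trusted"): "Trusted",
    ("Trusted", "Malicious"): "Common",
    (NEUTRAL, "Malicious"): NEUTRAL,
    (NEUTRAL, "Trusted"): NEUTRAL,
    ("Malicious Library", "Malicious"): "Malicious Library",
    ("Malicious Library", "Trusted"): "Malicious Library",
    ("Unique", "Malicious"): "Malicious",
    ("Unique", "Trusted"): "Trusted",
}


@dataclass(frozen=True)
class Gene:  # assumed shape: Intezer's classification and family for one gene
    classification: str
    family: Optional[str] = None


def resolve_gene(gene: Gene, verdict: str, family: str) -> Tuple[str, FrozenSet[str]]:
    """Resolve one gene; when the verdicts agree, both families are kept."""
    result = CONFLICT_TABLE[(gene.classification, verdict)]
    families = set()
    if result in ("Malicious", "Trusted"):
        families.add(family)
        if gene.family:
            families.add(gene.family)
    return result, frozenset(families)


def index_sample(genes: List[Gene], current_verdict: str, verdict: str,
                 family: str) -> List[Tuple[str, FrozenSet[str]]]:
    """Apply a private index to every gene; refuse the forbidden verdict flip."""
    if verdict not in ("Malicious", "Trusted"):
        raise ValueError("a private index verdict is Malicious or Trusted")
    if {current_verdict, verdict} == {"Malicious", "Trusted"}:
        raise ValueError(f"cannot re-index a known {current_verdict} sample as {verdict}")
    return [resolve_gene(g, verdict, family) for g in genes]


def summarize(results: List[Tuple[str, FrozenSet[str]]]) -> dict:
    """Count resulting gene classes, e.g. {'Neutral': 1, 'Trusted': 1} for example 1."""
    return dict(Counter(result for result, _ in results))
```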
Revert to Original
This removes the information you added and returns the file to the original verdict based on Intezer’s genetic code analysis and reference to the code database.