MetaFlows Sandbox Statistics: Sandbox IDS Signatures (12/04/2020 12:48am to 12/11/2020 12:48am UTC)

These are the signatures triggered by the MetaFlows Cuckoo sandbox. The severity of each signature is derived from the class of malware it detected. The detection rate is the share of all sandbox hits reported in this period that triggered the signature.

The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see whether your sensors have detected them. The other columns should be self-explanatory. Hovering over a bubble, or over a set of overlapping bubbles, shows the raw data represented by the selected bubble(s). This selection is sticky, so you can go to the table and inspect the data or click on the links within the table. To see all rows in the table again, click outside any bubble.

(Figure: a diagram of MetaFlows' sandboxing pipeline)

MetaFlows' sensors monitor all notable files (.exe, .dll, .pdf, .zip, Microsoft Office formats, etc.) transmitted on your network. The digest of each file is passed to the MetaFlows Network Antivirus System, which consists of 55+ antivirus solutions. Every file that tests positive on 3 or more antivirus solutions generates a high priority report for your analysis. Content that is unknown to VirusTotal is executed in MetaFlows' sandbox, where a mix of proprietary and open source tools analyzes the behavior of the content as it is executed or opened to determine whether it is well-behaved. If the behavior is consistent with dangerous malware, the sandbox updates our database and issues a high priority alert with a detailed report explaining why the content is bad.
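The routing described above, as an added example that is not MetaFlows' code: a notable file is recognized by its leading bytes, hashed, looked up against a table of multi-engine verdicts, and then either reported (3 or more engines positive), sent to the sandbox (digest unknown), or, where the page says nothing, marked as below threshold. The magic-byte list, the use of SHA-256 as the digest, the engine names and the sample payloads are all assumptions constructed for the example; the real lookup is a network service, not a dictionary.

```python
import hashlib
from typing import Dict, Optional

# Added example, not MetaFlows' code. Models the routing the text describes:
# notable file -> digest -> multi-engine lookup -> report / sandbox.

# File types the page lists as notable, recognised by magic bytes rather than
# by extension (an attacker controls the extension; the leading bytes are what
# the file actually is). This short list is a simplification, not a full
# type-detection library.
MAGIC_TYPES = [
    (b"MZ", "pe"),                                  # .exe / .dll
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # .zip and OOXML (.docx/.xlsx/.pptx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt
]

REPORT_THRESHOLD = 3  # page: 3 or more positive engines -> high priority report


def notable_type(data: bytes) -> Optional[str]:
    """Return the notable file type for the payload, or None if it is not one."""
    for magic, kind in MAGIC_TYPES:
        if data.startswith(magic):
            return kind
    return None


def sha256_hex(data: bytes) -> str:
    """Digest handed to the multi-engine lookup (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, av_results: Dict[str, Dict[str, bool]]) -> str:
    """Route one observed file.

    av_results maps a SHA-256 hex digest to {engine_name: detected}. Absence of
    the digest means the content is unknown to the lookup service.
    """
    if notable_type(data) is None:
        return "ignored"
    verdicts = av_results.get(sha256_hex(data))
    if verdicts is None:
        return "sandbox"             # unknown content is executed in the sandbox
    positives = sum(1 for detected in verdicts.values() if detected)
    if positives >= REPORT_THRESHOLD:
        return "high_priority_report"
    return "below_threshold"         # assumption: the page does not specify this case


# Constructed sample payloads and a constructed stand-in for the verdict service.
SAMPLE_KNOWN_BAD = b"MZ\x90\x00constructed dropper"
SAMPLE_LOW_HIT = b"MZ\x90\x00constructed installer flagged by a single engine"
SAMPLE_UNKNOWN_PDF = b"%PDF-1.7 constructed never-seen document"
SAMPLE_PLAIN_TEXT = b"just a text file, not a notable type"

SAMPLE_AV_RESULTS: Dict[str, Dict[str, bool]] = {
    sha256_hex(SAMPLE_KNOWN_BAD): {"EngineA": True, "EngineB": True, "EngineC": True, "EngineD": False},
    sha256_hex(SAMPLE_LOW_HIT): {"EngineA": False, "EngineB": True, "EngineC": False, "EngineD": False},
}


if __name__ == "__main__":
    for name, payload in [("dropper", SAMPLE_KNOWN_BAD), ("installer", SAMPLE_LOW_HIT),
                          ("document", SAMPLE_UNKNOWN_PDF), ("notes", SAMPLE_PLAIN_TEXT)]:
        print(f"{name:10s} type={notable_type(payload)!s:5s} -> {triage(payload, SAMPLE_AV_RESULTS)}")
```

Deciding "notable" from content rather than from the file name is the check a practitioner would want here: a renamed `.exe` still starts with `MZ`, and an OOXML document is a ZIP container whatever its extension says.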

Below you will see the invariants detected by our sandbox and how good each invariant is at predicting malicious content. We use these statistics regularly to make sure our sandboxing system is performing as expected. You can use these invariants to check whether they are present on endpoints you suspect are infected. Any red bubble is a very good flag for dangerous malware.

Signature | Avg Priority (avgp) | Total Priority (totp) | Relative Detection Rate (tpr) | Severity (avgp * tpr) | Prevalence (totp * tpr)
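The columns above, computed from a constructed set of sandbox hits as an added example (not MetaFlows' code or data): for each signature, avgp is the mean priority of its hits, totp the sum of those priorities, tpr the signature's hits divided by all sandbox hits in the period (as the page defines the detection rate), and severity and prevalence are the two products the header gives. The signature names and the 1..3 priority value per hit are assumptions standing in for the class-of-malware-derived severity the page describes; the real event records carry more fields.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not MetaFlows' code. Rebuilds the statistics table from raw
# sandbox hits. Constructed sample: (signature, priority) per hit, where a
# priority of 1..3 per hit is an assumption standing in for the severity that
# MetaFlows derives from the detected malware class.
SAMPLE_HITS: List[Tuple[str, int]] = [
    ("Sandbox: Ransomware behavior", 3),
    ("Sandbox: Ransomware behavior", 3),
    ("Sandbox: Ransomware behavior", 3),
    ("Sandbox: Suspicious DNS query", 1),
    ("Sandbox: Suspicious DNS query", 2),
    ("Sandbox: Packed executable", 2),
    ("Sandbox: Packed executable", 2),
    ("Sandbox: Packed executable", 1),
    ("Sandbox: Packed executable", 1),
    ("Sandbox: Packed executable", 2),
]

COLUMNS = ("signature", "avgp", "totp", "tpr", "severity", "prevalence")


def signature_stats(hits: List[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Compute one table row per signature, sorted by severity, highest first.

    avgp       = mean priority of the signature's hits
    totp       = sum of priorities of the signature's hits
    tpr        = hits for this signature / all sandbox hits in the period
    severity   = avgp * tpr
    prevalence = totp * tpr
    Values are rounded to 4 places for display; totp stays an integer.
    """
    total_hits = len(hits)
    if total_hits == 0:
        return []                       # empty period: nothing to rank
    by_signature: Dict[str, List[int]] = defaultdict(list)
    for signature, priority in hits:
        by_signature[signature].append(priority)

    rows: List[Dict[str, object]] = []
    for signature, priorities in by_signature.items():
        count = len(priorities)
        totp = sum(priorities)
        avgp = totp / count
        tpr = count / total_hits
        rows.append({
            "signature": signature,
            "avgp": round(avgp, 4),
            "totp": totp,
            "tpr": round(tpr, 4),
            "severity": round(avgp * tpr, 4),
            "prevalence": round(totp * tpr, 4),
        })
    rows.sort(key=lambda row: row["severity"], reverse=True)
    return rows


def rows_by_signature(rows: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Index the table by signature name for lookup."""
    return {str(row["signature"]): row for row in rows}


def format_table(rows: List[Dict[str, object]]) -> str:
    """Render the rows with the same column order as the dashboard header."""
    lines = [" | ".join(COLUMNS)]
    for row in rows:
        lines.append(" | ".join(str(row[col]) for col in COLUMNS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(signature_stats(SAMPLE_HITS)))
```

Note what the two products separate: a signature seen on a large share of hits with a low priority per hit rises in prevalence but not in severity, while a high-priority signature that fires rarely keeps a high avgp but a small tpr, which is why severity weights the average by how often the signature actually triggered.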