Automatic file format detection and detonation

Kaspersky Research Sandbox can automatically detect the format of a file (sample) uploaded for analysis.

Pre- and post-processing may take up to 45 minutes. Maximum processing time (including an object execution time for up to 30 minutes) is 1 hour 15 minutes. This amount of time does not include the time that a task may wait in the queue.

To correctly process a sample of a supported format, you do not need to explicitly specify the file extension as the special parameter that overrides the name and extension of the sample upon detonation. Also, the sample may not have the correct extension. These file types include the formats listed at in the Automatically detected file types section.

For custom images, you can define your own file association list.

But the correct detection of the file format does not ensure that the file is always processed in the optimal way in Sandbox, because the environment might not have the software for correct processing of all the detected formats.

For example, the flac (uncompressed audio) format is detected, but there is no player to open it in the execution environment. Or detection of the iso (disk image) format is supported, but the software that automatically runs a specific file on this disk image is not installed.

Such formats are presented below.

If a Windows execution environment is installed and properly configured, Kaspersky Research Sandbox automatically detects the following file formats:

• Binary executable files and libraries: exe, dll, sys, cpl, scr, and others.
• Microsoft Office documents: rtf, doc, docx, eml, dotm, xls, xlsx, xltm, ppt, pptm, one, and other extensions opened by the standard Microsoft Office package.
• Supported OS extensions: hta, chm, lnk, and others.
• Flash animation: swf.
• Java classes: jre.
• PDF documents.
• Installation files: exe, msi.

For Linux execution environment, Kaspersky Research Sandbox detects the following file formats:

• Binary executable files: elf.

For Android execution environment, Kaspersky Research Sandbox detects the following file formats:

• Installation files: apk.
• Executable files: dex.

File formats that require an explicit extension

Some file formats cannot be reliably determined automatically.

For example, they include scripts in certain languages, since they are just plain text (bat, ps1, cmd, and others).

If the file format is reliably known, it is recommended to specify it when sending the object for analysis in the Change file name and extension to field for all file types that are not listed in the table above. In this case, Kaspersky Research Sandbox will use the type whose extension you specified when creating an execution task.

In addition to specifying the extension for the uploaded file (shell, pl, py), the presence of a shebang inside the file is important for the objects of these formats.

Perl shebang example: #!/usr/bin/perl Python shebang example: #!/usr/bin/python

Scripts uploaded to the Linux-based environment must have the UNIX line feed variant: LF (ASCII 0x0A). For scripts with the Windows version of a line feed (CR+LF), it is recommended to first convert it to the UNIX version.

Archive processing

Kaspersky Research Sandbox supports unpacking and detonation of the following archive formats: zip, rar, 7z, gz, arj, tar, ace, lzh, alz, bz2, cab, fxc, hki, lha, pea, xz, z, and others.

If an archive contains only one file, this archive is automatically unpacked, and the unpacked file is sent for detonation.

If you do not explicitly specify the password when creating a task, Kaspersky Research Sandbox uses the default passwords when unpacking encrypted archives.

If the archive contains more than one file, it is possible to perform a dynamic analysis using VNC mode. If the VNC access option was not selected when creating a task, only static analysis is performed. Its results are described in the Static analysis section.

Page top