Skip to main content
All CollectionsUser Guides
UpScan User Guide
UpScan User Guide

Submit files to UpScan and understand the results.

Makenzie Schwartz avatar
Written by Makenzie Schwartz
Updated over 5 months ago

When to Submit a File

UpScan is an effective tool for monitoring the behavior of executables when they are launched and run on a system. It leverages the same AI model that protects your client to evaluate the actions taken by a sample and determine if there is malicious activity. This tool is particularly useful when encountering an unfamiliar binary, such as one flagged as suspicious by your antivirus software.

Important Note:

If UpScan does not detect malicious behavior, do not assume the sample is safe. Malware is often designed to evade detection or remain dormant in different environments.

How to Submit a File for Observation

Submitting a Standalone Executable

This is the simplest method to submit a file for observation. To do this:

  1. Upload the Executable:

    • Upload a Windows executable file.

    • The file will be directly run on the UpScan lab machine.

  2. Ensure the File Can Run Independently:

    • The executable must be able to run without any companion files.

    • If you have a malicious executable (evil.exe) that requires a command line option of --password, you can specify the command line as .\evil.exe --password mypassword.

      • UpScan utilizes the PowerShell command Invoke-Expression, which automatically identifies the appropriate application to run the file based on its extension.

      • PowerShell requires the .\ notation to search the current working directory for a file.

Submitting a DLL

For UpScan to execute the code contained in a DLL, you need to specify a command line that can run an exported API found in the DLL.

  1. Using rundll32.exe:

    • The Windows tool rundll32.exe can be used to run an exported API.

    • For example, if a malicious DLL (evil.dll) contains a function EncryptFiles, a command line like rundll32.exe evil.dll, EncryptFiles should be supplied when creating an UpScan submission.

  2. No Command Line Provided:

    • If no command line is specified, UpScan will attempt to identify an exported function in the DLL to run the malicious code.

    • UpScan is capable of identifying exported functions in the DLL and will execute one or more of these functions. This method is less precise but can be useful if the exports are unknown.

Submitting a Script File

To run a script, such as a PowerShell script, you must provide the command line that will be used to execute the script.

  • For example, a PowerShell file can be run using the command line: powershell -File evil.ps1.

Submitting a Zip File

If multiple files are needed to execute malicious code, they can be submitted as part of a zip file.

  1. Zip File Extraction:

    • UpScan uses 7-Zip to extract the files.

    • 7-Zip supports various formats, including 7z, XZ, BZIP2, GZIP, TAR, ZIP, and more.

  2. Password Protection:

    • The zip file must be password-protected with the password infected.

    • UpScan assumes that any zip file it receives will use this password and will be unable to extract files if the zip is not password-protected.

  3. Command Line Requirement:

    • You must provide a command line to run the sample.

    • Refer to the previous sections for running an executable, DLL, or script to form the command line.

What Does UpScan Do During the Sample Evaluation?

During the sample evaluation, UpScan performs several tasks:

  1. Virtual Machine Setup:

    • A Windows 11 VM is created for use during the sample evaluation.

  2. Client Installation:

    • The UpSight client is installed on the VM.

  3. Sample Preparation:

    • The sample file is prepared for the analysis run.

  4. Sample Execution:

    • The sample file is executed.

  5. Observation Period:

    • The Windows 11 VM then monitors the actions taken by the sample for five minutes.

  6. Result Generation:

    • At the end of this period, the resulting events generated by the UpSight client are examined, and the run's results are generated.

  7. Error Handling:

    • If an error occurs during the analysis, more details can be viewed in the status message in the console. This is the first place to check for any errors running the sample.

The total run time for an UpScan sample will be 10 to 15 minutes.

How to Evaluate the Results

At the end of UpScan, the sample will be classified as either Undetected or Malicious.

Undetected

  • Meaning:

    • Indicates that UpScan observed no behavior indicative of malicious intent.

    • It could also mean that the sample did not run correctly or did nothing when executed.

  • Common Issues:

    • Sample requires an elevated command prompt.

    • Sample is missing a required binary (e.g., due to a debug build or a missing runtime library not supported by the test VM).

    • Sample is incompatible with Windows 11.

Malicious

  • Meaning:

    • Indicates that UpScan observed behavior it deemed malicious and took action to prevent it (either by blocking an action or terminating an application).

  • Viewing Results:

    • You can further review the UpScan evaluation results by viewing the attack graph.

    • If malicious behavior was detected, the attack graph will show the actions taken and how UpSight responded.

UpScan Error

  • Meaning:

    • If an error occurred during the observation run, the status of the run will be “UpScan Error.”

    • Refer to status messages for more information.

Did this answer your question?