Viewing Behavior Reports

After the analysis portion of the task list has been completed, you may now view the associated report on the CSA MC. The report is available by choosing Analysis > Application Behavior Reports > Windows Behavior Reports. The information listed next to the report name is the description of the analysis that was entered during configuration, the name of the host that was analyzed, and the operating system of the host. Figure 11-9 shows a sample report list.

Figure 11-9. Sample Behavior Analysis Report List

To view the report, click the name of the report. Doing so opens the report in the main browser window. The report has five sections:

• File Events

• Registry Events

• COM Events

• Network Events

• Summary Events

To view the various sections of the report, click the title of the section in the left navigation pane.

File Events

The File Events section is divided into three sections:

• Directory Summary

• Individual File Summary

• All Events

To open the corresponding section and view detailed information, click that link in the navigation pane. You might notice that the number of directories accessed by the application is far higher than you expected. Much of this is related to the file-saving process in Microsoft Word, which uses file browsing to locate the appropriate folder.

Directory Summary

The Directory Summary portion of the File Events section provides the following information, as shown in Figure 11-10:

• Directory name

• Number of files in the directory

• The file extension of the file accessed in the directory

• The operation performed (read or write)

Figure 11-10. Directory Summary Section

NOTE

If network file shares were used by the application during the analysis, they will be at the top of the directory listing because they begin with the backward slash special characters (\\), as in \\fileserver\share\directory\filename.txt.

Individual File Summary

The Individual File Summary portion of the File Events section provides the following information, as shown in Figure 11-11:

• Directory name

• Number of events related to this specific action

• The filename that was accessed

• The operation performed (read or write)

Figure 11-11. Individual File Summary Section

This view is limited to 100 entries per page with the option to view the next or a specific page of data.

NOTE

The filenames listed in this report also list directories, which display in all capital letters to show what READ and WRITE operations occurred to those directories.

All Events

The All Events portion of the File Events section provides the following information, as shown in Figure 11-12:

• Time at which the action took place

• Directory of the affected file

• Filename

• File extension

• The operation performed (read or write)

• Process ID (PID, the process that performed the action on the file)

• Process name

Figure 11-12. All Events File Section

This view is limited to 100 entries per page with the option to view the next or a specific page of data.

You can also filter this data by a text string within the Directory, File Name, or Process Name fields. In addition, you can sort the presented data by time, operation, file extension, or directory. The various sort and filter methods provide you with a simple and intuitive way to get to the specific data you need to view quickly and easily. Figure 11-13 shows a sample filtered view of the data collected.

Figure 11-13. Filtered All Events View

Registry Events

The Registry Events section is divided into two sections:

• Key Summary

• All Events

To open the corresponding section and view detailed information, click that link in the navigation pane.

Key Summary

The information provided by the Key Summary portion of the Registry Events section includes the number of events affecting the registry key and the key name that was affected, as shown in Figure 11-14. Editing the Windows registry can seriously impact the usability of a system, so closely monitor this information.

Figure 11-14. Key Summary Section

All Events

The All Events portion of the Registry Events section provides the following information:

• Time of the access

• Key name impacted

• Value of the accessed key

• PID (ID of the process that accessed the registry key)

• Process name

You can filter this data by a text value in the Key Name, Value Name, or Process Name fields, as shown in Figure 11-15. You also can sort by process, key name, or time to easily view the necessary registry access without the need for an exhaustive search.

Figure 11-15. All Events Registry Section

COM Events

The COM Events section is divided into two sections:

• Object Summary

• All Events

To open the corresponding section and view detailed information, click that link in the navigation pane.

Object Summary

The Object Summary portion of the COM Events section provides information about the number of events affecting the COM object and the object name that was affected. Figure 11-16 shows a sample view of the Object Summary section.

Figure 11-16. Object Summary Section

All Events

The All Events portion of the COM Events section provides the following information:

• Time of the access

• COM object name impacted

• PID (process ID)

• Process name

You can filter this data by a text value in the Object Name or Process Name fields, as shown in Figure 11-17. You can sort also by process, object name, or time.

Figure 11-17. All Events COM Object Section

Network Events

The Network Events section is divided into two sections:

• Destination Port Summary

• All Events

To open the corresponding section and view detailed information, click that link in the navigation pane.

Destination Port Summary

The Destination Port Summary portion of the Network Events section provides the following information:

• Number of events related to this type of network access

• Role (A client connection displays as CONNECT, whereas a server connection or termination of a connection displays as ACCEPT.)

• Protocol (TCP or UDP)

• Destination port used

Figure 11-18 shows a sample view of the Destination Port Summary section.

Figure 11-18. Destination Port Summary Section

All Events

The All Events portion of the Network Events section provides the following information:

• Time of the access

• Role (CLIENT=CONNECT/SERVER=ACCEPT)

• Protocol (TCP or UDP)

• Source address

• Source port

• Destination address

• Destination port

• PID (process ID)

• Process name

You can filter this data by a text value in the Source Address, Destination Address, or Process Name fields. You also can sort by process, protocol, role, destination port, or time. In Figure 11-19, you can see that as part of the test of the Microsoft Word application, the transmitted file to and from a network file share uses the common Windows ports of UDP/137-138.

Figure 11-19. All Events Network Section

Summary Reports

The Summary Reports section is divided into two sections:

• Behavior Summary

• Behavior Summary by Process

To open the corresponding section and view detailed information, click that link in the navigation pane.

Behavior Summary

The information provided by the Behavior Summary portion of the Summary Reports section is an overall summarized view of the various events logged during the investigation and the corresponding number of events associated. As shown in Figure 11-20, the sections summarized are as follows:

• COM (All Events)

• File (All Events)

• File (Read Operations)

• File (Write Operations)

• File (Writes of Executables)

• Network (All Events)

• Network (Acting as Client)

• Network (Acting as Server)

• Registry (All Events)

Figure 11-20. Behavior Summary Section

Behavior Summary by Process

The Behavior Summary by Process portion of the Summary Reports section provides the following information:

• PID (process ID)

• Process name

• Event type

• Associated number of events

Figure 11-21 shows a sample view of the Behavior Summary by Process section.

Figure 11-21. Behavior Summary by Process Section