Malicious Code Analysis Platform (MCAP) FAQ
Do I have to be an MS-ISAC member to get an MCAP account?
Yes, MCAP is currently available only to those organizations with a Multi-State Information Sharing and Analysis Center® (MS-ISAC®) membership.
Can you please provide me with some general information about MCAP?
MCAP is a simple tool that gives our partners an easy-to-use front-end portal for uploading suspicious files to the Cisco Secure Malware Analytics sandbox, a pool of advanced virtual machines on which we run malware in conjunction with a set of data collection tools. After Secure Malware Analytics completes its analysis of a file, MCAP provides a thorough, easy-to-read report detailing indicators and actions observed during execution.
How do I register for or purchase an MCAP account?
Please fill out our form. A CIS Sales representative will contact you with next steps.
What happened to my previous MCAP account and historical data?
As part of the transition to the new MCAP platform, all legacy accounts and historical submission data were securely terminated and removed. This ensures a clean, secure start for all MS-ISAC members using the updated system.
All organizations will need to create new MCAP accounts and begin fresh with new submissions when the platform launches.
How do I add users to my MCAP account?
Simply email [email protected] listing the individual's first and last name, email address, and organization. CIS Central Support will add users to your account as soon as possible.
My organization is not classified as a U.S. State, Local, Tribal, or Territorial (SLTT) government entity. Is there any way I can still register for an MCAP account?
Thank you for your interest in MCAP. Currently, MCAP is available only to U.S. SLTT government organizations that qualify for MS-ISAC membership.
What is MCAP's behavioral indicators section?
MCAP's behavioral indicators section looks at artifacts observed during execution and reports back general actions the sample attempted to take along with indicators of malicious activity. For example, if a piece of malware attempts to hide from debuggers, MCAP will generate a notification indicating as much in its behavioral indicators section.
What is MCAP's technical indicators section?
MCAP's technical indicators section documents every observed system change or action and presents it to the end user.
What do the severity and confidence ratings mean?
Cisco's Secure Malware Analytics uses severity and confidence ratings to determine a “Threat Score,” which helps illustrate how malicious a file, email, link, or artifact is. In the case of MCAP's behavioral indicators section, severity refers to how malicious the indicator is, "100" being definitely malicious and "0" being something that is not leveraged by malicious actors, while the confidence rating then refers to how reliable the assessment is.
What if I don't understand the report? Is there someone who can assist me?
Yes. The MS-ISAC Cyber Incident Response Team (CIRT) can provide assistance in two ways:
- Interpreting the reporting data provided by MCAP
- Conducting manual malware analysis in cases where further analysis is needed to understand the behavior of a submission and its impact
Is CIRT malware analysis support included with my MCAP subscription?
Yes. Five hours of CIRT malware analyst support is included in an initial subscription. You can purchase additional support hours by emailing [email protected].
What are the file types I can submit to MCAP?
You can submit URLs along with executables, DLLs, and documents. We currently support the following file types:
- PE32 files (complete forensics done)
- Executables (EXE, BAT, ISO, MSI, PS1)
- Libraries (DLL)
- Java Archives (JAR) (limited static forensics)
- Portable Document Format (PDF) (limited static forensics)
- Office Documents (RTF, DOC(X), XLS(X), PPT(X)) (limited static forensics)
- XML
- Microsoft Compiled HTML Help (CHM)
- JavaScript files (JS, JSE)
- Windows shortcut files (LNK)
- Flash files (SWF)
- Email messages (EML, MSG)
- Cabinet archives (CAB)
- SYLK Files (SLK)
- Visual Basic files (VBS, VBE)
- Windows script files (WSF)
- Archives (7Z, BZ2, GZ, TAR, XZ, ZIP) as a container (no nesting of archives, no password or ‘infected’)
- Quarantine (VBN, SEP)
- URLs (currently as an internet shortcut file)
All other file types will be rejected by the malware sandbox. Additionally, MCAP comes with some limitations on the types of files you can submit:
- Filenames cannot be more than 200 Unicode characters in length.
- Files may not be smaller than 1 kilobyte (KB) in size or larger than 20 megabytes (MB) in size.
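The accepted types and limits above can be checked before a file is uploaded, so that a rejection by the sandbox is caught locally. The script below is an added example, not MCAP's own code; it assumes submissions are plain files on disk, that internet shortcuts carry a `.url` extension, and inspects only ZIP and TAR containers for the archive rules (7Z and bare compressed streams are left for a manual check).

```python
import os
import tarfile
import zipfile

# Extensions taken from the FAQ's list; ".url" for internet shortcuts is an assumption.
ACCEPTED = {"exe", "bat", "iso", "msi", "ps1", "dll", "jar", "pdf", "rtf", "doc", "docx",
            "xls", "xlsx", "ppt", "pptx", "xml", "chm", "js", "jse", "lnk", "swf", "eml",
            "msg", "cab", "slk", "vbs", "vbe", "wsf", "7z", "bz2", "gz", "tar", "xz",
            "zip", "vbn", "sep", "url"}
ARCHIVES = {"7z", "bz2", "gz", "tar", "xz", "zip"}   # accepted only as containers
MAX_NAME_CHARS = 200            # Unicode characters
MIN_BYTES = 1024                # 1 KB
MAX_BYTES = 20 * 1024 * 1024    # 20 MB

def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _archive_problems(path: str) -> list:
    """Apply the two archive rules: no nested archives, no password protection."""
    problems = []
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:            # general-purpose bit 0 = encrypted entry
                    problems.append(f"password-protected entry: {info.filename}")
                if _ext(info.filename) in ARCHIVES:
                    problems.append(f"nested archive: {info.filename}")
    elif tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for member in tf.getmembers():
                if _ext(member.name) in ARCHIVES:
                    problems.append(f"nested archive: {member.name}")
    # 7Z and bare BZ2/GZ/XZ streams are not inspected here; review those by hand.
    return problems

def check_submission(path: str) -> list:
    """Return the reasons MCAP would reject the file; an empty list means it passes."""
    name = os.path.basename(path)
    ext = _ext(name)
    problems = []
    if len(name) > MAX_NAME_CHARS:
        problems.append(f"filename longer than {MAX_NAME_CHARS} characters")
    if ext not in ACCEPTED:
        problems.append(f"unsupported file type: .{ext or '(none)'}")
    size = os.path.getsize(path)
    if not MIN_BYTES <= size <= MAX_BYTES:
        problems.append(f"size {size} bytes is outside the 1 KB to 20 MB window")
    if ext in ARCHIVES:
        problems.extend(_archive_problems(path))
    return problems
```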
Do I maintain ownership of my data? Can I delete my data?
Yes and yes. You maintain ownership of your data and can delete it within MCAP at any time. One item to note, however: in accordance with our terms and conditions, data from MCAP is anonymized and utilized by the Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team to identify trends and update threat intelligence platforms used to provide MS-ISAC membership with actionable intelligence for community defense.
My state/territory has purchased a "whole of state" MS-ISAC membership. How do I access MCAP? Is it an additional add-on that my organization pays for, or is there a mechanism for receiving MCAP access through the "whole-of-state" membership model?
MCAP is a per-organization add-on purchase (like CIS Managed Detection and Response™ (CIS MDR™)) and is not sold at the state or territory level. Please fill out our form, and a CIS Sales representative will be in touch with the next steps.
If my organization pays for an MCAP account, is that considered one account to be used by the entire organization or is it broken up into individual licenses per user at an organization?
One MCAP account is provided per organization; MCAP is not broken up into individual user licenses.