Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 1 of 19

EXHIBIT 8

UNREDACTED VERSION OF
DOCUMENT SOUGHT TO BE
SEALED

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 2 of 19

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO DIVISION

___________________________________
                                   )
FINJAN, INC., a Delaware           )
Corporation,                       )
                                   )
               Plaintiff,          )
                                   )
vs.                                )  No. 3:17-CV-05659
                                   )      WHA
                                   )
JUNIPER NETWORKS, INC., a          )
Delaware Corporation,              )
                                   )
               Defendant.          )
___________________________________)

HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY

VIDEOTAPED DEPOSITION OF YULY TENORIO

VOLUME I

May 9, 2018

9:04 a.m.

1133 Innovation Way, Building A

Sunnyvale, California

REPORTED BY:

LANA L. LOPER,

RMR, CRR, CCP, CME, CLR, CSR No. 9667

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 3 of 19

 1   groups.
 2           For example, there's this networking category
 3   or signature that a lot of these individual events would
 4   fall into.  So the behaviors would be those individual
 5   events.  And the category, the signature category, I
 6   believe, would be network, if -- which would comprise or
 7   you can contact external server, or it tried to download
 8   this and examples like that.
 9   BY MR. LEE:
10       Q   So contacting an external server or trying to
11   download a file would be an example of what is listed in
12   the signatures trigger?
13           MS. CARSON:  Objection.  Form.
14           THE WITNESS:  I haven't worked on this adapter
15   myself and looked at many reports from Joe Sandbox.
16           But it is my recollection that the individual
17   events were, or indicators, which are not necessarily
18   events, would be considered behaviors, the individual
19   ones.  But the signature would be the group of them, in
20   this case, networking, if I'm not wrong, uh-huh.
21           MS. CARSON:  Would now be a good time for a
22   break.
23           MR. LEE:  Let me just follow up -- finish this
24   line of questioning.  Is that okay?
25           MS. CARSON:  Okay.

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 4 of 19

 1   really depends on a variety of factors, what we get on
 2   the report.
 3           We -- yeah, it really depends on the file.
 4   BY MR. LEE:
 5       Q   Does the report -- strike that.
 6           Does a typical report generated by Joe Sandbox
 7   include the MD5 of the file, the SHA-1 of the file, the
 8   list of signatures triggered, and the network activity
 9   as well?
10           MS. CARSON:  Objection.  Form.
11           THE WITNESS:  No, I would not say that's a
12   typical report.
13           Most of the files don't have network activity,
14   for example.  They don't have something that they --
15   some network activity.  So it -- that is an example of
16   something atypical, so I would not say that most of the
17   reports look the same.  And --
18   BY MR. LEE:
19       Q   Does it -- just one more.
20           Does a typical report generated by Joe Sandbox
21   typically include at least the MD5, the SHA-1, and the
22   list of signatures trigger?
23           MS. CARSON:  Objection.  Form.
24           THE WITNESS:  I have not worked on the
25   deception adapter myself and have not looked at many

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 5 of 19

 1   reports, so I cannot say for certainty if that's typical
 2   or not.
 3           I know that those are some of the things that
 4   may be included, but I can't say with certainty if it's
 5   typical.
 6           MR. LEE:  Okay.  Sorry about that.
 7           THE WITNESS:  Thank you.  No problem.
 8           THE VIDEOGRAPHER:  We're going off the record.
 9   The time is 10:58 a.m.
10           (Discussion off the record.)
11           THE VIDEOGRAPHER:  We are back on the record.
12   The time is 11:10 a.m.  This is the beginning of media
13   No. 2, in the deposition of Yuly Tenorio, on May 9,
14   2018.
15           Please proceed.
16   BY MR. LEE:
17       Q   Previously, we were talking about the report
18   generated by Joe Sandbox.
19           Do you recall that?
20       A   Yes.
21       Q   What does the adapter do with the report
22   generated by Joe Sandbox?
23           MS. CARSON:  Objection.  Form.
24           THE WITNESS:  As I stated earlier, the
25   deception adapter gets the report generated by Joe

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 6 of 19

 1   BY MR. LEE:
 2       Q   Are there any other primary functionalities of
 3   SkyATP?
 4           MS. CARSON:  Objection.  Form.
 5           THE WITNESS:  Do you mean, broadly, what
 6   features SkyATP has?
 7   BY MR. LEE:
 8       Q   Sure.
 9       A   Well, SkyATP has a lot of features.
10           I certainly cannot list them all.  I can give
11   some examples.
12       Q   Can you provide the primary features of SkyATP?
13           MS. CARSON:  Objection.  Form.
14           THE WITNESS:  Some of the main features would
15   be to -- to analyze a sample in various different ways,
16   using dynamic -- dynamic analysis through Joe Sandbox,
17   for example; using nondynamic, using greyduckling,
18   for example; using other Reputation lookups based on any
19   traffic or where the file is coming from, based on
20   any -- any hash lookups that we can perform against the
21   sample ID or the SHA-256.
22           We also -- we also support the ability for
23   SkyATP customer to view some of the overall data that we
24   have for the files that have been seen through SkyATP
25   for that customer.

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 7 of 19

 1   I know that it does do that process call.
 2           Other than that, for that, I would check the
 3   code.  I don't know what else it does.
 4       Q   So you can't elaborate beyond that, without
 5   looking at the code, right?
 6       A   Yes, I couldn't elaborate more on that, uh-huh.
 7       Q   Can you look at the code right now to determine
 8   how Joe Static operates?
 9       A   All I could look up is how the adapter
10   interacts with the binary from Joe Sandbox.
11           That would not give you much, because the --
12   the meat of what the adapter would respond with would be
13   what's the output from what the Joe binary returned.  So
14   probably, without looking at the code -- even with
15   looking at the code, I couldn't say exactly what it
16   does, because the meat of it is in this binary from Joe
17   Sandbox, which is a black box to us.  We don't really
18   look at it.
19       Q   So there's no way for you to determine --
20   there's no way for you to describe how Joe Static
21   operates?
22           MS. CARSON:  Objection.  Form.
23           THE WITNESS:  Not beyond what I just said,
24   which is Joe Static, the adapter that we wrote, it calls
25   this binary that we treat as a black box basically

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 8 of 19

 1   because we don't know exactly what it does.  We just get
 2   an output, giving this path to the file.
 3   BY MR. LEE:
 4       Q   If you had the source code, would you be able
 5   to describe the output of Joe Static?
 6           MS. CARSON:  Objection.  Form.
 7           THE WITNESS:  I don't know.  It depends on the
 8   source code.
 9           I haven't -- I don't remember seeing it, so I
10   don't know exactly what it does with the output.  I
11   don't know if, for example, it just gets it and called
12   over to the API to submit the result or if it does
13   something else.  I don't recall.
14   BY MR. LEE:
15       Q   Can you look at the source code during a break
16   and describe what kind of results are outputted from Joe
17   Static?
18           MS. CARSON:  Objection.  Form.
19           And we don't have the source code here, so...
20           THE WITNESS:  I -- no.
21   BY MR. LEE:
22       Q   If you did have the source code here, would you
23   be able to describe what results that Joe Static
24   outputted?
25           MS. CARSON:  Objection.  Form.

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 9 of 19

 1           THE WITNESS:  As you answered this -- asked
 2   this already, and I answered, I don't know what the
 3   source code -- the source code says.
 4           All I know is that it calls the binary from Joe
 5   Sandbox, which is a black box.  I don't know if it does
 6   anything with the output of this analysis or does it
 7   actually try to get things.  I don't know.
 8           So I don't know how much I would be able to get
 9   from looking at the source code.
10   BY MR. LEE:
11       Q   Are you aware of which features does --
12           THE REPORTER:  I'm sorry, does?
13   BY MR. LEE:
14       Q   -- does greyduckling extract from PDF?
15           MS. CARSON:  Objection.  Form.
16           THE WITNESS:  You asked this earlier.
17           Do you want to refer to that answer?
18   BY MR. LEE:
19       Q   I don't remember you saying what features are
20   that are extracted by greyduckling in a PDF.
21       A   I answered this question already, and
22   specifically for the PDF stuff, which is, again, not
23   something I have worked on for greyduckling.
24           What I recall is that it can -- I believe some
25   of the features is maybe the header of the file, the

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 10 of 19

 1   just by looking at the content.
 2           It sounds more like something that could be
 3   only seen once you run it in a dynamic environment.
 4       Q   Are you aware of any features that deception
 5   looks at that correspond to high-level function for
 6   uploading a file to a remote server?
 7           MS. CARSON:  Objection.  Form.
 8           THE WITNESS:  So most of the files, I would
 9   say, do not upload stuff to a remote server.
10           If a malicious or a threatening file were to do
11   something like that, I guess Joe Sandbox would see that
12   traffic, making a post request with this payload as a
13   file or something.  That would be in the workings of Joe
14   Sandbox, which, to us, is kind of a black box.
15           We don't know exactly all of the features and
16   stuff that it can extract when a file is being executed.
17   BY MR. LEE:
18       Q   If you had the source code in front of you,
19   would you be able to describe all the different files
20   that greyduckling analyzes?
21           MS. CARSON:  Objection.  Form.
22           THE WITNESS:  The source code should contain
23   all of the different models that are supported in
24   greyduckling.
25           The final configuration for it in production

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 11 of 19

 1   these are the behaviors that were generated by Joe
 2   Sandbox, where the file was run in their environment.
 3   And this is just explain that information.
 4   BY MR. LEE:
 5       Q   To display those behaviors, the UI retrieved it
 6   using Results DB, right?
 7           MS. CARSON:  Objection.  Form.
 8           THE WITNESS:  The UI API asks the results of
 9   the component to say, hey, give me -- give me results
10   for the deception adapter -- for this deception adapter
11   and this sample ID gets the result, from that it gets
12   this information, which came from the schema-less
13   results table.
14   BY MR. LEE:
15       Q   When you say, schema-less results table, you
16   mean the results table stored in DynamoDB?
17       A   Correct.
18       Q   Can you go to the Bates ending in 955?
19       A   Yes.
20       Q   Do you see, under "Behavior Details" --
21       A   Uh-huh.
22       Q   -- there's a figure there?
23       A   I see that.
24       Q   Do you have any understanding of that figure?
25       A   It's mock of what -- what is hoped that could

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 12 of 19

 1   be included in this SkyATP UI.
 2           From what I recall, this was never done like
 3   this.  It was just a mock of what was the hope we could
 4   include in SkyATP UI.
 5           All this information would have come from the
 6   Joe Sandbox report.
 7       Q   When you say it's a mock, are you aware of any
 8   substantive differences between how the actual behavior
 9   details looks like on the SkyATP?
10       A   The representation on the UI changed a lot
11   based on the UI framework capabilities, so they were not
12   able to do this kind of tree thing.
13           Instead, in a different -- in a different
14   document that you provided earlier, we saw the same --
15   what looked like an actual screenshot from SkyATP UI, in
16   which you saw there was this file EXE that dropped this
17   TMP file, that is what was actually done on the SkyATP
18   UI, where this is just a mockup.
19       Q   Is it still -- strike that.
20           Do you see where it says, dropped evil.exe?
21       A   I see that.
22       Q   And that's from lockey.exe.  Is that right?
23           MS. CARSON:  Objection.  Form.
24           THE WITNESS:  That's what the mock is saying,
25   yes.

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 13 of 19

 1   BY MR. LEE:
 2       Q   So the actual UI can still capture the
 3   information but not in a tree format?
 4       A   SkyATP UI uses the results of the component to
 5   get the full Joe -- to get the results for the deception
 6   adapter for the sample which has the Joe Sandbox data
 7   that it generated.
 8           The Joe Sandbox report, if the -- if there was
 9   some information about files that could have been
10   dropped, or any servers that could be contacted, if
11   there's any of that information in the Joe report, it --
12   we would display it here by querying from schema-less
13   results table, finding it there, and then showing it
14   here, if it's available.
15       Q   Do you see, on the left-hand side, there's a
16   file that says sys. -- sorry, strike that -- a file that
17   says "sysDD6.tmp"?
18       A   I see that.
19       Q   Under that, there's a "MD5:" and a bunch of
20   numbers and letters.
21       A   I see that.
22       Q   Do you have any understanding of what that is?
23           MS. CARSON:  Objection.  Form.
24           THE WITNESS:  My opinion would be that this is
25   what Joe Sandbox computed about this command.exe file

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 14 of 19

 1   that was executed while lockey.exe was supposedly
 2   executed in the Sandbox.
 3           All of this information, to my knowledge, comes
 4   from the Joe Sandbox report, including this MD5 string.
 5   BY MR. LEE:
 6       Q   The MD5 string is MD5 of the sysDD6.tmp file.
 7   Is that correct?
 8           MS. CARSON:  Objection.  Form.
 9           THE WITNESS:  From what I can tell in this
10   screenshot or mock, yes, I would -- my opinion would be
11   that this MD5 is of this sysDD6.tmp file that Joe
12   Sandbox supposedly saw.
13           (Plaintiff's Exhibit 8 was marked for
14           identification.)
15   BY MR. LEE:
16       Q   You have been handed an exhibit marked as
17   Exhibit No. 8.
18           It's Bates labeled FINJAN-JN 046082.
19       A   Yes, I see that.
20       Q   Do you have any understanding of what Exhibit
21   No. 8 is?
22       A   It looks to be a screenshot of the SkyATP UI,
23   showing one of the tabs that we display for a certain
24   sample ID.
25       Q   Do you see there's a number of behaviors listed

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 15 of 19

 1   under "Behaviors Seen"?
 2       A   I see that.
 3       Q   Those are retrieved from DynamoDB using Results
 4   DB, right?
 5           MS. CARSON:  Objection.  Form.
 6           THE WITNESS:  These are -- this is -- my
 7   opinion is that these are the behaviors that it found in
 8   the Joe Sandbox results that are stored through the
 9   adapter, the second adapter, the way the VVI -- the
10   results of the component lastly on this schema-less
11   results table.
12           This is where this information would be kept.
13   BY MR. LEE:
14       Q   When you say, "this information," you mean the
15   behaviors listed under "Behaviors Seen" that is kept in
16   the results table in DynamoDB.  Is that correct?
17           MS. CARSON:  Objection.  Form.
18           THE WITNESS:  The results table contains the
19   results coming from all of the adapters, including the
20   deception adapter, which contains the information that
21   the Joe Sandbox report gave it.  These behaviors would
22   be listed in the Joe Sandbox report originally.
23   BY MR. LEE:
24       Q   Do you have -- strike that.
25           Do you see where it says, category,

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 16 of 19

 1   fine-grained behavior?
 2       A   Yes, I see that.
 3       Q   Do you have an understanding of what that
 4   means?
 5       A   (Speaking to self.)
 6           No, actually, I don't know what Joe Sandbox
 7   thought that means, no.
 8       Q   Do you see there's a number of categories
 9   listed there?
10       A   Yes.
11       Q   Evasion, fine-grained behavior, evasion,
12   obfuscation?
13       A   I see that.
14       Q   Do you have any understanding of what those
15   categories are?
16       A   My opinion, evasion means that the file, while
17   Joe Sandbox was executing it, tried to evade or not do
18   some things, because it was in a Sandbox environment.
19   That's what I understand by evasion, not doing stuff
20   because you're in a Sandbox environment.
21           Obfuscation is trying to -- what I think -- is
22   trying to hide some of the things it does.  That's what
23   I guess.
24       Q   Why does SkyATP try to find evasion?
25           MS. CARSON:  Objection.  Form.

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 17 of 19

 1           THE WITNESS:  SkyATP, in itself, doesn't find
 2   this stuff.  This is all coming from the Joe Sandbox
 3   report.
 4   BY MR. LEE:
 5       Q   Why does the Joe Sandbox report look at
 6   evasion?
 7           MS. CARSON:  Objection.  Form.
 8           THE WITNESS:  You would have to look at Joe
 9   Sandbox code to see why they think this is important.
10           In my opinion, it is because a benign file is
11   not going to try to evade -- it's not going to try to
12   not do things because it's in a Sandbox environment.
13           It's usually an indication of something
14   malicious or threatening.
15   BY MR. LEE:
16       Q   How about obfuscation, is that the same?
17           MS. CARSON:  Objection.  Form.
18           THE WITNESS:  A benign file is not going to try
19   to obfuscate code that it has, because usually malicious
20   files may not present the code that they include in
21   their binary like that.  Sometimes they obfuscate the
22   code so that something running a nondynamic analysis
23   cannot really see what they're trying to do.
24           That's what I understand by obfuscation.
25   That's why.

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 18 of 19

 1           And that could be indicative of something being
 2   malicious because that's their intent.
 3   BY MR. LEE:
 4       Q   Would it be fair to characterize evasion and
 5   obfuscation as suspicious behavior.
 6           MS. CARSON:  Objection.  Form.
 7           THE WITNESS:  I would not characterize it as
 8   suspicious, because it is possible that some legitimate
 9   benign files could also have this behaviors.
10           You would have to probably ask Joe Sandbox how
11   much weight for maliciousness they give to this kind of
12   indicators, to see, like, do they think that this is bad
13   all of the time, some of the time.
14   BY MR. LEE:
15       Q   So there's nothing suspicious about evasion?
16           MS. CARSON:  Objection.  Form.
17           THE WITNESS:  I think it is suspicious.
18           I would not say that it's a hundred percent
19   suspicious all of the time.  I cannot say that.
20   BY MR. LEE:
21       Q   Is obfuscation also considered suspicious
22   sometimes?
23           MS. CARSON:  Objection.  Form.
24           THE WITNESS:  In my opinion, obfuscation is
25   considered suspicious some of the time.  I cannot say if

Case 3:17-cv-05659-WHA Document 499-1 Filed 05/30/19 Page 19 of 19

 1   it's all of the time.
 2           (Plaintiff's Exhibit 9 was marked for
 3           identification.)
 4   BY MR. LEE:
 5       Q   You've been handed an exhibit marked as Exhibit
 6   No. 9.
 7           Exhibit No. 9 is entitled, Verdict Engine, plus
 8   Scoring Algorithms.  And it says
 9   JuniperNetworks/SkyATP/Peter Gael.
10           It's Bates labeled JNPR-FNJN_29017_00552892 to
11   907.
12           Do you recognize any of the information in
13   Exhibit No. 9?
14           MS. CARSON:  Objection.  Form.
15           THE WITNESS:  I don't think I was present in
16   this presentation.
17   BY MR. LEE:
18       Q   Do you have any understanding of what Exhibit
19   No. 9 is?
20           MS. CARSON:  Objection.  Lack of foundation.
21           THE WITNESS:  From what I can see from seeing
22   this presentation for the first time, I think it was
23   Peter presenting what the verdict engine does.
24   BY MR. LEE:
25       Q   Could you repeat that?
