Advanced Malware Analysis, Detection, Protection, and Prevention Tools Identify Malware Author Tricks Including Compression, Encoding, and Obfuscation

Malware authors are an informed bunch, ever vigilant in monitoring any defensive advance that might impede their ability to penetrate networks for harm, ransom, or theft.

As two key examples:

  • They are keenly aware of traditional perimeter defenses and their inherent capabilities. They know that network-based intrusion detection and prevention systems are largely signature-based and will alert on or block known malware entering a network.
  • They are just as aware of the rising popularity of security awareness training, one of whose core tenets is educating users not to open files sent from an untrusted source.

No one would argue these defensive measures aren't useful. In betting parlance, however, they simply draw an "I see you and I'll raise you" response from malware authors. Today, more sophisticated and stealthy tactics and techniques, including compression, encoding, and obfuscation, are employed to evade detection: a payload that has been compressed or encoded no longer matches a byte signature written for its unpacked form, so an inspection point that only matches signatures against the outer file sees nothing.

Newer, more advanced, security defense-in-depth measures are required to keep adversaries in check.

FDR Uses Sophisticated Content Dissection and Inspection When Performing Malware Analysis

FDR malware analysis tools represent a next-generation solution for detecting and stopping malware. FDR malware analysis features are designed to peel back the layers used by threat actors to disguise their activity and reveal the malware hidden within. Our FDR malware prevention solution locates these frequently disguised malicious artifacts and unmasks them through automated post-processing.

By thoroughly dissecting and inspecting session data and file content, FDR malware analysis tools equip you with a robust resource for identifying and thwarting the most sophisticated attackers.

At a high level, FDR scrutinizes files downloaded over the web or received via email to detect malicious code in transit. We apply innovative post-processing techniques to live, monitored network traffic, which enables us to surface insight about even the most cleverly masked malware. Additionally, integrations are available for a number of antivirus and sandbox technologies that complement InQuest's own analytics.

Read more about core features including data collection, dissection, analysis, and alerting below.

FDR Malware Detection and Prevention Capabilities

Data Collection

The InQuest Collector is designed to identify and display network sessions and associated files and objects that are entering and leaving your environment regardless of whether or not they are malicious. By allowing a Collector to natively capture your network traffic via a network TAP or SPAN, all files entering and leaving your environment are reconstructed from the network streams and retained for further inspection. Network traffic saved as a PCAP as well as raw files can also be fed to the Collector or Manager for offline traffic analysis and content inspection.

File & Object Dissection

InQuest has developed a post-processing layer that parses common file types and identifies locations where other files or code can be embedded within the file that was originally captured. For example, Microsoft Office documents can carry embedded VBA macros. Additionally, support is available for decompressing common archive file formats (zip, gzip, etc.), decompiling bytecode, reversing common encodings, and stripping other methods of obfuscation.

InQuest identifies embedded content within a file and recursively dissects files to find hidden content that could potentially be malicious. Each piece of extracted content is passed back through InQuest's Threat Discovery Engine (TDE) in order to identify embedded malware.
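The recursive dissection described above, and the evasion-by-layering it counters, can be illustrated with a small stand-alone example. The following is added example code written for this page; it is not InQuest's dissector or Threat Discovery Engine, and its signatures, layer handlers, and the nested sample file it builds are all constructed for demonstration. It unwraps zip, gzip, and base64 layers by magic bytes and a base64 heuristic, records the path of layers it passed through to reach each leaf object, caps recursion depth so an archive bomb cannot drive it unbounded, and scans every leaf with a handful of byte patterns standing in for a real detection engine.

```python
import base64
import binascii
import gzip
import hashlib
import io
import re
import zipfile

# Constructed stand-in for a real detection engine (assumption: a production
# engine such as InQuest's TDE applies far richer logic). Each is a byte pattern
# an analyst might flag in extracted VBA or script content.
SIGNATURES = {
    "vba-autoopen": re.compile(rb"\bAuto_?Open\b", re.IGNORECASE),
    "vba-shell": re.compile(rb"\bShell\s*\(", re.IGNORECASE),
    "powershell-encoded": re.compile(rb"powershell(\.exe)?\s+.*-enc", re.IGNORECASE),
}

_B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}\s*$")


def _try_base64(data: bytes):
    """Return decoded bytes if data looks like a base64 blob, else None."""
    stripped = b"".join(data.split())
    if len(stripped) < 16 or len(stripped) % 4 or not _B64_RE.match(data):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def unwrap(data: bytes):
    """Yield (layer_name, child_bytes) for each object embedded in data.

    Layers handled: zip archives (one child per member; OOXML Office
    documents are zip containers too), gzip streams, and base64 text.
    """
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield f"zip:{info.filename}", zf.read(info)
        return
    if data.startswith(b"\x1f\x8b"):
        yield "gzip", gzip.decompress(data)
        return
    decoded = _try_base64(data)
    if decoded is not None:
        yield "base64", decoded


def dissect(data: bytes, path=(), max_depth=8):
    """Recursively unwrap data and scan every leaf object.

    Returns a list of (layer_path, sha256, [matched signature names]), one
    entry per leaf. Depth is capped so a decompression bomb or a nested
    archive chain cannot recurse without bound.
    """
    results = []
    children = list(unwrap(data)) if len(path) < max_depth else []
    if not children:
        hits = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        results.append(("/".join(path) or "<root>", hashlib.sha256(data).hexdigest(), hits))
        return results
    for layer, child in children:
        results.extend(dissect(child, path + (layer,), max_depth))
    return results


def build_sample() -> bytes:
    """Constructed input: a macro-like script, base64-encoded, gzipped, stored
    in a zip that is itself stored inside another zip."""
    macro = b'Sub Auto_Open()\n    Shell("cmd /c powershell -enc SQBFAFgA")\nEnd Sub\n'
    encoded = base64.b64encode(macro)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.txt", gzip.compress(encoded))
        zf.writestr("README.txt", b"Nothing to see here.")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for layer_path, digest, hits in dissect(build_sample()):
        print(f"{layer_path:45} {digest[:12]} {hits or 'clean'}")
```

Scanning the outer zip's bytes alone would match none of the signatures; only after four layers are peeled back does the macro text become visible to the scanner, which is the point of passing every extracted object back through the engine rather than inspecting the captured file once.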

Analyze

Rather than attempting to reinvent the wheel, InQuest is designed to integrate best-of-breed in-house and third-party solutions for sandboxing, antivirus, and feature-based file reputation lookups. These types of integrations consist of the following:

  • InQuest Automatic Updates: Enables InQuest cloud connectivity for automatically retrieving and applying code, signature, and intelligence (feed) updates.
  • Cuckoo Sandbox: Sandbox that performs dynamic malware analysis.
  • CrowdStrike Sandbox: Automated malware analysis system.
  • Trellix: Hardware appliance that performs dynamic analysis of files.
  • InQuest Eyelet Reputation: Cloud-based reputation database.
  • InQuest MultiAV: Provides cloud-based hash analysis.
  • InQuest Threat Exchange: Enables communication with the InQuest cloud-based threat exchange, which provides shared threat information on IPs, domains, URLs, and files.
  • Joe Sandbox: Sandbox for deep malware analysis.
  • OPSWAT MetaDefender Core: Multi-scanning platform that runs files through multiple AV engines.
  • VirusTotal: Online service used to look up AV reports by file hash.

InQuest is designed to make the integration of these products painless for the administrator to configure and the operator to monitor. Operators can specify which products should be used and which file types should be analyzed by each of the respective static and dynamic analysis systems.

Alert

Using the output of the analysis stage, the InQuest user interface (UI) calculates and displays a threat score, along with the events generated for each network session and its associated files. Analysis results and metadata about both the session and the file are also provided, giving an intrusion analyst or incident responder a complete picture of the incident.