Identify Malware Through Automated Dissection and Inspection

Use Case Description

A significant challenge for malware authors is how to actually deliver their malware through perimeter network defenses and entice a user to execute it on their system. Many network-based intrusion detection and/or prevention systems are signature-based and will alert and/or block known malware from successfully entering a network. In addition to the perimeter defenses, the continuing rise of security awareness through user training has made it increasingly challenging to entice a user to open a file that has been sent to them from an untrusted source. In order to overcome these challenges, malware authors use a variety of tactics and techniques such as compression, encoding, and obfuscation to evade detection.

Our Solution

InQuest’s platform represents a next generation solution for detecting and stopping malware. Our components are designed to peel back the layers used by threat actors to disguise their activity and to reveal the malware hidden within. InQuest’s threat detection solution locates these frequently disguised malicious applications and unmasks them through automated post-processing. By thoroughly dissecting and inspecting session data and file content the solution provides you with a robust resource for identifying and thwarting sophisticated attackers.

InQuest scrutinizes files downloaded over the web or received via email to detect malicious code in-transit. We apply innovative post-processing techniques to live monitored network traffic which enables us to provide insights from even the most cleverly masked malware. Additionally, integrations are available for a number of antivirus and sandbox technologies that serve as complementary functions to InQuest’s analytics. Here, each stage of the process will be explained along with information about how you can set up InQuest to protect your network against these types of evolving threats.

Data Collection

The InQuest Collector is designed to identify and display network sessions and associated files and objects that are entering and leaving your network regardless of whether or not they are malicious. By allowing a Collector to natively capture your network traffic via a network TAP or SPAN, all files entering and leaving your network are reconstructed from the network streams and retained for further inspection. Network traffic saved as a pcap as well as raw files can also be fed to the Collector or Manager for offline traffic analysis and content inspection.

File & Object Dissection

InQuest has developed a post-processing layer that parses common file types and identifies locations where other files or code can be embedded within the file that was originally captured. For example, Microsoft Office documents can include VBScript encoding macro functionality. Additionally, support is available for decompressing common archive file formats (zip, gzip, etc.), decompiling byte code, reversing common encodings and stripping other methods of obfuscation.

InQuest identifies embedded content within a file and recursively dissects files to find hidden content that could potentially be malicious. Each piece of extracted content is passed back through InQuest’s Threat Discovery Engine (TDE) in order to identify embedded malware.


Rather than attempting to reinvent the wheel, InQuest is designed to integrate best-of-breed in-house and third-party solutions for sandboxing, antivirus, and feature-based file reputation lookups. These types of integrations consist of the following:

  • InQuest Automatic Updates: Enables InQuest cloud connectivity for automatically retrieving and applying code, signature, and intelligence (feed) updates.
  • Cuckoo Sandbox: Sandbox that performs dynamic malware analysis.
  • VxStream Sandbox: Automated malware analysis system.
  • FireEye: Hardware appliance that performs dynamic analysis of files.
  • InQuest Eyelet Reputation: Cloud-based reputation database
  • InQuest MultiAV: Provides cloud-based hash analysis.
  • InQuest Threat Exchange: Enables communication with the InQuest Cloud-based threat exchange which provides shared threat information on IPs, domains, URLs, and files.
  • Joe Sandbox: Sandbox for deep malware analysis
  • OPSWAT Metadefender Core: Hardware appliance that leverages multiple AV engines to scan files.
  • VirusTotal: Online service used to look up AV reports for known-bad hashes.

InQuest is designed to make the integration of these products painless for the administrator to configure and the operator to monitor. Operators can specify which products should be used and which filetypes should be analyzed by each of the respective static and dynamic analysis systems.


Using the output of the analysis stage, the InQuest User Interface (UI) calculates and displays a threat score as well as the events that were generated for each network session and its associated files. Analysis results and metadata regarding the session as well as the file are also provided to give an intrusion analysis or incident responder a complete picture of the incident.