Use Case Description
Malware can be embedded in a variety of different files and formats. In many cases, commercial-off-the-shelf (COTS) security products are incapable of scanning and supporting all relevant file and protocol formats when inspecting data in transit, leaving you blind to the potential threats.
InQuest systems support a wide array of file formats and have special processing routines designed to extract the data that can be concealed within each one. Here, the intended and malicious functionality of different types of files is highlighted, and a sample of the relevant file types that InQuest supports is listed.
File compression is intended to allow files to be stored or transmitted in a format that requires less space than their standard structure. This functionality is often leveraged by hackers to conceal malicious functionality, because a signature written for an uncompressed file will not match the compressed version of that file. InQuest natively supports decompression of a variety of common compressed file types, including the following:
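To make the signature-mismatch point above concrete, here is an added Python example (not InQuest code) that matches a constructed, hypothetical byte signature against a sample buried in a zip inside a gzip stream, first on the raw bytes and then after recursively peeling the compression layers identified by their magic bytes. The nesting and size limits are assumptions chosen for the example, not values from the page.

```python
import gzip
import hashlib
import io
import zipfile

# Constructed for this example: a byte pattern standing in for a
# content signature (hypothetical, not a real detection rule).
SIGNATURE = b"AutoOpen"
MAX_DEPTH = 8                  # bound nesting so crafted archives cannot recurse forever
MAX_BYTES = 16 * 1024 * 1024   # refuse to descend into any layer larger than this

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_raw(data: bytes) -> bool:
    """Plain byte match: only fires if the signature is present verbatim."""
    return SIGNATURE in data

def unwrap(data: bytes, depth: int = 0):
    """Yield `data` and every stream reachable by peeling compression layers,
    identified by magic bytes (gzip: 1f 8b, zip local header: 'PK\\x03\\x04')."""
    yield data
    if depth >= MAX_DEPTH:
        return
    if data[:2] == b"\x1f\x8b":
        inner = gzip.decompress(data)   # a production scanner would stream with a cap
        if len(inner) <= MAX_BYTES:
            yield from unwrap(inner, depth + 1)
    elif data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_BYTES:
                    yield from unwrap(zf.read(info), depth + 1)

def scan_recursive(data: bytes) -> bool:
    """Signature match applied to every decompressed layer, not just the outer bytes."""
    return any(scan_raw(layer) for layer in unwrap(data))

def build_sample() -> bytes:
    """Constructed input: macro-like text inside a zip inside a gzip stream."""
    text = b"Sub " + SIGNATURE + b"()\n" + b"    ' constructed macro-like body\n" * 3 + b"End Sub\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/vbaProject.txt", text)
    return gzip.compress(buf.getvalue())

if __name__ == "__main__":
    sample = build_sample()
    print("raw match:", scan_raw(sample))               # False: hidden by compression
    print("recursive match:", scan_recursive(sample))   # True
    print([sha256(layer)[:12] for layer in unwrap(sample)])  # one digest per layer
```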
Document files include Microsoft Office file formats, Portable Document Format (PDF) files and similar. These files can contain embedded malicious code that the visible contents of the document encourage the user to execute. For example, Microsoft Office documents support the use of macros which, if executed, have the ability to install malware on the user’s machine. PDF readers have historically contained vulnerabilities that allow malicious code to execute as soon as the document is opened. InQuest supports a variety of common document formats and identifies and extracts embedded content for further analysis. Supported file types include, but are not limited to, the following:
The Portable Executable (PE) format is a data structure specifically built to allow Windows operating environments to load and manage executable code. An unexpected executable entering the network perimeter is always a cause for suspicion, since executables are designed to be lightweight and trivial to run. Executable file types vary based upon the base operating system. A sample of the ones supported by InQuest includes the following:
Flash files provide animation and video capabilities to applications, web pages, etc. Since code is needed to execute the video, it is possible to create a malicious Flash file consisting of the actual video and some code that runs in the background. InQuest systems search for embedded code in Flash files and support the following formats: