Support for the Consumption of Numerous Data, File and Protocol Formats

Use Case Description

Malware can be embedded in a variety of different files and formats. In many cases, commercial-off-the-shelf (COTS) security products are incapable of scanning and supporting all relevant file and protocol formats when inspecting data in transit, leaving you blind to the potential threats.

Our Solution

InQuest systems support a wide array of file formats and have special processing routines designed to extract the data that can be concealed within each one. Here, the intended and malicious functionality of different types of files is highlighted and a sample of the relevant file types that InQuest supports is listed.

Compressed Files

File compression is intended to allow files to be stored or transmitted in a format that requires less space than their standard structure. Attackers often leverage this to conceal malicious functionality, since a signature written for the uncompressed file will not match the compressed version of that file. InQuest natively supports decompression of a variety of common compressed file types, including the following:

  • 7z
  • AR
  • ARC
  • ARJ
  • BZIP2
  • CAB
  • CPIO
  • DEB
  • FLAC
  • GZIP
  • ISO
  • LZMA
  • RAR
  • RPM
  • TAR
  • XZ
  • ZIP
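
The evasion described above is the reason a scanner must recurse through containers before matching signatures. The following is an added example (not InQuest code) using only the Python standard library: it identifies containers by magic bytes rather than by file extension, unpacks ZIP, TAR, GZIP, BZIP2 and XZ recursively with a depth bound, and applies a constructed marker signature to each leaf payload. The marker value and the sample archive are constructed for the demonstration.

```python
import bz2, gzip, io, lzma, tarfile, zipfile

# Constructed marker standing in for a signature written against the uncompressed file.
SIGNATURE = b"SAMPLE-MARKER-FOR-TESTING"
MAX_DEPTH = 4  # bound the recursion so deeply nested archives cannot exhaust resources
# (offset, magic bytes, type): classify by content, never by the attacker-controlled extension
MAGIC = [(0, b"PK\x03\x04", "zip"), (0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"),
         (0, b"\xfd7zXZ\x00", "xz"), (257, b"ustar", "tar")]
STREAM = {"gzip": gzip.decompress, "bzip2": bz2.decompress, "xz": lzma.decompress}

def identify(data: bytes) -> str:
    for offset, magic, kind in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "raw"

def unpack(data: bytes, path: str = "<input>", depth: int = 0):
    """Yield (path, payload) for every leaf object, recursing into nested containers."""
    kind = identify(data)
    if kind == "raw" or depth >= MAX_DEPTH:  # at the depth limit the container itself is the leaf
        yield path, data
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield from unpack(zf.read(name), f"{path}/{name}", depth + 1)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield from unpack(tf.extractfile(member).read(), f"{path}/{member.name}", depth + 1)
    else:  # single-stream compressors wrap exactly one inner payload
        yield from unpack(STREAM[kind](data), f"{path}/{kind}-stream", depth + 1)

def scan(data: bytes) -> list:
    """Return the paths of all leaf payloads that contain SIGNATURE."""
    return [p for p, payload in unpack(data) if SIGNATURE in payload]

def build_sample() -> bytes:
    """Constructed sample: the marker inside a tar, inside gzip, inside a zip."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("payload.bin")
        info.size = len(SIGNATURE)
        tf.addfile(info, io.BytesIO(SIGNATURE))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("inner.tar.gz", gzip.compress(tar_buf.getvalue()))
    return zip_buf.getvalue()
```

A plain substring match against the outer ZIP finds nothing; only after three layers of unpacking does the marker surface at `<input>/inner.tar.gz/gzip-stream/payload.bin`.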

Document Files

Document files include Microsoft Office file formats, Portable Document Format (PDF) files and similar. These files can contain embedded malicious code that the visible contents of the document encourage the user to execute. For example, Microsoft Office documents support the use of macros which, if executed, have the ability to install malware on the user's machine. PDF readers have historically contained vulnerabilities that allow malicious code to execute as soon as the document is opened. InQuest supports a variety of common document formats and identifies and extracts embedded content for further analysis. Supported file types include, but are not limited to, the following:

  • DOC
  • DOCM
  • DOCX
  • PDF
  • PPS
  • PPSM
  • PPT
  • PPTM
  • PPTX
  • XLS
  • XLSM
  • XLSX

Executable Files

The Portable Executable (PE) format is the data structure Windows operating environments use to load and manage executable code. An unexpected executable entering the network perimeter is always a cause for suspicion, since executables are designed to be lightweight and trivial to run. Executable file types vary with the underlying operating system. A sample of the ones supported by InQuest includes the following:

  • EXE
  • DLL

Flash Files

Flash files provide animation and video capabilities to applications, web pages and the like. Since code is needed to play the content, it is possible to create a malicious Flash file that bundles a genuine video with code that runs in the background. InQuest systems search for embedded code in Flash files and support the following formats:

  • FLA
  • FLV
  • SWF

Script Files

Script files contain code intended to be executed within a certain environment. On the web, PHP and JavaScript are commonly used scripting languages. Microsoft Office documents support Visual Basic for Applications (VBA) scripting to allow the automation of repetitive tasks. Execution of untrusted script files is dangerous, as they have the ability to install malware on the affected computer. InQuest natively supports many scripting file types, including the following:

  • JS
  • PHP
  • PL
  • VBA