6 Ways Intelligent Monitoring Improves Malware Analysis Accuracy & Efficiency

This is the second blog in a two-part series describing how VMRay Analyzer’s Intelligent Monitoring capabilities remove the noise from malware analysis. Read part one.

VMRay Analyzer’s hypervisor-based monitoring approach provides total visibility into the behavior of a sample under analysis and enables monitoring only parts of the system related to the analysis. This makes it unnecessary to do filtering on the analysis output as no side-effects of benign applications are ever monitored.

By ensuring that standard OS runtime operations and the effects of other benign processes such as MS Office applications or the browser are not included in the logs and report files, Intelligent Monitoring helps Incident Responders and Malware Analysts to:

Generate Concise, Focused Reports and Logs for Efficient Manual Analysis

DFIR specialists and malware analysts manually scrutinize log files that often contain a significant amount of irrelevant and redundant entries. Benign operations performed by OS threads may get captured in the log files making it harder for a security analyst to sift through the information and draw accurate conclusions about the sample under analysis. Intelligent monitoring focuses only on the behavior of the sample in question and saves Incident Responders and Malware Analysts time and effort.

VMRay Function Log - 6 Benefits of Intelligent Monitoring

In addition, VMRay Analyzer’s unique monitoring approach enables automatic adjustments to the optimum monitoring granularity. That means regardless of whether the malware is doing an API call, using special CPU instructions to directly jump into the kernel, or using higher-level concepts such as COM objects, VMRay always intercepts at the highest semantic level possible.

Apply Machine Learning Algorithms with Ease

Machine Learning algorithms applied to focused, non-diluted reports and log files provide significantly better results than those applied to reports with noise. As an example, in the past, malware clustering algorithms (based on behavior) often clustered by a compiler and/or runtime artifacts instead of the actual malware behavior. VMRay Analyzer generates concise, focused reports and log files which help security teams apply machine learning algorithms efficiently for malware detection.

Reduce False Alerts and Improve Automated Detection Efficacy

Often an action performed by an unrelated library may get captured in the log files as part of the ‘noise’. This could lead to incorrect conclusions being drawn about the sample under analysis especially in automated detection environments. IOCs extracted from log files may be incorrectly attributed to the sample under analysis and will inevitably lead to false positives. VMRay Analyzer’s unique hypervisor-based monitoring approach reduces false positives by focusing only on the core behavior of the sample under analysis.

VTI Score - Intelligent Monitoring

Note to Reader: In any sandbox trial, it is important to also test with benign software as most systems tend to have high false positive rates for the reasons mentioned above.

Apply Pattern Matching Algorithms Efficiently to Logs

Pattern matching algorithms designed to detect malware are much easier to apply to focused log files and reports such as those generated by VMRay Analyzer.

Reduce Storage Requirements

Non-diluted reports and log files have smaller storage requirements.

Improve Malware Detection Performance and Scalability

Downloading a file from the Internet or creating a new process only requires one high-level API call, but may result in hundreds of kernel calls.

For that reason, VMRay Analyzer performs only a minuscule number of interrupts (to log data) during analysis. Every single interaction between the monitored malware and the rest of the system is captured but VMRay does not include the sub-function calls and user/kernel transitions, powering superior performance and scalability.

Get hands-on with VMRay Analyzer’s Intelligent Monitoring, contact us for a trial below.