In boxing, the “One-Two” combination is an essential component of a fighter’s arsenal. A left jab followed by a right cross is one of the most effective combinations a fighter can unleash on his opponent. In the fight against malware, it’s just as important for Malware Analysts and Incident Responders to have a “One-Two” combination consisting of rapid threat detection and total visibility into malware behavior.
Over the last few years, VMRay focused on perfecting the “right cross” by providing total malware visibility through the Automated Malware Analysis Engine. The level of detail in the analysis reports gives Malware Analysts and Incident Responders the information they need to dissect malware and understand its behavior.
With the release of VMRay Analyzer V 2.0 we added a fast “left jab” in the form of the Reputation Engine. With the Reputation Engine, Malware Analysts and Incident Responders are now able to detect known malicious and known benign files within milliseconds. The only input that needs to be provided is the file hash value. Together, the Reputation Engine and the Analysis Engine deliver the desired “One-Two” combination of rapid threat detection and detailed analysis.
The obvious benefit associated with the ability to rapidly detect malware without performing a detailed behavioral analysis is that the number of samples that can be analyzed is much higher. Given the amount of email and internet traffic that most organizations have to analyze today, this is a very significant benefit.
Sometimes, during a behavioral analysis, the Command and Control server (C&C) may not be reachable. Consequently, no instructions or malicious files are downloaded from the C&C, and the sample may not be classified as malicious. Having a reputation engine that looks up the file hash and provides a reputation status ensures that no known malicious files go under the radar for reasons such as an unreachable C&C.
The reputation engine can be the difference between real-time attack prevention and reacting after the fact to a malware attack. During the few minutes needed to perform a behavioral analysis, several hosts inside a network may become infected and would then need to be isolated from the rest of the network while recovery/clean-up is performed. By providing an almost real-time reputation status, the reputation engine can not only help detect known threats but also prevent an attack.
The reputation engine database is regularly updated with feeds from threat intelligence sources, thus ensuring that it is kept up-to-date. This, coupled with the analysis engine’s ability to detect 0-day threats, ensures that the network is protected from both known and unknown threats.
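The triage flow described in the paragraphs above, written out as an added Python example (this is not VMRay’s code and does not use its API): the file hash is checked against a reputation database first, and only unknown hashes go to dynamic analysis. The label names, the in-memory reputation store, the 24-hour feed-freshness threshold and the simulated sandbox are all assumptions made for the illustration; the sample bytes are constructed. The example also carries the unreachable-C&C caveat through: when nothing could be downloaded and no malicious behavior was seen, the result is reported as inconclusive rather than as benign.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Reputation labels (names assumed for this example).
KNOWN_MALICIOUS = "known_malicious"
KNOWN_BENIGN = "known_benign"
UNKNOWN = "unknown"

# Constructed sample contents; real files would be read from disk.
MAL_SAMPLE = b"constructed: bytes of a sample already known to be malicious"
BENIGN_SAMPLE = b"constructed: bytes of a signed installer known to be benign"
NOVEL_SAMPLE = b"constructed: bytes of a never-before-seen dropper"

# Fixed clock so the freshness check is reproducible.
DEMO_NOW = datetime(2017, 1, 10, 12, 0, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    """The only input the reputation lookup needs: the file hash."""
    return hashlib.sha256(data).hexdigest()


class ReputationEngine:
    """In-memory stand-in for a hash reputation database fed by threat intel."""

    def __init__(self, entries: Dict[str, str], last_updated: datetime,
                 max_age: timedelta = timedelta(hours=24)):
        self.entries = {h.lower(): v for h, v in entries.items()}
        self.last_updated = last_updated
        self.max_age = max_age

    def is_stale(self, now: datetime) -> bool:
        """A feed only protects against known threats while it is kept current."""
        return now - self.last_updated > self.max_age

    def lookup(self, file_hash: str) -> str:
        return self.entries.get(file_hash.lower(), UNKNOWN)


@dataclass
class AnalysisResult:
    malicious_behavior: bool
    c2_reachable: Optional[bool]  # None when the sample never contacted a C&C


@dataclass
class Verdict:
    label: str
    source: str       # "reputation" (fast path) or "analysis" (slow path)
    feed_stale: bool  # flagged so an operator knows the fast path may be outdated


def triage(data: bytes, reputation: ReputationEngine,
           analyze: Callable[[bytes], AnalysisResult], now: datetime) -> Verdict:
    """Left jab first: hash lookup. Right cross only for unknown hashes."""
    stale = reputation.is_stale(now)
    label = reputation.lookup(sha256_hex(data))
    if label in (KNOWN_MALICIOUS, KNOWN_BENIGN):
        return Verdict(label, "reputation", stale)

    result = analyze(data)
    if result.malicious_behavior:
        return Verdict("malicious", "analysis", stale)
    if result.c2_reachable is False:
        # Nothing was fetched from the C&C, so seeing no malicious behavior
        # proves nothing; do not let this sample pass as benign.
        return Verdict("inconclusive", "analysis", stale)
    return Verdict("no_malicious_behavior", "analysis", stale)


def simulated_sandbox(data: bytes) -> AnalysisResult:
    """Constructed stand-in for a dynamic analysis run (not a real engine)."""
    if data == NOVEL_SAMPLE:
        # The dropper's C&C was down during detonation: nothing was downloaded.
        return AnalysisResult(malicious_behavior=False, c2_reachable=False)
    return AnalysisResult(malicious_behavior=False, c2_reachable=None)


def build_demo_engine(feed_age_hours: float) -> ReputationEngine:
    """Reputation store whose last feed update is feed_age_hours before DEMO_NOW."""
    return ReputationEngine(
        {sha256_hex(MAL_SAMPLE): KNOWN_MALICIOUS,
         sha256_hex(BENIGN_SAMPLE): KNOWN_BENIGN},
        last_updated=DEMO_NOW - timedelta(hours=feed_age_hours))


if __name__ == "__main__":
    engine = build_demo_engine(2)
    for name, sample in (("malicious", MAL_SAMPLE), ("benign", BENIGN_SAMPLE),
                         ("novel", NOVEL_SAMPLE)):
        v = triage(sample, engine, simulated_sandbox, DEMO_NOW)
        print(f"{name:9s} -> {v.label} (via {v.source}, feed stale: {v.feed_stale})")
```

Two design choices matter here. First, a known-benign reputation hit short-circuits analysis just like a known-malicious one, which is where the throughput gain comes from. Second, the inconclusive verdict is kept distinct from "no malicious behavior" so that a sample whose C&C happened to be down is queued for re-analysis or manual review instead of being waved through.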
What information does the reputation engine provide?
In milliseconds, the reputation engine returns one of the following status labels for every submitted file hash.
With the Built-In Reputation and Dynamic Analysis Engines, Malware Analysts and Incident Responders will have an effective “One-Two” combination for rapidly detecting threats and getting deeper insights into malware behavior.