Intelligent Monitoring

Intelligent Monitoring is a dynamic malware analysis method that employs an agentless approach with its monitoring capabilities embedded completely in the hypervisor – i.e. outside of the virtual machine where the malware sample is detonated. This approach not only achieves monitoring without agents or hooks that the malware might otherwise be able to identify, but also provides total, resolution-scalable visibility into the behavior of malware samples. This total visibility makes it unnecessary to filter the analysis output data because monitoring can be focused exclusively on parts of the system relevant to the analysis at any given moment.

How Intelligent Monitoring Works

Most malware sandboxes rely on hooking methods to intercept API calls between malware samples and operating systems. A hook is considered an agent and a modification of the analysis environment. In a malware sandbox, these hooks are artifacts that some malware families can detect.

In an attempt to combat artifact detection, other analysis tools rely on system emulations in place of sandbox environments. Unfortunately, this isn’t an easily scalable solution, and certain malware families can identify flaws in the emulation.

The solution to this problem is to use an intelligent monitoring approach where a malware sample is detonated within a virtual machine instead of an emulated analysis environment and all monitoring is done from the outside, at the hypervisor level.

An intelligent monitoring approach invisibly observes and records all interactions between a suspected malware sample and the operating system, including API calls, syscalls, Java functions, et cetera. It can also zoom in or out and provide data at any level within a system, depending on what a suspected malware sample is attempting to do – giving incident responders a more focused analysis to interpret.

The technology that provides the ability to zoom focus between different levels within a system is called intermodular transition monitoring, and it is an integral part of an intelligent monitoring approach. By focusing only on these direct interactions, and segregating trusted code from untrusted code, intelligent monitoring drastically diminishes the amount of extraneous ‘noise data’ that other analysis methods produce. The reduction of large quantities of noise data not only saves time for the incident responders and analysts attempting to identify malware, but also reduces the frequency of false positives.
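The following is an added example, not code from the product described on this page: a simplified model of how recording only transitions from untrusted into trusted code shrinks a trace. The memory map, addresses and trace events are constructed for illustration, and treating unmapped memory as untrusted is an assumption of this sketch.

```python
from bisect import bisect_right
from typing import NamedTuple

class Module(NamedTuple):
    name: str
    base: int
    size: int
    trusted: bool  # True for OS code, False for the sample under analysis

# Constructed memory map: the sample image plus two OS libraries.
MODULES = sorted([
    Module("sample.exe",   0x00400000, 0x020000, False),
    Module("kernel32.dll", 0x76000000, 0x100000, True),
    Module("ntdll.dll",    0x77000000, 0x180000, True),
], key=lambda m: m.base)
BASES = [m.base for m in MODULES]

def resolve(addr):
    """Map an address to (module name, trusted flag)."""
    i = bisect_right(BASES, addr) - 1
    if i >= 0 and addr < MODULES[i].base + MODULES[i].size:
        return MODULES[i].name, MODULES[i].trusted
    # Assumption: code outside every mapped image (for example, code
    # unpacked into heap memory at run time) is treated as untrusted.
    return "<unmapped>", False

# Constructed trace of control transfers: (source addr, target addr, symbol).
TRACE = [
    (0x00401000, 0x00402340, "sub_402340"),            # sample -> sample
    (0x00402350, 0x76012000, "CreateFileW"),           # sample -> kernel32
    (0x76012010, 0x77034000, "NtCreateFile"),          # kernel32 -> ntdll
    (0x00402360, 0x00AB0000, "<unpacked code>"),       # sample -> unmapped
    (0x00AB0040, 0x77035000, "NtWriteVirtualMemory"),  # unmapped -> ntdll
    (0x77035020, 0x77036000, "<ntdll internal>"),      # ntdll -> ntdll
]

def intermodular_transitions(trace):
    """Keep only transfers that cross from untrusted code into trusted code.

    Transfers inside the sample and calls the OS makes on its own behalf
    are dropped, which is where most of the trace volume comes from.
    """
    kept = []
    for src, dst, symbol in trace:
        (src_mod, src_trusted), (dst_mod, dst_trusted) = resolve(src), resolve(dst)
        if not src_trusted and dst_trusted:
            kept.append((src_mod, dst_mod, symbol))
    return kept

if __name__ == "__main__":
    for event in intermodular_transitions(TRACE):
        print(event)
```

Of the six constructed events, only the two that cross the trust boundary are recorded, including the direct call made from unmapped memory.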