Intelligent Monitoring

Date: 2021-09-24

Intelligent Monitoring is a dynamic malware analysis method that employs an agentless approach with its monitoring capabilities embedded completely in the hypervisor – i.e. outside of the virtual machine where the malware sample is detonated. This approach not only achieves monitoring capabilities without agents or hooks that the malware may otherwise be able to identify, but it provides total and resolution-scaling visibility into the behavior of malware samples. This total visibility makes it unnecessary to filter the analysis output data because monitoring can be focused exclusively on parts of the system relevant to the analysis at any given moment.

How Intelligent Monitoring Works

Most malware sandboxes rely on hooking methods to intercept API calls between malware samples and operating systems. A hook is considered an agent and a modification of the analysis environment. In a malware sandbox, these hooks are artifacts that some malware families can detect.

In an attempt to combat artifact detection, other analysis tools rely on system emulations in place of sandbox environments. Unfortunately, this isn’t an easily scalable solution, and certain malware families can identify flaws in the emulation.

The solution to this problem is to use an intelligent monitoring approach where a malware sample is detonated within a virtual machine instead of an emulated analysis environment and all monitoring is done from the outside, at the hypervisor level.

An intelligent monitoring approach invisibly observes and records all interactions between a suspected malware sample and the operating system, including API calls, syscalls, java functions, et cetera. An intelligent monitoring approach can also zoom in or out and provide data at any level within a system, depending on what a suspected malware sample is attempting to do – providing security teams with a more focused analysis for incident responders to interpret.

The technology that provides the ability to zoom focus between different levels within a system is called intermodular transition monitoring, and it is an integral part of an intelligent monitoring approach. By focusing only on these direct interactions, and segregating trusted code from untrusted code, intelligent monitoring drastically diminishes the amount of extraneous ‘noise data’ that other analysis methods produce. The reduction of large quantities of noise data not only saves time for the incident responders and analysts attempting to identify malware, but also the frequency of false positives as well.

Get The Latest Update

Subscribe to our newsletter

Keep up to date with our weekly digest of articles. Get the latest news, invites to events, and threat alerts!

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Intelligent Monitoring

Get The Latest Update

Subscribe to our newsletter

Table of Contents

Share With Others:

You May Also Like:

Subscribe to our Newsletter:

Solutions

Products

Why VMRay

Resources

Missed the headlines?

We’re featured in:

ThreatFeed

products

use cases

Find yours

Why VMRay

Customer Success Stories

By CAtegory

Featured Integration

Insights

Malware Analysis Reports

cybersecurity glossary

Latest Malware Analysis Spotlight

NEWS

ABOUT US & CONTACT

CAREERs

Tech Insights Deep Dive of April: Detection Strategies & Operational Excellence

Tech Insights Deep Dive of April:
Detection Strategies & Operational Excellence