Local Malware Analysis

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Local Malware Analysis

L2 Linker

Hello,

 

Could we know the frequency with which the hosts are scanned to identify alerts in local malware analysis module? 

4 REPLIES 4

L4 Transporter

Hi @Aiman_Fathima ,

Thanks for contacting us in Livecommunity. 

Im not sure if I understood your question. Im going to try to answer and please contact back if you have any doubts. 

In the malware module you can configure the frequency for enpoint scanning. It is quite granular the way you can configure it. 

As a best practice we do not recommend to abuse the use of these scans since it consumes a lot of resources of your infrastructure/endpoints and the best capabilities of CXDR are in detecting malicious activity inspecting the behaviour of processes, pre-execution, execution, post-execution and we can block malicious processes before they damage your assets. This way we can detect unknown threats (the ones that other vendors do not know the signatures and so they do not detect them because their hashes are not yet discovered and tagged as malicious), zero days included.

 

If this solves you doubts, please feel free to click on like and also mark this as a solution

KR, 

Luis

 

Hello, 

 

Thank you for the information provided!

 

My question was, even without initiating scan we get incidents regarding local malware analysis and wildfire malware. On what basis or frequency does the cortex detect those files to trigger incidents.

 

For eg: If a malware was downloaded on the system and its dormant. Will cortex trigger an alert immediately regarding the file or is there a delay or lag time between the time it was downloaded and cortex detecting it. 

Hi @Aiman_Fathima ,

CXDR is not checking continously all file hashes in your endpoints, so XDR figures out if something is malicious when it tries to start (pre-execution). 

We do not periodically try to detonate all files in the file system. 

So understand that we do not work as tradicional antivirus vendors that check hashes of all files continously.

 

If you download a file and it is malicious, we have two ways of detection: 

1- Programmed/periodic scan (under the malware profile). As mentioned before not to abuse the usage of this since it will consume many resources of your endpoints checking all the files in your file system

2- While the file is untouched, it is not harmful, no infection or no malicious action will happen. Once somebody tries to execute or detonate this malware, XDR agent will kick in with pre-execution analysis, wildfire, local analysis, etc... if it is found malicious it will be blocked and not allowed to run. An alert will be created and also an Incident containing this alert and other alerts that are related to this Incident/security event. 

Even if a legit process run and somehow it gets maliciouly injected or turns to try to execute a malicious child, we are continously checking the process execution and we can terminate this process at a later stage together with its childs. 

 

Take into account that malicious actors that are really skilled and successful, ususally never attack with a hash knows as malicious by antivirus vendors, so they go unseen (by traditional antiviruses), stealth into your infrastructure to damage it, exfiltrate, you name it. We catch them because we continously check the behavior of the processes from pre-execution to post-execution.

 

I hope this helps, and feel free to like it and mark it as a solution

Luis

 

 

 

L0 Member

Hello,
Is it possible to trigger the analysis of a file from the command line? The need is to verify new files deposited by an application before they can be accessed by users.
Thanks in advance

  • 1558 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!