Sergei Shevchenko, PC Tools
Threats can end up on a computer from numerous sources: via email, via chat programs such as Messenger or IRC clients, or by browsing websites that host malware.
When new suspected threat files are identified, system administrators can send these files to an Internet security company, such as an anti-virus or anti-malware vendor, for analysis. These companies investigate the threats and, some time later (anywhere from a few hours up to 48 hours, depending on the complexity of the threat), provide updated database definitions to remove them. In some circumstances, if the threat warrants additional research, a detailed description of it is subsequently posted on the Internet.
Nevertheless, the downtime between identifying the relevant threat files and receiving a database update to remove the infection can result in severe financial losses to an organization.
This is where Threat Expert steps in. Threat Expert takes a threat file, places it in a self-contained environment, deliberately executes the threat in this environment and then monitors its behaviour. Snapshots of the file system, Windows Registry, network traffic and memory are recorded, together with the output of a series of specific 'hooks' that intercept the communication routes typically exploited by threat infections.
These hooks 'deceive' the threat into communicating across a simulated network, while the threat's communication actions are in fact being recorded in detail by Threat Expert. From this recorded data, a detailed report is generated, consisting of system changes, memory and traffic dump analyses, and other important system activities caused by the threat.
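The snapshot-and-diff idea behind such a report can be sketched in a few lines. The example below is added here and is not Threat Expert's code; the guest state, the network hook and the sample's behaviour are all constructed stand-ins, and the report format is assumed.

```python
import hashlib

class SandboxState:
    """Constructed stand-in for the monitored guest: file system, registry and a network hook."""
    def __init__(self, files, registry):
        self.files = dict(files)          # path -> file contents (bytes)
        self.registry = dict(registry)    # registry key -> value
        self.dns_log = []                 # lookups intercepted by the simulated network

    def resolve(self, hostname):
        # Hook: log the lookup and hand back a fake address so the sample keeps talking.
        self.dns_log.append(hostname)
        return "10.0.0.1"

def snapshot(state):
    """Record file hashes (not contents) and a copy of the registry, as a monitor would."""
    return ({p: hashlib.sha256(d).hexdigest() for p, d in state.files.items()},
            dict(state.registry))

def diff_snapshots(before, after):
    """Turn a before/after pair into the 'system changes' section of a report."""
    b_files, b_reg = before
    a_files, a_reg = after
    common = set(a_files) & set(b_files)
    return {
        "files_created": sorted(set(a_files) - set(b_files)),
        "files_deleted": sorted(set(b_files) - set(a_files)),
        "files_modified": sorted(p for p in common if a_files[p] != b_files[p]),
        "registry_set": sorted(k for k in a_reg if b_reg.get(k) != a_reg[k]),
        "registry_deleted": sorted(set(b_reg) - set(a_reg)),
    }

def analyse(state, sample):
    before = snapshot(state)
    sample(state)  # deliberately execute the sample inside the contained state
    report = diff_snapshots(before, snapshot(state))
    report["dns_queries"] = list(state.dns_log)
    return report

def constructed_sample(state):
    """Constructed behaviour for the demo, not a real threat: drop, persist, beacon."""
    state.files[r"C:\Windows\dropped_copy.exe"] = b"MZ...constructed dropper body"
    state.files[r"C:\Windows\System32\drivers\etc\hosts"] += b"\n127.0.0.1 update.vendor.invalid"
    state.registry[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropped_copy"] = r"C:\Windows\dropped_copy.exe"
    state.resolve("c2.example.invalid")

def demo_report():
    state = SandboxState(
        files={r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost"},
        registry={r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": "updater.exe"})
    return analyse(state, constructed_sample)

if __name__ == "__main__":
    for section, entries in demo_report().items():
        print(section, entries)
```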
This presentation is a practical guide to the advantages of using an advanced automated threat analysis system, in the current climate of zero-hour threats, to reduce the time between first detection and a solution or signature.
The presentation covers the following topics: