Dynamic Malware Analysis Data Now Available on Metadefender.com

There is currently a huge debate about the reliability of dynamic malware analysis performed within a controlled environment; the anti-malware community questions the quality of this data given the increased investment by malware writers in sandbox evasion and malware armoring. Therefore, in order to make MetaDefender.com a more valuable malware analysis tool, we have exposed a subset of data gathered from live users and their machines, in the hope of providing a better reflection of what is happening in the wild.

Dynamic Data for Malware Analysts on Wild Threats:

Over the past few months we have invested in building this new, unique feature: Multidimensional Binary Dynamic Analysis on Live Machines. It provides powerful data about the environments in which files are running, powered by integration with our MetaDefender Endpoint solution to crowd-source information from users and machines in the real world.

Because the core of MetaDefender Endpoint Client is our OESIS Framework, the industry standard for detecting, classifying, assessing and managing third-party software applications, we are able to uniquely combine interesting data about the applications on a machine with the MetaDefender.com threat report.

The combined data helps you evaluate whether a hash/binary is malicious or not. MetaDefender.com can now tell you the binary's network connections and the loaded components used by that particular application, as well as the applications and versions the hash belongs to. With this information, you will be better able to assess the behavior of the binary by basing your analysis on the IP scan report of its network connections, or on the scan report of all its loaded components. This provides better insight into the nature of the binary, and will help identify malicious content, vulnerabilities, or EPO malware even when the file itself appears to be safe.

OESIS can assess Windows, Mac, Linux, and mobile devices and can gather comprehensive contextual intelligence about the applications installed as well as device information. We've begun to connect this application and device information with the scan engine reports on MetaDefender.com to provide unique new dynamic analysis data about binaries on live machines.

The amount of data we are gathering is incredible; we've started to organize and classify the data and what we can offer for our very first version is:

Application details for better analysis:

  • Version
  • Vendor Name
  • Operating systems it was seen on:
    • OS name
    • OS version
    • Kernel Version
    • Architecture


  • How many times this hash was reported
    • On each OS
    • For each application


Network connection information available:

  • IP
  • Domain
  • How many times an IP was reported
  • Usage
  • IP Scan report

Loaded components:

  • Component file name
  • How many times reported
  • Rank of the file name (based on the report count)
  • Metascan Scan Report for each component
  • By accessing each component you will get a report listing all the applications that share that component

File name and path information:

  • File name / aliases
  • Reported File Paths


What kinds of reports are we able to provide?

  • List of connected IPs:

    • Depending on the use case, it can be handled differently:
      • For malware researchers/analysts, the interest is in analyzing the traffic and aggregating the IPs by potentially malicious traffic
      • For an IT manager, it may be relevant which IPs to whitelist so that an application can perform online updates (e.g. an AV engine updating its signatures)
  • Application information

    • Decisions are easier when you know whether the hash belongs to reputable or highly dangerous sources
    • If an application/library has a reported known vulnerability, we will be able to tell you all the applications that are using it, so you can patch it and properly secure your endpoints.
  • Live distribution of applications

    • Which applications and which versions are used
  • Live distribution of operating systems

    • We can report the existing distributions, their versions, the service packs in use, etc.
  • Adoption ratio for either applications or operating systems

Check out this new data on some example hashes that we've collected.

Gathering all this information into the cloud and aggregating it under one roof is a stepping stone toward the hash intelligence tool we are currently building. We are excited to share this new tool with our community; please let us know what you think by tweeting @OPSWAT or by dropping us an email at feedback@opswat.com!