Overview

Join the Hunt.

The MetaDefender NDR platform provides high-throughput Deep File Inspection (DFI) for threat and data leakage prevention, detection, and hunting. MetaDefender NDR aims to automate and scale the expert knowledge of a typical SOC analyst. Available on-premise or as a service, MetaDefender NDR pairs Deep File Inspection with unique threat intelligence sources, and a seasoned signature development team augmented by machine learning. Optionally, its automated decision-making engine can be paired with multi-scanning and sandbox platforms through turnkey bi-directional orchestration.

The MetaDefender NDR solution focuses primarily on identifying and analyzing files downloaded over the web or received via email in order to detect malicious code. MetaDefender NDR collects all HTTP and SMTP network traffic sessions from taps, SPAN ports, or packet capture files, and performs Deep File Inspection on the captured data. Deep File Inspection (DFI) is the reassembly of packets captured off the wire into application-level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. DFI gives analysts a quick way to filter out malicious content and generate alerts on it, or to perform threat hunting by triaging suspicious content for more detailed analysis. Alerts may be viewed locally through the system's Graphical User Interface (GUI) or forwarded to third-party analysis and reporting tools such as ArcSight via the Syslog Common Event Format (CEF). Encoded file containers in SMTP and HTTP messages are decoded, saved, cataloged, and queued for scanning via the built-in signature-based scanning methods and/or the supported third-party integration methods enabled through the GUI.
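To illustrate the DFI pipeline described above, the following Python is an added example (not OPSWAT's or MetaDefender NDR's code) that works on a constructed SMTP message: it decodes the base64 MIME attachment, recursively unwraps the zip container it carries with depth and size caps, catalogs every extracted file by SHA-256, and renders each record as a Syslog CEF line of the kind forwarded to ArcSight. The vendor, product and event ids in the CEF header are placeholders.

```python
import base64
import email
import hashlib
import io
import zipfile
from email import policy

# Constructed sample payload and message (not real traffic): a base64-encoded zip
# attachment whose only member is a small script.
SAMPLE_INNER = b"// constructed sample payload\nvar x = 1;\n"

def build_sample_message() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", SAMPLE_INNER)
    att = base64.b64encode(buf.getvalue()).decode()
    return ("From: sender@example.test\r\nTo: user@example.test\r\nSubject: Invoice\r\n"
            'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
            '--b1\r\nContent-Type: application/zip; name="invoice.zip"\r\n'
            "Content-Transfer-Encoding: base64\r\n"
            'Content-Disposition: attachment; filename="invoice.zip"\r\n\r\n'
            + att + "\r\n--b1--\r\n").encode()

def unravel(name, data, depth=0, max_depth=4, max_size=10_000_000):
    """Catalog a file and recursively unwrap zip containers inside it.
    Returns (path, depth, sha256, size) per file; depth and size caps limit zip-bomb blowup."""
    records = [(name, depth, hashlib.sha256(data).hexdigest(), len(data))]
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > max_size:
                    continue  # skip oversized members rather than inflate them
                records += unravel(f"{name}/{info.filename}", zf.read(info), depth + 1, max_depth, max_size)
    return records

def inspect_smtp(raw: bytes) -> list:
    """Decode (Content-Transfer-Encoding) each MIME attachment and catalog what it unwraps to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        records += unravel(part.get_filename() or "unnamed", part.get_payload(decode=True))
    return records

def to_cef(sender: str, rec: tuple) -> str:
    """Render one catalog record as a CEF line; '=' and backslash are escaped in extension values."""
    esc = lambda v: str(v).replace("\\", "\\\\").replace("=", "\\=")
    name, depth, sha256, size = rec
    return (f"CEF:0|Example|DFI|1.0|100|Attachment cataloged|3|"
            f"suser={esc(sender)} fname={esc(name)} fsize={size} cs1Label=sha256 cs1={sha256} cn1Label=depth cn1={depth}")
```

Running `inspect_smtp(build_sample_message())` yields two records, the zip itself at depth 0 and `invoice.zip/invoice.js` at depth 1, each ready to be passed to `to_cef` for forwarding.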

Unlike most Network Intrusion Detection Systems (NIDS), MetaDefender NDR specializes in analyzing a combination of file attributes, file content, and network characteristics in their native format. Hidden data, such as embedded and/or compressed streams inside file formats, which are commonly used to evade NIDS detection, are extracted and normalized to maximize the effectiveness of the signature-based scanning methods that are then applied.

The GUI provides an interface for near real-time monitoring as well as historical lookups using attributes of network connections, protocol-specific message headers, file hashes or file names. The interface also provides analysts with the ability to view information about alerts generated via automated static analysis, matching payloads and alerts or metadata produced by third-party appliances that have been integrated with the MetaDefender NDR deployment. The original files can be downloaded for additional incident handling and/or forensics purposes through the GUI.
