System Overview

MetaDefender NDR focuses on identifying and analyzing files downloaded over the web or received via email in order to detect malicious code. MetaDefender NDR collects all HTTP and SMTP network traffic sessions from taps, spans, or packet capture files, and performs Deep File Inspection on the captured data. Deep File Inspection, or DFI, is the reassembly of packets captured off the wire into application-level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. DFI gives analysts a quick way to filter out malicious content and generate alerts on it, or to perform threat hunting and triage suspicious content for more detailed analysis. These alerts may be viewed locally through the system's Graphical User Interface (GUI) or forwarded to various third-party analysis and reporting tools. Encoded file containers in SMTP and HTTP messages are decoded, saved, cataloged, and queued for scanning via the built-in signature-based scanning methods and/or the supported third-party integration methods enabled through the GUI.

Innovative and constantly evolving file post-processing techniques are applied to live, monitored network traffic, providing insight into even the most creative combinations of obfuscation. The processed content is fed through a gauntlet of the following security checks:

  • Threat Detection Engine signatures; users can add their own custom rules.
  • Entropy analysis, internally developed.
  • MetaDefender NDR Cloud: hash comparison only, if the client has an API key.
  • VirusTotal: hash comparison only, if the client has an API key.
  • OPSWAT MetaDefender Core: full document/binary analysis, if the client has the product onsite.
  • FireEye AX: full document/binary analysis, if the client has the product onsite.

Unlike most Network Intrusion Detection Systems (NIDS), MetaDefender NDR analyzes a combination of file attributes, file content, and network characteristics in their native format. Hidden data, such as embedded and/or compressed streams within file formats, is commonly used to evade NIDS detection; MetaDefender NDR extracts and normalizes such streams to maximize the effectiveness of the signature-based scanning method.
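As an added illustration of the DFI pipeline described above (decode the encoded container in an SMTP message, unravel nested compression, then run signature and entropy checks on the normalized leaf content, as the security-check list and this paragraph describe), here is a small Python sketch. It is example code written for this page, not MetaDefender NDR code; the signature set, entropy threshold, depth/size caps, and the sample message are all constructed for the example.

```python
import email, gzip, io, math, zipfile
from collections import Counter
from email import policy
from email.message import EmailMessage
# Hypothetical rule set: a constructed marker stands in for a real signature.
SIGNATURES = {"constructed-test-marker": b"CONSTRUCTED-MALWARE-MARKER"}
ENTROPY_THRESHOLD = 7.2            # bits/byte; higher suggests packed or encrypted content
MAX_DEPTH, MAX_SIZE = 8, 50 << 20  # caps against nested containers and decompression bombs

def shannon_entropy(data: bytes) -> float:
    n = len(data) or 1                 # empty input scores 0.0
    return -sum((c / n * math.log2(c / n) for c in Counter(data).values()), 0.0)

def unravel(blob: bytes, depth: int = 0) -> list[bytes]:
    """Recursively unpack gzip and zip containers down to their leaf contents."""
    if depth >= MAX_DEPTH or len(blob) > MAX_SIZE:
        return [blob]                      # stop unpacking; scan the container as-is
    if blob[:2] == b"\x1f\x8b":            # gzip magic
        return unravel(gzip.decompress(blob), depth + 1)
    if blob[:4] == b"PK\x03\x04":          # zip local file header
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [leaf for n in zf.namelist() for leaf in unravel(zf.read(n), depth + 1)]
    return [blob]

def scan(blob: bytes) -> tuple[list[str], float]:
    """Signature match plus entropy check on one normalized leaf."""
    hits = [name for name, sig in SIGNATURES.items() if sig in blob]
    ent = shannon_entropy(blob)
    if ent > ENTROPY_THRESHOLD:
        hits.append("high-entropy")
    return hits, ent

def inspect_message(raw_smtp: bytes) -> dict[str, list[str]]:
    """Decode each MIME attachment (undo base64), unravel it, scan every leaf."""
    msg = email.message_from_bytes(raw_smtp, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        for i, leaf in enumerate(unravel(part.get_payload(decode=True))):
            findings[f"{part.get_filename()}#{i}"] = scan(leaf)[0]
    return findings

def build_sample_message() -> bytes:  # constructed sample: text -> gzip -> zip -> base64 MIME
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.gz", gzip.compress(b"Invoice attached. CONSTRUCTED-MALWARE-MARKER"))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `inspect_message(build_sample_message())` reports the marker only because the base64, zip, and gzip layers were all peeled back first; a scanner that matched on the raw attachment bytes would see nothing.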

The MetaDefender NDR team reviews new products regularly, constantly tunes the threat scoring algorithm to match the real-world threats being monitored every day, and integrates with the most effective third-party organizations assisting in malware discovery in your working environments.
