Deep Content Inspection – Key to 100% Malware Visibility


At Lastline we’re frequently asked how our technology is able to analyze 100% of the actions performed by a program or other object. The answer is rooted in our Deep Content Inspection technology.

Not all malware analysis environments are alike. Lastline’s Deep Content Inspection goes beyond the conventional malware analysis used in most firewalls, UTM systems, IPS systems, and antivirus software. Deep Content Inspection takes a smarter approach to find advanced malware — a way that legacy sandboxes that use operating system and library hooks can’t match.

In the last couple of years, we’ve seen sophisticated evasion techniques become mainstream. Currently, more than seventy percent of the malicious objects we analyze try to evade detection. We’re not only seeing an increase in the percentage of objects with evasion capabilities, but also in the number of evasion methods found in each object. In the past few years we saw only one or two evasion technologies in each piece of malware, but it’s now common to see ten or more. The ability to detect such evasive malware has become critical.

Unfortunately, conventional sandboxes are often a decade old in design, and unable to keep up with the ever-changing malware landscape. As a result, their ability to effectively detect advanced malware has been severely hampered.

When monitoring an object for malware, conventional sandbox technologies can only analyze a fraction of what the malware is actually doing. This is because they can only see when malware makes a function call to the operating system – like when a file is opened, or when a connection to the network is requested. Legacy systems can’t see what’s going on inside the malware between operating system calls.

Likewise, traditional malware detection technologies are unable to see what’s going on inside the operating system, or in the kernel that the operating system relies on. So, if a rootkit is present, conventional systems have absolutely no way to see what’s actually happening. They can see the calls that the malware makes to the operating system, but not what is taking place in those calls, or between them. If a rootkit hides or behaves uncharacteristically, the anomaly is not detected.

Lastline’s deep content inspection evaluates not only the malware’s interaction with the operating system, but also each instruction executed within the CPU. Every line of code executed by the malware is fully observed and evaluated in context. In the same manner, Lastline observes and analyzes each instruction executed by the operating system, including low-level code hidden by rootkits.
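To make the difference between the two approaches concrete, here is an added Python toy model (not Lastline’s code): a constructed sample that decides, between two stubbed OS calls, whether to touch the network at all, observed once by an API-hook monitor and once by an instruction-level tracer built on sys.settrace. The stub names and the sample program are assumptions for illustration only.

```python
import dis
import sys

# Constructed stand-ins for operating-system calls; an API-hook sandbox
# observes exactly these call boundaries and nothing in between.
def os_open_file(path):
    return f"handle:{path}"
def os_connect(host):
    return f"socket:{host}"

# Constructed toy sample: checks a flag between two OS calls and goes quiet if set.
def sample_program(analysis_marker_present):
    os_open_file("config.txt")
    if analysis_marker_present:
        return "quiet path"
    os_connect("sample.invalid")
    return "active path"

def api_hook_trace(marker):
    """Model of a hook-based sandbox: record only calls that cross into the 'OS'."""
    seen, originals = [], {}
    def make_hook(name, fn):
        def hooked(*args):
            seen.append(name)
            return fn(*args)
        return hooked
    for name in ("os_open_file", "os_connect"):
        originals[name] = globals()[name]
        globals()[name] = make_hook(name, originals[name])
    try:
        result = sample_program(marker)
    finally:
        globals().update(originals)  # unhook
    return result, seen

def instruction_trace(marker):
    """Model of instruction-level inspection: record every opcode the sample runs."""
    opnames = {i.offset: i.opname for i in dis.get_instructions(sample_program)}
    seen = []
    def tracer(frame, event, arg):
        if frame.f_code is not sample_program.__code__:
            return None  # ignore frames of the stubs and everything else
        frame.f_trace_opcodes = True  # ask for per-instruction events (Python 3.7+)
        if event == "opcode":
            seen.append(opnames.get(frame.f_lasti, "?"))
        return tracer
    sys.settrace(tracer)
    try:
        result = sample_program(marker)
    finally:
        sys.settrace(None)
    return result, seen
```

On the quiet path the hook monitor records a single call, while the instruction tracer also records the load and conditional jump that made that decision, which is the gap between OS calls the text describes.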

Lastline’s full system and deep content inspection provide 100% visibility of the malware’s actions, detecting even the most evasive code. This level of analysis is the only way to effectively mitigate today’s advanced malware.


Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years, including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.