Malware Detection via Dynamic Document Analysis


Lastline’s unique approach takes dynamic document analysis to a whole new level.

In my previous blog posting, I briefly covered static document analysis as one of two types of document analysis that are essential for effective detection of advanced malware. Today I want to address dynamic document analysis and some of its must-have capabilities.

Static document analysis looks for abnormalities in the file itself, not in how it executes. Dynamic document analysis monitors the actions of the document, and takes place when the file is being executed.

Classic examples of how basic dynamic document analysis works, and why it’s important, include:

  • A document downloaded an external program and executed it
  • A document installed a program
  • A document connected to a website that is known to be malicious

Any good sandbox-based malware detection system is capable of this level of dynamic analysis, even legacy solutions. 
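The three classic indicators above are simple to express as rules over a behaviour trace recorded by a sandbox. The following is an added example, not Lastline's code: it walks a constructed trace of a document reader, follows the document's process tree, and flags download-and-execute, a Run-key installation, and a connection to a host on a constructed blocklist (the event format, hosts and paths are all assumptions).

```python
"""Rule-based check of a sandbox behaviour trace (constructed example)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

READER_PROCS = {"winword.exe", "acrord32.exe"}   # document viewers under analysis
KNOWN_BAD_HOSTS = {"malicious.example"}          # constructed blocklist, not a real IoC
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"  # autostart location


@dataclass
class Event:
    kind: str       # net_connect | file_write | proc_create | reg_set
    proc: str       # image name of the acting process
    target: str     # host, file path, spawned image path or registry key
    meta: dict = field(default_factory=dict)


def analyse(trace):
    """Return findings for the document's process tree; empty list means nothing fired."""
    findings = []
    doc_tree = set(READER_PROCS)   # grows as the document spawns children
    downloaded = {}                # lower-cased path -> host it was fetched from
    for ev in trace:
        if ev.proc.lower() not in doc_tree:
            continue               # activity outside the document's tree is ignored
        target = ev.target.lower()
        if ev.kind == "net_connect" and target in KNOWN_BAD_HOSTS:
            findings.append(f"{ev.proc} connected to known-malicious host {ev.target}")
        elif ev.kind == "file_write" and ev.meta.get("source") == "network":
            downloaded[target] = ev.meta.get("host", "unknown host")
        elif ev.kind == "proc_create":
            child = PureWindowsPath(target).name
            doc_tree.add(child)
            if target in downloaded:   # correlate the write with the later execution
                findings.append(f"{ev.proc} downloaded {child} from {downloaded[target]} and executed it")
            else:
                findings.append(f"{ev.proc} spawned {child}")
        elif ev.kind == "reg_set" and target.startswith(RUN_KEY):
            findings.append(f"{ev.proc} installed {ev.meta.get('value', '?')} as a Run-key autostart")
    return findings


# Constructed trace: the document fetches a payload, runs it, and the payload persists and beacons.
SAMPLE_TRACE = [
    Event("net_connect", "WINWORD.EXE", "cdn.example"),
    Event("file_write", "WINWORD.EXE", r"C:\Users\u\AppData\Local\Temp\up.exe",
          {"source": "network", "host": "cdn.example"}),
    Event("proc_create", "WINWORD.EXE", r"C:\Users\u\AppData\Local\Temp\up.exe"),
    Event("reg_set", "up.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          {"value": r"C:\Users\u\AppData\Local\Temp\up.exe"}),
    Event("net_connect", "up.exe", "malicious.example"),
    Event("net_connect", "explorer.exe", "malicious.example"),   # unrelated process: ignored
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRACE):
        print("ALERT:", finding)
```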

However, when monitoring a document for malware, legacy solutions can only analyze a fraction of what the malware is actually doing. This is because they can only see the function calls the malware makes to the operating system – like when a file is opened, or when a connection to the network is requested. Legacy systems can’t see what’s going on inside the malware between operating system calls.

Likewise, legacy malware detection solutions are unable to see what’s going on inside the operating system, or in the kernel that the operating system relies on. So if there’s a rootkit present (malicious code in the kernel), legacy systems have absolutely no way to see what’s actually going on. They can only see the calls that the malware makes to the operating system, not what is going on in those calls, or between them. If a rootkit does something different than what the operating system expects the kernel to do, the anomaly will not be detected.

Lastline is not subject to these weaknesses when performing dynamic analysis. This is because it isn’t limited to just monitoring the calls between the malware and the operating system. Lastline has full visibility into the actual code instructions as they are being executed in the CPU. So it can see and evaluate every single instruction the malware performs, as well as everything the operating system and kernel do. Any abnormalities can be seen and therefore detected.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive-level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media, where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.