With the latest 2.5.0 release of Cyber Triage, users get access to enterprise-grade malware scanning from ReversingLabs. This service provides more accurate scan results and is not typically available to incident responders, who tend to only need malware scanning a few times a week.
We’ll focus on the new malware scanning in this blog, but other enhancements in this release include:
- Improved resiliency when corrupt event logs are encountered
- Improved performance when domain names can’t be resolved
- Improved Prefetch parsing
Malware Scanning in Cyber Triage
Cyber Triage collects many executable files from the endpoint being investigated, such as the programs that users ran and startup items. Those files need to be analyzed for malware.
If the malware scanning add-on is purchased, Cyber Triage uploads the files to a malware scanning service and uses the results to score the file.
ReversingLabs analyzes executables with over 40 engines, performs static and dynamic analysis, and applies its own scoring algorithm to the file. Based on the results, it can also identify the family of malware that the file is associated with.
The quality of the engines that ReversingLabs use and its scoring algorithm mean that Cyber Triage users will have:
- Fewer false positives about suspicious executables
- More true positives because it includes engines with advanced detection capabilities
In our evaluation, we also found that ReversingLabs had a very large number of files that were already analyzed. This means that Cyber Triage can now get more results by simply querying for the file’s SHA1 hash value without needing to upload file content.
Up until now, the ReversingLabs functionality has not been available to a typical incident response team. ReversingLabs is an enterprise vendor that licenses to large companies that scan thousands of files and attachments every day. Incident response teams at smaller companies have very different needs. They will have a bursty and immediate need for malware scanning. They may not need the feature at all one week and then need it a lot for only a couple of days.
Cyber Triage users who purchase the malware scanning add-on can query 5,000 file hashes and upload 500 files per week at an affordable per-user price (email firstname.lastname@example.org for a quote). Larger daily limits are provided for Team users that integrate Cyber Triage with orchestration systems.
Try It Out
If you are already a Cyber Triage premium user, you’ll start getting the ReversingLabs benefits when you upgrade to 2.5.0. If you aren’t a user yet, download an evaluation copy by filling out the form. You’ll get a link to download the software and try it out for 7 days.