Cyber Triage finds malware using 40+ scanning engines from ReversingLabs.
Malware is used at some point in nearly every intrusion: it lets the attacker harvest passwords, maintain a foothold, or encrypt data.
Because no single detection engine is perfect, querying over 40 engines gives you a broad set of opinions on whether a file is good or bad, rather than a single vendor's verdict.
Scan Every Executable
The Cyber Triage malware forensics tool will copy many executable and library files from the investigated host. This includes files associated with running processes, startup items, and previously launched programs.
You control how that data is analyzed. For example, you can look up existing detection results by the file's hash, which works when someone has already submitted that file and results exist, or you can upload the file contents and let the engines analyze it. A hash lookup discloses only the hash; a content upload discloses the file itself.
Many responders have heard horror stories of uploading malware to a public service and revealing an attack to the world.
The Cyber Triage service is different:
- When files are uploaded, they are sent to a private repository. The general public cannot see the results; only other Cyber Triage customers who query the same hash value can see them.
- Only PE-format executable and library files are uploaded. PDF and Office documents are not, which limits the risk of exposing PII, since documents are far more likely than binaries to contain personal data.
You control how the service is used. Even with the above safeguards, you can choose never to upload files, and we offer special licenses that block uploads entirely if your policy requires it.
Some DFIR labs are air-gapped and cannot query the online service directly. To support those labs, Cyber Triage offers a manual hash-lookup workflow:
- Cyber Triage exports the hash values of the files collected from the host to a text file.
- The investigator copies that text file to an Internet-facing computer and uploads the hashes to a website.
- The investigator receives a text file of results and copies it back into Cyber Triage.
Only hash values cross the air gap in this workflow, never file contents.
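The following is an added example, not Cyber Triage's own code, showing the two ideas behind the workflow above: only PE-format files are candidates for scanning, and only their hashes need to leave an air-gapped lab. It identifies PE files by their headers (an assumption: the page does not say how Cyber Triage selects executables), writes a one-hash-per-line text file to carry out of the lab, and parses a constructed tab-separated response file back into verdicts. The hash-list and response formats, the sample files, and the `demo()` helper are all assumptions made for illustration.

```python
"""Air-gapped hash-lookup helper (added example; formats are assumptions)."""
import hashlib
import struct
import tempfile
from pathlib import Path

# Constructed sample inputs: a minimal PE-shaped file and a plain text file.
# DOS header 'MZ' ... e_lfanew at 0x3C pointing to 0x40, where 'PE\0\0' sits.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
FAKE_TXT = b"not an executable"
FAKE_PE_SHA256 = hashlib.sha256(FAKE_PE).hexdigest()


def is_pe_file(data: bytes) -> bool:
    """True if data looks like a PE image: 'MZ' DOS header and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def file_hashes(path: Path) -> dict:
    """Stream the file once and return MD5, SHA-1 and SHA-256 hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def build_hash_list(root: Path) -> list:
    """Walk root, keep only PE files, return sorted unique SHA-256 hashes.
    Reads the first 4 KiB to locate the PE signature; real e_lfanew values
    are far smaller than that."""
    hashes = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        with p.open("rb") as f:
            head = f.read(4096)
        if is_pe_file(head):
            hashes.add(file_hashes(p)["sha256"])
    return sorted(hashes)


def parse_results(text: str) -> dict:
    """Parse an assumed 'sha256<TAB>verdict<TAB>detections/engines' response."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, verdict, ratio = line.split("\t")
        hits, total = (int(x) for x in ratio.split("/"))
        results[digest.lower()] = {"verdict": verdict, "hits": hits, "engines": total}
    return results


def demo() -> dict:
    """Build a constructed sample directory, produce the outbound hash list,
    then import a constructed response file as the investigator would."""
    root = Path(tempfile.mkdtemp(prefix="airgap_"))
    (root / "svchost_copy.exe").write_bytes(FAKE_PE)   # PE: hashed
    (root / "notes.txt").write_bytes(FAKE_TXT)         # not PE: ignored
    (root / "report.pdf").write_bytes(b"%PDF-1.4 ...")  # document: ignored
    hash_list = build_hash_list(root)
    outbound = root / "hashes.txt"
    outbound.write_text("\n".join(hash_list) + "\n")
    # Constructed response in the assumed format; the real file format is not on the page.
    response = "# sha256\tverdict\tdetections/engines\n" + f"{FAKE_PE_SHA256}\tmalicious\t37/42\n"
    return {"hash_list": hash_list, "outbound_file": str(outbound), "results": parse_results(response)}


if __name__ == "__main__":
    print(demo())
```

Filtering on the PE header rather than the file extension matters because renamed payloads (`.tmp`, `.dat`) are common, and it keeps documents, which are the likelier PII carriers, out of the hash list altogether.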
Malware Scan Limits
Cyber Triage licenses include a limited number of malware scans, enforced either daily or weekly. For example, a Standard license may allow 5,000 lookups per week, and a Team license 4,000 lookups per day, meaning the software can query up to 4,000 hash values in a given day and further queries must wait until the next day.
Hash lookups and full-file uploads (which trigger a fresh scan by the 40+ engines) have separate limits. For example, a Team license may allow only 400 uploads per day.
Results are cached in your Cyber Triage database, so if you encounter the same file again the earlier results can be reused. However, Cyber Triage may choose to fetch updated results when the file was new at the time of the first lookup, because engines often revise their verdicts on recently seen files.