
Cloud Protection

Need for Cloud Malware Analysis

Traditional methods of malware discovery focus on either signature analysis or heuristics. However, such analysis is limited:

  • to the information currently available to the engine on the client side
  • by client machine’s resource and performance constraints.


Zoral Labs' cloud-based malware protection software protects the user's PC using a combination of local and cloud mechanisms. A policy-based suspicious-behavior detector in the client-installed software automatically determines which files should be analyzed for malware and submits the behavior of those suspicious files for analysis. Behavior analysis is performed in the cloud by a grid of powerful servers using a combination of sophisticated artificial intelligence (AI)-based methods. When the analysis is complete, the result is returned from the cloud to the user's PC as a black or white list update. Our complementary security product on the client side blocks malware using:

  • A local antivirus engine
  • Black lists controlled and updated by the cloud


Cloud-based malware protection mechanisms aim to keep the time between submission of suspicious behavior and the resulting list update to a minimum.

A combination of traditional antivirus and cloud protection methods provides significantly better accuracy and coverage, and a minimal response time from the emergence of a new threat to protection against it. By employing automated cloud-based community-analysis tools, a malware attack wave can be detected and effectively blocked or prevented.

Architecture

The solution consists of a client part and a cloud / server grid part. The client part consists of:

  • Monitoring SDK (MSDK)
  • Antivirus Engine
  • Client Service, which orchestrates behavior collection, malware scanning and communication
  • GUI


The client part contains both user-mode and kernel-mode components.

The cloud / server grid part is comprised of:

  • Highly scalable communications infrastructure
  • Management Console
  • Distributed Storage
  • Artificial Intelligence (AI) / Machine Learning (ML) analysis infrastructure


MSDK

The Monitoring SDK intercepts potentially suspicious vectors of behavior and events. Which events are monitored depends on the supplied policy.

Service

The client runs as a Windows service. The service monitors and captures events and suspicious behavior from the MSDK, and maintains communication with the cloud infrastructure.

Communications

The client communicates with the cloud in several ways:

  • Receives commands
  • Receives the encrypted AV database, policy updates and black/white list updates
  • Sends status updates
  • Uploads encrypted suspicious behavior vectors
  • Uploads suspicious binaries


Management Console

The Management Console allows efficient, highly scalable, encrypted remote control of the clients. Remote control allows changing system parameters and licenses. The Management Console can display details about every client in the system as well as summary information and metrics.

Upload System

The upload system is designed to minimize bandwidth utilization by reusing common pieces of binaries. When a file has to be uploaded to the service, it is located on as many clients as possible, and only those parts that are missing on the server side are sent, which minimizes traffic. The upload system also has a bandwidth limit which ensures that a client's upload bandwidth consumption does not exceed a predefined value.
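The chunk-reuse upload described above, as an added example that is not Zoral's code: it assumes fixed-size chunking and SHA-256 chunk identifiers (the page does not say how pieces are identified), a hypothetical in-memory server store, and a per-round byte budget standing in for the bandwidth limit. Only chunks the server reports as missing are sent, and a run that hits the budget stops cleanly so a later round resumes with just the remaining chunks.

```python
import hashlib

CHUNK_SIZE = 4  # tiny on purpose, so the constructed samples below split into several chunks


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Split a binary into fixed-size chunks; return ordered (sha256_hex, chunk_bytes) pairs."""
    return [(hashlib.sha256(data[i:i + chunk_size]).hexdigest(), data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


class ServerStore:
    """Hypothetical server side: content-addressed chunk store plus per-file manifests."""

    def __init__(self):
        self.chunks = {}     # chunk sha256 -> chunk bytes
        self.manifests = {}  # file sha256 -> ordered list of chunk hashes

    def missing(self, hashes: list) -> list:
        """Answer the client's query: which of these chunk hashes does the server not hold?"""
        return [h for h in dict.fromkeys(hashes) if h not in self.chunks]

    def reassemble(self, file_hash: str) -> bytes:
        """Rebuild a completed upload from its manifest (used here to check correctness)."""
        return b"".join(self.chunks[h] for h in self.manifests[file_hash])


def upload(server: ServerStore, data: bytes, budget_bytes: int) -> tuple:
    """Client side: send only chunks the server lacks, never exceeding budget_bytes.

    Returns (bytes_sent, complete). complete is False when the budget ran out;
    chunks already sent stay on the server, so the next round sends only the rest.
    """
    pieces = chunk_hashes(data)
    manifest = [h for h, _ in pieces]
    by_hash = dict(pieces)
    sent = 0
    for h in server.missing(manifest):
        if sent + len(by_hash[h]) > budget_bytes:
            return sent, False              # bandwidth cap reached for this round
        server.chunks[h] = by_hash[h]       # upload the single missing chunk
        sent += len(by_hash[h])
    # Every chunk is now present: register the file's manifest so it can be reassembled.
    server.manifests[hashlib.sha256(data).hexdigest()] = manifest
    return sent, True
```

Two constructed binaries that share a prefix cost 16 bytes for the first and 4 for the second; a production design would also authenticate the client before answering `missing`, since that query reveals whether the server already holds a given piece.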

THAC

The Threat Analysis Console (THAC) is a web application for convenient analysis of binaries (threats), and for search, visualization and management of threats, files and clients. The tool is useful for virus analysts, for closed-loop false-positive management, and for analysis of potential false-positive reports from end users.

GUI

Scan functionality:

Cloud protection settings:


For more information please contact us at: sales@zorallabs.com