ECAT

ECAT is an enterprise malware threat detection and response solution that quickly enables you to detect, monitor and protect your environment from undesirable software and the most elusive malware — including deeply hidden rootkits, Advanced Persistent Threats (APTs), Metasploit’s Meterpreter and viruses.
ECAT Feature Summary:
Agent
- Custom low-level access parsers for disk, memory access, registry access
- Live code integrity check to find malware code hiding in trusted applications
- Internal structures and code validation (SSDT, IAT/EAT, IDT, DKOM, inline hooks, etc.)
- Remote memory dumps compatible with the Volatility memory forensics framework
- Recognition of abnormal network communication patterns
- Active tracing of network connections, module loading, file and registry access
- Small disk footprint
- SSL encrypted communications authenticated through certificates
Server
- Integration with OPSWAT Metascan using 6 or more different antivirus engines
- External code signing validation. The certificate chain and root authorities are validated at the server level to avoid being fooled at the workstation level
- Enterprise environment correlation to quickly find all instances of malware running among thousands of machines
- Complete and easy to use file and memory whitelisting system
- Built-in monitoring and alerting system
- Built-in reporting and exporting system to standard industry formats
- NIST, NSRL and Bit9 GSR integration for whitelisting
The ECAT workflow to find unknown malware in large environments is:

1. Deploy and Scan
The ECAT agent is a self-contained executable to be deployed on servers and workstations that you want to assess. It cohabits peacefully with existing security solutions.
Once deployed, the agent reports to a centralized ECAT server from which it receives instructions. When a scan is requested, the agent uses a set of low-level functions to inventory all running processes and drivers, then runs a number of checks to identify behavior associated with malware.
Among these checks, the agent validates Windows kernel internal structures, searches for signs of malware trying to conceal its presence, scrubs the memory for Metasploit traces and validates integrity of key kernel and user modules.
2. Assess

The information gathered during the scan process is sent to a centralized server for analysis. Unknown files are automatically downloaded from the scanned computers and run through OPSWAT Metascan Antivirus to find viruses missed by the corporate antivirus solution.
The ECAT console presents the operator with a complete view of the scanned computers along with a machine suspect level (MSL) indicator for identifying which computers should be investigated first.
Whenever possible, ECAT correlates a suspicious behavior with its author: a driver, a process, a DLL or a memory block (floating code). ECAT then displays contextual intelligence about the author:
- Metadata: file time, file size, file attributes, MD5
- Code signing information and validation
- Correlation across the environment
- Bit9 threat level
- Known anomalies database correlation
A suspicious module can be whitelisted, blacklisted or graylisted by the operator. Once categorized, the module is then considered as such for the whole environment. The operator can also add a comment to be later included in the report.
To accelerate the whitelisting process we recommend performing a scan of a clean computer (usually from a standard enterprise image) as a baseline.

3. Monitor
The ECAT agent can be configured to perform a scan at select time intervals.
When a change occurs, the Machine Suspect Level (MSL) of the affected computer rises and the operator can quickly pinpoint the cause. Recurring assessments flag newly installed executables and newly introduced malware.
ECAT does not block new applications from executing. Maintenance scans can therefore be run multiple times per day for only a few minutes at a time.
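The three-step workflow above (baseline a clean image, correlate unknown modules across the environment, categorize them and watch the MSL move on rescans) is easy to lose in prose. The following is an added, self-contained Python model of that server-side logic; it is illustration written for this page, not ECAT's code, and its scoring weights, the `Console` class, the hash-to-path inventory format and the sample hosts are all assumptions constructed for the example.

```python
"""Toy model of an ECAT-style assess/monitor loop.

Assumptions (not ECAT's real design): each agent reports an inventory as
{module_hash: module_path}; the server keeps one category per hash
(white/black/gray); the machine suspect level (MSL) is a plain sum of
per-module weights, where rare unknown modules score higher than common ones.
"""
from typing import Dict, List, Set, Tuple

# Assumed weights for illustration only.
WEIGHT_BLACKLIST = 50
WEIGHT_GRAYLIST = 5
WEIGHT_UNKNOWN_RARE = 10     # unknown module seen on exactly one machine
WEIGHT_UNKNOWN_COMMON = 3    # unknown module seen on several machines

# Constructed sample data: hashes are placeholders, not real file digests.
CLEAN_IMAGE: Dict[str, str] = {
    "h-explorer": r"C:\Windows\explorer.exe",
    "h-ntdll": r"C:\Windows\System32\ntdll.dll",
}
HOSTS: Dict[str, Dict[str, str]] = {
    "ws-01": dict(CLEAN_IMAGE),
    "ws-02": {**CLEAN_IMAGE, "h-drop": r"C:\Users\Public\svchost.exe"},
    "ws-03": {**CLEAN_IMAGE, "h-drop": r"C:\Users\Public\svchost.exe",
              "h-rare": r"C:\ProgramData\upd.dll"},
}


class Console:
    """Server-side state: categories, operator comments, per-host inventories."""

    def __init__(self) -> None:
        self.category: Dict[str, str] = {}                  # hash -> white/black/gray
        self.comments: Dict[str, str] = {}                  # hash -> operator note
        self.inventories: Dict[str, Dict[str, str]] = {}    # host -> {hash: path}

    def baseline(self, clean_image: Dict[str, str]) -> int:
        """Step 2 recommendation: whitelist everything on a clean reference image."""
        for h in clean_image:
            self.category[h] = "white"
        return len(clean_image)

    def ingest(self, host: str, inventory: Dict[str, str]) -> None:
        """Store the inventory reported by one agent scan."""
        self.inventories[host] = dict(inventory)

    def prevalence(self, h: str) -> int:
        """Environment correlation: on how many hosts does this hash run?"""
        return sum(h in inv for inv in self.inventories.values())

    def instances(self, h: str) -> List[Tuple[str, str]]:
        """Every (host, path) where the module is present."""
        return [(host, inv[h]) for host, inv in self.inventories.items() if h in inv]

    def categorize(self, h: str, cat: str, comment: str = "") -> None:
        """Operator verdict applies environment-wide, with an optional report note."""
        if cat not in ("white", "black", "gray"):
            raise ValueError(f"unknown category {cat!r}")
        self.category[h] = cat
        if comment:
            self.comments[h] = comment

    def module_score(self, h: str) -> int:
        cat = self.category.get(h)
        if cat == "white":
            return 0
        if cat == "black":
            return WEIGHT_BLACKLIST
        if cat == "gray":
            return WEIGHT_GRAYLIST
        # Unknown: a module that exists on a single machine is the rarest, hence most suspicious.
        return WEIGHT_UNKNOWN_RARE if self.prevalence(h) == 1 else WEIGHT_UNKNOWN_COMMON

    def machine_suspect_level(self, host: str) -> int:
        return sum(self.module_score(h) for h in self.inventories.get(host, {}))

    def triage(self) -> List[Tuple[str, int]]:
        """Hosts ordered by MSL, highest first: the 'investigate these first' view."""
        scored = [(host, self.machine_suspect_level(host)) for host in self.inventories]
        return sorted(scored, key=lambda kv: kv[1], reverse=True)

    def rescan(self, host: str, inventory: Dict[str, str]) -> Set[str]:
        """Step 3: a maintenance scan returns hashes new to this host and not whitelisted."""
        previous = set(self.inventories.get(host, {}))
        self.ingest(host, inventory)
        return {h for h in set(inventory) - previous if self.category.get(h) != "white"}


def demo() -> Console:
    """Baseline the clean image, then ingest the constructed host inventories."""
    console = Console()
    console.baseline(CLEAN_IMAGE)
    for host, inv in HOSTS.items():
        console.ingest(host, inv)
    return console


if __name__ == "__main__":
    c = demo()
    for host, msl in c.triage():
        print(f"{host}: MSL={msl}")
    print("h-drop seen on:", c.instances("h-drop"))
```

With the constructed data, ws-03 tops the triage list because it carries one module shared only with ws-02 plus one module nobody else has; once the operator blacklists the shared module, both hosts' MSL jumps and a later rescan of ws-01 surfaces only the executable that was not on the baseline image.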