Malware Analysis Appliance (MAA) IntelliVM analysis process explained

book

Article ID: 168399

calendar_today

Updated On:

Products

Malware Analysis Software - MA

Issue/Introduction

This article explains how the iVM analysis process works and why some samples take longer to finish processing than others

Resolution

When a sample binary is sent to the intelliVM task queue, the next available intelliVM (iVM) will be started up. The sample will be copied into the virtual machine, and the analysis process starts by executing the sample through a script.

At that point the watchdog timer is set to keep the iVM running for 60 seconds (default) or the amount of time specified by the user.  The analysis process ends when either the watchdog timer reaches the timeout, or when the sample and all processes started by that sample or process injected into the iVM by that sample terminate.  The latter may cause the analysis time to be much quicker than 60 seconds.

When the Watchdog timeout is reached, processing stops abruptly. There is no flag set if the full time is reached, but the execution time can be queried. All events captured until this moment will be post processed and run through the pattern matching engine that will determine the risk score. The overall risk score of a task is assigned from the highest matching behavioral pattern.
 
A sample not running 60 seconds is not really less reliable or accurate. It's job might have been to setup persistence and a Command&Control (C2) channel and then exit. Likewise a sample going for 60 seconds could be less accurate. It might sit in memory for an hour or a specific event occurs before taking action.
 
The accuracy for a true positive is based on malicious activity occurring inside the 60 seconds time window that the MAA has a pattern for. If that occurs, MAA gives you reliable results. If the sample doesn't act malicious on the host within the 60 seconds, there may not be any valuable results. While you could run the sample for several more minutes, this is not a practical option for high sample volume automated analysis, as the required resources occupied would increase by orders of magnitude.

This is why Blue Coat combines products like the Content Analysis System (CAS) and the Security Analytics Platform (SA) With MAA. CAS filters out known bad/malicious files, and SA allows for finding malicious network activities that will happen outside of a local machine.