File Reputation Service
Threat Intelligence Cloud
Key Features
- 1Industry’s most comprehensive, curated and private source of threat intelligence and reputation data on files: both goodware and malware: approaching 3 billion unique samples
- 2Powerful REST query functions enable triage and on-going analysis and remediation by SOC/CIRTs as well as deep enrichment of results identified via other deployed security solutions
- 3Available as a cloud-based solution and/or an on-premises appliance for highly-secured or air-gapped environments
- 4Provides both identification of new threats as well as continual re-scanning of all samples to expose historical perspective and threat family provenance
Overview
The ReversingLabs TitaniumCloud File Reputation service provides the industry’s most comprehensive source for threat intelligence and reputation data on files. It contains up-to-date reputation and internal analysis information on over 2.5 billion goodware and malware files. It identifies files and provides rich information about their internals and contents. Every sample is processed using the ReversingLabs 
engine to extract all contained objects and their internal Proactive Threat Indicators (PTI)s. The samples are recursively unpacked, decompressed, decrypted and de-obfuscated. The PTIs extracted from the resulting components include format, format validation, strings, sections and certificate chains. Malware samples are continually reanalyzed for the most up-to-date file reputation status. Their detection history is stored in the TitaniumCloud database.
Powerful query functions are accessed over the Internet or locally on a T1000 File Reputation Appliance through a high performance REST Interface or a GUI. The TitaniumCloud service uses a proprietary NoSQL database optimized to support advanced search and record updates across billions of file records in milliseconds.
Threat intelligence and reputation data on files
- Blacklist - 800+ million malware samples
- Whitelist - 1.7+ billion known goodware samples
- Over 10 million file reputation updates per day
Over 3000 PTIs per file
- Indicators include file reputation, malware family classification and detailed internal information
- File source information and trust factor for all goodware samples
- Rich historic anti-virus scan data
- Malware repository samples are continually reanalyzed for the most up-to-date file reputation status
Query Services
- Search for files by hash or anti-virus detection name
- Hunt for files belonging to a single malware family
- Hunt for functionally similar samples identified with the ReversingLabs Hashing Algorithm (RHA)
- Receive alerts on file reputation changes
- Bulk queries supports multi-file searches
Performance Scales To Meet Stringent Requirements
- Elastic and scalable daily query capacity
- Optional on-premises appliance with database instance for low latency access and privacy
Proactive Indicators
- File reputation and malware classification data
- File validation and repair data
- Format and file metrics
- Embedded files and Parent archives with sources
- Embedded domains, IP Addresses, IRC handles, spam dictionaries and URLs
- Full certificate data chain - Authenticode, Java Certificates. Mozilla Certs Apple/Android/Symbian
- PE/ELF/Mach-O/DEX/SWF/PDF imports, exports, and resources
- Section names, sizes and hashes
- Relative and full install paths
- Registry entries, file type, architecture, language, icons, compile dates
- Embedded strings for packed and unpacked files
Anti-virus scan data
- Anti-virus scan records from our malware repository: malware samples are continually reanalyzed for the most up-to-date file reputation status
REST Web Services Over the Internet
Customer applications access TitaniumCloud using a REST Web Services API over the Internet. Results are returned in JSON or XML format.
On-Premises T1000 File Reputation Appliance
The T1000 File Reputation Appliance provides a high performance, low latency solution for high volume, automated applications. The appliance maintains a local copy of the TitaniumCloud database on a customer's premises that is updated in real-time over the Internet or can be ‘manually’ updated in air-gapped networks.
TitaniumCloud provides multiple APIs and Feeds that automate processing, analysis and threat status information gathering on single or bulk samples. For a full list of APIs and details contact us. Some examples follow:
File Reputation APIs:
- File Reputation Details (Whitelist and Blacklist)
- File Reputation Change on tracked samples
- Return all Malware Family Members
- Return functionally similar files (RHA)
Threat Feeds:
- Exploits with CVE
- Linux, MacOS and Android Malware
- IP/Domains present in Malware
- APT threats
- Malware Targeting Financial Services, Retail, Healthcare, Oil&Gas, etc.
