Manual Static Analysis
- Hours / file
- Tool intensive – disassemblers
- Advanced expertise required
- Time wasted on repetitive sample unpacking and indicator extraction tasks
Active File Decomposition
- Milliseconds / file
- Pre-Execution analysis
- Identifies over 3500 format families
- Complete file analysis
- Comprehensive (3K+ Indicators)
- Windows, Linux, Mobile, Documents...
- Cloud assisted Classification
- Advanced Rules
- YARA & Third Party module support
Dynamic Analysis
- Minutes / file
- Sample controls the analysis
- Easy evasion by malware
- Incomplete view of capabilities
- Limited file types
- Only control flow examined
Here's how it works
Active File Decomposition (AFD) combines an array of automated analysis technologies into a ground-breaking solution for detecting and analyzing threats within files. The approach starts with the industry's fastest and most advanced automated static analysis engine, which identifies, de-archives, de-obfuscates and unpacks the underlying object structure (e.g. embedded executables, libraries, documents, resources, icons) and extracts over 3000 Proactive Threat Indicators (PTIs) from the unpacked files. An integrated rules engine classifies the results to calculate the threat level and to route the extracted files for further analysis. Extracted files are repaired so that they can be unpacked further or analyzed with a sandbox, decompiler or debugger. The Proactive Threat Indicators can be stored in a database for subsequent data correlation, where they help practitioners determine the capabilities and intent of an adversary.
AFD, unlike dynamic analysis, does not execute the file. Instead it extracts all available compressed and obfuscated data from files and fragments, whether executable or not and whether damaged or not. AFD can screen and pre-process samples to make analysts, traditional analysis tools and automation workflows significantly more efficient and effective. Because the samples are never executed, the process can identify and decompose files of any type in milliseconds, regardless of their target OS or platform. It thus overcomes the shortcomings of dynamic analysis while not being subject to the virtualization and sandbox evasion techniques that dynamic analysis faces. Because AFD is extremely lightweight, it scales easily to process hundreds of thousands of files daily in real time.
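A toy version of the pipeline described above (identify format, de-archive recursively without executing anything, extract indicators, classify with rules), added here as an illustration and not the product's own code. The magic-byte table, the indicator types, the rule thresholds and the nested zip sample are all constructed for the example; a real engine would cover thousands of formats and indicators.

```python
# Toy pre-execution decomposition pipeline: identify format, de-archive
# recursively, extract indicators, classify with rules. Nothing is executed.
import io
import re
import zipfile

MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"), (b"\x7fELF", "elf")]
SUSPICIOUS_APIS = (b"CreateRemoteThread", b"VirtualAllocEx", b"URLDownloadToFile")

def identify(data: bytes) -> str:
    """Format family from leading bytes (a handful here; the page claims 3500+ families)."""
    return next((name for sig, name in MAGIC if data.startswith(sig)), "unknown")

def extract_indicators(data: bytes) -> set:
    """Hypothetical indicator set: plain-text URLs and injection-related API names."""
    urls = {"url:" + u.decode() for u in re.findall(rb"https?://[\w./-]+", data)}
    apis = {"api:" + a.decode() for a in SUSPICIOUS_APIS if a in data}
    return urls | apis

def decompose(data: bytes, path: str = "root", depth: int = 0) -> list:
    """Return [(path, format, indicators)] for the object and everything nested in it."""
    fmt = identify(data)
    results = [(path, fmt, extract_indicators(data))]
    if fmt == "zip" and depth < 8:  # depth cap: nested-archive bombs must not recurse forever
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= 10_000_000:  # size cap against decompression bombs
                    results += decompose(zf.read(info), f"{path}/{info.filename}", depth + 1)
    return results

def classify(results: list) -> str:
    """Toy rules engine: threat level from the union of indicators over the whole tree."""
    inds = set().union(*(r[2] for r in results))
    kinds = {i.split(":")[0] for i in inds}
    if {"url", "api"} <= kinds:
        return "malicious"
    if inds or any(r[1] == "pe" for r in results):
        return "suspicious"
    return "benign"

def build_sample() -> bytes:
    """Constructed input: zip -> zip -> fake PE carrying a URL and an injection API name."""
    fake_pe = b"MZ" + b"\0" * 64 + b"http://example.invalid/stage2\0VirtualAllocEx\0"
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update.exe", fake_pe)
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.zip", inner.getvalue())
        zf.writestr("readme.txt", b"plain text, nothing here")
    return outer.getvalue()
```

Running `classify(decompose(build_sample()))` walks the nested archive down to the fake executable and returns "malicious", although neither the URL nor the API name is visible in the outer file before unpacking.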