6 Malware detection services: What are the features of the technology and tools used?
Last update: 2022-01-19
For those who want to prevent infection by unknown malware targeting their company and protect their information assets, this article explains the features of the technologies and tools used for malware detection and how to select a malware detection service that uses them.
What is malware detection?
Malware detection means detecting, as early as possible, malware that attempts to intrude and infect via various routes, so that infection can be prevented beforehand or, if it has already occurred, the damage can be minimized. It is usually realized through multilayered defense, which combines the multiple anti-malware technologies and methods described in the following sections.
What is malware?
Before going into specific countermeasures, here is a brief explanation for those who want to confirm what malware actually is.
Malware is a general term for malicious programs created to cause some kind of harm to IT equipment and networks, such as viruses, worms, Trojans, and spyware. Malware also includes programs such as "bots", which normally do nothing after infecting a machine and become active only when they receive orders from outside, and "adware", whose purpose is to display specific advertisements on a user's PC.
When people hear "malicious program", many picture a user carelessly downloading and running unauthorized software. However, there are many other intrusion and infection routes. Opening a file attached to a suspicious email, or being attacked through a vulnerability in software such as the OS or server software, frequently leads to malware infection. If the web browser is vulnerable, a machine may be infected simply by accessing a particular website.
Technology and tools for malware detection
There are various security technologies and mechanisms that can be used for malware detection, but the four main ones are:
(1) Virus countermeasures software
Antivirus software basically holds, in advance, the characteristic patterns found in the program code that makes up malware as a detection database (called a "pattern file", "signature", "definition file", and so on), and detects malware by the "pattern matching method", which checks whether a file under inspection contains a match. For this reason, there is a risk of missing unknown malware that is not registered in the detection database, as well as malware that takes over a PC by exploiting a software vulnerability.
In particular, cyber attacks targeting specific companies and organizations, called "APT (Advanced Persistent Threats)", have been increasing recently, and it is not unusual for malware customized for the target to be used in such attacks. Targeted attacks generally use malware-laden emails disguised as messages from within the company or from business partners, but some attackers take over a website that is frequently accessed from PCs inside the target company and plant malware there. There are even very sophisticated methods, such as serving the malware and infecting the visitor only when the site is accessed from the target organization.
In addition, damage from malware called "ransomware", which encrypts the files on an infected system so that they cannot be used and demands an exorbitant payment to undo the encryption, is increasing rapidly.
Of course, when carrying out such an attack, the attacker (hacker) confirms during the malware development process that it cannot be detected by common antivirus software. For this reason, it is safer to assume that antivirus software is almost useless against malware sent to a company in earnest (although it is still necessary for blocking known malware). This is why multilayered defense is necessary for malware detection and countermeasures.
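The limitation described above, as an added example that is not code from the page or from any vendor it names: a minimal pattern-matching scanner with a constructed definition file. A known sample is caught by its exact pattern and hash, a lightly customized variant is caught only by a looser regex signature a vendor might add later, and a rebuilt variant with the marker string replaced passes through entirely. All signature names, byte patterns and samples are invented for illustration.

```python
# Added example (not code from the page or any vendor it names): a minimal
# pattern-matching scanner of the kind the section describes. Signature
# names, byte patterns and sample files are all constructed for illustration.
import hashlib
import re

# Constructed "definition file": exact byte patterns, as in a classic
# pattern file, plus one looser regex pattern a vendor might add after
# seeing a variant, plus one whole-file hash.
EXACT_SIGNATURES = {
    "Constructed.Dropper.A": b"\x4d\x5a\x90\x00DROPPER_v1\x00",
    "Constructed.Bot.B": b"cmd=beacon;host=",
}
REGEX_SIGNATURES = {
    "Constructed.Dropper.A.gen": re.compile(rb"DROPPER_v[0-9]+\x00"),
}
KNOWN_SAMPLE = b"\x4d\x5a\x90\x00DROPPER_v1\x00payload"
HASH_SIGNATURES = {
    "Constructed.Dropper.A": hashlib.sha256(KNOWN_SAMPLE).hexdigest(),
}

# Constructed samples: a variant with only the version string changed (the
# kind of per-target customization the text describes), a rebuilt variant
# with the marker string replaced, a clean file, and a beacon-style request.
VARIANT_SAMPLE = b"\x4d\x5a\x90\x00DROPPER_v2\x00payload"
REBUILT_SAMPLE = b"\x4d\x5a\x90\x00LOADER_x7\x00payload"
CLEAN_SAMPLE = b"\x4d\x5a\x90\x00hello world\x00"
BEACON_SAMPLE = b"GET /?cmd=beacon;host=pc-07 HTTP/1.0"


def scan_bytes(data: bytes) -> list:
    """Return the sorted names of all signatures that match data."""
    hits = set()
    digest = hashlib.sha256(data).hexdigest()
    for name, known_digest in HASH_SIGNATURES.items():
        if digest == known_digest:
            hits.add(name)
    for name, pattern in EXACT_SIGNATURES.items():
        if pattern in data:
            hits.add(name)
    for name, regex in REGEX_SIGNATURES.items():
        if regex.search(data):
            hits.add(name)
    return sorted(hits)


def is_detected(data: bytes) -> bool:
    """True if any signature in the constructed database matches."""
    return bool(scan_bytes(data))


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("rebuilt", REBUILT_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label:8s} detected={is_detected(sample)} hits={scan_bytes(sample)}")
```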
(2) Firewall and IDS/IPS
Firewalls and IDS/IPS (Intrusion Detection/Prevention Systems) are security appliances that allow only legitimate communication and block suspicious communication that leads to attacks and intrusions; they can also be used for malware detection and defense by identifying and blocking communication patterns specific to malware.
However, unlike antivirus software, they have no function to detect, remove, or track the malware contained in files; they are one of the techniques and tools used to realize multilayered defense.
(3) EDR
What is EDR?
EDR (Endpoint Detection and Response) may be an unfamiliar term, but it is a tool that has recently attracted attention as one of the effective approaches to malware countermeasures. By monitoring and collecting log data from the IT equipment (endpoints) connected to a company's or organization's network, which nowadays includes not only PCs and servers but also smartphones and tablets, it detects signs of malware infection and makes it possible to respond as quickly as possible.
For example, it makes it possible to say: "If access to in-house servers from a specific PC, which is normally rare, increases rapidly, judge that the PC has been infected with malware even if nothing was detected by antivirus software, and block communication from that PC." Analyzing the log data of multiple terminals on the internal network also helps the investigation and analysis needed for follow-up measures, such as finding out which route the malware came in by and how far the infection has spread.
Differences between EDR and conventional countermeasure tools
Malware countermeasures using antivirus software, firewalls, and IDS/IPS are "perimeter measures" intended to stop malware before infection. EDR, on the other hand, is based on the fundamentally different concept of "preventing the spread of infection": sensing the fact of infection as early as possible and minimizing the damage. Combining both improves the chances of detecting and defending against malware.
Systems such as EDR appeared because malware technology has advanced to the point where it is difficult to keep preventing infection, and investing endlessly in prevention alone has its limits. The underlying idea is that "one must assume malware will slip through and infect machines, and prepare to keep the damage minimal when it does."
Conventional tools such as antivirus software are, in contrast to EDR, collectively referred to as EPP (Endpoint Protection Platform). EPP and EDR are not in conflict; combining them properly improves the chances of detecting and defending against malware.
(4) Sandbox
What is a sandbox?
A sandbox is a concept and mechanism different from the EPP and EDR described above. Suspicious files and programs are placed in a software-isolated "sandbox" (a virtual environment), actually opened and executed there, and malware is detected from their behavior. Because they run in a virtual environment, detection can (at least in theory) be carried out safely without affecting the real environment.
Unknown malware, typified by "Emotet", which arrives as an email attachment and downloads additional malicious programs after infection, can often be detected by sandboxes. In addition, in the virtual environment it is of course also possible to detect known malware with a pattern matching method like antivirus software, and to track post-infection behavior like EDR.
Challenges of sandboxes
Hearing this, security products equipped with a sandbox may sound like an all-purpose tool for malware detection, but it is not that simple. Security appliances and systems equipped with sandboxes are relatively expensive and cannot be introduced everywhere easily, and depending on the company's systems and network configuration, a sandbox may be difficult to use or difficult to deploy.
Even without such problems, various evasion techniques are devised one after another, for example malware that does not run in a virtual environment at all, or that shows no suspicious behavior when simply executed there and misbehaves only when a human performs specific operations, so there is no guarantee that every piece of malware can be detected.
To counter such evasion, next-generation sandboxes that use AI technology to raise detection accuracy have recently appeared, but of course malware with mechanisms to evade them may appear as well. The contest between attackers and defenders is not expected to be settled. In the end, it is necessary to combine tools and technologies other than sandboxes appropriately and take multilayered measures.
What is a malware detection service?
A malware detection service is a service that provides a malware detection mechanism and support for countermeasures to companies that find it difficult to build a malware detection system in-house.
Malware detection can be outsourced to a vendor with a large number of highly skilled security personnel. The specific mechanism and the scope of malware detection vary from service to service, but it is common for such services to handle unknown malware that slips past antivirus software and the like.
The malware detection service is suitable for companies with the following needs:
Of course, it is possible to request continuous 24/7, year-round detection by outsourcing malware detection completely, but the price is relatively high, so there seem to be many cases of short-term, spot use for about 1 to 3 months when there is a risk of an attack from outside.
How malware detection services work: mechanisms and methods
As already mentioned, multiple technologies and mechanisms can be used for malware detection, and there are countless variations in how they can be combined. Services vary greatly in the technologies, tools, and coverage that security vendors use.
As an example, in the malware detection service of Ray Aegis Japan (Ray Aegis), malware is detected and analyzed in the four steps shown below.
- Known malware analysis (comparison with known malware and its variants)
- Decompilation analysis (detecting suspicious comments, code snippets, and the like in the source code)
- IP address/URL analysis (checking whether any IP addresses or domain names embedded in third-party program source code are suspicious)
- Dynamic analysis in a sandbox (executing the file in a sandbox; rather than simply running it, AI technology is used to induce malicious behavior in simulation)
This analysis and detection is delivered in the following forms.
- Ray Aegis brings in a sandbox appliance, connects it directly to the equipment under inspection (servers and the like), and checks all files
- A set of IDS and sandbox is lent out; the IDS, connected to a router or switch via a mirror port, is linked with the sandbox appliance so that files flowing over the network are automatically submitted to the sandbox for inspection
In addition to simple malware detection by the installed sandbox appliance, the company's security engineers assess and report the risk based on their expertise, and manual investigation and analysis are available as options. The service period is flexible, from spot detection to continuous detection (renewed every 1 to 3 months).
Delivery forms of malware detection services
Malware detection services are broadly divided into two types by delivery form: on-site and remote monitoring.
On -site type
In an on-site (also called spot or one-shot) service, the security vendor's security engineers and analysts visit the contracting company and directly check whether malware has intruded into the equipment under investigation and the in-house network. It is used when there are signs of an attack from outside, or when targeted attack emails or emails with suspicious attachments have arrived at the company and one wants to search intensively for multiple malware infections.
Remote monitoring type
In a remote monitoring service, agent software is installed on the internal network or on PCs and other endpoints, and malware intrusion is monitored from communication patterns and behavior. If a suspicious communication pattern or the like is found, the security vendor, which monitors remotely, judges whether it is malware and immediately contacts the administrator. At the same time, the security vendor performs analysis, and some services provide a detailed report at a later date.
However, many malware detection services are introduced according to the requirements of the company that wishes to use them, such as its systems, network configuration, scale, and period of use (including 24/7, year-round monitoring). It is common for the number of devices, configuration, settings, and monitoring arrangements to be decided through individual consultation, including fees, and for the service to be provided as a custom-made offering.
For this reason, the distinction between on-site and remote is not very important; what matters is to tell the vendor how you want malware detected and to check whether that can be realized. For example, in the case of Ray Aegis's service mentioned above, both on-site and remote monitoring can be implemented, and the period and other terms can be decided individually.
Major malware detection services
Malware detection service (Ray Aegis Japan Co., Ltd.)
(Source: Malware detection service official website)
A file-based malware detection service that combines static analysis using AI technology with dynamic analysis in a sandbox. It adopts the next-generation sandbox technology of the Taiwanese company CloudCofter to detect malicious code and suspicious communication destinations in files on a system and in program files under development.
Its four-stage detection mechanism of "surface analysis", "static analysis", "IP/URL reputation", and "dynamic analysis" can detect with high accuracy unknown malware that slips past antivirus software and EDR. For malware equipped with sandbox-evasion mechanisms, interactive simulation using AI technology induces the malicious behavior so that the malware can be detected effectively.
It supports detection of unauthorized code not only in the software itself but also in third-party programs and external libraries, which helps prevent "software supply chain attacks", in which malware is introduced through the supply chain by which software is developed and provided. Since the service inspects files, it does not depend on the OS or hardware and also supports files from OSes that are no longer supported.
Besides a one-shot scan service, the service can also be delivered by renting a sandbox appliance for long-term monitoring. Pricing is by individual quote; as an example, for the "one-shot malicious code and malware detection service", which inspects up to 30 files or system images in a single run, renting the sandbox appliance on a yearly basis costs 3 million yen per year (with a separate introduction cost of 600,000 yen, which includes provision of scripts tailored to the user company's environment).
InfoCIC Malware detection service (Infosec Co., Ltd.)
(Source: INFOCIC Malware Detection Service Official Website)
A service that detects malware intrusion via the web and email using the integrated security appliance "FireEye NX Series" (Web MPS) from the U.S. company FireEye, which is equipped with a sandbox, and the "FireEye EX Series" (Email MPS), an email security solution that can detect targeted attacks and the like. Malware that arrives as web content or an email attachment is dynamically analyzed and detected in the sandbox.
The FireEye logs are analyzed, and files suspected to be malware or communications considered to be malware activity are reported on a dedicated portal site or by email. For detected malware, the results of FireEye's analysis are reported along with dynamic analysis at the company's monitoring center. In addition, security-related information and the security incidents detected by the appliances are provided as monthly reports. Pricing is by individual quote.
Modern Malware detection (Broadband Security Co., Ltd.)
(Source: Modern malware detection official website)
A malware detection service that can be used simply by introducing agent software (a service agent), without dedicated, expensive hardware. The company's selling point is that malware detection is realized by combining Lastline's detection technology with Broadband Security's security operations and analysis technology.
Traffic is monitored by a service agent operating on the internal network, and malware-specific communication patterns are detected from a database (fingerprints) and from behavior. There is also a mechanism for analyzing samples that may be unknown malware in a sandbox on the company's cloud infrastructure. The sandbox also supports system call inspection using a proprietary emulator method, and unlike a general sandbox that examines only I/O and communication content, it is effective even against malware that evades sandboxes.
All exchanges related to the service, including transmission of samples to the sandbox, are kept within the company's domestic cloud, which significantly reduces the risk of in-house information leaking overseas. Pricing is by individual quote.
Security Plus Secure Dock (MSS version) (Azgent Co., Ltd.)
(Source: Security Plus Secure Dock Official Website)
A remote monitoring malware detection service. The company's specialized analysts perform 24/7, year-round monitoring at its Security Monitoring Center (SOC). Its feature is a focus on quickly finding unknown malware infections that have slipped past conventional measures and minimizing actual damage.
A dedicated appliance (sensor) lent by the company, "Damballa Network Insight", analyzes communication content, behavior, and files to discover terminals infected with malware. Damballa Network Insight is installed inside the corporate network by connecting it to the mirror port of a LAN switch.
Twelve detection engines collect evidence that malware is communicating with external servers such as C&C (Command and Control) servers, and nine risk analysis engines perform correlation analysis. Infected terminals can be detected automatically with high accuracy and the administrator notified before the malware causes actual harm. Pricing is by individual quote.
Malware detection / response support service (Fujitsu Co., Ltd.)
(Source: Malware detection / response support service official website)
A remote monitoring malware detection service using a dedicated monitoring appliance. Using Trend Micro detection technology, unknown malware is detected by monitoring communication behavior, such as the use of spoofed emails or the transmission of data to the outside after infection.
Multi-stage analysis, which combines rule-based malware detection with dynamic analysis in a virtual environment, can analyze a wide variety of threats including malware. The contents of detected threats are reported, including correlation analysis, in a form that makes it easy for the administrator to judge and respond. Removal support for discovered malware is also provided. Pricing is by individual quote.
New Malware Countermeasures Support Service BITDAM (Jella Eeculity Co., Ltd.)
(Source: New species Malware Countermeasures Support Service BITDAM Official Website)
A detection service specializing in malware that targets video conferencing apps, cloud storage, and cloud mail. The normal execution flow of these apps is registered in advance and compared with the execution flow produced by malware, so malware can be detected regardless of whether it is known or unknown, and regardless of its type.
In addition to this whitelist-based detection mechanism, it has a function, as an Emotet countermeasure, to detect malware received by email and delete it before it reaches users (password-protected ZIP files are partially supported). Supported apps/services include Zoom, Teams, OneDrive, SharePoint, and Google Workspace.
Pricing starts at 4,400 yen per account per year (for 50 to 500 accounts). Introduction support is provided separately as an option.
Summary
To prevent malware infection, which causes tremendous damage to a company once intrusion and infection occur, multilayered defense combining various security tools and technologies, including antivirus software, is essential. However, the recent evolution of attack techniques, including targeted attacks, has increased the risk of unknown malware passing through multilayered defenses, making it difficult to prevent infection.
For this reason, it is important both to use a multilayered defense mechanism to stop intrusion and infection as far as possible, and to minimize the damage as quickly as possible in the event of infection. A malware detection service provides a mechanism to detect malware, including unknown malware, using the latest security technologies and tools such as sandboxes, under monitoring and operation by security engineers with advanced expertise. Especially for companies with a high level of security knowledge, a malware detection service is well worth considering.
However, before using one, we recommend firming up your policy to some extent, such as which systems and information in your company you want to protect, the scope of coverage, and whether you want spot use or 24/7, year-round monitoring and for what period, and then obtaining a quote and consulting the vendor. This is because the services are relatively expensive, and increasing monitoring unnecessarily makes it more likely that the cost will not be worth it.
It is also a good idea to formulate, at least within the company, a formal action plan for what to do after a malware infection, rather than leaving everything to the vendor. We hope the contents of this article will help you consider introducing a malware detection service.