MA: How Malware Analysis Works

Document created by RSA Information Design and Development on Jun 25, 2017
Version 1

Security Analytics Malware Analysis is an automated malware analysis processor designed to analyze certain types of file objects (for example, Windows PE, PDF, and MS Office) to assess the likelihood that a file is malicious. Using Malware Analysis, the malware analyst can prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious. 

Security Analytics Malware Analysis detects indicators of compromise using four distinct analysis methodologies:

  • Network Session Analysis (network)
  • Static File Analysis (static)
  • Dynamic File Analysis (sandbox)
  • Security Community Analysis (community)

Each of the four methodologies is designed to compensate for inherent weaknesses in the others. For example, Dynamic File Analysis can catch a zero-day sample that the Security Community Analysis phase misses because no feed has seen it yet. Because no single methodology is relied on, the analyst is less exposed to false negatives than with a tool that uses only one.

In addition to the built-in indicators of compromise, beginning with Security Analytics 10.3, Malware Analysis also supports indicators of compromise written in YARA. YARA is a rule language that lets malware researchers identify and classify malware samples. IOC authors can therefore add detection capabilities to RSA Malware Analysis by authoring YARA rules and publishing them in RSA Live. These YARA-based IOCs in RSA Live are automatically downloaded and activated on the subscribed host, supplementing the existing analysis performed on each analyzed file. 

Beginning with Security Analytics 10.4, Malware Analysis has features that support alerts for Incident Management.

Functional Description

This figure depicts the functional relationship between the Security Analytics Core services (the Decoder, Concentrator, and Broker), the Security Analytics Malware Analysis service, and the Security Analytics server.

The Malware Analysis service analyzes file objects using any combination of the following methods:

  • Continuous automatic polling of a Concentrator or Broker to extract sessions identified by a parser as potentially carrying malware content.
  • On-demand polling of a Concentrator or Broker to extract sessions identified by a malware analyst as potentially carrying malware content.
  • On-demand upload of files from a user-specified folder.

When automatic polling of a Concentrator or Broker is enabled, the Malware Analysis service continuously extracts and prioritizes executable content, PDF documents, and Microsoft Office documents on your network, directly from data captured and analyzed by your Security Analytics Core service. Because the Malware Analysis service connects to a Concentrator or Broker and extracts only those files that the Decoder parsers have flagged as possible malware, the process is both rapid and efficient. This process is continuous and does not require monitoring.

When on-demand polling of a Concentrator or Broker is chosen, the malware analyst uses Security Analytics Investigation to drill into captured data and choose sessions to be analyzed. The Malware Analysis service uses this information to automatically poll the Concentrator or Broker and to download the specified sessions for analysis.

On-demand upload of files provides a method for the analyst to review files captured external to the Core infrastructure. The malware analyst uses Security Analytics to choose a folder location and identify one or more files to be uploaded and analyzed by Security Analytics Malware Analysis. These files are analyzed using the same methodology as files automatically extracted from network sessions. 

Analysis Method

For Network analysis, the Malware Analysis service looks for characteristics of the session that deviate from the norm, much as an analyst does. By examining hundreds to thousands of characteristics and combining the results in a weighted scoring system, legitimate sessions that coincidentally have a few abnormal traits are dismissed, while the genuinely bad ones are highlighted. The patterns that indicate anomalous activity in a session, and that warrant further investigation, are recorded as Indicators of Compromise.

The Malware Analysis service can perform Static analysis against suspicious objects it finds on the network and determine whether those objects contain malicious code. For Community analysis, new malware detected on the network is pushed to the RSA Cloud for checking against RSA's own malware analysis data and feeds from the SANS Internet Storm Center, SRI International, the Department of the Treasury and VeriSign. For Sandbox analysis, samples are submitted to the ThreatGrid Cloud for execution. The service can also push its results into major security information and event management (SIEM) hosts. 

Security Analytics Malware Analysis partners with industry leaders and experts so that their technologies enrich the Security Analytics Malware Analysis scoring system.

Security Analytics Server Access to the Malware Analysis Service

The Security Analytics server is configured to connect to the Security Analytics Malware Analysis service and import tagged data for deeper analysis in Security Analytics Investigation. Access is based on three subscription levels.

  • Free subscription: All Security Analytics customers have a free subscription, with a free trial key for ThreatGrid analysis. The Malware Analysis service is rate-limited to 100 file samples per day, and at most 5 of those samples are submitted to the ThreatGrid Cloud for sandbox analysis. The limit counts files, not sessions: a single network session carrying 100 files, or a manual upload of 100 files, exhausts the daily allowance.
  • Standard subscription tier: The number of submissions to the Malware Analysis service is unlimited. The number of samples submitted to the ThreatGrid Cloud for sandbox analysis is 1000 per day.
  • Enterprise subscription tier: The number of submissions to the Malware Analysis service is unlimited. The number of samples submitted to the ThreatGrid Cloud for sandbox analysis is 5000 per day.

Scoring Method

By default, the Indicators of Compromise (IOC) are tuned to reflect industry best practices. Each IOC is assigned a score ranging from -100 (good) to +100 (bad). During analysis, the IOCs that trigger cause the score to move upward or downward to indicate the likelihood that the sample is malicious. The tuning of IOCs is exposed in Security Analytics so that the malware analyst can choose to override the assigned score or to disable an IOC from being evaluated. The analyst has the flexibility to either use the default tuning, or to completely customize the tuning to specific needs.

YARA-based IOCs are interleaved with the built-in IOCs within each built-in category and are not distinguished from native IOCs. When viewing IOCs in the Service Configuration view, administrators can select YARA from the Module selection list to see a list of YARA rules. 

After a session is imported into Security Analytics, all of the viewing and analysis capabilities in Security Analytics Investigation are available to further analyze Indicators of Compromise. When viewed in Investigation, YARA IOCs are distinguished from the built-in native IOCs by the tag Yara rule.
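The following is an added example, not RSA's code, that models the scoring and tuning behaviour described above: each IOC carries a default score in the -100 (good) to +100 (bad) range, triggered IOCs move a sample's score, the analyst can override a score or disable an IOC, YARA-authored IOCs sit interleaved with native ones in the same category but are tagged "Yara rule" when reported, and the resulting scores are used to prioritize samples. The aggregation rule (sum of triggered scores, clamped to the -100..100 range), the IOC names, the default scores and the three sample files are all assumptions constructed for illustration.

```python
"""Illustrative model of Malware Analysis IOC scoring and analyst tuning.

Added example, not RSA's implementation. Assumed: scores of triggered IOCs are
summed and clamped to [-100, 100]; IOC names, default scores and samples are
constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

CATEGORIES = ("network", "static", "community", "sandbox")


@dataclass
class IOC:
    name: str
    category: str                  # one of CATEGORIES
    default_score: int             # -100 (good) .. +100 (bad), assumed defaults
    check: Callable[[dict], bool]  # returns True when the IOC triggers
    yara: bool = False             # YARA-authored IOCs are interleaved with native ones


@dataclass
class Tuning:
    """Analyst tuning: per-IOC score overrides and disabled IOCs."""
    overrides: Dict[str, int] = field(default_factory=dict)
    disabled: Set[str] = field(default_factory=set)

    def score_for(self, ioc: IOC) -> int:
        return self.overrides.get(ioc.name, ioc.default_score)


def clamp(score: int) -> int:
    return max(-100, min(100, score))


def evaluate(sample: dict, iocs: List[IOC], tuning: Tuning) -> Tuple[int, list]:
    """Return (score, triggered); triggered lists (name, score, tag) per fired IOC."""
    total, triggered = 0, []
    for ioc in iocs:
        if ioc.name in tuning.disabled:
            continue
        if ioc.check(sample):
            s = tuning.score_for(ioc)
            total += s
            triggered.append((ioc.name, s, "Yara rule" if ioc.yara else "native"))
    return clamp(total), triggered


def prioritize(samples: List[dict], iocs: List[IOC], tuning: Tuning) -> List[str]:
    """Sample names ordered most-likely-malicious first."""
    ranked = sorted(((evaluate(s, iocs, tuning)[0], s["name"]) for s in samples), reverse=True)
    return [name for _, name in ranked]


def pe(payload: bytes) -> bytes:
    # Constructed stand-in for a Windows PE; only the "MZ" magic is inspected here.
    return b"MZ" + payload


def is_pe(s: dict) -> bool:
    return s["content"].startswith(b"MZ")


# Constructed samples: a packed blocklisted file, a signed vendor update, and a dropper.
INVOICE = pe(b"UPX0\x00" + b"\x90" * 16)
SAMPLES = [
    {"name": "invoice.exe", "content": INVOICE, "signed": False,
     "session": {"dst_port": 8080, "content_type": "image/jpeg"},
     "sandbox": {"run_key_write": True}},
    {"name": "vendor_update.exe", "content": pe(b"\x00" * 16), "signed": True,
     "session": {"dst_port": 443, "content_type": "application/octet-stream"},
     "sandbox": {"run_key_write": False}},
    {"name": "dropper.exe", "content": pe(b"cmd.exe /c del %TEMP%\\*.log"), "signed": False,
     "session": {"dst_port": 80, "content_type": "application/octet-stream"},
     "sandbox": {"run_key_write": False}},
]
BLOCKLIST = {hashlib.sha256(INVOICE).hexdigest()}  # constructed community feed

# Assumed IOCs, one or more per methodology; the YARA one is a plain substring stand-in.
IOCS = [
    IOC("pe_on_nonstandard_port", "network", 20,
        lambda s: is_pe(s) and s["session"]["dst_port"] not in (80, 443)),
    IOC("content_type_mismatch", "network", 30,
        lambda s: is_pe(s) and s["session"]["content_type"].startswith("image/")),
    IOC("pe_has_upx_section", "static", 25, lambda s: b"UPX0" in s["content"]),
    IOC("yara_cmd_exec", "static", 40, lambda s: b"cmd.exe /c" in s["content"], yara=True),
    IOC("signed_by_trusted_vendor", "static", -60, lambda s: s["signed"]),
    IOC("known_bad_hash", "community", 80,
        lambda s: hashlib.sha256(s["content"]).hexdigest() in BLOCKLIST),
    IOC("persistence_run_key", "sandbox", 50, lambda s: s["sandbox"]["run_key_write"]),
]

if __name__ == "__main__":
    default = Tuning()
    for s in SAMPLES:
        print(s["name"], evaluate(s, IOCS, default))
    print("default ranking:", prioritize(SAMPLES, IOCS, default))
    # Analyst tuning: the packer IOC is too noisy here, and the YARA rule is trusted more.
    tuned = Tuning(overrides={"yara_cmd_exec": 70}, disabled={"pe_has_upx_section"})
    print("tuned ranking:", prioritize(SAMPLES, IOCS, tuned))
```

With default tuning, invoice.exe saturates at +100 (five IOCs across all four methodologies fire), dropper.exe scores +40 from the YARA-tagged IOC alone, and the signed vendor update scores -60. Disabling the packer IOC and raising the YARA rule's score changes dropper.exe to +70 without affecting the other two, which is the kind of per-IOC adjustment the Service Configuration view exposes.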


The Security Analytics Malware Analysis service is deployed as a co-located service on a Security Analytics Server or with a dedicated RSA Malware Analysis host.

The dedicated Malware Analysis host has an onboard Broker which connects to the Security Analytics Core infrastructure (either another Broker or a Concentrator). Before this connection is made, a collection of parsers and feeds must be added to the Decoders that feed the Concentrators and Brokers from which the Malware Analysis service pulls data; these are what mark suspicious data files for extraction. The parsers and feeds are distributed as Malware Analysis tagged content through the RSA Live content management system.

Caution: The Malware co-located service (running on the Security Analytics server) has a smaller database footprint, and its primary responsibility is to support on-demand scans. Running this service in continuous mode may create performance issues that eventually make the service unusable because of the volume of data. When using the Malware co-located service, upload files through the Security Analytics user interface to check and validate them. Only a dedicated RSA Malware Analysis host should be used in Continuous Scan mode.
