tLab

See the malware from the inside

tLab is a product for defending against a class of cyber threats that a conventional antivirus handles poorly: zero-day attacks, targeted malicious software (malware) and APT attacks.

Autonomy

Full automation of malware analysis

Intelligence

Deep analysis of malicious behavior, enabling detection of complex and hidden attacks

Performance

Fast verdicts, backed by an interactive report that shows the malware from the inside

Customer Benefits

Advanced attack detection

tLab identifies malware by analyzing the system-level behavior of programs in an isolated environment. Its behavior analysis works at the level of activity trees, which describe the flow of malicious activity and the relationships between the executed objects; this makes it possible to detect hidden, multi-stage malicious objects that are invisible to traditional protection systems. tLab detects and blocks many types of malware, including but not limited to: documents (rtf, doc, docx, xls, ppt, pdf), scripts (js, vbs, ps, cmd), web files (html, hta, flash), executables (exe, dll, java, class) and archives (zip, rar).

Detailed threat analysis

Unlike classic sandboxes, tLab not only detects and blocks attacks in real time but also provides tools for comprehensive threat investigation. tLab assigns the sample a threat level and produces an interactive report that visualizes its full activity and marks the malicious functions. The report describes the sample at several levels of detail: static characteristics, the types of functionality detected, activity trees, the behavioral context of the object under study, the settings of the execution environment, and how the object interacted with the user.

Protection against nearly invisible attacks

Advanced user emulation (malware detonation)

Some unwanted and malicious programs require user interaction: the sample does not activate (detonate) until the user clicks the appropriate elements of its graphical interface (buttons, text fields). Examples are Trojans disguised as legitimate software and unwanted software that requires a complete installation scenario. Ransomware may also require user interaction for part of its functionality, for example contacting the attacker's server to download the ransom payment instructions. Detonating such objects requires an advanced and efficient user emulation system, at the level of both scripted and auto-generated user activity scenarios.
In addition, some malware bypasses sandboxes with a static graphical interface: instead of standard window controls (buttons), it draws a picture of the window and watches for the user's click on the picture of the button. A sandbox that relies on enumerating window controls cannot find the interface elements and therefore cannot press them and detonate the sample. tLab includes a pattern recognition module that identifies the elements of such static graphical interfaces, which allows it to detonate this kind of hidden malware.

Anti-dodge mode

tLab counteracts well-known sandbox bypass (evasion) methods, including detection of analysis-environment (virtualization) artifacts, postponed (delayed) execution, and a newer variant that spreads the delay over cycles of micro-delays. The ability to respond to sandbox evasion determines how effectively hidden, targeted and atypical attacks are detected, and by common industry experience these attacks form the core of the modern malware threat model.

System technical capabilities

tLab accepts objects for analysis in several modes:

  • sending a file manually;
  • uploading a group of files and indicating which file to launch (for analyzing a file with dependencies);
  • uploading a file together with command line arguments;
  • automatic submission via the REST API (used by the Web/Mail Gateway components);
  • integration with TrendMicro products (submitting objects and retrieving reports).

Simulation (emulation) of user actions in the tLab runtime to activate malware:

  • user emulation according to activity scripts (selecting existing scenarios or creating new ones for controlled detonation (activation) of objects);
  • script-free user emulation (automatically chosen activity);
  • detection of hidden threats that use an atypical dialog box in the form of a static picture.

tLab provides anti-dodging, that is, countermeasures to sandbox detection and bypass methods:

  • stealth mode: hiding file system artifacts (files and processes) so that the malware cannot recognize the runtime environment;
  • camouflage (dynamic renaming) of registry artifacts (keys, values and branches) and of devices, for the same purpose;
  • detection of objects that use execution delays (delayed start), including micro-delay cycles. The countermeasure to deferred execution as a dynamic-analysis bypass is to shorten the waits so the sample reaches its payload inside the analysis window.
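The delay-based evasion described in the anti-dodge section and in the list above, worked through as an added example (not tLab's own code): a classifier that spots a single long wait and a micro-delay cycle in a Sleep() trace, and a sandbox-side virtual clock that skips the waits. The trace format, the thresholds and the behaviour of the stand-in sample are all assumptions; the contrast with NaiveSkipClock shows the caveat a practitioner cares about, namely that skipping a wait without advancing the clock the sample reads is itself detectable.

```python
"""Delay-based sandbox evasion: find it in a Sleep() trace and defeat it with a
virtual clock. Added example for this page, not tLab's own code; the trace
format, thresholds and the sample's logic are all assumptions."""

# Constructed API trace: (ms since sample start, API name, argument in ms).
# A real trace would come from the sandbox's API hooks.
TRACE = (
    [(0, "Sleep", 5000)]                                    # one ordinary wait
    + [(5000 + i * 50, "Sleep", 50) for i in range(1200)]  # micro-delay loop: 1200 x 50 ms = 60 s
    + [(65000, "CreateFileW", 0)]                           # payload activity after the wait
)

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


def classify_delays(trace, long_ms=30_000, micro_ms=100,
                    cycle_min_calls=200, cycle_min_total_ms=20_000):
    """Flag a single long wait (delayed start) and a micro-delay cycle: many
    short waits whose sum would outlast the analysis window."""
    sleeps = [arg for _, api, arg in trace if api in SLEEP_APIS]
    micro = [ms for ms in sleeps if 0 < ms <= micro_ms]
    return {
        "total_requested_ms": sum(sleeps),
        "delayed_start": [ms for ms in sleeps if ms >= long_ms],
        "micro_delay_cycle": len(micro) >= cycle_min_calls
                             and sum(micro) >= cycle_min_total_ms,
    }


class VirtualClock:
    """Sandbox-side replacement for Sleep/GetTickCount. Every requested wait is
    skipped instantly, but the clock the sample reads advances by the full
    amount, so elapsed-time checks still see the wait 'happen'."""
    def __init__(self):
        self.now_ms = 0
        self.skipped_ms = 0

    def sleep(self, ms):
        self.now_ms += ms      # advance what the sample observes ...
        self.skipped_ms += ms  # ... without actually blocking

    def tick_count(self):
        return self.now_ms


class NaiveSkipClock(VirtualClock):
    """Skips the waits but forgets to move the clock: a sample that compares
    tick counts before and after its waits notices and stays dormant."""
    def sleep(self, ms):
        self.skipped_ms += ms


def evasive_sample(clock, required_wait_ms=60_000, slice_ms=50):
    """Stand-in for an evasive sample: waits in short slices and refuses to
    detonate unless the clock confirms the whole delay really elapsed."""
    start = clock.tick_count()
    for _ in range(required_wait_ms // slice_ms):
        clock.sleep(slice_ms)
    if clock.tick_count() - start < required_wait_ms:
        return "dormant"
    return "detonated"


if __name__ == "__main__":
    print(classify_delays(TRACE))
    for clock_type in (NaiveSkipClock, VirtualClock):
        clock = clock_type()
        print(clock_type.__name__, evasive_sample(clock),
              "after skipping", clock.skipped_ms, "ms of waits")
```

The trace carries 65 s of requested waits, none of them long enough to trip the delayed-start rule on its own, which is exactly why the micro-delay rule looks at call count and cumulative duration together. In a real sandbox the clock substitution has to be applied consistently to every time source the sample can read (tick counts, wall clock, timer queues), otherwise the mismatch gives the environment away.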

Export and reporting in the tLab system:

  • several levels of detail for the behavioral report (interactive reports of different depth and information content);
  • interactive visualization of the event tree, a sequence of potentially harmful actions with their relationships shown (tracing the source and spread of malicious/suspicious activity);
  • detection of operations on important files (open, modify, delete); tracked: the source type and the number and category of the files (for example document, audio, accounting);
  • export of the full report to a PDF document in English or Russian;
  • export and import of the whitelist of exceptions (whitelists are used to recognize certain legitimate files);
  • access to the identified malicious object (file) by download from the web interface.
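The activity tree described under "Advanced attack detection" and the event-tree and important-file items in the list above, as one added example (not tLab's own code): a behavior trace is turned into a process tree, findings are raised by rules over the tree rather than over single events, each finding is traced back to the root object, and file operations are counted by category. The event schema, the constructed trace, the detection rules and the file categories are all assumptions.

```python
"""Activity tree from a behavior trace: which object started the suspicious
activity, how it spread between processes, and which important files it
touched. Added example for this page, not tLab's own code; the event schema,
the detection rules and the file categories are assumptions."""
from collections import Counter

# Constructed trace from a document sample (pid 100). "start" events carry the
# parent pid; every other event is attributed to the acting pid.
TRACE = [
    {"pid": 100, "ppid": 0,   "image": "WINWORD.EXE",    "op": "start",       "target": "invoice.docx"},
    {"pid": 100, "ppid": 0,   "image": "WINWORD.EXE",    "op": "file_open",   "target": r"C:\Users\u\Documents\invoice.docx"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "op": "start",       "target": "/c powershell -w hidden"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "op": "start",       "target": "-w hidden"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "op": "net_connect", "target": "203.0.113.5:443"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "op": "file_write",  "target": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"pid": 400, "ppid": 300, "image": "upd.exe",        "op": "start",       "target": ""},
    {"pid": 400, "ppid": 300, "image": "upd.exe",        "op": "file_modify", "target": r"C:\Users\u\Documents\report.docx"},
    {"pid": 400, "ppid": 300, "image": "upd.exe",        "op": "file_delete", "target": r"C:\Users\u\Documents\budget.xlsx"},
    {"pid": 400, "ppid": 300, "image": "upd.exe",        "op": "file_modify", "target": r"C:\Users\u\Music\song.mp3"},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CATEGORY = {"docx": "document", "doc": "document", "xlsx": "document", "pdf": "document",
            "mp3": "audio", "wav": "audio", "1cd": "accounting", "qbw": "accounting"}


def build_tree(trace):
    """pid -> node with image, parent, children and the events it performed."""
    nodes = {e["pid"]: {"image": e["image"], "ppid": e["ppid"], "children": [], "events": []}
             for e in trace if e["op"] == "start"}
    for e in trace:
        if e["op"] == "start":
            if e["ppid"] in nodes:
                nodes[e["ppid"]]["children"].append(e["pid"])
        else:
            nodes[e["pid"]]["events"].append(e)
    return nodes


def chain(nodes, pid):
    """Images from the root object down to pid: the path the activity took."""
    path = []
    while pid in nodes:
        path.append(nodes[pid]["image"])
        pid = nodes[pid]["ppid"]
    return path[::-1]


def find_suspicious(nodes):
    """Rules over the tree, not over single events. Each finding is
    (pid, reason) and can be traced back to the root with chain()."""
    findings, dropped = [], {}   # dropped: basename of a written .exe -> writer pid
    for pid, n in nodes.items():
        parent = nodes.get(n["ppid"])
        if parent and parent["image"] in OFFICE and n["image"] in SHELLS:
            findings.append((pid, f"{parent['image']} spawned {n['image']}"))
        for e in n["events"]:
            if e["op"] == "net_connect" and n["image"] in SHELLS:
                findings.append((pid, f"{n['image']} connected to {e['target']}"))
            if e["op"] == "file_write" and e["target"].lower().endswith(".exe"):
                dropped[e["target"].rsplit("\\", 1)[-1]] = pid
    for pid, n in nodes.items():
        if n["image"] in dropped:
            findings.append((pid, f"ran {n['image']} dropped by pid {dropped[n['image']]}"))
    return findings


def important_files(trace):
    """(category, op) -> count for open/modify/delete operations on user files."""
    counts = Counter()
    for e in trace:
        if e["op"] in ("file_open", "file_modify", "file_delete"):
            ext = e["target"].rsplit(".", 1)[-1].lower()
            counts[(CATEGORY.get(ext, "other"), e["op"])] += 1
    return counts


def render(nodes, pid=None, depth=0):
    """Indented text view of the activity tree with each node's events."""
    roots = [p for p, n in nodes.items() if n["ppid"] not in nodes] if pid is None else [pid]
    lines = []
    for p in roots:
        lines.append("  " * depth + f"{nodes[p]['image']} (pid {p})")
        lines += ["  " * (depth + 1) + f"{e['op']} {e['target']}" for e in nodes[p]["events"]]
        for child in nodes[p]["children"]:
            lines += render(nodes, child, depth + 1)
    return lines


if __name__ == "__main__":
    tree = build_tree(TRACE)
    print("\n".join(render(tree)))
    for pid, reason in find_suspicious(tree):
        print(f"{reason:45s} via {' > '.join(chain(tree, pid))}")
    print(dict(important_files(TRACE)))
```

None of the three findings is visible from a single event: the shell launch is only suspicious because of its parent, and the executable is only interesting because a process earlier in the same tree wrote it. That is the point of keeping the relationships between executed objects rather than a flat event list.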

Verification and analysis of objects in the tLab system:

  • analysis of files of different formats: documents (rtf, pdf, xlsx, docx, pptx, xls, doc, ppt, xlsm, docm, pptm, pps, ppsx, ppsm, dot, dotm, odt, xps), web files (html, mht, mhtml), executable files (exe, scr, dll, jar, msp, mst, msi, java, job, sct), scripts (ps1, sh (Linux shell script), js, vbs, bat, ws), archives and client application files (iso, bzip2, rar, zip, gzip, arj, 7z, cab, msg, eml);
  • behavioral analysis of files is carried out in Windows operating systems: Windows XP, Windows 7, Windows 8, Windows 8.1 and Windows 10;
  • YARA signature analysis;
  • in-depth analysis of the behavior of the studied objects (programs), tracking the flow of malicious activity and the behavioral relationships between the executed objects;
  • heuristic analysis of scripts: emulation of the execution and identification of the script's behavior across all code branches, which exposes highly targeted threats keyed to the indicators of a specific group of machines (for example, the user name);
  • contextual analysis of documents to detect a malicious document by anomalies, without signatures (detects threats that use zero-day exploits);
  • static and heuristic analysis of documents of various types (rtf, pdf, xlsx, docx, pptx, xls, doc, ppt, xlsm, docm, pptm).

Deployment and integration

tLab prevents malware attacks at the level of email and web traffic by integrating with our Mail and Web Gateway components and with third-party solutions through the REST API. tLab supports standard protocols: ICAP for the Web Gateway and IMAP/SMTP for BCC mode (detection-only mode).

Two Mail Gateway options are available: our own MTA server or a plug-in for the MS Exchange mail server. The Web Gateway is built on a proven open-source solution that is a full-fledged Next Generation Firewall (NGFW) with a wide range of functionality.

These components pass each attached file through the sandbox and, if a threat is found, cut the dangerous files out of the message. A group of files can be checked in one environment to detect multi-component, distributed attacks. tLab's Context Document Reconstruction technology creates a safe copy of any document, which is substituted for the original while the analysis runs; this allows documents to be examined in detail without disrupting the client's business processes.

tLab updates are released regularly and include: YARA semantic signatures (exploits), third-party/client antivirus signatures, whitelists, malicious behavior patterns, virtual machine images, and new threat detection and identification mechanisms.
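The gateway step described above, cutting a dangerous attachment out of a message while the rest is delivered untouched, as an added example (not tLab's MTA or Exchange plug-in code): a constructed test mail with a benign PDF and an executable is parsed with Python's standard email library, each attachment is handed to a verdict function, and any part judged malicious is rewritten in place into a text notice carrying the file's name and hash. sandbox_verdict() is a stand-in for the sandbox (a REST call in a real gateway) and its extension-based rule is an assumption; in BCC (detection) mode a gateway would only report the removed list rather than modify the message.

```python
"""Gateway-side handling of mail attachments: pull every attachment out of the
message, obtain a verdict for it, and cut dangerous ones out of the message
while the rest is delivered untouched. Added example for this page, not
tLab's MTA or Exchange plug-in code; sandbox_verdict() stands in for the
sandbox (a REST call in a real gateway) and its rule is an assumption."""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RISKY_EXT = {"exe", "scr", "dll", "js", "vbs", "bat", "ps1", "hta"}


def build_sample_message():
    """Constructed test mail: a benign PDF and a dangerous executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 benign invoice", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed dropper", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def sandbox_verdict(filename, data):
    """Stand-in for the sandbox verdict (assumption: decided by extension only)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "malicious" if ext in RISKY_EXT else "clean"


def attachment_names(raw):
    """File names of the parts that are still real attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.walk() if p.is_attachment()]


def scrub_message(raw):
    """Return (scrubbed bytes, [(name, sha256)] of the attachments cut out).
    A dangerous part is rewritten in place into a text notice, so the message
    structure and every other part stay exactly as they were."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    for part in msg.walk():
        if not part.is_attachment():
            continue
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        verdict = sandbox_verdict(name, data)
        if verdict == "malicious":
            digest = hashlib.sha256(data).hexdigest()
            removed.append((name, digest))
            # set_content() drops the old Content-* headers and the binary body.
            part.set_content(f"Attachment '{name}' (sha256 {digest}) was removed "
                             f"by the mail gateway: sandbox verdict '{verdict}'.")
    return msg.as_bytes(), removed


if __name__ == "__main__":
    raw = build_sample_message()
    print("before:", attachment_names(raw))
    clean, removed = scrub_message(raw)
    print("after: ", attachment_names(clean))
    print("removed:", removed)
```

Keeping the hash of the removed file in the notice gives the recipient and the analyst a reference to the quarantined object without ever delivering it; the original bytes should be retained on the gateway side for the investigation described in the reporting section.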