How detection layers work

ESET Dynamic Threat Defense uses 4 separate detection layers to ensure the highest detection rate. Each layer uses a different approach and gives its own verdict on the sample. The final assessment combines all the information gathered about the sample. See the overview of the process in the scheme below:

[Image: overview of the four detection layers]

Layer 1: Advanced unpacking and scanning

Upon entering the initial layer of ESET Dynamic Threat Defense, the so-called Advanced unpacking and scanning layer, static samples are matched against ESET’s threat database, enriched with experimental and not-yet-distributed detections, as well as against a comprehensive list of clean, potentially unwanted (PUA), and potentially unsafe (PUsA) items. Malware often tries to thwart detection by hiding its malicious core behind a range of packing layers; for a proper analysis, this coating needs to be removed. ESET Dynamic Threat Defense achieves this in the Advanced unpacking and scanning layer with highly specialized tools built for the packers that ESET researchers have found in malicious code. These specialized unpackers peel away malware’s protective layer, allowing ESET Dynamic Threat Defense to match the sample against the enriched threat database once more. The Advanced unpacking and scanning layer classifies the sample as malware, clean, PUA, or PUsA. Because of the security risks and hardware demands associated with the unpackers, as well as the other incorporated procedures, a high-performance and secure environment is required. This unique environment is provided by ESET Dynamic Threat Defense’s robust and resilient cloud infrastructure.
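The match, unpack, match-again loop that this layer describes, as an added illustration that is not ESET's code: the "threat database" is a constructed table of SHA-256 hashes, the unpackers are stand-ins (one zlib layer and one strict base64 layer rather than ESET's packer-specific tools), and every peeled layer is hashed and looked up again. Because the unpackers are themselves a risk (the text notes the security and hardware demands), the zlib stand-in refuses output above a fixed cap and the loop stops after a fixed number of nested layers.

```python
import base64
import hashlib
import zlib

# Constructed stand-in for the enriched threat database: SHA-256 of known
# content -> class. A real database holds detections, not only hashes.
KNOWN_PAYLOADS = {
    b"constructed malicious payload body": "malware",
    b"constructed well-known system utility": "clean",
    b"constructed browser toolbar installer": "PUA",
    b"constructed remote administration tool": "PUsA",
}

MAX_UNPACKED = 1 << 20   # 1 MiB output cap per layer: decompression-bomb guard
MAX_LAYERS = 8           # stop peeling after this many nested layers


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


THREAT_DB = {sha256(body): cls for body, cls in KNOWN_PAYLOADS.items()}


def unpack_zlib(data: bytes):
    """Stand-in unpacker: one zlib layer, refusing output above MAX_UNPACKED."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, MAX_UNPACKED)
    except zlib.error:
        return None
    if not d.eof or d.unconsumed_tail:
        return None          # truncated stream, or it would exceed the cap
    return out


def unpack_base64(data: bytes):
    """Stand-in unpacker: one strict base64 layer."""
    try:
        out = base64.b64decode(data, validate=True)
    except ValueError:       # binascii.Error is a ValueError subclass
        return None
    return out or None


UNPACKERS = [("zlib", unpack_zlib), ("base64", unpack_base64)]


def classify(sample: bytes):
    """Match the sample, peel one layer, match again.

    Returns (verdict, number of layers peeled, unpackers used in order);
    verdict is malware / clean / PUA / PUsA from the database, or "unknown".
    """
    current, used = sample, []
    while True:
        verdict = THREAT_DB.get(sha256(current))
        if verdict is not None:
            return verdict, len(used), used
        if len(used) >= MAX_LAYERS:
            break            # too deeply nested: give up rather than loop forever
        for name, unpack in UNPACKERS:
            inner = unpack(current)
            if inner is not None and inner != current:
                current = inner
                used.append(name)
                break
        else:
            break            # no unpacker applies: nothing more to peel
    return "unknown", len(used), used


def pack_example(body: bytes) -> bytes:
    """Constructed two-layer 'packer' (zlib, then base64) used to build test input."""
    return base64.b64encode(zlib.compress(body))


if __name__ == "__main__":
    print(classify(pack_example(b"constructed malicious payload body")))
```

The guard in `classify` that refuses an unpacker result identical to its input, together with `MAX_LAYERS`, is what keeps a crafted sample from holding the loop open; the output cap in `unpack_zlib` is the per-layer defence against a small input that expands to gigabytes.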

[Image: Layer 1, Advanced unpacking and scanning]

Layer 2: Advanced Machine Learning detection

Each item submitted to ESET Dynamic Threat Defense is also subject to static analysis via Advanced Machine Learning detection, producing basic characteristics of the sample. As analyzing compressed or encrypted code with no further processing would only attempt to classify noise, the submitted item simultaneously undergoes another – more dynamic – analysis that extracts its instructions and DNA genes. By describing a sample’s active features and behaviors, malicious characteristics of packed or obfuscated objects are uncovered even without executing it. Information extracted from all previous steps is further processed by a small army of carefully chosen classification models and deep learning algorithms. Finally, all this information is consolidated via a neural network that returns one of four probability levels – malicious, highly suspicious, suspicious, and clean. In case this or any other ESET Dynamic Threat Defense layer is not used, an “analysis not needed” message is displayed. Due to the complexity and hardware demands of these procedures, a significantly more powerful infrastructure than the one provided by a user’s endpoint is necessary. To handle the computation-heavy tasks, ESET engineers devised a superior and complex set of systems – ESET Dynamic Threat Defense.

[Image: Layer 2, Advanced Machine Learning detection]

Layer 3: Experimental detection engine

To further analyze each sample, a deeper and behavior-focused analysis is necessary to complement the previous findings. To gather this type of threat intelligence, another ESET Dynamic Threat Defense layer steps in – namely, the Experimental detection engine. It inserts the suspicious item into a set of precisely configured systems that closely resemble full-scale machines using various operating systems – a kind of “sandbox on steroids”. These highly controlled environments serve as monitoring cells fitted with a legion of ESET’s detection algorithms logging every action. To identify hidden malicious behavior, the Experimental detection engine also produces a large quantity of memory dumps. These are subsequently scanned and matched against ESET’s enriched threat database that incorporates unpublished and experimental detections, ensuring highly accurate detection results and an extremely low number of false positives. Intelligence gathered by the Experimental detection engine is also compiled into a comprehensive list of events detected by the sandbox, which is then used for further analysis in the final ESET Dynamic Threat Defense detection layer – In-Depth Behavioral Analysis.

[Image: Layer 3, Experimental detection engine]

Layer 4: In-Depth Behavioral Analysis

In the final ESET Dynamic Threat Defense layer, known as In-Depth Behavioral Analysis, all sandbox outputs – including files created or deleted on the hard drive, entries added to or removed from the Windows system registry, all external communication attempts, and scripts that are run – are subject to a thorough behavioral analysis. In this stage, ESET Dynamic Threat Defense focuses on malicious and suspicious actions such as attempted connections to web locations with bad reputations, use of known malicious objects, and use of unique strings generated by particular malware families. In-Depth Behavioral Analysis also breaks the sandbox outputs up into logical blocks, which are then matched against an extensive and periodically reviewed database of previously analyzed patterns and chains of actions to identify even the slightest indication of malicious behavior.

[Image: Layer 4, In-Depth Behavioral Analysis]

Final result

ESET Dynamic Threat Defense combines all available verdicts from the detection layers and evaluates the sample's status. The result is delivered first to the user's ESET security product and their company's infrastructure.
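How the Layer 4 matching and this final consolidation could fit together, as an added illustration that is not ESET's implementation: a constructed sandbox event log (file, registry, network and string events) is checked against single-event indicators (a constructed bad-reputation host list, constructed family-specific strings, an autostart registry key) and broken into logical blocks that are matched against a constructed table of chains of actions; the four layer verdicts are then combined on the four-level scale from Layer 2, with a layer that did not run contributing "analysis not needed". The mapping of Layer 1's malware/PUA/PUsA/clean classes onto that scale is an assumption, not something the page states.

```python
# Four-level scale used by the layers, worst first, plus the marker for a layer that did not run.
SEVERITY = ["malicious", "highly suspicious", "suspicious", "clean"]
NOT_RUN = "analysis not needed"

# Assumed mapping of Layer 1 classes onto the shared scale (not stated on the page).
LAYER1_TO_SCALE = {"malware": "malicious", "PUA": "suspicious",
                   "PUsA": "suspicious", "clean": "clean"}

# Constructed reputation list, family-specific strings and autostart key fragment.
BAD_REPUTATION_HOSTS = {"bad-reputation.example"}
FAMILY_STRINGS = {"CONSTRUCTED-FAMILY-MARKER-7": "ConstructedFamily"}
AUTOSTART_KEY = "\\CurrentVersion\\Run\\"

# Constructed chains of actions -> (description, level); longer chains rank higher.
ACTION_CHAINS = {
    ("file_create", "registry_set", "net_connect"): ("drop, persist and call out", "highly suspicious"),
    ("file_create", "registry_set"): ("drop and persist", "suspicious"),
}

# Constructed sandbox output: ordered (event type, detail) pairs from one run.
SAMPLE_EVENTS = [
    ("file_create", "C:\\Users\\Public\\update.exe"),
    ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"),
    ("net_connect", "bad-reputation.example"),
    ("string", "CONSTRUCTED-FAMILY-MARKER-7"),
]


def logical_blocks(events, longest=3):
    """Every run of 2..longest consecutive event types, as a set of tuples."""
    types = [kind for kind, _ in events]
    return {tuple(types[i:i + n])
            for n in range(2, longest + 1)
            for i in range(len(types) - n + 1)}


def worst(levels):
    """Most severe level among those given; layers that did not run are ignored."""
    used = [lvl for lvl in levels if lvl != NOT_RUN]
    if not used:
        return NOT_RUN
    return min(used, key=SEVERITY.index)


def analyze_behavior(events):
    """Layer 4 stand-in: returns (verdict, findings) for one sandbox run."""
    findings = []
    for kind, detail in events:
        if kind == "net_connect" and detail in BAD_REPUTATION_HOSTS:
            findings.append((f"connection to bad-reputation host {detail}", "malicious"))
        elif kind == "string" and detail in FAMILY_STRINGS:
            findings.append((f"unique string of {FAMILY_STRINGS[detail]}", "malicious"))
        elif kind == "registry_set" and AUTOSTART_KEY in detail:
            findings.append(("autostart registry entry added", "suspicious"))
    for block in logical_blocks(events):
        if block in ACTION_CHAINS:
            findings.append(ACTION_CHAINS[block])
    levels = [level for _, level in findings]
    return (worst(levels) if levels else "clean"), findings


def final_verdict(layer1, layer2, layer3, layer4):
    """Combine the four layer verdicts into the sample's status (worst wins)."""
    return worst([LAYER1_TO_SCALE.get(layer1, layer1), layer2, layer3, layer4])


if __name__ == "__main__":
    verdict, findings = analyze_behavior(SAMPLE_EVENTS)
    for description, level in findings:
        print(f"{level:>17}: {description}")
    print("layer 4:", verdict)
    print("final:", final_verdict("clean", "suspicious", NOT_RUN, verdict))
```

Two design points worth noting: the chain table is keyed on sequences of event types rather than on exact details, so one pattern covers many file names and hosts, and `worst` treats "analysis not needed" as absence of evidence rather than as a clean verdict, so a skipped layer can never pull the combined result down.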

[Image: combined verdict of the four layers]