Three Reasons to Augment Dynamic Malware Analysis with Multi-scanning

It's no secret that we're big fans of multi-scanning here at OPSWAT, but one thing we haven't yet discussed is how it can be used alongside dynamic malware analysis tools. Multi-scanning should be a key component both for organizations deploying defense-in-depth and for malware researchers.

Adding the strengths of multi-scanning to dynamic malware analysis tools increases throughput and detection rates, and makes dynamic analysis less resource- and time-intensive for organizations to implement and maintain.

Here are three reasons to augment your dynamic malware analysis with multi-scanning:

  1. Filtering for Known Malware

    (Figure: Filtering for known malware using multi-scanning technology)

    The simplest way to use multi-scanning in a malware analysis stack is to identify known threats and remove them from subsequent analysis steps. The main benefit is reduced load on dynamic tools, which are typically resource-intensive and have lower throughput, so the system as a whole processes more files in the same time.
    In this configuration, multi-scanning categorizes a sample as known malware only when multiple scan engines detect it as a threat. Known malware is removed from the dynamic analysis queue, freeing those tools to analyze possible emerging threats. Requiring agreement from multiple engines matters for two reasons: a single-engine hit may be a false positive, and a sample that only one or two engines catch may be a new or advanced variant that warrants dynamic analysis rather than removal from the queue. The agreement threshold is a tuning knob: set it too low and novel samples are filtered out along with commodity malware; set it too high and the sandbox keeps receiving files that are already well known.

  2. Data Point for Low Detection

    The converse of using multi-scanning to sort out known malware is using it as a data point to identify threats that may be particularly new or effective at evading detection. A low detection count on its own says little (most clean files have none), but for a sample that is already suspicious, knowing that few or none of the anti-malware engines detect it is a strong signal of an emerging threat, one that might otherwise not look unique or worth further analysis.

  3. Data Point for Geographic Analysis

    (Figure: Multi-scanning with geographical data)

    Multi-scanning with geographically diverse anti-malware engines adds a further benefit. Because anti-malware vendors collect much of their telemetry from their home markets, early detection by a given engine often correlates with the region where the malware was first released or is most prevalent. This is an additional data point that can help analysts understand the origin of new threats; it indicates where a sample is circulating, not who wrote it, and should be read as a correlation rather than attribution.
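The three uses above fit together as one triage step in front of the sandbox. The following Python is an added example, not OPSWAT code or the output format of any real multi-scanning product: it takes constructed per-engine verdicts, drops samples that enough engines agree on (reason 1), promotes samples that only a minority of engines catch (reason 2), and reports the region whose engines detected a sample when one region dominates (reason 3). The engine names, their regions, the agreement threshold and the sample hashes are all placeholders.

```python
"""Triage multi-scan results before dynamic analysis (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical engine -> home-region table. In practice this comes from your
# multi-scanning platform's engine list and the vendors' primary markets.
ENGINE_REGION = {
    "engine_a": "EU", "engine_b": "EU",
    "engine_c": "APAC", "engine_d": "APAC",
    "engine_e": "NA", "engine_f": "NA",
}

# Assumed tuning value: this many independent engines must agree before a
# sample is treated as known malware and dropped from the sandbox queue.
KNOWN_MALWARE_MIN_ENGINES = 3


@dataclass(frozen=True)
class ScanResult:
    sha256: str
    detections: dict  # engine name -> detection label, only for engines that flagged it


def classify(result: ScanResult) -> str:
    """Return 'known_malware', 'low_detection' or 'undetected'."""
    n = len(result.detections)
    if n >= KNOWN_MALWARE_MIN_ENGINES:
        return "known_malware"   # reason 1: enough engines agree, skip the sandbox
    if n >= 1:
        return "low_detection"   # reason 2: caught by a minority, prioritise it
    return "undetected"          # clean or a true zero-day: sandbox at normal priority


def region_hint(result: ScanResult):
    """Reason 3: region whose engines detected the sample, if one dominates.

    Returns (region, share_of_detecting_engines) or None when no region holds
    a strict majority. A hint is a correlation with where the sample is
    circulating, not attribution of who wrote it.
    """
    regions = Counter(ENGINE_REGION[e] for e in result.detections if e in ENGINE_REGION)
    if not regions:
        return None
    region, hits = regions.most_common(1)[0]
    share = hits / sum(regions.values())
    return (region, share) if share > 0.5 else None


def triage(results):
    """Split scan results into sandbox queues keyed by disposition."""
    queues = {"skip": [], "priority": [], "normal": []}
    for r in results:
        verdict = classify(r)
        if verdict == "known_malware":
            queues["skip"].append(r.sha256)
        elif verdict == "low_detection":
            queues["priority"].append(r.sha256)
        else:
            queues["normal"].append(r.sha256)
    return queues


# Constructed sample results; hashes and detection labels are placeholders.
SAMPLES = [
    # Four engines across three regions agree: commodity malware, skip the sandbox.
    ScanResult("a" * 64, {"engine_a": "Trojan.Generic", "engine_c": "Trojan.Agent",
                          "engine_e": "Win32.Trojan", "engine_f": "Malware.Heur"}),
    # Only two engines, both APAC: low detection, and a regional hint.
    ScanResult("b" * 64, {"engine_c": "Trojan.Dropper", "engine_d": "Backdoor.Agent"}),
    # No detections at all.
    ScanResult("c" * 64, {}),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.sha256[:12], classify(s), region_hint(s))
    print(triage(SAMPLES))
```

Note that the first sample gets no regional hint even though it is clearly malicious: its detections are spread across regions (NA holds exactly half, not a majority), which is what you expect for widely distributed malware. The hint is most informative precisely for low-detection samples where one region's engines lead.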

For more information, please contact one of our cybersecurity experts.
