Using VirusTotal for More than Simple AV Checks: How to Leverage Their Big Data to Threat Hunt in Your Network

Webinar Registration

Everyone uses VirusTotal’s free web page to check a file hash against multiple AV engines. But there’s much more you can do with the massive amount of data they collect every day (2 billion file uploads and counting), and that matters: just because the file you found on your network isn’t detected by any AV engine doesn’t mean it’s safe.

Once in a while that turns out to be the most dangerous type of file there is – a brand-new file being used only in a targeted attack against you. Or, just about as dangerous, it could be a zero-day exploit that is only now showing up. I’ll show you an example of that in this webinar.

But if you know what to look for, you can still learn a lot about a given file that indicates its threat level. VirusTotal tracks much more than AV engine results for each file it sees, and much of this is free, exposed through some very advanced user interfaces:

  • Provenance – where did this file come from?
  • History – when was this file first seen? How many times? How has the reputation of this file changed over time?
  • Behavior – did you know that VirusTotal executes uploaded files in their sandbox and records what the file does?
  • Referenced URLs – what websites and domain names does this file reach out to?
  • Strings – I’ll show you how this is useful when threat hunting in your own logs

VirusTotal also captures data specific to different file types:

  • On DLLs and EXEs you can examine “imports”: which other DLLs, and which functions within those DLLs, does this image call? That is extremely useful for identifying files that use potentially dangerous functionality in Windows or other programs
  • With Flash, you can see if the file uses features of Flash that are particularly useful to bad guys, like ActionScript 3 and the loadBytes functionality
  • Other data specific to many other file types

In this real training for free webinar, I’ll take a zero-day exploit described by a well-known security research team and then show you how to use the data in VirusTotal and your logs to determine if that exploit is already being used in your network, and how to set up rules to alert you if it does show up.

I’ll also show you how to leverage VirusTotal to analyze a new file that bubbles up from any one of your security products or threat hunting activities. First, we’ll determine if this file has ever been seen before in the wild. How long ago? Does it share techniques common to other known malware? I’ll focus on the free functionality in VirusTotal and be sure to call out features that are part of a paid subscription.
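As an added illustration of the workflow described above (not code from the webinar or from VirusTotal), the script below takes a file report, pulls out the indicators the abstract lists (referenced URLs, strings, PE imports), flags imports from a small watchlist, and sweeps a few proxy log lines for the domains the file reaches out to. The report, the watchlist and the log lines are all constructed for this example; the field names are modelled on the shape of a VirusTotal API v3 file object as the example's author understands it and should be treated as an assumption, not as VirusTotal documentation.

```python
"""Turn a VirusTotal-style file report into hunt indicators and sweep logs with them."""
import re
from urllib.parse import urlparse

# Constructed sample report. The layout (data/attributes, pe_info.import_list,
# last_analysis_stats) is an ASSUMPTION modelled on the VT v3 file object; the
# contacted URLs and strings are embedded here so the example runs offline.
SAMPLE_REPORT = {
    "data": {
        "id": "<sha256 placeholder>",
        "attributes": {
            "first_submission_date": 1700000000,   # constructed epoch value
            "times_submitted": 3,
            "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 70},
            "pe_info": {
                "import_list": [
                    {"library_name": "KERNEL32.dll",
                     "imported_functions": ["CreateProcessW", "VirtualAlloc", "WriteProcessMemory"]},
                    {"library_name": "WININET.dll",
                     "imported_functions": ["InternetOpenUrlA"]},
                ]
            },
        },
    },
    "contacted_urls": [
        "http://update-check.example.net/api/v1/beacon",
        "https://cdn.example.org/img.png",
    ],
    "strings": ["cmd.exe /c", "update-check.example.net", "Mozilla/5.0 (compatible; MSIE 9.0)"],
}

# Starter watchlist of imports worth a second look in an undetected file
# (an assumption of this example, not a VirusTotal list).
SUSPICIOUS_IMPORTS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "InternetOpenUrlA", "URLDownloadToFileA",
}

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:02:11Z 10.0.4.22 GET http://update-check.example.net/api/v1/beacon 200",
    "2024-05-01T10:02:15Z 10.0.4.22 GET https://www.example.com/ 200",
    "2024-05-01T10:03:40Z 10.0.7.9 GET http://update-check.example.net/api/v1/beacon 200",
    "2024-05-01T10:05:02Z 10.0.4.30 GET https://cdn.example.org/img.png 200",
]

_HOSTNAME_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
_NOT_HOSTS = (".exe", ".dll", ".sys")  # crude filter: "cmd.exe" looks like a hostname but isn't


def indicators_from_report(report):
    """Extract network domains, imported functions and the AV verdict from a report."""
    attrs = report["data"]["attributes"]
    domains = set()
    for url in report.get("contacted_urls", []):
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    # Bare hostnames in the strings section are also usable as log search terms.
    for s in report.get("strings", []):
        candidate = s.strip().lower()
        if _HOSTNAME_RE.fullmatch(candidate) and not candidate.endswith(_NOT_HOSTS):
            domains.add(candidate)
    imports = {
        fn
        for lib in attrs.get("pe_info", {}).get("import_list", [])
        for fn in lib.get("imported_functions", [])
    }
    undetected = attrs["last_analysis_stats"].get("malicious", 0) == 0
    return {"domains": domains, "imports": imports, "undetected": undetected}


def risky_imports(imports):
    """Return the watchlisted imports the file uses, sorted for stable output."""
    return sorted(imports & SUSPICIOUS_IMPORTS)


def hunt_in_logs(log_lines, domains):
    """Return (domain, line) pairs for every log line that mentions an indicator domain."""
    hits = []
    for line in log_lines:
        lower = line.lower()
        for domain in domains:
            if domain in lower:
                hits.append((domain, line))
                break
    return hits


def clients_seen(hits):
    """Client IPs (second field of the constructed log format) that touched an indicator."""
    return {line.split()[1] for _, line in hits}


if __name__ == "__main__":
    ind = indicators_from_report(SAMPLE_REPORT)
    print("AV-undetected:", ind["undetected"], "| risky imports:", risky_imports(ind["imports"]))
    hits = hunt_in_logs(SAMPLE_PROXY_LOG, ind["domains"])
    print(f"{len(hits)} log hits from clients {sorted(clients_seen(hits))}")
```

The point of the design is that an "undetected" verdict is not the end of triage: the same report still yields domains you can sweep your proxy logs for and imports that tell you what the file is built to do, and the hit list is the seed for the alert rule the abstract mentions.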

Please join us for this real training for free event.
