How Forensics is Better Than Detection

A friend and fellow colleague of mine Elijah Bagdonas recently sent me an awesome explanation of Check Point’s Forensics software. This software is a must have for any enterprise today. I wanted to share his writing with you.

 In the world of anti-malware most people are satisfied with good detection capabilities. But when we really stop to think about what detection gives us, it’s rather disappointing. It’s little more than a big red flashing light that says “ALERT: SOMETHING HAPPENED!” The question then becomes, what is that something that happened and what should I do about it? Here’s where the headache begins.

In most cases of virus detection the administrator has three realistic options:

  • Rely on Anti-Malware quarantine to clean up the mess
  • Re-Image the computer
  • Traditional forensic analysis

 In the case of Anti-Malware quarantine we first have to “know” about the malware. We must be able to identify a signature or behavior and be able to stop the infection before it starts. Sometimes malware can occur in a series of processes and we are only able to detect the last element in the chain. If we eliminate the known elements, the unknown elements can propagate again, putting us into an infection loop. We also can’t identify the damage done during the infection. Even though we detect the malware, it may have already accomplished its goal and we have no way of knowing.

Our second option has its own set of headaches. Re-imaging a computer is often the easy way out but it can be of great inconvenience to the user-base. This invasive process can often leave you with lost data and disruptive downtime to the end user resulting in lost productivity. This will also not protect you from future attacks of the same malware.

The final approach is traditional analysis of the machine to see what happened and how it can be reversed. Having this kind of skill with the advanced malware we see today is very scarce and requires specialized training. Traditional analysis is also very time consuming and costly to perform and with advanced malware, it can often clean up its own tracks before you get a chance to discover it.

There’s a better way

With the introduction of Check Point’s Endpoint Forensics we now have a way to see the whole picture. By keeping tabs on any and all changes that occur on the system, we can develop a comprehensive image of EXACTLY what happened when the infection hit in an easy to digest roadmap.



In this example, the oem7ec2.exe process triggered a malware event. Since we’ve been keeping tabs on the changes, we can backtrack and find out exactly what happened (even across system boots). Let’s look at the steps that brought us to this point.

  • Chrome process launched
  • Chrome exploit is used while browsing to launch handle.tmp process
  • tmp process schedules a shellcode download to occur on next boot
  • exe payload is downloaded and ran on startup
  • Malicious code runs and sends personal data to C&C center

Since we know the whole story and all of the processes involved, we can also see that companysecret.doc was sent outbound resulting in a loss of data.

With this roadmap, not only do we have the complete picture of the steps involved, but a means to clean it up. Knowing all the steps means we can dynamically generate a script to clean up the mess that was left behind for easy remediation.

Armed with knowledge of everything involved it’s easy to see why Endpoint Forensics is clearly better than detection.