2.1.1. Introduction of engines
The GCenter uses several different engines for the following detections:
| Detection type | Engine | Time of detection | See |
|---|---|---|---|
| Anti-viral analysis of files | Malcore | Immediate, on the network flow | |
| Anti-viral analysis of files | Malcore retroanalyzer | Delayed, after the Malcore engine database is updated | |
| Powershell | Malicious Powershell detect | Immediate, on the network flow | |
| Shellcode | Shellcode detect | Immediate, on the network flow | |
| Search of the network flow for attack characteristics defined in rules | Sigflow | Immediate, on the network flow | |
| Malicious domain names | DGA detect | Immediate, on the network flow | |
| Search of the network flow for indicators of compromise defined in rules | Active CTI | Immediate, on the network flow | |
| Search of the network flow for indicators of compromise defined in rules | Retrohunt | Delayed, after the Retrohunt database is updated | |
| Search for ransomware executions | Ransomware detect | Immediate, on the network flow | |
| Search for communications to a malicious server during a Command and Control (C&C) attack | Beacon detect | Immediate, on the network flow | |
| Malware detection using rules | Yara | Immediate, on the network flow | |
2.1.1.1. Detection by GScan
- Malware: submits files to the Malcore engine
- Powershell: scans files containing PowerShell scripts and detects potential threats that can be used as a gateway to install malware on Windows. For malicious PowerShell scripts, detection is based on a supervised machine learning model and on the fact that such scripts generally rely on obfuscation techniques or similar (base64, concatenation, type conversion, etc.).
- Shellcode: scans files to detect shellcode (binary code designed to be injected into a program and executed by exploiting a vulnerability).
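The PowerShell item above says detection rests on a supervised model fed with obfuscation indicators such as base64, concatenation and type conversion. The following added example (not GCenter code) shows what such a feature vector can look like and scores two constructed scripts with it; the regular expressions, weights and threshold are assumptions standing in for the trained classifier.

```python
import base64
import re
from typing import Dict

# Indicators named in the GCenter description of Malicious Powershell detect:
# base64 blobs, string concatenation and type conversion. The patterns,
# weights and threshold below are assumptions made for this example.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")  # 'Get-' + 'Proc' style joins
TYPE_CONVERSION = re.compile(
    r"\[(?:System\.)?(?:Convert|Text\.Encoding|char|string|byte\[\])\]",
    re.IGNORECASE,
)
WEIGHTS = {"base64_runs": 3, "concatenations": 1, "type_conversions": 2}
THRESHOLD = 5


def extract_features(script: str) -> Dict[str, int]:
    """Count the obfuscation indicators; a model would consume this vector."""
    return {
        "base64_runs": len(BASE64_RUN.findall(script)),
        "concatenations": len(CONCAT.findall(script)),
        "type_conversions": len(TYPE_CONVERSION.findall(script)),
    }


def obfuscation_score(script: str) -> int:
    """Weighted sum standing in for the trained classifier's decision."""
    features = extract_features(script)
    return sum(WEIGHTS[name] * count for name, count in features.items())


def is_suspicious(script: str) -> bool:
    return obfuscation_score(script) >= THRESHOLD


# Constructed samples, not captured traffic. The base64 blob encodes harmless text.
B64 = base64.b64encode(b"constructed benign sample payload text").decode()
BENIGN = "Get-ChildItem -Path C:\\Logs -Filter *.log | Sort-Object LastWriteTime"
OBFUSCATED = (
    "$cmd = 'Get-' + 'Proc' + 'ess'; "
    "$txt = [System.Text.Encoding]::UTF8.GetString("
    f"[Convert]::FromBase64String('{B64}')); "
    "Write-Output $txt"
)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(label, extract_features(script), is_suspicious(script))
```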