Enterprise Signatureless Malware Detection

ECAT V.3.3 new features

ECAT V.3.3 is now released, and adds a  lot for deploying ECAT in large environments where performance and scalability are critical. ECAT also has a new optional remediation module and added Forensics functionality. The key new features are:

  • ECAT Remediation: Sold as an optional Incident Pack license, ECAT Remediation is a silent remediation agent that can be pushed out on demand from the console to an endpoint identified as compromised.
  • MFT Viewer: This standalone utility is included in ECAT for viewing the underlying Master File Table in NTFS partitions. The MFT Viewer allows you to remotely download and dig into the $MFT (Master File Table) in a forensically sound manner and to locate remnants of a hack or deleted files anywhere on disk.
  • File download filter: Exclude downloads of known good/whitelisted files and/or those signed with valid Certs to reduce bandwidth and storage requirements in very large deployments.
  • Faster database scan report insertion speed: Tests indicate an
    improvement of around 70-90%.
  • Improvements in the Global Module List display: We reworked the GML
    display process. It now loads the first pages virtually instantaneously
    instead of having to wait for the whole table to be transferred to the
    console.
  • DLLs and communications identification in Network Monitor:
    Previously, the network monitor displayed the communications for each process but not which module loaded within that process is communicating.ECAT now tracks the connections made by this module by discriminating
    those made by the malware’s DLL from the regular IE browsing session. The operator has immediate access to the number of machines where this file is present since all scanned data are stored in a SQL DB. There is no need to rescan the environment to find the same file, streamlining forensics and incident management. The same can also be done with IP addresses.
  • Custom hash set support: You can now create a custom hash set and use it like the NIST or the SSGSR databases for whitelisting and baselining. Initially, data from previous assessments ( Blacklist/whitelist XML export file) and from the global module list will be importable. Other formats will also be added in the future.