RSA ECAT software is an enterprise malware threat detection and response solution that enables you to easily detect, monitor and protect your environment from undesirable software and the most elusive malware — including deeply hidden rootkits, Advanced Persistent Threats (APTs), Metasploit’s Meterpreter and viruses.
With ECAT, analysts and incident response teams don’t waste time filtering through background noise and false positives. With the industry’s broadest whitelisting and software reputation services built in and powerful enterprise-wide anomaly detection, known good files are quickly identified and added to the baseline, highlighting truly malicious activity for immediate attention.
In one integrated package, ECAT provides:
for all Windows environments, scaling up to 20,000 endpoints per ECAT server.
ECAT Feature Summary:
Custom low-level access parsers for disk, memory access, registry access
Live code integrity check to find malware code hiding in trusted applications
The ECAT workflow to find unknown malware in large environments is:
1. Deploy and Scan
The ECAT agent is a self-contained executable deployed on servers and workstations that you want to assess or monitor. It coexists peacefully with existing security solutions.
Once deployed, the agent reports to a centralized ECAT server from which it receives instructions. When a scan is requested, the agent uses a set of low-level functions to inventory all running processes and drivers and runs a number of checks to identify malware-related behavior.
Among these checks, the agent validates Windows kernel internal structures, searches for signs of malware trying to conceal its presence, sweeps memory for Metasploit traces and validates the integrity of key kernel and user modules.
The information gathered during the scan process is sent to a centralized server for analysis. Unknown files are automatically downloaded from the scanned computers and run through OPSWAT Metascan Antivirus to find viruses missed by the corporate antivirus solution.
The ECAT console presents the operator with a complete view of the scanned computers along with a machine suspect level (MSL) indicator for identifying which computers should be investigated first.
Whenever possible, ECAT correlates a suspicious behavior with its author: a driver, a process, a DLL or a memory block (floating code). ECAT then displays contextual intelligence about the author:
Metadata: file time, file size, file attributes, MD5
Code signing information and validation
Correlation across the environment
Bit9 threat level
Known anomalies database correlation
A suspicious module can be whitelisted, blacklisted or graylisted by the operator. Once categorized, the module is then considered as such for the whole environment. The operator can also add a comment to be later included in the report.
To accelerate the whitelisting process, a scan of a clean computer (usually built from the standard enterprise image) should be conducted as a baseline.
ECAT has an optional remediation module sold as an Incident Pack license. If a scan determines an endpoint is compromised with malware that the AV missed and which can be identified by the remediation module, the remediation agent can be pushed out by the operator to clean the endpoint.
The ECAT agent can be configured to perform a scan at scheduled time intervals.
When a change occurs, the Machine Suspect Level (MSL) of the affected computer rises and the operator can quickly pinpoint the cause. Recurrent assessment processes will flag newly installed executables or malware.
ECAT does not block new applications from executing. Maintenance scans can therefore be run multiple times per day for only a few minutes at a time.
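To make the baseline-whitelisting and Machine Suspect Level workflow described above concrete, here is an added Python sketch; it is not ECAT code and ECAT's real scoring is not documented on this page. It seeds a whitelist from a clean-image scan, correlates module hashes across hosts, applies environment-wide operator verdicts and ranks hosts for triage; hostnames, paths, file contents and point weights are all constructed.

```python
import hashlib
from collections import Counter, namedtuple

Module = namedtuple("Module", "path md5 signed")  # one loaded module as an agent would report it

def mod(path, content, signed=True):
    """Constructed module record; the MD5 of made-up content stands in for the real file hash."""
    return Module(path, hashlib.md5(content).hexdigest(), signed)

# Constructed sample scans standing in for agent results (hypothetical hosts and paths).
BASELINE_SCAN = [mod("C:/Windows/System32/ntoskrnl.exe", b"kernel-v1"),
                 mod("C:/Windows/System32/kernel32.dll", b"k32-v1")]
VENDOR = mod("C:/Program Files/Vendor/agent.exe", b"vendor-v1")
FLEET_SCANS = {
    "ws-01": BASELINE_SCAN,
    "ws-02": BASELINE_SCAN + [mod("C:/Users/bob/AppData/svchost.exe", b"dropper", signed=False)],
    "ws-03": BASELINE_SCAN + [VENDOR],
    "ws-04": BASELINE_SCAN + [VENDOR, mod("C:/Temp/update.dll", b"known-bad", signed=False)],
}
# Operator verdicts apply environment-wide and are keyed by hash, not by host.
VERDICTS = {hashlib.md5(b"known-bad").hexdigest(): "black"}

def baseline_whitelist(clean_scan):
    """A scan of a clean gold image seeds the whitelist."""
    return {m.md5 for m in clean_scan}

def prevalence(scans):
    """Hosts per hash: the 'correlation across the environment' signal."""
    return Counter(m.md5 for mods in scans.values() for m in set(mods))

def machine_suspect_level(mods, whitelist, verdicts, prev, fleet_size):
    """Illustrative MSL: only non-whitelisted modules score; rarity and a missing signature add."""
    score = 0
    for m in mods:
        verdict = verdicts.get(m.md5, "white" if m.md5 in whitelist else "unknown")
        if verdict == "white":
            continue
        points = {"black": 100, "gray": 30}.get(verdict, 5 if m.signed else 20)
        if fleet_size > 1 and prev[m.md5] == 1:  # seen on a single host only
            points += 10
        score += points
    return min(score, 100)

def triage_order(scans, clean_scan, verdicts):
    """Hosts ordered by MSL, highest first: the operator's investigation queue."""
    whitelist, prev = baseline_whitelist(clean_scan), prevalence(scans)
    scored = {host: machine_suspect_level(mods, whitelist, verdicts, prev, len(scans))
              for host, mods in scans.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))
```

Re-running `triage_order` after each maintenance scan shows the same effect the text describes: a newly installed, unsigned, single-host module raises that host's MSL while modules already in the baseline stay silent.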
5. Forensics data gathering and analysis
ECAT includes a set of tools to gather key information needed for a complete forensic analysis and cybercrime investigation. Key amongst these tools are:
Full memory downloads: ECAT can pull down from a suspect machine a complete live memory dump for further analysis.
MFT Viewer: Locate and remotely download hacked and deleted files in a forensically sound manner
For more information on ECAT and how ECAT can detect compromised systems in your environment, contact us for a demonstration or evaluation, download the ECAT datasheet or download our whitepaper.
Silicium Security has been acquired by EMC and is now part of RSA, The Security Division of EMC. Find more details here. The ECAT team is based in Quebec, Canada. For more information about ECAT Advanced Malware Detection, email us at email@example.com or get our full contact details here. You can stay updated by subscribing to our newsletter or our blog.