Finally, deploying, maintaining, and updating agents on every endpoint can be challenging, especially in heterogeneous deployments where multiple versions of different operating systems and architectures coexist.Ī complementary approach to the detection of these sophisticated threats relies on off-line analysis of an endpoint’s memory dump, which is a snapshot of the contents of volatile memory at a specific point in time. Third, depending on how it is deployed, the agent not have access to specific portions of the user-space and kernel-space memory, and, as a consequence, may miss important evidence of a compromise. Second, a malware sample can detect the presence of an agent and attempt to either disable the agent or evade detection. First, the agent introduces a constant overhead in the monitored OS - caused by both the resources used by the agent process (e.g., CPU, memory) and the instrumentation used to capture relevant events (e.g., API hooking). However, this approach has a number of drawbacks. The most effective approach to the detection of these sophisticated malware components is to install on the protected operating system an agent that continuously monitors the OS memory for signs of compromise.
Memory analysis plays a key role in identifying sophisticated malware in both user space and kernel space, as modern threats are often file-less, operating without creating a file system artifact.
0 kommentar(er)
