Signature-based Analysis

Comparing a file’s signature with an up-to-date list of known malware signatures is the basis of standard antivirus protection and of the Cybereason Anti-Malware service. The Cybereason platform uses signature-based analysis to scan files on access and to prevent access and execution if a file is malicious.

Note

Signature-based analysis is disabled by default. To enable this feature, use the System > Policy Management screen.


How does signature-based analysis work?

Signature-based analysis utilizes file scans to find known malware.

By default, the Cybereason platform scans files that have extension types that can be executed, loaded, or run, because these files could contain malware or malicious content. For example, scanned files include files that have .exe, .dll, and .docx extensions.

Signature-based scans take place at the following times and locations:

| Time of scan | Description | How to execute the scan | Location of scanned files |
| --- | --- | --- | --- |
| On-access file scan | The Cybereason platform scans files when the end user attempts to access them. | Automatic | Local and network drives (note: Linux sensors do not scan network drives) |
| Scheduled scan | Administrators can configure periodic full or quick scheduled scans at specific times. | Configure from the Sensor policy > Anti-Malware screen. | Local drives |
| On-demand scan | Administrators can select specific sensors and perform full or quick on-demand scans. | Perform from the System > Sensors screen. | Local drives |

The Cybereason platform treats removable media such as USB and external hard drives as local drives and includes these removable media as part of scans. During scheduled scans, the Cybereason platform scans any files inside the USB drive. During an on-access scan, any files inside the USB drive are scanned once a user attempts to open a file or directory.

For more details on scans, see Configure scan properties.

If you enable Anti-Malware > Signatures mode, sensors receive signature database updates every 15 minutes from the NGAV Global update server, ensuring that the database remains current and helping the sensors detect and prevent known malware with very high accuracy. The sensor downloads 1.5 MB of Signature database updates per day.

Note

Signature-based analysis is supported on Windows, Mac, and Linux endpoints. For details on supported platforms, see Endpoint machine prevention features.

How does signature analysis determine if a file is malicious?

The Anti-Malware signatures analysis service scans files using advanced detection logic. The service also inspects the file to determine the file’s reputation and to search for malicious content embedded in the file, such as a module or script.

Depending on its findings, the Cybereason platform takes one of the following actions:

| Determination | Reputation | Anti-Malware Action |
| --- | --- | --- |
| File is infected. | Allowlist | Ignore the file and allow the file to be opened. |
| File is infected. | Neutral or Blocklist | Prevent the file from opening. If Signatures mode is set to Disinfect, disinfect the file if possible, and report the event as an Endpoint Protection MalOp in the Malops management screen. If the malware cannot be fully cleaned from the file, remove the file from the machine (do not quarantine the file). If Signatures mode is set to Prevent, prevent the file from executing but do not modify or move the file. |
| File is clean. | Neutral or Allowlist | No action is taken and the file can be opened. |
| File is clean. | Blocklist | Report the event as an Endpoint Protection MalOp in the Malops management screen. Allow the file to open. |
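The on-access flow described on this page (extension filter, signature match, reputation lookup, then the action from the determination table above) as an added Python example; it is not Cybereason's code. The signature database, reputation list, hashes and file contents are constructed stand-ins, and reporting is modelled only for the two rows where the table states it.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePath

# Constructed sample data, not a real signature feed: known-bad content keyed by
# SHA-256, plus a per-hash reputation list ("allowlist" / "blocklist"; otherwise neutral).
SCANNED_EXTENSIONS = {".exe", ".dll", ".docx"}
KNOWN_BAD = b"constructed sample of known-bad content"
CLEAN_BUT_BLOCKLISTED = b"constructed clean content an admin blocklisted"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}
REPUTATION = {hashlib.sha256(CLEAN_BUT_BLOCKLISTED).hexdigest(): "blocklist"}


@dataclass(frozen=True)
class Verdict:
    scanned: bool        # False when the extension is outside the scan set
    infected: bool       # signature matched
    allow_open: bool     # may the user open / execute the file?
    file_action: str     # "none", "disinfect" or "remove" (never quarantine)
    report_malop: bool   # Endpoint Protection MalOp raised


def determine(infected: bool, reputation: str, mode: str, disinfect_ok: bool = True) -> Verdict:
    """Apply the determination table. mode is 'Disinfect' or 'Prevent'."""
    if infected and reputation == "allowlist":
        return Verdict(True, True, True, "none", False)      # ignored, opens normally
    if infected:
        if mode == "Disinfect":
            # Clean if possible; if the file cannot be fully cleaned it is removed.
            return Verdict(True, True, False, "disinfect" if disinfect_ok else "remove", True)
        # Prevent mode: block execution, leave the file untouched.
        return Verdict(True, True, False, "none", False)
    if reputation == "blocklist":
        return Verdict(True, False, True, "none", True)      # clean but blocklisted: report, allow
    return Verdict(True, False, True, "none", False)


def scan_on_access(name: str, data: bytes, mode: str = "Disinfect", disinfect_ok: bool = True) -> Verdict:
    """Simulate one on-access scan: extension filter, hash lookup, reputation, action."""
    if PurePath(name).suffix.lower() not in SCANNED_EXTENSIONS:
        return Verdict(False, False, True, "none", False)   # not a scanned file type
    digest = hashlib.sha256(data).hexdigest()
    infected = digest in SIGNATURE_DB
    reputation = REPUTATION.get(digest, "neutral")
    return determine(infected, reputation, mode, disinfect_ok)
```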

See Set Anti-Malware Signatures mode for details on how to manage the Signatures settings.