Introducing Opcode Malware Classifier [CYFOX AG.AI]
Written by Omer Kushmirski
Updated over 7 months ago

In the past, the number of harmful executables was relatively limited, so it was manageable to maintain a blocklist of known-bad file hashes (a hash is a fixed-length digest computed from the exact bytes of a file; two files with identical contents share a hash, and any change to the contents produces a different one).

As technology advanced, more and more malicious executables were created, and attackers learned that even a trivial change to a file (appending bytes, editing an embedded string, rebuilding the binary) yields a new hash, which is enough to bypass anti-virus products that rely on hash blocklists alone.

These developments led to an enormous number of new malicious hashes, with an estimated 500 million new hashes appearing per day as of 2023. Keeping up with that volume requires extensive research effort, and it has made hash-based antivirus and EDR detection less effective than ever.

No Need To Keep Chasing After New Hashes

The Opcode Malware Classifier directly addresses the challenge posed by the vast number of new malicious hashes generated daily. By parsing the executable file and analyzing its assembly code, the engine can detect and prevent threats that hash-based methods miss. Instead of relying on surface characteristics that an attacker can change at will, it examines the instruction-level content of the file, what the code actually does, which provides a more robust threat detection mechanism.

It is also important to mention that investigating each new harmful hash requires significant effort from research teams, so continually chasing new malicious hashes is both difficult and inefficient. Today, more than ever, a security business needs a detection method that does not scale with the number of hashes.

Disclaimer

The Opcode Classifier functions as an additional fully automated layer, meaning the end user or XDR admin does not need to take any action for it to operate and discover new attacks.

This layer works alongside the existing layers supported since version 2.0.

The functionality is supported starting from AG.AI Windows Agent version 2.1. To ensure the opcode classifier is active across your organization, verify that every Windows Agent is at version 2.1 or above. The XDR admin can check this on the server's inventory page. End users can verify it by clicking the Agent icon on their computer and reading the version shown in the pop-up.

The Opcode In Action

How It Works

Like the other engines integrated into the Agent (for example, the static engine), each executable file is actively scanned by the Agent, with every engine analyzing it at its own level. The two engines dedicated to executable files, the static engine and the opcode engine, scan each file simultaneously.

The static engine looks for known-malicious files by comparing their hashes against a blocklist (essentially looking at the file's surface), while the opcode engine opens the file in an isolated environment, decodes and analyzes its code, and returns a verdict (essentially looking beyond the surface).

The opcode engine, which is considered the more advanced of the two, is not meant to replace the traditional static engine but to work alongside it using a "first to notice" approach. This means that both engines will scan the file at the same time, and whichever engine detects malware first will initiate the mitigation process.

In the example below, you can see how the static engine identifies malware using hash blacklisting methods:

Step 1: An End User Downloads a File, Triggering an Attack Attempt

Step 2: The Static Engine Mitigates the Malware

Immune to Hashing Manipulations

As advanced attackers are familiar with hash blocklisting, some alter a file's hash on purpose, for example by appending bytes or modifying embedded data, to bypass traditional EDR and static engines.

However, even if they bypass the signature-based method (the static engine) by changing the hash, the opcode engine can still block the file before execution, because such manipulations change the file's bytes without changing the instructions it contains. Note that a transformation that does rewrite the code (recompiling, packing, or obfuscating it) changes the opcode sequence as well, which is why the opcode engine complements the static engine rather than replacing it.
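The following is an added illustration of the two-layer scan described under "How It Works" and of the hash-manipulation case above; it is example code written for this article, not CYFOX's engine. It models an executable as a constructed container (code section, data, optional overlay), runs a hash-blocklist check and an opcode-bigram similarity check over it, and shows that appending an overlay and editing a string changes the SHA-256 but leaves the decoded opcode sequence identical. The opcode table is a small, fixed-length subset of x86 one-byte opcodes chosen for the demo; the samples, the blocklist and the 0.9 similarity threshold are all constructed here.

```python
"""Toy two-layer executable scanner: hash blocklist plus opcode-bigram classifier.

Added example for this article, not the product's code.  The container format,
opcode subset, samples and threshold are assumptions made for the demo.
"""
from __future__ import annotations

import hashlib
import math
import struct
from collections import Counter

# Assumption: a tiny fixed-length subset of x86 opcodes (register-direct ModRM
# only for xor).  A real decoder must handle prefixes, ModRM/SIB and
# displacements; anything outside this table simply stops decoding.
OPCODE_TABLE = {
    0x55: ("push ebp", 1),
    0x5D: ("pop ebp", 1),
    0x90: ("nop", 1),
    0xC3: ("ret", 1),
    0xCC: ("int3", 1),
    0xE8: ("call", 5),     # call rel32
    0xEB: ("jmp", 2),      # jmp rel8
    0x6A: ("push", 2),     # push imm8
    0x68: ("push", 5),     # push imm32
    0xB8: ("mov eax", 5),  # mov eax, imm32
    0x31: ("xor", 2),      # xor r/m32, r32 (register-direct ModRM)
}


def build_file(code: bytes, data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed stand-in for a PE: 4-byte code length, code, data, overlay."""
    return struct.pack("<I", len(code)) + code + data + overlay


def code_section(blob: bytes) -> bytes:
    (length,) = struct.unpack("<I", blob[:4])
    return blob[4:4 + length]


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def disassemble(code: bytes) -> list[str]:
    """Mnemonic sequence of CODE; stops at the first byte not in the table."""
    mnemonics, i = [], 0
    while i < len(code):
        entry = OPCODE_TABLE.get(code[i])
        if entry is None or i + entry[1] > len(code):
            break
        mnemonics.append(entry[0])
        i += entry[1]
    return mnemonics


def opcode_bigrams(code: bytes) -> Counter:
    """Histogram of consecutive mnemonic pairs: the feature the classifier compares."""
    ops = disassemble(code)
    return Counter(zip(ops, ops[1:]))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


# Constructed samples.  The "malware" code pushes an argument, calls twice and returns.
MALWARE_CODE = bytes([
    0x55,                          # push ebp
    0x31, 0xC0,                    # xor eax, eax
    0x68, 0x41, 0x41, 0x41, 0x41,  # push imm32
    0xE8, 0x10, 0x00, 0x00, 0x00,  # call rel32
    0x6A, 0x01,                    # push 1
    0xE8, 0x20, 0x00, 0x00, 0x00,  # call rel32
    0x5D,                          # pop ebp
    0xC3,                          # ret
])
BENIGN_CODE = bytes([0x55, 0x90, 0x90, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3])

ORIGINAL = build_file(MALWARE_CODE, b"\x00c2.example.invalid\x00")
# Same code; the attacker edits the embedded string and appends junk to the overlay.
MANIPULATED = build_file(MALWARE_CODE, b"\x00c2-new.example.invalid\x00", overlay=b"\xAA" * 64)
BENIGN = build_file(BENIGN_CODE, b"\x00hello\x00")

HASH_BLOCKLIST = {sha256_hex(ORIGINAL)}                 # what the static engine knows
MALICIOUS_PROFILES = [opcode_bigrams(MALWARE_CODE)]     # what the opcode engine knows
SIMILARITY_THRESHOLD = 0.9                              # assumed for the demo


def static_engine(blob: bytes) -> bool:
    return sha256_hex(blob) in HASH_BLOCKLIST


def opcode_engine(blob: bytes) -> bool:
    features = opcode_bigrams(code_section(blob))
    return max(cosine(features, p) for p in MALICIOUS_PROFILES) >= SIMILARITY_THRESHOLD


def scan(blob: bytes) -> list[str]:
    """Names of the engines that flag BLOB; an empty list means the file is allowed.
    In the product both run concurrently and the first to flag starts mitigation."""
    hits = []
    if static_engine(blob):
        hits.append("static")
    if opcode_engine(blob):
        hits.append("opcode")
    return hits


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("manipulated", MANIPULATED), ("benign", BENIGN)):
        print(f"{name:12s} sha256={sha256_hex(blob)[:16]}... flagged_by={scan(blob)}")
```

Running the script shows the original sample flagged by both engines, the hash-manipulated copy flagged only by the opcode engine (its SHA-256 is new, its bigram histogram is identical), and the benign sample passing both. The bigram histogram is a deliberately simple feature; the point it makes is that the feature is computed from the instructions, so edits outside the code section cannot move it.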

Note that each time a file is mitigated, the Agent sends a notification that names the engine that identified the malicious behavior. In the two scenarios above, a different engine mitigated the attack: the static engine in the first and the opcode engine in the second.
