MetaDefender Core Threat Intelligence Engine

Usage

MetaDefender Core can be configured to communicate with MetaDefender Cloud via the Threat Intelligence Engine. The engine uploads files to MetaDefender Cloud, where two actions can be performed:

  • Multiscanning with 20+ engines

  • Sandbox Dynamic Analysis

Every workflow rule can be configured to send infected files to a special section called quarantine, where detected malware is pinned for future reference and where Threat Intelligence analysis is performed. See this page for how to enable sending files to quarantine.

MetaDefender users can request another analysis report from MetaDefender Cloud for quarantined files by clicking the cloud button in the upper right corner.

The file is automatically uploaded and scanned, and the results are displayed when you click the file and select the "Threat intelligence results" tab.

To enable the engine, make sure the "Threat Intelligence" technology is licensed and enabled. This is controlled by the activation key. If it is enabled, it is listed in the "Technologies" panel.

Use cases

It is often the case that certain files still cannot be trusted even after performing multiscanning. It could be that only a small number of engines detected the file as infected, or that the file was detected as "Suspicious".

In such cases, a second opinion is very valuable. MetaDefender Cloud uses a set of engines that differs from the MetaDefender Core packages (see the licensing page for the full list) and can return more accurate results than MetaDefender Core packages with up to 20 engines.

In cases where multiscanning is not enough to detect malware, Sandbox Dynamic Analysis can be used to perform extensive analysis of the file in search of unknown threats.

Settings

  • Before using the engine, the MetaDefender Cloud API key needs to be pasted into the settings. The API key can be found on the OPSWAT profile page.

  • Sandbox analysis can also be configured. Users can select:

    • The operating system that will be used to analyze the files

    • Timeout: short or long analysis

    • Browser