In the first of a series of technical thought leadership papers, the article provides an in-depth look at memory scanning protection and how it works. Memory scanning involves searching within a process’s memory for threats, which can be achieved in various ways and at different times by security products. This can occur when a new process is created or regularly for all or some processes on the system. The article explains that behavioral triggers for memory scanning can include suspicious API calls commonly used in process injection techniques.
The article highlights that memory scanning has been a focus of research and development for almost a quarter of a century. The capabilities have evolved from periodic and on-demand scans to behavioral-based memory scans with Host-based Intrusion Prevention Systems (HIPS). The current capabilities employ sophisticated behavioral technology that adapts as the threat landscape evolves. The article emphasizes that the approach is not reliant on pattern-matching but employs more complex logic, such as a Turing-complete definition language.
The article discusses the increasing use of “fileless” techniques by threat actors, such as process injection, packers, virtualized code, and crypters, to run malicious payloads. These techniques make it difficult for security solutions to distinguish between clean and malicious files. The article also mentions that many of these techniques are easily accessible to threat actors through open-source code repositories or commercial frameworks designed for legitimate penetration testing.
The article explains that memory scanning takes advantage of the fact that when malware is loaded into memory, it must reveal itself in some way. By examining the region of memory where this occurs in real-time, security solutions can determine if a thread or process contains malicious code. The article acknowledges that memory scanning has historically been computationally expensive, particularly when scanning an entire system’s memory. However, the use of contextual cues and targeted scanning can help maximize performance.
The article describes different types of targeted memory scans based on “where” and “when” the scanning occurs. It explains that targeting by “where” involves scanning both the parent and child processes when a suspicious process spawns another process and injects into it. Targeting by “when” includes inline scanning triggered by a specific behavior, asynchronous scanning where the process continues while being scanned, periodic background scanning for dormant fileless malware, scheduled scanning at specific times or intervals, and post-detection clean-up scanning to check for remnants of a malicious process in memory.
To demonstrate the different types of memory scanning, the article provides an example using the Agent Tesla Remote Access Trojan (RAT). The article states that in a real-world environment, the product would block execution as soon as the malware triggers any of the behavioral protections.
Overall, the article provides a comprehensive overview of memory scanning protection, its evolution, and its application in detecting and preventing threats. It emphasizes the importance of adapting to fileless techniques used by threat actors and the need for targeted and efficient memory scanning.