Skip to main content

Live Endpoint Analysis

  • Updated

If you are using Intezer EDR Connect for automating alert triage, follow this guide: Intezer’s Live Endpoint Scanner Script - EDR Set Up.

The live Endpoint Analysis Scanner is a feature unique to Intezer that scans your machine's memory, finding traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.

The lightweight memory scanner is a single executable file that doesn't require installation and runs once on the endpoint, in user mode, and with admin privileges.

The memory scan takes several minutes and can be done simultaneously on several endpoints. Results from all scanned endpoints are available through the Endpoint and Memory Scans report under the History tab.

Screenshot_2022-08-03_at_12.33.37_PM.png

Table of Contents

  1. Use Cases
    1. Quickly Triage a Suspected Endpoint or Detect Lateral Movement
    2. Accelerate Memory Forensics During an Incident
    3. Proactively Hunt for Malware Loaded into Memory
  2. How Does it Work?
  3. Acquit an Endpoint
  4. Automating Endpoint Forensics for Alert Triage
  5. Offline Endpoint Scanning
  6. Troubleshooting Live Endpoint Analysis Scanner

Use Cases

1. Quickly Triage a Suspected Endpoint or Detect Lateral Movement

Incident investigations usually begin with a triggered alert. To determine the actual cause, you should look into the originating machine. The readily available data you receive comes from logs and alerts of other network security products. Still, the ground truth is only found through memory analysis, which will reveal any malicious or unauthorized code that was executed. It is usually an advanced and time-consuming process.  Intezer’s Endpoint Analysis tool allows for a full memory scan and analysis of any live Windows machine within just a few minutes.

You can also use this feature to detect lateral movement by running the scanner at scale across your organization’s endpoints.

2. Accelerate Memory Forensics During an Incident

Sometimes, you do not always have access to live machines and only receive memory dump files from the suspicious endpoints. You can accelerate the memory dump analysis process using Intezer Analyze Volatility Plugin.

3. Proactively Hunt for Malware Loaded into Memory

Running the endpoint scanner periodically allows you to quickly and easily detect compromised endpoints within your organization.
 

How Does it Work?

If you are using Intezer EDR Connect, follow this guide: Intezer’s Live Endpoint Scanner Script - EDR Set Up. To run it directly on an endpoint, follow these steps:  

  1. Download: Download the endpoint scanner and run it on the suspicious endpoint.
  1. Scan: Double-click on Scanner.exe and enter your API key (you can find your API key on the Account Details page). It will collect all running code from memory. Please note: The scanner collects only executable code, not documents or any data that is not binary code.
  2. Analyze: The collected modules are analyzed using Genetic Analysis technology, sifting through every piece of binary code running in memory and referencing it against Intezer’s vast database of trusted and malicious code.

ep_scan_page.png

    4. Review the Results: Go to the Endpoint and Memory Scans report in the History tab to find your scan results.

     

    If any threats are found at this stage, Intezer will let you know. The endpoint analysis report includes the following:

    • Verdict (whether the endpoint is infected or not)
    • Classification (if infected, what is the exact malware threat?)
    • Code and string reuse
    • Process tree of the relevant findings
     
    ep_file_data.png

    If any traces of malicious code are found in memory, the endpoints will be marked as "Infected".

    • All the data accessible in the console is also accessible through an API.

    Scheduled tasks information is shown in the correlated tab:

    ep_schedule_tasks.png

     

    Acquit an Endpoint

    During the analysis, code from the endpoint’s memory is ‘genetically’ referenced against Intezer and the organization’s code database. To avoid getting alerts for unknown pieces of code that are legitimate and distinct to your company, creating a trusted baseline for your organization’s code is recommended by using the Acquit Endpoint feature.

    After acquitting the endpoint, the analysis will be reanalyzed, and the unknown code will be privately indexed as Trusted.

     

    Automating Endpoint Forensics for Alert Triage

     

    Offline Endpoint Scanning

    When the endpoint is disconnected from the internet, and the scanner can't access the Intezer instance, it's possible to store the scanner output offline, transfer the output to another location, then upload it for analysis to Intezer.

     

    Storing Scanner Output Offline

    When running the scanner from the command line, the --scans-output-dir (or -o) option allows you to specify the root directory where the Scanner will create a new directory for each scan. The name of each subdirectory will follow a fixed pattern: "scan_" + computer name + date and time. For example, if you run a scan on a computer named "MyPC" on January 1st, 2023, at 6:00 PM, the Scanner will create a directory called "scan_MyPC_2023-01-01_18-00-00". Additional subdirectories will be created for other scan-related data.

     

    Uploading Offline Scans to Intezer for Analysis

    The offline scans can be uploaded to the Intezer Analyze using either the 'EndpointAnalysis' class in the Intezer Python SDK or the Intezer Analyze CLI utility. To use the Analyze CLI utility, run the following command: intezer-analyze upload_endpoint_scan <path to scan>, where "<path to scan>" is the path to the scan subdirectory starting with the “scan_” prefix. The Analyze CLI utility can also upload multiple scans stored in the same root directory. The command to use is "intezer-analyze upload_endpoint_scans_in_directory <scan root directory>" where "<scan root directory>" is the path you provided in the “-o” option containing the “scan_” prefixed subdirectories.

     

    Troubleshooting Live Endpoint Analysis Scanner:

    • Missing privileges:

    If you get the following error message when trying to run the scanner:

    Failed to set SeDebugPrivilege. Reason: Failed to set token privilege. Reason: AdjustTokenPrivileges failed. Reason: [1300].

    This means the user running the scanner is not included in the “Debug programs” group policy.
    Resolution:
    Add the admin user used to perform the scan to the group policy. (No need to restart the host)

    • WINHTTP_CALLBACK errors:

    If you are unable to run the scanner and receive one of the following errors:

    WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED

    One of the below may be the issue:

    1. SSL interception is being done - add the SSL interception CA certificate to the host or exclude the URLs from the following issue.
    2. Inaccessibility - make sure you open the following ports:
      443 (HTTPS) outbound to analyze.intezer.com.
      80 (HTTP) outbound to crl.godaddy.com and ocsp.godaddy.com.
    3. Proxy usage - in case the endpoint is behind a proxy server, use the following command:
      Scanner.exe -k API_KEY -p <proxy_address>

    WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR

    As we support TLS 1.2 or higher, this error could be caused due to TLS 1.2 not being enabled.

    To enable it, please create the following registry values:

    1. HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client\\Enabled Type=REG_DWORD, Value=1
    2. HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS1.2\\Client\\DisabledByDefault Type=REG_DWORD, Value=0

    • Error processing data:

    When seeing this error while running the Endpoint Scanner script via the EDR :

    There is an error processing data from the background process. Error reported: Cannot process an element with node type "Text". Only Element and EndElement node types are supported..

    This error can be dismissed. The endpoint analysis was made, and the result can be viewed on the History page.

    • Inaccessibility issues:

    When running the Endpoint Scanner script via the EDR and getting this error:

    Error downloading the scanner. Error the remote name could not be resolved: '[intezerfiles.blob.core.windows.net](<http://intezerfiles.blob.core.windows.net/>)'

    There is an issue downloading the scanner.exe file due to the host's inaccessibility.

    Make sure the machine has access to the following addresses:

    1. analyze.intezer.com:443
    2. intezerfiles.blob.core.windows.net:443
    3. crl.godaddy.com:80 and ocsp.godaddy.com:80 

    • Incomplete scan result:

    If the endpoint analysis result has returned as incomplete, there could be a few causes.

    Please try to reanalyze the scan, and if the issue persists, contact support at support@intezer.com and attach the logs that can be found in the same directory that the scanner is located in, under the logs directory.

    • Didn't find what you were looking for? Need help?

    You can contact our support team at support@intezer.com or by using the 'Help?' button on the Intezer Analyze platform. 

    Return to top