The live Endpoint Analysis Scanner is a feature unique to Intezer that scans the memory of your machine, finding any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.
The lightweight memory scanner is a single executable file that doesn't require installation and runs once on the endpoint, in user mode, and with admin privileges.
The memory scan takes several minutes and can be done simultaneously on several endpoints. Results from all scanned endpoints are available through the Endpoint and Memory Scans report, under the History tab.
Quickly Triage a Suspected Endpoint
Incident investigations usually begin with a triggered alert. To determine the actual cause, you should investigate the originating machine. The readily available data comes from the logs and alerts of other network security products, but the ground truth is found only through memory analysis, which reveals any malicious or unauthorized code that was executed but is usually an advanced and time-consuming process. Intezer's Endpoint Analysis tool allows a full memory scan and analysis of any live Windows machine within just a few minutes.
You can also use this feature to detect lateral movement by running the scanner at scale across your organization’s endpoints.
Accelerate Memory Forensics During an Incident
In some cases you do not have access to live machines and instead only receive memory dump files from the suspicious endpoints. For this, you can accelerate the memory dump analysis process using the Intezer Analyze Volatility Plugin.
Proactively Hunt for Malware Loaded to Memory
Running the endpoint scanner periodically allows you to quickly and easily detect compromised endpoints within your organization.
How Does it Work?
If you are using Intezer EDR Connect, follow this guide: Intezer’s Live Endpoint Scanner Script - EDR Set Up. To run it directly on an endpoint, follow these steps:
1. Download: Download the endpoint scanner and run it on the suspicious endpoint.
2. Scan: Double-click Scanner.exe and enter your API key (you can find your API key on the Account Details page). The scanner collects all running code from memory. Please note: the scanner collects only executable code, not documents or any other data that is not binary code.
3. Analyze: The collected modules are analyzed using Genetic Analysis technology, sifting through every piece of binary code running in memory and referencing it against Intezer's vast database of trusted and malicious code.
4. Review the Results: Go to the Endpoint and Memory Scans report, in the History tab, to find your scan results.
If any threats were found at this stage, Intezer will notify you. The endpoint analysis report includes:
- Verdict (whether the endpoint is infected or not)
- Classification (if infected, what is the exact malware threat?)
- Code and string reuse
- Process tree of the relevant findings
If any traces of malicious code are found in memory, the endpoints will be marked as "Infected".
- All the data accessible in the console is also accessible through an API.
- You can also refer to the endpoint FAQ section.
Acquit an Endpoint
During the analysis, code from the endpoint's memory is 'genetically' referenced against both Intezer's and the organization's code database. To avoid receiving alerts for unknown pieces of code that are legitimate and specific to your company, it is recommended to create a trusted baseline for your organization's code by using the Acquit Endpoint feature.
After acquitting the endpoint, the scan is reanalyzed and the unknown code is privately indexed as Trusted.
- If you are using Intezer EDR Connect (such as with SentinelOne or CrowdStrike), follow this guide to set up the Live Endpoint Scanner Script in your EDR.
Troubleshooting Live Endpoint Analysis Scanner:
If you get the following error message when trying to run the scanner:
Failed to set SeDebugPrivilege. Reason: Failed to set token privilege. Reason: AdjustTokenPrivileges failed. Reason: .
This means the user running the scanner has not been granted the "Debug programs" right in group policy.
Add the admin user used to perform the scan to that group policy setting (no need to restart the host).
If you are unable to run the scan and receive one of the following errors:
It is possible one of the things below is the issue:
- SSL interception is being done - check whether the certificate is being modified (replaced) when you access analyze.intezer.com
- Inaccessibility - make sure you open the following ports:
443 (https) outbound to analyze.intezer.com.
80 (http) outbound to crl.godaddy.com.
- Proxy usage - in case the endpoint is behind a proxy server use the following command:
Scanner.exe -k API_KEY -p <proxy_address>
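A preflight script that runs the checks from the troubleshooting list above (outbound ports, TLS interception, the SeDebugPrivilege requirement, and proxy detection) and then assembles the Scanner.exe command line from the Scan step. This is an added example, not Intezer's own tooling; it assumes Scanner.exe sits in the current directory, the -k and -p parameters shown on this page, and a placeholder API key.

```powershell
# Preflight checks for the Intezer endpoint scanner (added example; not Intezer's own code).
# Assumptions: Scanner.exe in the current directory, -k/-p parameters as documented above.
param(
    [string]$ApiKey      = 'API_KEY_PLACEHOLDER',   # replace with your real API key
    [string]$ScannerPath = '.\Scanner.exe'
)

# 1. Outbound reachability for the two hosts the scanner needs (443 and 80 as listed above).
$targets = @(
    @{ Host = 'analyze.intezer.com'; Port = 443 },
    @{ Host = 'crl.godaddy.com';     Port = 80  }
)
foreach ($t in $targets) {
    $ok = (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    $status = if ($ok) { 'OK' } else { 'BLOCKED' }
    Write-Host ("[{0}] {1}:{2}" -f $status, $t.Host, $t.Port)
}

# 2. TLS interception check: show who actually issued the certificate this host receives.
#    If the issuer is your internal inspection/proxy CA, the connection is being intercepted.
#    The callback accepts any certificate only so the issuer can be read for this diagnostic.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient('analyze.intezer.com', 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient('analyze.intezer.com')
    Write-Host ("Certificate issuer: {0}" -f $ssl.RemoteCertificate.Issuer)
    $ssl.Dispose(); $tcp.Dispose()
} catch { Write-Host "TLS handshake failed: $($_.Exception.Message)" }

# 3. SeDebugPrivilege: the scanner enables it via AdjustTokenPrivileges, which fails unless the
#    account holds "Debug programs". whoami /priv lists only privileges present in the token.
$hasDebug = (whoami /priv) -match 'SeDebugPrivilege'
Write-Host ("SeDebugPrivilege held: {0}" -f [bool]$hasDebug)

# 4. Detect a system proxy; if one applies to analyze.intezer.com, pass it with -p.
$dest  = [Uri]'https://analyze.intezer.com'
$proxy = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($dest)
$scanArgs = @('-k', $ApiKey)
if ($proxy.AbsoluteUri -ne $dest.AbsoluteUri) { $scanArgs += @('-p', $proxy.Authority) }
Write-Host ("Command line: {0} {1}" -f $ScannerPath, ($scanArgs -join ' '))
# Uncomment to launch the scan from an elevated prompt with the assembled arguments:
# & $ScannerPath @scanArgs
```

Run it from an elevated PowerShell prompt on the endpoint before launching the scanner; a BLOCKED line, an unexpected certificate issuer, or "SeDebugPrivilege held: False" points directly at the matching troubleshooting entry above.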
Error processing data:
When seeing this error:
There is an error processing data from the background process. Error reported: Cannot process an element with node type "Text". Only Element and EndElement node types are supported..
The endpoint analysis was still completed, and the result can be viewed on the History page.
The issue is probably related to the host.
When running the Endpoint Scanner Script via the EDR and the scanner can not be downloaded with this error:
Error downloading the scanner. Error the remote name could not be resolved: 'intezerfiles.blob.core.windows.net'
There is an issue downloading the Scanner.exe file because the host cannot reach the download location.
Make sure the machine has access to the following addresses:
Incomplete scan result:
If the endpoint analysis result has returned as incomplete there could be a few causes.
Please contact support at firstname.lastname@example.org and attach the logs that can be found in the same directory that the scanner is located in, under the logs directory.
Didn't find what you were looking for? Need help?
You can contact our support team at email@example.com or by using the 'Help?' button on the Intezer Analyze platform.