The live Endpoint Analysis Scanner is a feature unique to Intezer that scans the memory of your machine, finding any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.
The lightweight memory scanner is a single executable file that doesn't require installation and runs once on the endpoint, in user mode, and with admin privileges.
The memory scan takes several minutes and can be done simultaneously on several endpoints. Results from all scanned endpoints are available through the Endpoint and Memory Scans report, under the History tab.
Use Cases
Quickly Triage a Suspected Endpoint
Incident investigations usually begin with a triggered alert. To determine the actual cause, you should investigate the originating machine. The readily available data comes from the logs and alerts of other network security products, but the ground truth is only found through memory analysis, which reveals any malicious or unauthorized code that was executed; this is usually an advanced and time-consuming process. Intezer’s Endpoint Analysis tool performs a full memory scan and analysis of any live Windows machine within just a few minutes.
You can also use this feature to detect lateral movement by running the scanner at scale across your organization’s endpoints.
Accelerate Memory Forensics During an Incident
In some cases you may not have access to the live machines and instead only receive memory dump files from the suspicious endpoints. In that case, you can accelerate the memory dump analysis process using the Intezer Analyze Volatility Plugin.
How Does it Work?
If you are using Intezer EDR Connect, follow this guide: Intezer’s Live Endpoint Scanner Script - EDR Set Up. To run it directly on an endpoint, follow these steps:
1. Download: Download the endpoint scanner and run it on the suspicious endpoint.
2. Scan: Double-click Scanner.exe and enter your API key (you can find your API key on the Account Details page). It will collect all running code from memory. Please note: the scanner collects only executable code, not documents or any data that is not binary code.
3. Analyze: The collected modules are analyzed using Genetic Analysis technology, sifting through every piece of binary code running in memory and referencing it against Intezer’s vast database of trusted and malicious code.
4. Review the Results: Go to the Endpoint and Memory Scans report, in the History tab, to find your scan results.
If any threats were found at this stage, Intezer will notify you. The endpoint analysis report includes:
- Verdict (whether the endpoint is infected or not)
- Classification (if infected, what is the exact malware threat?)
- Code and string reuse
- Process tree of the relevant findings

If any traces of malicious code are found in memory, the endpoint will be marked as "Infected".
- All the data accessible in the console is also accessible through an API.
- You can also refer to the endpoint FAQ section.
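The page notes that everything shown in the console is also available through the API, which is how you would collect results when the scanner has been run across many endpoints at once. The following Python script is an added example and not Intezer's own code: it exchanges the account API key for a bearer token, polls for a finished endpoint analysis, and reduces each report to the verdict, classification and flagged processes a responder acts on first. The token route (POST /get-access-token) is documented by Intezer; the report route /endpoint-analyses/<analysis_id>, the JSON field names and the SAMPLE_REPORT below are assumptions constructed for illustration, so check them against the current API reference before relying on them.

```python
"""Collect endpoint scan results through the Intezer API and triage them.

Added example for this page, not Intezer's own code. Assumptions (not stated
on the page; verify against the API reference):
  * POST /get-access-token with {"api_key": ...} returns {"result": "<token>"}
  * GET /endpoint-analyses/<analysis_id> returns {"status": ..., "result": {...}}
  * the field names inside "result" mirror what the page lists in the report
    (verdict, classification/families, process tree)
"""
import json
import time
import urllib.request

API_BASE = "https://analyze.intezer.com/api/v2-0"


def get_access_token(api_key: str, opener=urllib.request.urlopen) -> str:
    """Exchange the account API key for a short-lived bearer token."""
    req = urllib.request.Request(
        f"{API_BASE}/get-access-token",
        data=json.dumps({"api_key": api_key}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.load(resp)["result"]


def fetch_endpoint_analysis(token: str, analysis_id: str,
                            opener=urllib.request.urlopen,
                            attempts: int = 30, delay: float = 10.0) -> dict:
    """Poll the (assumed) endpoint-analysis route until the scan has finished.

    A scan takes several minutes, so the caller waits rather than treating a
    still-running analysis as a clean result.
    """
    req = urllib.request.Request(
        f"{API_BASE}/endpoint-analyses/{analysis_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    for _ in range(attempts):
        with opener(req) as resp:
            body = json.load(resp)
        if body.get("status") in ("succeeded", "failed"):
            return body
        time.sleep(delay)
    raise TimeoutError(f"analysis {analysis_id} still running after {attempts} polls")


def triage(report: dict) -> dict:
    """Reduce one finished report to the facts a responder needs first.

    Returns the verdict, the malware families named in the classification,
    and the processes the scan flagged, so a fleet-wide run can be sorted by
    severity without opening every console page.
    """
    if report.get("status") != "succeeded":
        # A failed or unfinished scan is not evidence that the host is clean.
        return {"verdict": "unknown", "infected": False,
                "families": [], "flagged_processes": []}
    result = report.get("result", {})
    verdict = result.get("verdict", "unknown")
    families = sorted({f["family_name"] for f in result.get("families", [])
                       if f.get("family_name")})
    flagged = [(p["pid"], p["name"], p["verdict"])
               for p in result.get("processes", [])
               if p.get("verdict") in ("malicious", "suspicious")]
    return {"verdict": verdict, "infected": verdict == "malicious",
            "families": families, "flagged_processes": flagged}


def infected_hosts(reports: dict) -> list:
    """Given {hostname: report}, list the hosts marked infected, sorted by name."""
    return sorted(h for h, r in reports.items() if triage(r)["infected"])


# Constructed sample report, shaped after the report fields the page lists.
SAMPLE_REPORT = {
    "status": "succeeded",
    "result": {
        "verdict": "malicious",
        "families": [{"family_name": "ExampleRAT", "family_type": "malware"},
                     {"family_name": "ExampleRAT", "family_type": "malware"}],
        "processes": [
            {"pid": 412, "name": "svchost.exe", "verdict": "trusted"},
            {"pid": 5120, "name": "notepad.exe", "verdict": "malicious"},
        ],
    },
}
SAMPLE_PENDING = {"status": "in_progress"}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print(infected_hosts({"ws01": SAMPLE_REPORT, "ws02": SAMPLE_PENDING}))
```

The network functions are kept separate from triage so the same summary code can be run over reports saved to disk, and an unfinished or failed scan is deliberately reported as "unknown" rather than clean.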
Acquit an Endpoint
During the analysis, code from the endpoint’s memory is ‘genetically’ referenced against both Intezer’s and the organization’s code databases. To avoid alerts for unknown pieces of code that are legitimate and specific to your company, it is recommended to create a trusted baseline for your organization’s code by using the Acquit Endpoint feature.
After acquitting the endpoint, the scan will be reanalyzed, and the unknown code will be privately indexed as Trusted.
Additional Resources
- If you are using Intezer EDR Connect (such as with SentinelOne or CrowdStrike), follow this guide to set up the Live Endpoint Scanner Script in your EDR.