Q: What does SecondWrite do and who uses SecondWrite?
A: SecondWrite has developed an innovative automated malware analysis solution for detecting advanced malware including APTs, targeted attacks and zero-day evasions that defeat other solutions. Our technology automates traditionally manual reverse-engineering techniques to analyze and detect malware at scale.
Currently, SecondWrite is being used by several network security vendors, endpoint security vendors, threat intelligence and Incidence-response vendors, SOCs, and MSSPs to improve their malware detection capability.
Q: What makes SecondWrite different from other sandbox based solutions for detecting malware?
A: SecondWrite eliminates blind spots prevalent in existing automated malware analysis solutions. Other automated malware solutions are only based on monitoring the interaction of malware with its “external” environment, primarily the operating system’s resources on the computer. In addition, such tools are specialized to certain known evasion types.
Our sandbox is based on deep introspection and complete code exploration of malware using founding team’s ten years of research background in deep analysis of software and malware, and our patented technologies. This enables our sandbox to detect malware based on internal code behavior and overcome any evasion type, including zero-day evasions that are unknown to us.
Q: What is the input and output of your sandbox?
A: The input to our sandbox is a file or a URL submitted by the customer or security partner. The output is a report, available in both JSON and HTML formats. The report contains a score indicating how likely the file is malicious, and several details about its behavior.
Q: What input file types does your sandbox support?
A: Currently the file types supported are:
- PE32 Executables
- Office (Word, Excel, Powerpoint)
- URLs (websites)
- Archives: .zip, 7zip, .rar etc
Q: What Operating Systems are supported?
A: SecondWrite sandbox current supports Windows OS. The support for other Operating System will be rolled out in next few months.
Q: What deployments are supported?
A: Our preferred deployment is when the SecondWrite sandbox is hosted on our cloud platform. Our cloud can be accessed via a web-portal or via APIs provided. Both mechanisms are easy to use. The cloud offers greater ease of use with no installation needed, malware information sharing among customers, and Tier 1 support by SecondWrite. However, on-premise deployments are available, where the customer can install our software package on their own computers.
Q: What features does the web-portal contain?
The web-portal can be used for several functions: users can get a summary of your submissions so far, account information, links to their most recent submissions and a web interface to submit files. It is user friendly and easy to use.
Q: What does your report contain?
A: Our report contains a wealth of information on the file’s static and dynamic behavior, including at least the following:
- A score indicating how confident we are that the file is malicious.
- File header information.
- List of suspicious behaviors found, including the severity level of each.
- A classification of the malware (e.g., ransomware, spyware, Trojan, adware, phishing etc.)
- The IP addresses the malware attempts to connect to.
- A world map indicating the countries in which the connected-to IP addresses reside.
- Process graph showing what processes this file creates or interacts with.
- Files it reads, writes to, moves, and deletes.
- PCAP files containing the network traffic generated by this file.
- OS calls made by each process, along with arguments.
- Yara rules matched.
Q: What kinds of evasion does your tool handle?
A: Unlike competitor tools that are specialized to certain known evasion types, our sandbox can overcome any evasion type, including zero-day evasions that are unknown to us.