To correctly understand the format used to present the information in the action list, a parallel needs to be drawn with natural language:
All actions have as the subject the file classified as malware. This subject is not indicated in each line of the action table because it is common throughout the table.
All actions have a verb which relates the subject (the classified threat) with an object, called the entity. The entity is indicated in the Path/URL/Registry key/IP:port field of the table.
The entity is complemented with a second field which adds information to the action, which is the Hash/Registry Value/Protocol-Direction/Description field.
The example below illustrates two actions carried out by the same hypothetical malware:
Date | Times | Action | Path/URL/Registry_Key/IP:Port | Hash/Registry Value/Protocol-Direction/Description | Trusted
3/30/2015 4:38:40 PM | 1 | Connects with | 54.69.32.99:80 | TCP-Bidirectional | NO
3/30/2015 4:38:45 PM | 1 | Loads | PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL | 9994BF035813FE8EB6BC98ECCBD5B0E1 | NO
The first action indicates that the malware (subject) connects to (action) the IP address and port 54.69.32.99:80 (entity) over TCP, bidirectionally.
The second action indicates that the malware (subject) loads (action) the library PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL (entity) with hash 9994BF035813FE8EB6BC98ECCBD5B0E1.
As with natural language, two types of sentences are implemented in Adaptive Defense 360:
Active: These are predicative actions (with a subject and predicate) related by an active verb. In these actions, the verb relates the subject, which is always the process classified as a threat, to a direct object, the entity, whose type varies with the type of action.
Passive: These are actions where the subject (the process classified as malware) becomes a passive subject (it receives rather than performs the action), and the verb is passive (to be + participle). In this case, the passive verb relates the passive subject, which receives the action, to the entity, which performs the action.
Examples of active actions are:
Connects with
Loads
Creates
Examples of passive actions are:
Is created by
Downloaded from
An example of a passive action is:
Date | Times | Action | Path/URL/Registry_Key/IP:Port | Hash/Registry Value/Protocol-Direction/Description | Trusted
3/30/2015 4:51:46 PM | 1 | Is executed by | WINDOWS|\explorer.exe | 7522F548A84ABAD8FA516DE5AB3931EF | NO
In this action, the malware (passive subject) is run by (passive action) the program WINDOWS|\explorer.exe (entity) with hash 7522F548A84ABAD8FA516DE5AB3931EF.
Active actions let you inspect in detail the steps taken by the malware. By contrast, passive actions usually reveal the infection vector used by the malware (which process ran it, which process copied it to the user's computer, etc.).
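The following added example (not part of the Adaptive Defense 360 documentation or product) parses rows in the action-list layout shown above into subject/verb/entity/complement tuples, classifies each row as active or passive from the verb form, and picks out the passive rows as candidate infection vectors. It assumes the rows are `|`-separated as shown on this page and handles the entity column containing its own `|` (as in PROGRAM_FILES|\...); the sample rows are constructed from the values on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Implicit subject shared by every row of the action list: the file classified as malware.
SUBJECT = "<classified file>"

@dataclass
class Action:
    date: str
    times: int
    verb: str        # the action, e.g. "Connects with", "Is executed by"
    entity: str      # Path / URL / Registry key / IP:port
    complement: str  # Hash / Registry value / Protocol-Direction / Description
    trusted: bool

    @property
    def voice(self) -> str:
        # Passive actions use "to be + participle" ("Is executed by") or a bare
        # participle with an agent ("Downloaded from"); everything else is active.
        v = self.verb.lower()
        return "passive" if v.startswith("is ") or re.search(r"ed (by|from)$", v) else "active"

    def sentence(self) -> str:
        # Render the row as the natural-language sentence the format encodes.
        return f"{SUBJECT} {self.verb.lower()} {self.entity} [{self.complement}]"

def parse_action_rows(text: str) -> list[Action]:
    """Parse '|'-separated rows. The entity column itself may contain '|'
    (e.g. PROGRAM_FILES|\\MOVIES...), so split from both ends and rejoin the middle."""
    actions = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 6:
            raise ValueError(f"malformed action row: {line!r}")
        date, times, verb = parts[:3]
        complement, trusted = parts[-2:]
        entity = "|".join(parts[3:-2])  # restore the pipes inside the path
        actions.append(Action(date, int(times), verb, entity, complement, trusted.upper() == "YES"))
    return actions

def infection_vectors(actions: list[Action]) -> list[Action]:
    # Passive rows describe who ran, copied or downloaded the file: the likely infection vector.
    return [a for a in actions if a.voice == "passive"]

# Constructed sample rows, using the values shown on this page.
SAMPLE = r"""
3/30/2015 4:38:40 PM | 1 | Connects with | 54.69.32.99:80 | TCP-Bidirectional | NO
3/30/2015 4:38:45 PM | 1 | Loads | PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL | 9994BF035813FE8EB6BC98ECCBD5B0E1 | NO
3/30/2015 4:51:46 PM | 1 | Is executed by | WINDOWS|\explorer.exe | 7522F548A84ABAD8FA516DE5AB3931EF | NO
"""

if __name__ == "__main__":
    for a in parse_action_rows(SAMPLE):
        print(f"[{a.voice}] {a.sentence()}")
```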