Sponsored: A deep dive into the workings of malware

In these days of working from home, there is hardly any insight into what people run locally, which business-critical data they store locally and whether a workplace is up-to-date. This quickly raises the question of what protection the antivirus solution used offers and whether it can withstand modern threats such as ransomware.

Due to the overwhelming amount of new malware, the flow of virus definition updates can no longer keep up. And that is before counting all the undiscovered ‘zero-day’ malware for which no virus definition exists anyway. In addition to focusing on prevention, the advice is therefore: bet on behavioral detection to catch malware during its execution.

Back to the beginning

Everyone knows antivirus solutions. They often protect the endpoint based on what they already know (signatures / known virus definitions).

However, developments in recent years demand more of an endpoint security solution. A multi-layered solution is desired, with attention to the pre-, on- and post-execution phases of malware and also offering the possibility to perform extensive forensic analysis and threat hunting. But which solution do you choose? After all, every solution seems to offer more or less the same, right?

The three steps of an effective next-gen EPS

Step 1: Pre-execution

When it comes to file-based malware, you would like it to be picked up immediately upon arrival at an endpoint by the Endpoint Protection solution. SentinelOne ensures that when a file hits the device, two processes start immediately in parallel.

Reputation check & static analysis

The reputation check ensures that everything already known to be malicious is blocked in advance. The SentinelOne agent queries the SentinelOne Cloud database in a few milliseconds. Simultaneously, the SentinelOne agent starts a static analysis of the file directly on the endpoint. The static analysis with the trained Deep File Inspection engine examines the structure of the file within a few milliseconds and can thus determine its context and intent. Based on this, it is determined whether that intent is malicious and the file should be quarantined. Either of these two processes can determine that the file is malicious or benign. This is important for a modern endpoint protection solution, because it never depends on the cloud. In the pre-execution phase, it can stop file-based malware completely autonomously, regardless of whether it is known or unknown malware.

Step 2: On-execution

But what if something comes through the pre-execution phase? Or when there is a ‘fileless attack’? For example, an attack that uses a vulnerability on the system and runs completely in memory? Or perhaps an interactive attack? It is also necessary to assess all behavior during the execution of processes on a machine and to be able to intervene when behaviors ‘go the wrong way’. The SentinelOne agent’s behavioral engines monitor continuously and in real time what is happening on the machine and whether this behavior is malicious or benign.

Each endpoint continuously initiates chains of processes. Most of these chains (storylines) are fine, but some are not. The SentinelOne agent distinguishes these storylines in real time and uses a scoring mechanism to determine whether and when a storyline develops into malicious behavior. From that moment, the agent intervenes immediately, reports the storyline back to the management console right up to its source, and simultaneously rewinds it. In this way, the agent is able to – again completely autonomously – undo malicious activities.
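The storyline scoring described above can be sketched as follows. This is an added illustration written for this page, not SentinelOne's engine or its real scoring: the telemetry, behaviour labels, weights and threshold are all constructed for the example. Processes are grouped into a storyline by their root ancestor, the score accumulates as behaviours arrive, and the storyline is flagged the moment it crosses the threshold, with the root (the "source") and every process in the chain available for containment.

```python
# Constructed telemetry (not from any real agent): each event is
# (pid, parent_pid, image, behaviour), in the order the agent observed it.
EVENTS = [
    (200, 100, "winword.exe", "open_document"),
    (500, 100, "chrome.exe", "network_connect"),
    (300, 200, "powershell.exe", "spawned_by_office"),
    (300, 200, "powershell.exe", "encoded_command"),
    (400, 300, "dropper.exe", "write_executable"),
    (400, 300, "dropper.exe", "mass_file_rename"),
    (400, 300, "dropper.exe", "delete_shadow_copies"),
]

# Hypothetical per-behaviour weights; a real engine's scoring is proprietary.
WEIGHTS = {
    "open_document": 0, "network_connect": 5, "spawned_by_office": 20,
    "encoded_command": 20, "write_executable": 15,
    "mass_file_rename": 30, "delete_shadow_copies": 40,
}
THRESHOLD = 70


def root_of(pid, parent):
    """Walk up the parent chain to the first process with no tracked parent."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def score_storylines(events, weights=WEIGHTS, threshold=THRESHOLD):
    """Group processes into storylines by root ancestor and score each one.

    Returns {root_pid: {"image", "score", "processes", "verdict", "tripped_by"}};
    `tripped_by` is the pid whose behaviour first pushed the score past threshold.
    """
    parent = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: img for pid, _, img, _ in events}
    lines = {}
    for pid, _, _, beh in events:
        root = root_of(pid, parent)
        sl = lines.setdefault(root, {"image": images[root], "score": 0,
                                     "processes": [], "verdict": "benign",
                                     "tripped_by": None})
        if pid not in sl["processes"]:
            sl["processes"].append(pid)   # chain to kill/rewind on detection
        sl["score"] += weights.get(beh, 0)
        if sl["verdict"] == "benign" and sl["score"] >= threshold:
            sl["verdict"], sl["tripped_by"] = "malicious", pid
    return lines
```

Running `score_storylines(EVENTS)` flags the winword.exe chain (score 125, tripped when dropper.exe started renaming files) while the chrome.exe chain stays benign at 5.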


The combination of pre-execution engines and on-execution engines in the agent not only ensures that capture rates for malicious files and behavior are among the highest in the industry, but also keeps false positives to a minimum. Solutions that focus only on the pre-execution layer or work cloud-dependently generally show a (much) higher number of false positives. The pre- and on-execution engines in the SentinelOne agent are balanced so that the chance of a threat being caught is extremely high while the number of false positives remains extremely low. In addition, the engines in the SentinelOne agent are designed to minimize impact on the system. Think of less than 1% CPU usage and less than 200 MB of memory usage.

Step 3: Post-execution

But it doesn’t stop here. In the event of a threat, you want the organization to be as fully informed as possible, with as little noise as possible, without, of course, losing the possibility of in-depth analysis.

The SentinelOne incident overview shows all the details surrounding a threat. Important to note is that when an attack uses multiple attack techniques, the SentinelOne console automatically correlates them into a single event. The aim is to provide a clear representation of the event as soon as possible.

What details can we show then? Roughly speaking, an incident includes the endpoint, the time of the event and of reporting, who was logged in, the source file (hashes), which automatic actions were performed by the agent (kill, quarantine, remediate, rollback) and a list of indicators detected during the attack (linked to the MITRE ATT&CK Framework).

The incident overview also offers the opportunity to view the storyline and to see which step was taken by the malware or attacker at what time.

Finally, there is the option to view all activities surrounding the incident. Think of auditing (who did what and when around the incident) and what actions the agent performed at what time.

Forensics (EDR)

So much for all elements related to the pre-, on- and post-execution phases of threats. These elements mainly focus on the threats themselves and all context and actions surrounding them. But what if you also want to search for non-malicious (so benign) activities? Or perhaps you want to see whether there are already preparatory – but not malicious – actions for an attack? This is where SentinelOne’s Deep Visibility comes in. All endpoints equipped with an agent can be investigated by means of queries from the console. This covers not only current information, but also activities that may have taken place on an endpoint months or even a year ago.

When a threat is detected by the behavioral engine, from which various indicators can be derived, the console automatically makes a storyline of it. This storyline can then be hunted. The Deep Visibility engine on the console then shows all the indicators of the attack and on which endpoints these indicators were also detected.

Suppose an incident has occurred in an organization. The indicators of this attack have been shared by this organization or by other agencies. With a simple query, the SentinelOne-protected endpoints can be checked for one or more of these indicators. A watchlist can also be created, against which the endpoints are regularly checked for these indicators.

Obviously, the engines onboard the agent pick up behavior as soon as it becomes malicious, but this way behavior can also be detected before it reaches that state. It can then be treated in the same way as an actual threat, including all mitigation and remediation actions. Of course, unwanted non-malicious behavior is also detected.

Real-time insight into system-level behavior is not only indispensable for intervening in the event of unwanted activity. Proactively looking for signs of a possible threat is also child’s play. So when the director is at your desk, pointing to a newspaper article about a new ransomware or malware attack, you can assure him in no time that this threat will not manifest within the company, without having to wait for a signature database update.