
Why is the N-gram content search key for threat detection?

VirusTotal's enterprise version makes it faster to find and track detected malware. Nick Lewis explains what an N-gram content search is and how it can be used.

VirusTotal introduced an enterprise version that provides a faster malware search feature and uses N-gram content searches to identify threats. What is an N-gram content search and why is it so important?

The practice of identifying threats and sharing information about them with defenders grew out of the signature techniques that have long been used to defend against viruses and malware. While signatures were an extremely effective way to identify malware, they have since been supplemented with behavioral heuristics, anomaly detection and other methods. Applying this practice at scale, and giving enterprise defenders access to the underlying data, may not have been common in the past, but VirusTotal's recently introduced enterprise version gives large organizations another option for investigating incidents.

VirusTotal holds malware submissions and related data, which can include files, emails, IP addresses and URLs, contributed by researchers, defenders and attackers, each with their own reasons for using the service. One of the many new features in the enterprise version is an N-gram content search. Most enterprises use VirusTotal to check whether a particular file is detected by any of the included anti-malware engines. With the enterprise version, customers can also keep their submissions and information private from other VirusTotal users.

An N-gram content search looks for one or more strings of characters, each in a particular order, at the same time in order to determine whether a file is related to other files or known malware. The strings might correspond to specific functions in the malware whose layout the author has changed just enough to alter the malware's overall detection signature.

By searching for multiple specific strings within a file, related malware can be identified without a signature specific to that sample and, as VirusTotal notes, searches run faster. For example, an enterprise customer could submit a file of interest to see whether it has been detected or is related to previously detected malware; this could help prioritize future analysis of the malware.
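To make the mechanism concrete, here is an added example (my own illustration, not VirusTotal's implementation, which is not public) that works on byte N-grams. It builds an inverted index from N-grams to file names, runs a content search that requires every pattern to appear contiguously, and scores how related two files are by the overlap of their N-gram sets. The three "files" are constructed byte strings, not real malware: two share the same API-name strings and data blob in a different layout, the third shares only a header. Function names, the sample names and the placeholder URL are all assumptions of this example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample "files" for illustration only (not real malware).
# sample_a and sample_b carry the same strings and blob in a different layout;
# benign shares only the four-byte header with them.
SAMPLES: Dict[str, bytes] = {
    "sample_a.bin": (b"MZ\x90\x00"
                     + b"GetProcAddress\x00LoadLibraryA\x00"
                     + b"\xde\xad\xbe\xef" * 8
                     + b"http://example.invalid/update"),
    "sample_b.bin": (b"MZ\x90\x00" + b"\x00" * 5
                     + b"LoadLibraryA\x00GetProcAddress\x00"
                     + b"\xde\xad\xbe\xef" * 8
                     + b"http://example.invalid/update"),
    "benign.bin": (b"MZ\x90\x00"
                   + b"CreateFileW\x00ReadFile\x00"
                   + b"\x11\x22\x33\x44" * 8),
}


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Distinct n-byte substrings of data (empty when data is shorter than n)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of two files' n-gram sets: 1.0 means identical
    n-gram content, 0.0 means nothing in common. Moving blocks around inside a
    file only changes the n-grams that straddle the moved boundaries, so a
    re-laid-out variant still scores high against the original."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def build_index(corpus: Dict[str, bytes], n: int = 4) -> Dict[bytes, Set[str]]:
    """Inverted index: n-gram -> names of the files that contain it."""
    index: Dict[bytes, Set[str]] = {}
    for name, data in corpus.items():
        for gram in byte_ngrams(data, n):
            index.setdefault(gram, set()).add(name)
    return index


def content_search(corpus: Dict[str, bytes], index: Dict[bytes, Set[str]],
                   patterns: Iterable[bytes], n: int = 4) -> Set[str]:
    """Names of files that contain every pattern as a contiguous byte string.

    The index prunes candidates cheaply: a file can only contain a pattern if
    it contains all of that pattern's n-grams. Shared n-grams do not prove the
    bytes occur contiguously, so survivors get a real substring check.
    Patterns shorter than n have no n-grams and skip the pruning step."""
    candidates = set(corpus)
    for pattern in patterns:
        for gram in byte_ngrams(pattern, n):
            candidates &= index.get(gram, set())
        candidates = {name for name in candidates if pattern in corpus[name]}
    return candidates


def related_files(query: bytes, corpus: Dict[str, bytes], n: int = 4,
                  threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Corpus files whose n-gram similarity to query meets the threshold,
    most similar first. This is the 'is it related to something we have seen'
    question from the text, answered without a per-sample signature."""
    scored = [(name, ngram_similarity(query, data, n)) for name, data in corpus.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    idx = build_index(SAMPLES)
    print("files with both API names:",
          sorted(content_search(SAMPLES, idx, [b"GetProcAddress", b"LoadLibraryA"])))
    for name, score in related_files(SAMPLES["sample_a.bin"], SAMPLES):
        print(f"{name}: similarity {score:.2f}")
```

The substring verification step matters: two files can share all the N-grams of a pattern without either containing the pattern itself, so an index hit is a candidate, not a match. The similarity threshold is a tuning knob; in practice it is chosen from how related files in your own corpus score against each other.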
