RTDMI

Advanced malware detection engines execute files, log the resulting activity, and then, after execution, look for and attempt to correlate malicious behavior. The correlation and scoring of these activities and behaviors are prone to both false positives and negatives. They are also prone to cause delays, unsatisfactory end user experience and subsequent IT ticket requests.

To allow malicious behavior to remain hidden, modern malware writers implement advanced techniques, including custom encryption, obfuscation and packing, as well as acting benign within sandbox environments. These techniques often hide the most sophisticated weaponry, which is only exposed when run dynamically. In most cases, these are impossible to analyze in real-time using static detection techniques. When SonicWall released Capture ATP, it was the industry’s first multi-engine sandbox that could block files at the gateway until a verdict. The multi-engine design answered the need to detect and stop evasive malware. Capture ATP was designed to process unknown files in isolated parallel environments to see what suspicious code intends to do, from the application, to the OS and down to the software that resides on the hardware.

As a next step, in February 2019, SonicWall released a new engine for Capture ATP called Real-Time Deep Memory Inspection (RTDMI) to improve the technology’s security effectiveness. Invented and developed by SonicWall’s Capture Labs threat researchers, the patent-pending RTDMI engine had already been running in the background of Capture ATP service for months beforehand, dynamically self-learning and self-enhancing. Additionally, after a year and a half of improvement, RTDMI was released as the core technology into the on-premise Capture Security appliance (CSa) in August 2020.

How it works

SonicWall RTDMI technology detects and blocks malware that does not exhibit any malicious behavior or that hides its weaponry via encryption. To discover packed malware code that has been compressed to avoid detection, RTDMI allows the malware to reveal itself by unpacking its compressed code in memory in a secure threat detection environment. It sees what code sequences are found within and compares it to what it has already seen. Identifying malicious code in memory is more precise than trying to differentiate between malware system behavior and clean program system behavior, which is an approach used by some other analysis techniques. Besides being highly accurate, RTDMI also improves sample analysis time. Since it can detect malicious code or data in memory in real-time during execution, no malicious system behavior is necessary for detection. The presence of malicious code can be identified prior to any malicious behavior taking place, thereby rendering a quicker verdict.

For the complete guide to RTDMI, download the full solution brief below:

 Solution Brief RTDMI