RSA ECAT Signature-less Malware Detection
Detect. Analyze. Act.

Attackers continuously use new, hard-to-detect methods to compromise hosts, establish a hidden presence on target systems, and exfiltrate sensitive data out of organizations. As traditional security systems are easily bypassed with these methods, organizations need a solution to quickly detect and investigate advanced threats.

RSA ECAT (Enterprise Compromise Assessment Tool) is an enterprise malware-detection and response solution that enables organizations to easily scan and monitor Windows endpoints for even the most elusive malware – including deeply hidden rootkits and other advanced threats used in targeted attacks.

By automating the detection of anomalies within applications and memory, RSA ECAT employs a fundamentally different approach than traditional anti-malware solutions. The cornerstone of this approach – per-process live memory analysis – provides a granular view of what’s happening in memory to quickly find traces of compromise and malicious activity.

As a result, analysts and incident-response teams don’t waste time filtering through background noise and false positives. With the industry’s broadest whitelisting and software-reputation services built in, known good files are quickly identified and added to the baseline, highlighting truly malicious activity for immediate attention.

In one integrated package, RSA ECAT provides:

• Assessment
• Detection
• Analysis
• Remediation Option
• Forensic Data Gathering

Assess
RSA ECAT agents are deployed on servers and endpoints to identify all running processes and drivers using a set of low-level functions. The agent conducts numerous checks to identify behavior related to malware. Information gathered during the scan is sent to a centralized server for analysis.

Detect
The RSA ECAT console presents a complete view of the scanned computers along with a machine suspect level (MSL) to identify which should be investigated first.

Analyze
RSA ECAT correlates a suspicious behavior with its author – a driver, a process, a DLL, or a memory block (floating code) – then displays contextual intelligence about the author (metadata like file size, file attributes, MD5 file hash). Suspicious modules can be whitelisted or blacklisted by the operator. Once modules are categorized, organizations can quickly identify the same suspicious behavior across the entire environment.

Remediate
If the analysis determines that an endpoint is infected with malware, an optional remediation agent can be pushed out by the operator to clean the endpoint.

Gather Forensic Data
RSA ECAT includes a set of tools to gather information for a complete forensic analysis and cybercrime investigation, including:

• Full memory downloads: Pull a complete live memory dump from a suspect machine for further analysis
• Master File Table (MFT) Viewer: Locate and remotely download hacked and deleted files in a forensically sound manner