File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.
Some techniques use file signatures or file metadata to compare against historical collections of malware. Files may also be compared against a source of ground truth such as cryptographic signatures. Other techniques examine files for potential malware using pattern matching against file contents or file behavior. Binary code may be disassembled and analyzed for indicators of malicious behavior, such as API call signatures. Analysis might occur within a protected environment such as a sandbox, or on a live system.
There are 5 countermeasure techniques in this category, File Analysis.
| Technique | ID | Definition | Synonyms |
|---|---|---|---|
| File Analysis | D3-FA | File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc. | |
| - Dynamic Analysis | D3-DA | Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader. | Malware Detonation, Malware Sandbox |
| - Emulated File Analysis | D3-EFA | Emulating instructions in a file looking for specific patterns. | |
| - File Content Rules | D3-FCR | Employing a pattern matching rule language to analyze files. | File Content Signatures, File Signatures |
| - File Hashing | D3-FH | Employing file hash comparisons to detect known malware. | |