About the Load Point Analysis scan in Symantec Help
|Article:TECH96291|||||Created: 2009-01-22|||||Updated: 2013-11-08|||||Article URL http://www.symantec.com/docs/TECH96291|
About the Load Point Analysis scan in Symantec Help
What is Load Point Analysis?
Within each of the various versions of Windows, there are specific locations within the file system and registry that are used to load applications and related files. While these are used by legitimate programs, they are also commonly used as attack vectors for malware such as viruses, trojans, worms, and spyware. Load Point Analysis examines files that launch from these locations in order to narrow down which files are less likely to be legitimate.
In the past, identifying unknown threats on a potentially infected computer involved going through a plain text listing of the files launched from the load points. The thousands of items in that list, with no context, made the task a daunting one for customers and technical support alike. The Load Point Analysis scan in Symantec Help (SymHelp) relieves most of this burden by automatically narrowing down the list to the most likely candidates.
This functionality is intended to supplement standard troubleshooting methods, and is not to be used as a replacement either for troubleshooting or, more importantly, for securing a computer.
What does Load Point Analysis do?
Load Point Analysis examines all of the files that start automatically on a computer and assigns a score to them. This score tells you which, if any, of those files should be investigated further in order to determine whether they are malicious.
The score that Load Point Analysis assigns comes from three criteria:
- File Certification
If the file is signed with a valid Authenticode or Windows Security Catalog certificate, then the file is not considered to be a risk and is not flagged for further investigation.
- Symantec Reputation Database
The Reputation Database is a repository of information that Symantec has about a large number of common files, and whether they are valid or malicious. For example, the Reputation Database has information on the file Notepad.exe, including the checksums for valid versions of the file. If Notepad.exe is called from a load point, Load Point Analysis submits information about the file on the computer, and the Reputation Database response indicates whether it is a valid version of the known file. This is the most useful and most heavily weighted criterion for determining the validity of a file.
The computer must have an internet connection in order to check the Reputation Database. If no internet connection is available, you can export a report and open it in the Support Tool on a different computer that has an internet connection in order to complete the Reputation Database check. Load Point Analysis cannot complete without completing the Reputation Database check.
- Local analysis
If the file is not in the Reputation Database and is unsigned, a score is assigned based on criteria such as the file creation date, size, and whether it is protected by the operating system.
Load Point Analysis also flags any Autorun.inf files as a potential threat, and presents their contents for investigation.
When the analysis is complete, SymHelp presents a report that shows which files warrant further investigation.
Running Load Point Analysis
What if Load Point Analysis identifies a potential risk?
If the Load Point Analysis flags a file with a low score, the first thing to do is a common-sense check of the files in question.
- Do the files belong to a program that you recently installed?
- Do the files belong to a program that you know to be valid?
If you are unable to determine the validity of the file, submit the files to Security Response for analysis. For Basic Maintenance, Essential Support, and Business Critical Services customers, contact Technical Support to submit the files.
If the file has a valid signature, then the file is assumed to be valid, and no further analysis is done.
If the file does not have a valid signature, the Support Tool looks up the file in the Reputation Database, to see whether it is known as a valid or a malicious file. The Reputation Database identifies the file by the file location and the SHA256 and MD5 hash values. The files themselves are not transmitted. Only executable and library files, and only those that are referenced by load points, are included in this analysis.
If the Reputation Database recognizes the file, it assigns one of the following scores:
If the file is not listed in the Reputation Database, it is then compared to the following list of criteria:
- Protected by the operating system
If Windows is protecting the file, then a high positive weight is associated with it. For more information on Windows File Protection read the Microsoft Knowledge Base article Description of the Windows File Protection feature.
- Creation date
Files that are newly created on the computer are more likely to be malicious than files that have been established on the computer for some time.
- File Size
Typically, threats are within a fairly small size range.
- Version listed
If a file has no version listed, or has a default value from Visual Studio, there is a negative impact on the score.
- Multiple extensions
If a file has more than one extension, such as a name ending in .jpg.exe, its score is lowered.
The tool provides the name of the vendor on a file if it is present in the file's metadata. However, no weight is associated with this.
This methodology skews the detection rate on the side of caution. This means that the tool will suggest files for further manual investigation that may not be malicious. This is normal and expected behavior. The benefit that the tool provides is that it reduces the number of data points that require manual investigation from thousands to dozens.
The Load Point Analysis does not determine whether files are or are not malicious. When the Load Point Analysis assigns a low score to a file, it is suggesting that further investigation is required.
Article URL http://www.symantec.com/docs/TECH96291