Meaning of DDI rules:

  • 707 MALWARE: High Callback to IP address in Virtual Analyzer C&C List.

    When this rule is triggered, it means DDI detected an IP connection to a C&C server.
  • 708 MALWARE: High Malware file hash from Virtual Analyzer feedback.

    When this rule is triggered, it means DDI detected a file that was analyzed by Virtual Analyzer before and was determined as high risk malware.

  • 709 MALWARE: High Callback to URL in Virtual Analyzer C&C List.

    When this rule is triggered, it means DDI detected a URL request to a C&C server.

Process of how the rules are composed:

  1. DDI sends files to Virtual Analyzer (either internal or external).
  2. The Virtual Analyzer analyzes the received files and then returns a feedback list to DDI. Only files detected as high risk malware are recorded in the feedback list; the full reports for all files are sent separately.
  3. DDI receives the feedback list and adds the entries into its database.
  4. The CAV module in DDI uses the entries in the database and matches them against the following rules:
    • 707 - IP address/port information
    • 708 - SHA-1 file hash
    • 709 - Uniform Resource Locator (URL)
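The matching in step 4, modelled as an added Python example (this is not Trend Micro's code): the feedback-list entry format, the event format, the wildcard port and the URL normalization are assumptions for illustration, not DDI's actual database schema or log format.

```python
# Added example, not DDI code: models how Virtual Analyzer feedback entries
# (step 2) are indexed (step 3) and matched to rules 707/708/709 (step 4).
# Entry and event formats are constructed assumptions.
from urllib.parse import urlsplit

# Constructed feedback list: only high-risk verdicts reach DDI.
FEEDBACK = [
    {"type": "ip",   "value": "203.0.113.10", "port": 443},
    {"type": "ip",   "value": "198.51.100.7", "port": None},  # None = any port
    {"type": "sha1", "value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"},
    {"type": "url",  "value": "http://Example.test/gate.php"},
]

DEFAULT_PORT = {"http": 80, "https": 443}

def norm_url(u):
    """Normalize scheme case, host case and implicit port so that
    'HTTP://example.test:80/x' and 'http://Example.test/x' compare equal."""
    p = urlsplit(u)
    scheme = p.scheme.lower()
    port = p.port or DEFAULT_PORT.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")

def build_db(feedback):
    """Step 3: index feedback entries by the key each rule matches on."""
    db = {"ip": {}, "sha1": set(), "url": set()}
    for e in feedback:
        if e["type"] == "ip":
            db["ip"].setdefault(e["value"], set()).add(e["port"])
        elif e["type"] == "sha1":
            db["sha1"].add(e["value"].lower())   # hashes compared case-insensitively
        elif e["type"] == "url":
            db["url"].add(norm_url(e["value"]))
    return db

def match(db, event):
    """Step 4 (CAV matching): return the DDI rule ID that fires, or None."""
    kind = event["type"]
    if kind == "connection":                      # rule 707: IP/port
        ports = db["ip"].get(event["dst_ip"])
        if ports and (None in ports or event["dst_port"] in ports):
            return 707
    elif kind == "file":                          # rule 708: SHA-1
        if event["sha1"].lower() in db["sha1"]:
            return 708
    elif kind == "http_request":                  # rule 709: URL
        if norm_url(event["url"]) in db["url"]:
            return 709
    return None
```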