maxkabakov - Fotolia

Why is the N-gram content search key for threat detection?

Detected malware can now efficiently be tracked due to VirusTotal's enterprise version of its software. Discover what N-gram is and how it can be used with Nick Lewis.

VirusTotal introduced an enterprise version that provides a faster malware search feature and uses N-gram content searches to identify threats. What is an N-gram content search and why is it so important?

The practice of identifying threats and sharing information about those threats with defenders was an extension of signature techniques that have long been used to defend against viruses and malware. While this was an extremely effective way to identify malware, it has since been updated with behavioral heuristics, anomaly detection and other updates. Using this practice at scale and allowing enterprise defenders to access underlying data may not have been common in the past, but recent developments by VirusTotal have introduced an enterprise version that gives large organizations another option for investigating incidents.

VirusTotal contains malware submissions and other related data which could include files, emails, IP addresses and URLs from researchers, defenders and attackers, each with their own reasons for using the service. One of the many new features introduced in the enterprise version is an N-gram content search. Most enterprises use VirusTotal to see if a particular file was detected by any of the included anti-malware engines. With the enterprise version, customers can keep their submissions and information private from other VirusTotal users.

An N-gram content search occurs when a string or multiple strings of characters are searched at the same time in a particular order to determine if a file is related to other files or malware. The strings could be specific functions in the malware that the malware author could have changed enough in the layout to change the malware's overall detection signature.

By searching for multiple specific signatures within a file, related malware can be identified without having a specific signature for the malware and, as VirusTotal notes, improved search speed. For example, an enterprise customer could submit a file of interest to see if it's been detected or is related to a previously detected malware -- this could help prioritize future analysis on the malware.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing