Phase 3: Automated Detection

After Traps analyzes the memory dump, Traps automatically performs secondary analysis, the results of which you can use to verify the legitimacy of a prevention event. The secondary analysis provides greater insight into the nature of the event by using detection tools—including ROP chain detection and heap spray detection—to identify additional malicious activity traces.
If the detection tools successfully identify malicious activity traces, Traps stores the information to a system log file on the endpoint using the following syntax: Traps prefix-unique client ID-event ID. Traps also reports the detection to the ESM Server. The ESM Console displays the results in the
Traps Automatic Dump Analysis
section for each prevention event record including whether or not each detection tool was successful in identifying additional malicious activity. If Traps fails to capture the memory, creates the dump file incorrectly, or otherwise fails to complete the secondary analysis, the ESM Console hides this section in the event record.
If the detection tools identify one or more additional malicious activity traces there is a high likelihood that the prevention event is a legitimate threat.
To further troubleshoot or analyze security events, view the forensic data that Traps collects as described in Phase 4: Collection of Forensic Data.

Recommended For You