The Good, The Bad, File States The Unknown

21 Oct, 2022 949 Views
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

In a perfect world, there would only be two kinds of files or processes: known good or known bad. Of course we don’t live in such a world and there is a vast expanse between the known good and known bad. This vast expanse in between good and bad, is the unknown and this is where most of the problems in security stem from.

The known good are files that have been indentified as benign and should run unencumbered. Bad files can cause damage to a system and should be stopped. Unknown files have not been seen in your environment before – they could be benign, but they may also be malicious.


The Good File States:

Certificates and Creating A Good File List

Xcitium is the largest brand of certification authorities in the world. Certification authorities issue digital certificates. These digital certificates are used for many reason and some of them are for encrypting sensitive information, we call this SSL, or digitally signing Applications so that the operating system will trust this digitally signed application when executing. As the largest single provider and exclusive provider to major technology leaders, Xcitium has an unparalleled visibility to all the legitimate publishers out there in the world, who are building and releasing applications. We use this expertise and knowledge and feed this into our containment solution as list of good files.

comodo File States illustration
antivirus File States lab

The Bad Files States:

Xcitium Antivirus Lab and Creating a Bad File list

Xcitium’s AV Lab knows the bad files hence can create a bad file list: Xcitium has one of the largest anti-virus labs in the world. It spans from the USA, to Romania, to Ukraine, Turkey, India, China. We draw from expertise from all around the world to help identify malware. Our Malware research labs are made of not only the best malware analysts in the world, but also equipped with the cutting edge technology to help identify latest malware using automated systems like Dynamic analysis, static analysis, behavioural analysis, reputation analysis and many more techniques. Xcitium also makes its automated systems for the good of everyone out there available for free at so that we can all join together in the fight against malware. CAMAS is a cloud based malware analysis sandbox that can verdict if a file is malicious or not and is available for free for anyone.

Arriving at a Verdict

In order to reach a verdict of whether something unknown is good or bad, it takes time to analyze and classify characteristics and behavior to come to a final conclusion. The amount of time it takes to reach a verdict represents a ‘window of exposure’ where there is risk in executing or opening a file and potentially an infection or ‘patient zero’ condition occurs. This is what occurs with conventional solutions that must analyze a ‘zero day’ attack to understand its behavior or arrive at a signature for inclusion in a blacklist.

arriving at a File States verdict
File States

Assumption-based vs Definitive Verdicting

Existing solutions typically evaluate a file or application to arrive at a decision on whether or not is is bad, but otherwise assume that the file is good. For example, conventional AV technology uses signatures to identity known bad files, but assumes that the remaining files are good. Similarly, “next gen” endpoint protection technologies look at behaviors and use artificial intelligence and machine learning techniques to identify applications as potentially bad, but assumes the remaining files are not bad. Xcitium uses a different approach to arrive at definitive verdicts of good and bad, and avoids the assumption-based approach found in conventional solutions.

Xcitium AEP and Definitive Verdicts

Xcitium Advanced Endpoint Protection leverages definitive verdicts to ensure that there are no unknown files able to inflict damage on unsuspecting users without impeding their productivity. The result is guaranteed protection without loss of time, money or user productivity

Related Sources:

Endpoint Detection
Endpoint Detection and Response