Comparison of Malware Protection Options
The following table details the benefits and drawbacks of each type of file analysis, as well as the way each malware protection method determines a file's disposition.
Analysis Type | Benefit | Limitations | Malware Identification |
---|---|---|---|
Spero analysis | Structural analysis of executable files, submits Spero signature to the AMP Cloud for analysis | Less thorough than local malware analysis or dynamic analysis, only for executable files | Disposition changes from Unknown to Malware only on positive identification of malware. |
Local malware analysis | Consumes fewer resources than dynamic analysis, and returns results more quickly, especially if the detected malware is common | Less thorough results than dynamic analysis | Disposition changes from Unknown to Malware only on positive identification of malware. |
Dynamic analysis | Thorough analysis of unknown files using Secure Malware Analytics | Eligible files are uploaded to the public cloud or an on-premises appliance. It takes some time to complete analysis | Threat score determines maliciousness of a file. Disposition can be based on the threat score threshold configured in the file policy. |
Spero analysis and local malware analysis | Consumes fewer resources than configuring local malware analysis and dynamic analysis, while still using AMP cloud resources to identify malware | Less thorough than dynamic analysis, Spero analysis only for executable files | Disposition changes from Unknown to Malware only on positive identification of malware. |
Spero analysis and dynamic analysis | Uses full capabilities of AMP cloud in submitting files and Spero signatures | Results obtained less quickly than if using local malware analysis | Threat score changes based on dynamic analysis results for files preclassified as possible malware. Disposition changes based on configured threat score threshold in the file policy, and from Unknown to Malware if the Spero analysis identifies malware. |
Local malware analysis and dynamic analysis | Thorough results in using both types of file analysis | Consumes more resources than either alone | Threat score changes based on dynamic analysis results for files preclassified as possible malware. Disposition changes from Unknown to Malware if local malware analysis identifies malware, or based on configured threat score threshold in the file policy. |
Spero analysis, local malware analysis and dynamic analysis | Most thorough results | Consumes most resources in running all three types of file analysis | Threat score changes based on dynamic analysis results for files preclassified as possible malware. Disposition changes from Unknown to Malware if Spero analysis or local malware analysis identifies malware, or based on configured threat score threshold in the file policy. |
(Block transmission of all files of a specified file type) | Does not require a Malware Defense license (This option is not technically a malware protection option.) | Legitimate files will also be blocked | (No analysis is performed.) |

Note: Preclassification does not itself determine a file's disposition; it is merely one of the factors that determine whether a file is eligible for Dynamic Analysis.