How does the emulator in Symantec Endpoint Protection detect and clean malware?

Symantec Endpoint Protection
14 introduced a powerful new emulator to protect against malware from custom packer attacks. For Auto-Protect and virus scans, this emulator improves scan performance and effectiveness by at least 10 percent from previous releases. This anti-evasion technique addresses packed malware obfuscation techniques and detects the malware that is hidden inside custom packers.
What are custom packers?
Many malware programs make use of “packers,” or the software programs that are used to compress and encrypt files for transport. These files are then executed in memory upon arrival on the user's computer.
While packers themselves are not malware, attackers use them to hide malware and obfuscate the code’s real intention. Once the malware is unpacked, it executes and launches its malicious payload, often bypassing firewalls, gateways, and malware protection. Attackers have shifted from using commercial packers (such as UPX, PECompact, ASProtect, and Themida) to creating custom packers. The custom packers use proprietary algorithms to bypass standard detection techniques.
Many of the emerging custom packers are polymorphic. They use an anti-detection strategy whereby the code itself changes frequently, but the purpose and functionality of the malware remains the same. Custom packers also use clever ways of injecting the code into a target process and change its execution flow, frequently throwing off unpacker routines. Some of them are computationally intensive, calling special APIs that make the unpacking difficult.
Custom packers have grown increasingly sophisticated to hide the attack until it’s too late.
How does the
Symantec Endpoint Protection
emulator protect against custom packers?
The high-speed emulator in
Symantec Endpoint Protection
fools malware into thinking it runs on the regular computer. Instead, the emulator unpacks and detonates the custom-packed file in a lightweight virtual sandbox on the client computer. The malware then opens up its payload in full, causing threats to reveal themselves in a contained environment. A static data scanner, which includes the antivirus engine and heuristics engine, acts on the payload. The sandbox is ephemeral and goes away after the threat is dealt with.
The emulator requires sophisticated technology that mimics operating systems, APIs, and processor instructions. It simultaneously manages the virtual memory and runs various heuristics and detection technologies to examine the payload. It takes an average of 3.5 milliseconds for clean files and 300 milliseconds for malware, at about the same time it takes client users to click a file on their desktop. The emulator can detect threats quickly with minimal performance and productivity impact, so client users are not interrupted. In addition, the emulator uses a minimal amount of disk space, a maximum of 16 MB memory in the virtual environment.
The emulator works with other protection techniques, which include advanced machine learning, memory exploit mitigation, behavior monitoring, and reputation analysis. Sometimes multiple engines come into play, collaborating in a response to prevent, detect, and remediate attacks.
The emulator does not use the Internet. However, the engines within the static data scanner may require the Internet based on the malware that the emulator extracted out of the custom packer. See:
How do I configure the emulator?
The emulator is built into the
Symantec Endpoint Protection
software so you don't need to configure it. Symantec regularly adds or changes the emulator content for new threats and releases quarterly content updates to the emulator engine. By default, LiveUpdate automatically downloads this content with the virus and spyware definitions. See:
Symantec Endpoint Protection Manager
does not include separate logs for the detections that the emulator makes. Instead, you can find any detections in the Risk log and Scan log. See: