CrowdStrike Falcon® Malquery FAQ

Falcon MalQuery is an advanced, cloud-based malware research tool designed to enable malware researchers, security forensics, incident response, and cyber threat intelligence teams to find historical and related malware samples for further investigation.

Falcon MalQuery is based on the fact that malware developers reuse code and infrastructure - and this reuse leaves traceable fingerprints. If you can identify these fingerprints, or artifacts, in other malware samples, you get a glimpse into the ancestry of the malware and expand your detection capabilities, further your understanding, and protect your organization.

When investigating new malware samples, you most likely begin by detonating the file in a malware sandbox that will identify interesting strings and potentially malicious domains and IPs. Falcon MalQuery is used just like a search engine. You can search for these strings (or use YARA rules) across Falcon MalQuery’s massive, multi-year collection of over 3.5 billion malware samples. The results include IOCs, links to download the related malware samples, attribution, links to the actor profiles, and much more.

A demo of how Falcon MalQuery works in operation is available in the CrowdStrike Tech Center.

Moving faster than the adversaries and understanding threats in context are key to gaining the tactical advantage needed to defend organizations from today’s sophisticated attacks. The reality for security professionals today is that their research tools are simply too slow. It can take hours or days to understand an attack and take protective action. They have to contend with slow queries, disjointed, incomplete data sets and too many false positives, making it difficult to understand and thwart threats strategically. Search engines have revolutionized the speed at which research is conducted in all other aspects of modern life and the Falcon search engine does the same for cybersecurity.

The Falcon MalQuery service is focused on speeding up and improving the malware research capabilities in the modern, next-gen SOC. It has been designed to enable and assist a variety of security functions, such as malware research, security forensics, incident response, and cyber threat intelligence.

Falcon MalQuery is a highly efficient search engine that saves security professionals and researchers time by providing instant access to vital information, including:

• Byte sequences or byte pattern combinations including ASCII and Unicode
• YARA-based file/sample lookups across the entire history of samples contained within the sample set — including the ability to download selected matched samples
• Results such as related hashes, malware disposition, file attributes, malware family and adversary attribution with links to appropriate CrowdStrike Falcon® Intelligence Premium™ intelligence reports.

There are a number of key differentiators:

• Speed: Falcon MalQuery is one of the fastest malware search engines in the security industry — over 250 times faster than other search tools. This is made possible by the patent-pending “n-gram” indexing technology.
• Clarity: Search results come from the largest and most complete collection of malware available in the industry. Falcon MalQuery indexes both a file’s metadata and the actual content within the file to ensure all data is discoverable by the user. Those results are then augmented with threat intelligence so the severity and context of the threat is clear.
• Protection: Faster and more accurate search results enable security professionals to build better protection rules. These rules empower security professionals to quickly pivot and hunt for new threats, while also enabling the deployment of protection rules to other security solutions that you may have at your disposal, ensuring proactive defense against tomorrow’s threats.

Falcon MalQuery supports the following search types:

• Fuzzy searching: This is supported for sequences of bytes or combinations of byte patterns, including ASCII and Unicode strings.
• Exact searches: These are similar to “fuzzy” searches, but validate all results before returning them to the user.
• YARA hunting: This allows users to perform file/sample lookups based on fully featured YARA rules.

Falcon MalQuery is file-type agnostic and new file types can be added as needed. The file types that are currently indexed include: Composite Document Files (CDF), Compiled Java, Dalvik Dex , Microsoft Word (DOC, DOCX), ELF 32-/64-bit, executables (EXE), EMAIL, HTML documents, Hangul Word Processor File (HWP), Java Archive Data, Windows shortcut (LNK), Mach-0 , PDF, PE32, PE64, Perl script, PowerPoint (PPT, PPTX), Python script, Python byte compiled, Rich Text (RTF), ASCII Text, Microsoft Excel (XLS, XLSX), Shockwave Flash (SWF).

Yes, you do not need to use the CrowdStrike Falcon® endpoint protection solution to use Falcon MalQuery. It is licensed as a yearly subscription and customers can access the service using the highly secure, cloud-native Falcon Platform. For information on how to subscribe, call 1.888.512.8906 or contact falconxsales@crowdstrike.com

Falcon MalQuery is licensed on a subscription basis, based upon the number of malware searches performed per month. For more information, please contact us.