Responding to Incidents and spotting Malware with Mandiant Red Curtain
written by: Mark Muller•edited by: Bill Bunter•updated: 8/8/2011
Mandiant Red Curtain is a tool that helps incident responders find malware, but it can also be used by anyone as a complement to their malware scanner. Here you will find the design and use of Mandiant Red Curtain explained, along with useful tips.
What is Mandiant Red Curtain?
Mandiant Red Curtain (MRC) is a tool that helps incident responders and computer specialists find malware. Often, malware does not hide in plain sight and is not a rootkit either. Instead, these malicious pieces of software use a variety of obfuscation techniques in their effort to avoid detection. However, obfuscation typically produces high entropy in the data stream, a property MRC examines along with many other footprints of malware.
To set up or run Mandiant Red Curtain, Microsoft .NET Framework 2.0 needs to be installed. You can check whether it is already present in Control Panel, where you add, remove or view installed programs. If it is missing, you can download it from Microsoft for free.
Mandiant Red Curtain 1.0 needs only approximately 4 MB of disk space.
The installation is easy and starts with the welcome screen, followed by the EULA. On the next screen you can change the install path as well as switch the installation from "Everyone" to "Just me" if you want. In the window after the pre-installation summary, click Close when the installation is complete.
The MRC GUI follows the KIS (Keep It Simple) paradigm and lets you navigate to a file or folder you want to scan for malware. Its result window, exemplified in the second image below, contains an overview of the Mandiant Red Curtain results along with pertinent details, such as the anomalies found, in the details screen.
I suggest sorting the view with descending threat score.
Based on common entry points of malware as well as footprints including, but not limited to, obfuscation, encryption and compression, Mandiant Red Curtain calculates a threat score for the files and folders it analyzes. The higher the threat score, the higher the probability that a given file or executable is malware.
Reported suspicious files must still be examined and analyzed further, but this is a common situation for people trained in incident response and, in fact, the nature of the game rather than a deficit of the software.
Thus, MRC can be a free, helpful tool, and the software ships with an agent for data collection that does not require the full install of Mandiant Red Curtain on the remote machine.
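As an added illustration of the entropy footprint described above (this is example code, not MRC's own scoring logic, which the article does not spell out), the following Python computes Shannon entropy over a whole buffer and over sliding windows, so that a packed or encrypted region stands out inside an otherwise plain file. The 7.0 bits-per-byte threshold, the window sizes and the sample bytes are assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter

# Assumed rule of thumb: plain code and text sit well below 7 bits per byte,
# while packed, encrypted or compressed data approaches the 8-bit maximum.
HIGH_ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def windowed_entropy(data: bytes, window: int = 512, step: int = 256):
    """(offset, entropy) for overlapping windows, so a small obfuscated region
    shows up even when the whole-file value looks ordinary."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, step)]

def flag_high_entropy(data: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD,
                      window: int = 512, step: int = 256):
    """Return (whole-buffer entropy, offsets of windows above the threshold).
    A non-empty offset list is a triage hint for a closer look, not a verdict."""
    overall = shannon_entropy(data)
    hits = [off for off, h in windowed_entropy(data, window, step) if h > threshold]
    return overall, hits

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for a packed or encrypted section (constructed
    sample data): a chained SHA-256 stream, which is close to uniform."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed samples: a plain, repetitive region and a packed-looking region.
PLAIN_REGION = b"This program cannot be run in DOS mode.\r\n" * 40  # 1640 bytes
PACKED_REGION = pseudo_random_bytes(2048)
MIXED_FILE = PLAIN_REGION + PACKED_REGION + PLAIN_REGION

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_REGION), ("packed", PACKED_REGION), ("mixed", MIXED_FILE)):
        overall, hits = flag_high_entropy(buf)
        print(f"{name:6s} overall={overall:.2f} bits/byte, suspicious windows at {hits}")
```

Run against real files, the windowed view is what keeps a small packed stub from being averaged away by a large plain body; a hit still only tells you where to look.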
It took Mandiant Red Curtain approximately twice as much time to scan my C drive as it takes my anti-virus scanner, but MRC displayed a number of high-score items along with their anomalies that my antivirus/antimalware software had never reported.
Help & Support
The concise help file explains the inner workings of Mandiant Red Curtain and is definitely worth reading. When I sent the vendor an email requesting further information regarding system requirements, they did not respond within 5 business days.
Price to Value
Mandiant Red Curtain 1.0 is completely free.
The Bottom Line
Mandiant Red Curtain 1.0 is a helpful tool for incident responders and anyone with a stake in computer security. MRC can not only be used to deal with an intrusion or malware infection, but can also act as a malware scanner, giving another view of your system's security. Given the amount of 0-day malware in the wild, I strongly recommend beefing up your antimalware protection with a tool like MRC.