Cerberus uses several DayZero signature-free techniques that fall into three principal stages. First, Cerberus monitors every process running on the computer, including those the user does not know are there, and detects suspect behavior quickly. When it does, Cerberus raises a red flag, which we call a smoke signal.

As soon as the smoke signal appears, Cerberus contains the suspect process while its communications are analyzed. Containment gives a fast reaction to a threat; it also acts as a deterrent and is sometimes the only response needed, since it may bring the malware under control or exhaust its useful life. Cerberus can contain a suspect within milliseconds, far faster than the reaction time of other techniques. Containment also allows marginal suspects to be analyzed without disturbing legitimate processes. This matters increasingly, because many sites gather data for marketing purposes using techniques very similar to those of worms and spyware.

Containment often alters a worm's behavior. If the suspect stops its activity and is not judged a threat, it is released; if it tries again, it is contained again and analysis starts over. Releases are allowed because a legitimate site page may initially behave much like a worm, and may in fact be infected, and because worms are sometimes designed to act only once or a limited number of times. Even if a released worm mutates, Cerberus is designed to detect it again and take action, because its detection does not rely on signatures.

Cerberus's proprietary analyses then determine whether the suspect's actions are malicious or otherwise illegitimate. If the actions persist and are judged malicious or without legitimate purpose, Cerberus quarantines the process that originated them.
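The detect, contain, release, re-contain, quarantine cycle described above, as an added example that is not Cerberus code or DayZero's method: a small Python state machine run over a constructed process-event trace. The trigger heuristic (five distinct destinations within two seconds), the quiet period before release, the rule that a third containment counts as persistent, and the event format are all assumptions made for the illustration; the page does not say what Cerberus's proprietary analyses actually check.

```python
"""Illustrative behaviour-based containment state machine (added example, not
Cerberus code).  Models the escalation the text describes:
monitor -> smoke signal -> contain while analysing -> release if the activity
stops -> contain again if it resumes -> quarantine once judged persistent.
The burst heuristic, thresholds and event shape are assumptions for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Deque, Optional, Tuple


class State(Enum):
    MONITORED = auto()
    CONTAINED = auto()
    RELEASED = auto()
    QUARANTINED = auto()


@dataclass
class Event:
    t: float          # seconds since start of trace
    pid: int
    kind: str         # "connect" (outbound attempt) or "idle" (periodic tick)
    dst: str = ""     # destination host for "connect" events


@dataclass
class ProcessTrack:
    state: State = State.MONITORED
    recent: Deque[Tuple[float, str]] = field(default_factory=deque)
    containments: int = 0
    quiet_since: Optional[float] = None


class Monitor:
    WINDOW = 2.0           # assumed: burst = >= BURST distinct dsts in WINDOW s
    BURST = 5
    QUIET = 3.0            # assumed: seconds of silence before release
    MAX_CONTAINMENTS = 3   # assumed: third containment => judged persistent

    def __init__(self):
        self.tracks = defaultdict(ProcessTrack)

    def _burst(self, tr, t, dst):
        # Sliding window of recent connects; flag on many distinct destinations.
        tr.recent.append((t, dst))
        while tr.recent and t - tr.recent[0][0] > self.WINDOW:
            tr.recent.popleft()
        return len({d for _, d in tr.recent}) >= self.BURST

    def _analyse(self, tr):
        # Stand-in for the analysis step: activity that keeps resuming after
        # release is judged malicious; a single burst is not.
        return tr.containments >= self.MAX_CONTAINMENTS

    def handle(self, ev):
        tr = self.tracks[ev.pid]
        if tr.state is State.QUARANTINED:
            return "dropped"                    # quarantined: nothing gets out
        if ev.kind == "connect":
            if tr.state is State.CONTAINED:
                tr.quiet_since = None           # still active: not quiet yet
                return "held"                   # traffic held during analysis
            if self._burst(tr, ev.t, ev.dst):   # smoke signal
                tr.containments += 1
                tr.recent.clear()
                if self._analyse(tr):
                    tr.state = State.QUARANTINED
                    return "quarantine"
                tr.state = State.CONTAINED
                tr.quiet_since = ev.t
                return "contain"
            return "allow"
        # idle tick: release a contained process once it has stayed quiet
        if tr.state is State.CONTAINED:
            if tr.quiet_since is None:
                tr.quiet_since = ev.t
            elif ev.t - tr.quiet_since >= self.QUIET:
                tr.state = State.RELEASED
                tr.quiet_since = None
                return "release"
        return "none"


def run(monitor, events):
    """Feed events in time order; return the notable (t, pid, action) tuples."""
    out = []
    for ev in sorted(events, key=lambda e: e.t):
        action = monitor.handle(ev)
        if action not in ("allow", "none", "held"):
            out.append((ev.t, ev.pid, action))
    return out


def burst(pid, t0, n=5):
    """Constructed: n connects to distinct hosts, 0.25 s apart."""
    return [Event(t0 + 0.25 * i, pid, "connect", f"10.0.0.{i}") for i in range(n)]


def idle(pid, t0, n=4):
    """Constructed: n idle ticks, one per second after t0."""
    return [Event(t0 + i, pid, "idle") for i in range(1, n + 1)]


def worm_scenario():
    """Constructed trace: pid 4242 bursts, goes quiet, and resumes twice."""
    ev = burst(4242, 0.0) + idle(4242, 1.0)     # contain at 1.0, release at 4.0
    ev += burst(4242, 6.0) + idle(4242, 7.0)    # contain at 7.0, release at 10.0
    ev += burst(4242, 12.0)                     # third burst: quarantine at 13.0
    ev += [Event(14.0, 4242, "connect", "10.0.0.9")]   # dropped
    return ev


def benign_scenario():
    """Constructed trace: pid 1111 bursts once (e.g. page load) and stays quiet."""
    return burst(1111, 0.0) + idle(1111, 1.0) + [Event(20.0, 1111, "connect", "cdn.example")]


if __name__ == "__main__":
    for scenario in (worm_scenario, benign_scenario):
        print(scenario.__name__, run(Monitor(), scenario()))
```

Note the edge case the page calls out: a process that is released and then bursts again is contained again, and in this toy the containment count is what the stand-in analysis uses to judge persistence, so a one-off burst from a legitimate page is released and never quarantined. In a real sensor the contain step would map to something like suspending the process or dropping its sockets, and the analysis would be far more than a counter.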