Guides

How to Use Malware INFO: A Safe First Investigation

A beginner-friendly workflow for moving from a suspicious Windows file to explainable evidence without losing safety or context.

How to Use Malware INFO: A Safe First Investigation

Start with the right expectation

Malware INFO is a local-first Windows investigation application. It combines reputation context, layered local scans, behavioral triage, Real-time Guard evidence, quarantine, reports, and licensed deep-analysis tools.

It does not make unknown code safe to run on your normal computer, and it does not replace antivirus, EDR, XDR, SIEM, or an isolated analysis lab.

Never execute an unknown file on an everyday or production computer. Live analysis belongs only in an authorized disposable VM or approved sandbox.

1. Check the Home workspace

Open Malware INFO from its tray icon and review the Home workspace. Confirm the active edition, license state, Guard status, and scan-engine status before beginning an investigation.

Malware INFO Home workspace
Malware INFO Home workspace

Professional and Enterprise systems show Real-time Guard availability. A red tray shield is an attention state: it can indicate Free Edition, paused/disabled Guard, or a disabled Guard scan engine. It is not by itself a malware alert.

2. Preserve the suspicious file’s identity

Before changing, moving, or executing the file, record:

  • Original file name and path
  • File size
  • SHA-256
  • Source and discovery time
  • The user, alert, email, download, or process that led to the file
  • Any antivirus or EDR action already taken

This information lets another analyst verify that later lookup, scan, quarantine, and report evidence refers to the same object.

3. Use Lookup when policy permits

Lookup can review hashes, files, URLs, domains, and IP addresses. Begin with a hash when possible because it provides reputation context without uploading the complete file.

Malware INFO Lookup workspace
Malware INFO Lookup workspace

Review the summary, detection ratio, comments, relationships, and raw evidence together. A third-party reputation result is intelligence context—not an automatic local verdict.

Uploading a file is a separate explicit action. Do it only when your organization permits sharing that file with the selected service.

4. Run layered local scans

Use Basic Scan for known-bad hash evidence and Advanced Scan for HEX signatures and YARA rules. Choose only the scope needed for the case.

Malware INFO Scans workspace
Malware INFO Scans workspace

Confirmed hash, HEX, or YARA evidence can support containment. Heuristic and Zero-Day findings require analyst review. Always read the engine, source, reason, path, signer, and related activity before acting.

5. Correlate with Zero-Day and Guard evidence

Zero-Day Scan and Real-time Guard can add process, command-line, trust, persistence, registry, network, file, timeline, and executable-memory context.

Malware INFO Real-time Guard workspace
Malware INFO Real-time Guard workspace

Interpret the decision labels carefully:

  • Observed means activity was recorded without a malicious verdict.
  • Allowed means current policy did not block the event; it does not certify safety.
  • AlertOnly means review is required but automatic containment was not justified.
  • Detected means a configured confirmed-detection source matched.
  • Quarantined means a supported file moved into protected containment.

One row rarely tells the whole story. Correlate parent/child processes, file writes, persistence, registry changes, network activity, signer state, and confirmed scan evidence.

6. Contain only after review

Quarantine is containment, not permanent deletion. Before restoring or deleting an item, confirm its hash, source, detection reason, business purpose, and related activity.

Do not restore an uncertain file directly into an active startup path, service path, Run key, scheduled task, or production location. Restoring a file does not automatically make it trusted.

7. Export an analyst-readable handoff

Use the product’s report/export workflow and retain the manifest and SHA-256 inventory. Record the case ID, source computer, product version, edition, UTC collection time, analyst, evidence gaps, and any AV action.

Reports, dumps, and archives may contain real malicious bytes or secrets. Transfer them only through an organization-approved evidence channel.

When to use Enterprise deep-analysis tools

Payload Dumper, Dump Analyzer, and API Dumper are selected-process Enterprise workflows. Use them only when ordinary lookup, scan, and Guard evidence cannot answer the approved investigation question.

Safe Trace is least invasive. Deep Trace changes target timing and may trigger anti-debug behavior. Begin with Safe Trace and choose Deep only when supported exact API entry/return evidence is necessary and the isolated lab accepts the impact.

Continue learning

Open the in-app Help for edition details, complete workflows, evidence terminology, troubleshooting, and safe-lab guidance. Help is currently available in 22 languages.

You can also review the complete website FAQ and edition feature comparison.