Packed files are unpacked and all data extracted; executables are identified and decrypted. The engine performs all simulations in an integrated, closed virtual environment and analyses files for exploits, scripts, iframes, JavaScript, ActionScript, macros, and embedded font or PE files. Scripts such as HTML, XML, JavaScript, VBS, mIRC Script, Web Script, X Script, BAT and TXT, as well as binary files, are checked for jumps and calls, then executed and monitored.
Within the virtual environment, API calls are replaced with the engine's own implementations. The behavioural analysis covers API calls, reloaded files or DLLs, and opcodes. Modified memory regions as well as unpacked code and files are monitored and measured.
Additionally, the behaviour of files after the simulation has started has to be monitored and measured, too: some viruses use techniques to test their environment and recognise analysis environments. API calls made only to compare returned register values, checks of the error code after a call was deliberately made with wrong parameters, or a search for certain files within the process environment block may point to the camouflage functions of a virus.
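The following is an added example, not code from the original page or from the engine it describes. It models two of the points above in Python: an emulated API layer that replaces API calls with its own stand-ins and records every call, and a trace analyser that flags two of the environment-probing patterns just listed (an error-code check immediately after a call made with an invalid parameter, and look-ups of modules that are not part of the normal process image, as a stand-in for searching the PEB loader list). The API names mirror Win32, but the handlers, return values, module list and the sample call sequence are all constructed for the example.

```python
# Added example (not from the original page): a toy emulated-API layer that
# logs every call, plus a trace analyser that flags the environment-probing
# patterns the text describes. API names mirror Win32; the handlers, return
# values and the sample trace are constructed stand-ins, not a real emulator.
from dataclasses import dataclass

ERROR_INVALID_PARAMETER = 87   # real Win32 error code
INVALID_HANDLE_VALUE = -1      # real Win32 failure return for CreateFileW


@dataclass
class Call:
    api: str
    args: tuple
    ret: int


class ApiLayer:
    """Replaces API calls with the engine's own stand-ins and records them."""

    def __init__(self):
        self.trace = []
        self.last_error = 0
        # Constructed view of what the emulated process's PEB loader list holds.
        self.loaded_modules = {"ntdll.dll", "kernel32.dll"}

    def call(self, api, *args):
        handler = getattr(self, "_" + api, None)
        ret = handler(*args) if handler else 0   # unknown API: benign default
        self.trace.append(Call(api, args, ret))
        return ret

    def _CreateFileW(self, path, access):
        if not path:                      # empty path is an invalid parameter
            self.last_error = ERROR_INVALID_PARAMETER
            return INVALID_HANDLE_VALUE
        return 0x100                      # constructed handle value

    def _GetLastError(self):
        return self.last_error

    def _GetModuleHandleW(self, name):
        return 0x400000 if name.lower() in self.loaded_modules else 0


def analyse(trace):
    """Count environment-probing patterns in a recorded call trace."""
    findings = {"error_code_probe": 0, "module_probe": 0}
    for i, c in enumerate(trace):
        # A failing call with bad parameters immediately followed by a check of
        # the error code: the sample is testing whether the API layer answers
        # exactly like the real one would.
        if (c.api == "GetLastError" and i > 0
                and trace[i - 1].ret == INVALID_HANDLE_VALUE):
            findings["error_code_probe"] += 1
        # Looking up a module that is not part of the normal process image is
        # consistent with searching the PEB loader list for monitoring DLLs.
        if c.api == "GetModuleHandleW" and c.ret == 0:
            findings["module_probe"] += 1
    return findings


def run_constructed_sample():
    """Constructed behaviour of a probing sample; returns the findings."""
    api = ApiLayer()
    api.call("CreateFileW", "", 0)                        # deliberately invalid
    api.call("GetLastError")                              # reads the error code
    api.call("GetModuleHandleW", "example_monitor.dll")   # constructed DLL name
    api.call("GetModuleHandleW", "kernel32.dll")          # ordinary look-up
    return analyse(api.trace)


if __name__ == "__main__":
    print(run_constructed_sample())   # {'error_code_probe': 1, 'module_probe': 1}
```

The point of keeping the error code and the module list inside the API layer is that the analyser never has to guess what the sample "meant": every indicator is derived from what the layer itself handed back, so the same trace can be re-scored when a new probing pattern is added.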