Microsoft’s New AI Agent Project to Detect Malware with Reverse Engineering Tools
Microsoft has unveiled Project Ire, an autonomous AI agent capable of reverse engineering and classifying malware at an unprecedented scale.
The breakthrough system achieved a precision rate of 0.98 and a recall of 0.83 during testing on Windows drivers, marking a significant advancement in cybersecurity automation.
Project Ire represents the first AI system to author a conviction case strong enough for automatic malware blocking, successfully identifying advanced persistent threat (APT) samples that Microsoft Defender has since blocked across their billion-device network.
Key Takeaways
1. Project Ire automatically analyzes and identifies malware using advanced decompilation tools.
2. Achieved 98% precision in testing with only 4% false positives on challenging real-world samples.
3. Deploying across Microsoft Defender's 1-billion-device network to automate threat detection.
Automated Malware Analysis
Project Ire operates through a toolkit of reverse-engineering tools, including the angr framework, the Ghidra decompiler, and Microsoft’s proprietary memory analysis sandboxes based on Project Freta.
The system constructs detailed control flow graphs to map software behavior, enabling comprehensive binary analysis without human intervention.
Through its tool-use API, Project Ire can invoke specialized functions to examine file structures, reconstruct execution paths, and identify malicious code patterns.
The AI agent employs iterative function analysis, systematically examining each component while building a “chain of evidence” for auditable decision-making.
This approach allows the system to handle complex samples like Trojan:Win64/Rootkit.EH!MTB (SHA256: 86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62), where it successfully identified kernel-level rootkit behaviors including process termination functions and HTTP command-and-control communications.
During evaluation against nearly 4,000 “hard-target” files that stumped automated systems, Project Ire achieved 0.89 precision with just a 4% false positive rate.
The system correctly classified samples like HackTool:Win64/KillAV!MTB (SHA256: b6cb163089f665c05d607a465f1b6272cdd5c949772ab9ce7227120cf61f971a), identifying functions that terminate antivirus processes by searching for specific executable names, including ‘avp.exe’ and ‘360Tray.exe’.
Project Ire’s validator tool cross-references findings against expert knowledge, ensuring accuracy in complex scenarios.
When analyzing anti-debugging mechanisms involving software interrupts (int 0x29 and int 0x3), the system appropriately flagged uncertain claims for human review, demonstrating sophisticated uncertainty handling.
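The workflow the article describes in the passages above (function-by-function analysis, a recorded “chain of evidence”, a validator that only convicts on solid claims, and uncertain claims routed to a human) can be sketched as a small triage loop. The following is an added illustration and is not Microsoft’s Project Ire code: the function summaries, import names and the URL are constructed, and the rule thresholds are assumptions chosen for the example. Only the process names ‘avp.exe’ and ‘360Tray.exe’ and the interrupts int 0x29 / int 0x3 come from the article.

```python
"""Toy 'chain of evidence' malware triage (added example, not Project Ire's code).

Each decompiled function is examined by a set of checks; every finding records the
function it came from, a category, a claim and a confidence level.  High-confidence
findings build the auditable chain; uncertain ones go to a human-review queue and
never contribute to a conviction on their own.  All sample data is constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Process names the article says the KillAV sample searches for before terminating.
AV_PROCESS_NAMES = {"avp.exe", "360tray.exe"}
# Assumed imports a decompiler would show for a process-enumerate-and-kill routine.
PROCESS_KILL_APIS = {"CreateToolhelp32Snapshot", "Process32NextW", "TerminateProcess"}
# Assumed imports for an HTTP command channel.
HTTP_APIS = {"InternetOpenA", "InternetConnectA", "HttpSendRequestA", "WinHttpSendRequest"}
# int 0x29 is Windows __fastfail and int 3 is a breakpoint; both occur in ordinary
# binaries, so on their own they are not conviction-grade evidence.
INTERRUPT_MNEMONICS = {"int 0x29", "int 0x3", "int 3"}


@dataclass
class FunctionSummary:
    """What an analysis tool might return for one function (constructed shape)."""
    name: str
    imports: set[str] = field(default_factory=set)
    strings: set[str] = field(default_factory=set)
    instructions: list[str] = field(default_factory=list)


@dataclass
class Evidence:
    function: str
    category: str
    claim: str
    confidence: str  # "high" or "uncertain"


def check_av_termination(fn: FunctionSummary) -> list[Evidence]:
    names = {s.lower() for s in fn.strings} & AV_PROCESS_NAMES
    if names and fn.imports & PROCESS_KILL_APIS:
        return [Evidence(fn.name, "kill-security-process",
                         f"terminates security processes by name: {sorted(names)}", "high")]
    return []


def check_http_c2(fn: FunctionSummary) -> list[Evidence]:
    urls = sorted(s for s in fn.strings if s.lower().startswith(("http://", "https://")))
    if urls and fn.imports & HTTP_APIS:
        return [Evidence(fn.name, "http-c2",
                         f"HTTP command-and-control channel to {urls}", "high")]
    return []


def check_anti_debug_interrupts(fn: FunctionSummary) -> list[Evidence]:
    hits = sorted(i for i in fn.instructions if i.lower() in INTERRUPT_MNEMONICS)
    if hits:
        return [Evidence(fn.name, "anti-debug",
                         f"possible anti-debugging via software interrupt {hits}", "uncertain")]
    return []


CHECKS: list[Callable[[FunctionSummary], list[Evidence]]] = [
    check_av_termination, check_http_c2, check_anti_debug_interrupts,
]


def analyze(functions: list[FunctionSummary]) -> dict:
    """Iterate over every function, collect evidence, then apply the validator rule."""
    chain: list[Evidence] = []
    review_queue: list[Evidence] = []
    for fn in functions:
        for check in CHECKS:
            for ev in check(fn):
                (chain if ev.confidence == "high" else review_queue).append(ev)
    # Validator (assumed rule): two distinct high-confidence behaviours convict,
    # one is only 'suspicious', uncertain claims never count toward a verdict.
    distinct = {ev.category for ev in chain}
    verdict = "malicious" if len(distinct) >= 2 else "suspicious" if distinct else "no_conviction"
    return {"verdict": verdict, "chain": chain, "review_queue": review_queue}


def sample_functions() -> list[FunctionSummary]:
    """Constructed sample resembling the behaviours the article attributes to the samples."""
    return [
        FunctionSummary("sub_401000", PROCESS_KILL_APIS | {"lstrcmpiW"},
                        {"avp.exe", "360Tray.exe"}),
        FunctionSummary("sub_402000", {"InternetOpenA", "HttpSendRequestA"},
                        {"http://c2.example.invalid/cmd"}),           # constructed URL
        FunctionSummary("sub_403000", instructions=["mov eax, 1", "int 0x29"]),
        FunctionSummary("sub_404000", {"GetTickCount"}),                # benign noise
    ]


if __name__ == "__main__":
    report = analyze(sample_functions())
    print("verdict:", report["verdict"])
    for ev in report["chain"]:
        print(f"  [{ev.confidence}] {ev.function}: {ev.claim}")
    for ev in report["review_queue"]:
        print(f"  [review] {ev.function}: {ev.claim}")
```

Running the module prints a conviction backed by two high-confidence findings (process termination and HTTP C2) and one item queued for review (the int 0x29 interrupt), which is the shape of output an analyst can audit: every claim names the function it was derived from, and a doubtful claim is visible but did not influence the verdict.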
Integration Into Microsoft Defender
The prototype will be deployed as Binary Analyzer within Microsoft’s Defender organization, addressing analyst burnout and standardizing threat classification across global operations.
Built on the same agentic foundation as GraphRAG and Microsoft Discovery, Project Ire leverages large language models with specialized security expertise.
Microsoft’s collaboration with Emotion Labs contributed crucial innovations in cyber autonomy, while the system incorporates multiple open-source tools, including decompilers and binary analysis frameworks.
The ultimate goal is to detect novel malware directly in memory at global scale, changing how organizations defend against evolving cyber threats through autonomous, AI-driven analysis.