Microsoft quietly launched an AI agent that can detect and reverse engineer malware

AI concept image showing digitized human eye monitoring digital interfaces and software. — (Image credit: Getty Images)

Microsoft has launched an autonomous agent for detecting malware – and it’s already completed a first-of-a-kind detection of an active hacking group.

Project Ire is an AI agent capable of reverse engineering software files to investigate whether they’re malicious and analyze their origins, even if they don’t match any previously-cataloged threats.

Powered by a combination of large language models (LLMs) and specialized cybersecurity analysis tools, the agent is intended to automate malware classification to ease cybersecurity analyst burnout.

In recent tests, Project Ire was exposed to known samples from a database hackers have used for living off the land attacks, alongside harmless Windows drivers.

The agent correctly flagged 90% of all files, with only a two percent false positive rate, confirming the malicious nature of files such as a kernel-level rootkit by identifying suspicious features like process termination and a web-connected command and control structure.

Microsoft researchers described its ability to blindly reverse engineer files as “the gold standard in malware classification”.

They added that Project Ire is the first reverse engineer at Microsoft to build a strong enough case against a specific advanced persistent threat (APT) malware strain to justify its automatic blocking in Windows Defender.

In a broader test, researchers exposed Project Ire to 4,000 files that were unclassified by Microsoft’s automated systems and would normally have to be reviewed by highly-skilled reverse engineers.

Project Ire achieved a precision score of 0.89, meaning 90% of the files it marked as malicious were indeed threats, alongside an overall recall score of 0.26 meaning it discovered around 25% of all the malware in the sample.

Microsoft noted the tool achieved these results autonomously, with none of the files it was exposed to having been present in its training data, adding that other autonomous tools made by Microsoft were unable to classify the files at all.

Project Ire was created as a joint project between Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.

Project Ire could shake up AI malware classification

Malware classification is a painstaking process, in which experts pore over hundreds or thousands of files to determine whether a given piece of software has a malicious purpose.

In the past it’s been nearly impossible to automate, as AI tools can’t easily reverse engineer files without their context. They also lack the ability to definitively validate whether a file is malicious, as specific features within software could have both malicious and benign purposes.

Microsoft has attempted to overcome these limitations through Project Ire by equipping it with multi-level reasoning capabilities and the ability to call open source tools, documentation, and decompilers via API calls.

Every time Project Ire analyzes a file, the agent first runs triage to classify it, note its structure, and capture any other details that could point to its purpose or origin.

It then reverse engineers the file’s control flow graph, a graphic representation of a program’s execution paths, using the open source frameworks angr and Ghidra.

Project Ire can then call specific tools via an API to investigate specific functions within the file, adding each finding to an auditable chain of evidence that human analysts can check afterward to validate the LLM’s findings.

It is capable of periodically cross-checking its own claims using a built-in ‘validator’ tool, which uses expert statements from human malware reverse engineers who helped build Project Ire as context for making a final call for whether the file is malicious or benign.

This is then summarized in a final report for analyst oversight.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Why ‘malware as a service’ is becoming a serious problem
Developers face a torrent of malware threats as malicious open source packages surge 188%
The best malware removal tools for your business in 2025

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.