Wednesday, May 7, 2014

FireEye's unique approach to combating malware

I thought we should take a look at FireEye's approach to combating malware. NetworkWorld has written an interesting article on FireEye, "Review: FireEye fights off multi-stage malware". Here are some excerpts...

FireEye takes a new approach to malware detection with its NX appliances. As this Clear Choice test shows, the FireEye device allows advanced malware to proceed – but only onto virtual machines running inside the appliance.

Conventional approaches to fighting malware have limitations in combating multi-stage malware threats. A signature-based system might detect the existence of a malware binary file, but only once it’s been reassembled on the target – and by then the target is already compromised. Newer sandbox systems stop traffic before it reaches target machines, but they may not be able to assemble and analyze all the constituent parts of a multi-stage attack. Indeed, a key step in some exploit kits is to “fingerprint” versions of the hypervisor, OS, browser, and plug-ins before deciding whether to proceed.
...
Virtualization is FireEye’s key differentiator. Its appliances run multiple versions of Windows OSs, browsers, and plug-ins, each in its own virtual machine. Malware actually compromises a target (virtual) machine – and then and only then does the FireEye software record a successful attack. Network managers can configure the FireEye appliance to block such attacks, preventing their spread into the enterprise.
...
FireEye’s technology complements rather than replaces an intrusion detection system (IDS). Unlike an IDS or IPS, it doesn’t have a library of thousands of attack signatures. Instead, it looks for actual compromises on its virtual machines...
...
The appliance’s virtual machines represent various service pack levels of Windows 7 and Windows XP, along with many combinations of browser and Adobe Flash and Microsoft Silverlight versions. FireEye wrote its own hypervisor that makes virtual machines appear to run on bare metal. That’s useful to thwart exploit kits that skip execution on machines if they detect VMware hypervisors...
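To make the review's three points concrete, here is an added example (mine, not code from the NetworkWorld article or from FireEye) that models them on constructed data: a per-packet signature scanner that never sees a payload split across segments, a flow-reassembly scanner that catches the plain payload but not an encoded second stage, and a "detonation" step that lets a constructed two-stage kit run in several victim profiles and records a compromise only in the profile whose Flash build the kit fingerprints as acceptable. Every byte string, key, profile and the `KIT;key=...;target=...;` header format are invented for the demo and stand in for real traffic and real version checks.

```python
"""Constructed model of per-packet inspection vs. flow reassembly vs. detonation.

Nothing here is real malware: SIGNATURE is a harmless marker string, the
"kit" header is a made-up format, and the profiles are illustrative only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed marker standing in for a signature-database entry.
SIGNATURE = b"STAGE2-MARKER-0xBADC0DE"

# Constructed stage one: carries a one-byte XOR key and the Flash build the
# kit will accept. Format is invented: KIT;key=<hex>;target=<build>;<stage2>
KEY = 0x5A
STAGE1 = b"KIT;key=5A;target=flash-11.2;"

# Delivery A: second stage sent in the clear, so reassembly alone reveals it.
PLAIN_STREAM = STAGE1 + SIGNATURE

# Delivery B: second stage XOR-encoded with the key from stage one, so the
# marker bytes never appear on the wire and only show up after decoding.
STAGED_STREAM = STAGE1 + bytes(b ^ KEY for b in SIGNATURE)


@dataclass(frozen=True)
class VmProfile:
    """One victim VM configuration (constructed OS/browser/plugin combo)."""
    os: str
    browser: str
    flash: str

    def label(self) -> str:
        return f"{self.os}/{self.browser}/{self.flash}"


PROFILES = [
    VmProfile("Windows XP SP3", "IE8", "flash-10.3"),
    VmProfile("Windows 7 SP1", "IE9", "flash-11.2"),
    VmProfile("Windows 7 SP1", "IE10", "flash-11.7"),
]


def split_into_chunks(stream: bytes, size: int) -> List[bytes]:
    """Cut a byte stream into fixed-size segments, like packets on the wire."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def scan_per_chunk(chunks: List[bytes], signature: bytes) -> bool:
    """Per-packet inspection: each segment is matched in isolation, so a
    signature longer than one segment can never match."""
    return any(signature in chunk for chunk in chunks)


def scan_reassembled(chunks: List[bytes], signature: bytes) -> bool:
    """Flow reassembly: match against the whole stream once it is rebuilt."""
    return signature in b"".join(chunks)


def detonate(stream: bytes, profile: VmProfile) -> Optional[bytes]:
    """Model of letting the kit run inside one victim VM.

    Mirrors the fingerprint-then-proceed behaviour the review describes: the
    constructed kit decodes its second stage only when the profile's Flash
    build matches its target; otherwise it exits and leaves nothing to see.
    """
    kind, key_field, target_field, stage2 = stream.split(b";", 3)
    if kind != b"KIT":
        return None
    key = int(key_field.split(b"=", 1)[1], 16)
    target = target_field.split(b"=", 1)[1].decode()
    if profile.flash != target:
        return None  # fingerprint mismatch: kit bails, no compromise to record
    return bytes(b ^ key for b in stage2)


def detonation_verdicts(stream: bytes, profiles: List[VmProfile],
                        signature: bytes) -> Dict[str, bool]:
    """Run the sample in every profile; a compromise is recorded only where
    the decoded second stage actually appears, as the review describes."""
    verdicts = {}
    for profile in profiles:
        decoded = detonate(stream, profile)
        verdicts[profile.label()] = decoded is not None and signature in decoded
    return verdicts


if __name__ == "__main__":
    plain_chunks = split_into_chunks(PLAIN_STREAM, 8)
    staged_chunks = split_into_chunks(STAGED_STREAM, 8)
    print("per-chunk, plain delivery:     ", scan_per_chunk(plain_chunks, SIGNATURE))
    print("reassembled, plain delivery:   ", scan_reassembled(plain_chunks, SIGNATURE))
    print("reassembled, encoded delivery: ", scan_reassembled(staged_chunks, SIGNATURE))
    for label, hit in detonation_verdicts(STAGED_STREAM, PROFILES, SIGNATURE).items():
        print(f"detonation in {label}: {'COMPROMISED' if hit else 'no activity'}")
```

The last loop is the part that matters for the review's argument: with only one profile in the appliance, a kit that gates on a version check would show no activity at all, which is why the review stresses running many OS, browser and plug-in combinations side by side and recording an attack only when one of them is actually compromised.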
