
Security Beyond the OS

PCQ Bureau

Access-from-anywhere, built on cloud services and mobile devices, gives enterprises a convenient way to disseminate information. But it has also opened up new areas for cyber-criminals to exploit, and they now focus on low-level malware that evades OS-based security protection. The use of mobile devices for accessing enterprise information draws criminals to that area as well, and if recent trends are any indication, Android has become the favourite platform for mobile threats. To counter these threats, security solutions have had to become more innovative and intelligent. The McAfee FOCUS 11 security conference, held in Las Vegas from October 18th to 20th 2011, was the podium where McAfee announced its next-generation security solutions.

McAfee Deep Defender

Manoeuvring around antivirus and other OS-based security solutions has become an easy task for cyber-criminals with the help of stealthy malware. Not only endpoints but also servers used as virtualization platforms are being attacked through kernel-mode malware. Malware and rootkits that operate at the kernel and firmware levels can hide from detection, resist being overwritten, and deactivate the antivirus or other security software on the system. This has rendered conventional security solutions ineffective, because they are confined within the operating system's boundary. McAfee's Deep Defender helps fight back against such low-level malware and rootkit-based attacks. It leverages the hardware-assisted security enabled by the DeepSAFE technology, which McAfee developed together with Intel. This hardware-enabled protection operates between the CPU and the OS, protecting components residing in physical memory and providing a holistic view of drivers and other software. Such behavioural monitoring of real-time kernel operations helps reveal and remove advanced stealth attacks from the system. McAfee Deep Defender is currently supported only on Intel Core i3, i5 and i7 processors, and it can be integrated with the McAfee ePO (ePolicy Orchestrator) solution for efficient deployment and centralized policy management. Other functions that Deep Defender provides are listed below.


Real-time CPU and memory monitoring: The DeepSAFE technology gives Deep Defender low-level visibility into memory and processes, allowing it to recognize the evasive techniques used by stealthy malware such as Zeus and Stuxnet. The hardware assistance ensures that Deep Defender is the first component loaded, before any other driver or process, during the OS boot sequence. Because it is loaded first, it can monitor every driver and process that is loaded during boot-up and take action against any malware it detects in that process. This is how it detects kernel-mode malware and protects the system.

Zero-day protection: McAfee Deep Defender does not rely on prior knowledge of a particular malware sample; instead it identifies malicious behaviour and takes appropriate action. For instance, if a rootkit tries to conceal malware by attaching it to kernel-mode drivers, Deep Defender will block that activity and eliminate the rootkit, thus providing zero-day protection.

Central management: With McAfee ePO you can deploy McAfee Deep Defender enterprise-wide on systems that support McAfee endpoint solutions. This adds protection without adding management overhead.

However smart the methods cyber-criminals use to deploy and hide malware, they cannot hide the malware's interactions with the hardware, the memory or the OS.

Therefore, the ability to monitor such interactions at the lowest hardware level gives McAfee Deep Defender an unprecedented advantage over conventional security solutions in curbing kernel-mode attacks.

(The Author was hosted by McAfee in Las Vegas.)
