McAfee and Check Point turn to sandboxing to fend off APTs
- — 27 February, 2013 15:03
The effectiveness of antivirus protection has never been under greater scrutiny but McAfee and Check Point believe they have found a new story to counter some of the the doubt - sandboxing.
McAfee's story at this week's RSA Show is built around its recently-acquired ValidEdge, a small startup that came with an appliance for carrying out binary-level analysis and reverse-engineering of suspected malware files to see how they might affect endpoints such as PCs.
Importantly, the analysis involves actually running the application in a sandbox to see what it does in real time, an onerous procedure that requires full kernel isolation.
The system can also generate signatures from detected malware which can be used to remediate infections on PCs targeted while outside the network perimeter using the firm's established ePolicy Orchestrator management, McAfee said.
Check Point's equivalent comes in the form of its new Threat Emulation Software Blade, an upgrade aimed at customers already running the firm's systems.
The design principle is the same as McAfee, however, and involves emulating files in a sandboxed environment it believes to be suspicions, that is unknown to its ThreatCloud database.
Both systems are designed to fill the sort of gaps conventional antivirus has often struggled with such as spotting attacks that use malicious attachments without generating false positives.
Is sandboxing a fix-all? Despite the optimistic pronouncements of both companies, almost certainly not. The anxiety, of course, is the spate of Advanced Persistent Threat (APT) attacks that anecdotal evidence suggests are getting round today's defences without much trouble.
Part of the reason for this is that some of these attacks are infecting systems such as mobile devices outside the firewall, before being brought behind the perimeter when returning from their travels.
Spotting those means monitoring traffic moving inside the network and out through the firewall, often sent using encrypted command and control channels that are inherently tricky to detect. Many victims notice nothing until it is too late.
In McAfee's architecture, the command and control channel is supposed to be detected by Web Protection layer while in Check Point's universe the equivalent security is provided by its Anti-Bot Software Blade.
"Point products can't provide adequate protection against these advanced attacks, which is why McAfee is delivering an integrated, multi layered, managed solution that provides comprehensive malware protection across endpoints and networks," admitted McAfee general manager of network security, Pat Calhoun.
What the coming of the APT age heralds is that defences should be integrated and layered where once they would have been static shields looking after specific pieces of infrastructure.
It should be noted that sandboxing and emuation are far from a new technologies in the antivirus world; Sunbelt Software (acquired by GFI) started using it in earnest four years ago but only now is it being integrated into enterprise systems with sudden haste.
Check Point said its new Blade would be on sale by Q2 while McAfee plans to have integrated ValidEdge's technology in the second half of 2013, the firm said.