New approach blocks all zero-day malware, says Trusteer

Antivirus products

New approach blocks all zero-day malware, says Trusteer

Warwick Ashford

Stateful application control blocks 100% of previously unknown malware, closing the security gap left by traditional antivirus (AV) software, according to endpoint security firm Trusteer.

The security firm estimates that 70-80% of enterprise malware infections are through the exploitation of zero-day vulnerabilities.

Exploit code is typically embedded in legitimate external content, such as a PDF or compromised website, and is able to infect computers without users' knowledge.

Around 98% of these exploit new vulnerabilities in Java, while the remainder mostly exploit previously unknown vulnerabilities in applications such as Adobe Acrobat, Flash and Microsoft Office.

Traditional AV software is unable to block such unknown exploits because it relies on a blacklist of known malware.

Alternative application control and whitelisting solutions allow only "trusted" files to execute on the endpoints and are more resilient to evasion tactics.

Stateful application control

70-80% of enterprise malware infections are through the exploitation of zero-day vulnerabilities

Trusteer

But due to the dynamic nature of the user environment and frequent changes to application files, organisations find these solutions difficult to implement and maintain, according to Trusteer.

The security firm’s new approach uses endpoint agent software to monitor the execution of endpoint applications that process external content to assess the application state.

The Apex software looks at memory and kernel processes to determine the application state, and will block all but the narrow range of known legitimate application states identified by Trusteer. 

“Applying our deep application knowledge, we found that there are relatively few legitimate states across all applications and platforms,” said Dana Tamir, enterprise security director at Trusteer.

Apex can identify all legitimate states an application can have, such as when a user downloads a file or updates an application, but will terminate any exploitation process, she told Computer Weekly.

Uninterrupted service for users

Apex is designed to block the exploit without interrupting the user with alerts or questions.

“A console allows IT admins to see what exploits have been blocked, but the actual process is invisible to the user,” said Tamir.

While Trusteer claims Apex will block all application exploits, if a computer is compromised through direct infection from a USB stick, for example, the software is designed to block all data theft.

Apex will detect and block all attempts by malware to hijack legitimate processes in an attempt to bypass traditional security controls to exfiltrate data, said Tamir.

A third layer of protection is provided in the form of controls designed to stop credential theft by blocking users from using enterprise usernames and passwords for non-enterprise applications.

According to Tamir, the Apex agent has no effect on system resources. Unlike AV agents, the Apex agent does not run a scan, but merely checks application states when required.

Apex was launched to the US market at RSA Conference 2013 in San Francisco in February. It is to be launched to the European market at Infosecurity Europe 2013 at Earls Court in London on 23-25 April.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy