Stateful application control blocks 100% of previously unknown malware, closing the security gap left by traditional antivirus (AV) software, according to endpoint security firm Trusteer.
The security firm estimates that 70-80% of enterprise malware infections result from the exploitation of zero-day vulnerabilities.
Exploit code is typically embedded in legitimate external content, such as a PDF or compromised website, and is able to infect computers without users' knowledge.
Traditional AV software is unable to block such unknown exploits because it relies on a blacklist of known malware.
Alternative application control and whitelisting solutions allow only "trusted" files to execute on the endpoints and are more resilient to evasion tactics.
Stateful application control
But due to the dynamic nature of the user environment and frequent changes to application files, organisations find these solutions difficult to implement and maintain, according to Trusteer.
The security firm’s new approach uses endpoint agent software to monitor the execution of endpoint applications that process external content to assess the application state.
The Apex software looks at memory and kernel processes to determine the application state, and will block all but the narrow range of known legitimate application states identified by Trusteer.
“Applying our deep application knowledge, we found that there are relatively few legitimate states across all applications and platforms,” said Dana Tamir, enterprise security director at Trusteer.
Apex can identify all legitimate states an application can have, such as when a user downloads a file or updates an application, but will terminate any exploitation process, she told Computer Weekly.
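As an added illustration, not Trusteer's code (Apex's actual state model is not public, so the applications, states and actions below are assumed and the event stream is constructed), a toy default-deny check on application state set beside a hash blacklist, showing why an unknown exploit passes the blacklist but not the state allowlist:

```python
"""Toy stateful application control: default-deny on application state.

Each event records what a content-handling application is doing, as an
endpoint agent might reconstruct it from memory and kernel activity.
Only a short allowlist of (application, state, action) combinations is
permitted; anything else is blocked without needing a signature.
"""
from collections import namedtuple

Event = namedtuple("Event", "app state action sha256")

# Assumed allowlist: legitimate application states and the kernel-level
# actions each state may perform (constructed for this example).
LEGITIMATE = {
    "pdf_reader": {
        "render_document": {"read_user_file", "alloc_heap"},
        "save_as":         {"write_user_file"},
        "update_install":  {"write_program_dir", "spawn_updater"},
    },
    "browser": {
        "render_page":     {"net_connect", "alloc_heap"},
        "download_file":   {"net_connect", "write_user_file"},
        "update_install":  {"write_program_dir", "spawn_updater"},
    },
}

# Constructed blacklist of known-bad content hashes (traditional AV model).
KNOWN_BAD = {"0" * 64}

def blacklist_verdict(ev):
    """Traditional AV: block only if the content hash is already known bad."""
    return "block" if ev.sha256 in KNOWN_BAD else "allow"

def stateful_verdict(ev):
    """Stateful control: allow only a listed state/action pair for the app."""
    allowed = LEGITIMATE.get(ev.app, {}).get(ev.state, set())
    return "allow" if ev.action in allowed else "block"

# Constructed event stream: a benign render, a legitimate update, and an
# exploit in a never-seen document that makes the reader spawn a shell.
EVENTS = [
    Event("pdf_reader", "render_document", "read_user_file", "a" * 64),
    Event("pdf_reader", "update_install", "write_program_dir", "b" * 64),
    Event("pdf_reader", "render_document", "spawn_shell", "c" * 64),
]

def evaluate(events=EVENTS):
    """Return (app, state, action, blacklist, stateful) per event."""
    return [(e.app, e.state, e.action, blacklist_verdict(e), stateful_verdict(e))
            for e in events]

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```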
Uninterrupted service for users
Apex is designed to block the exploit without interrupting the user with alerts or questions.
“A console allows IT admins to see what exploits have been blocked, but the actual process is invisible to the user,” said Tamir.
Trusteer claims Apex will block all application exploits; if a computer is nevertheless compromised by other means, such as direct infection from a USB stick, the software is designed to block all data theft.
Apex will detect and block all attempts by malware to hijack legitimate processes in an attempt to bypass traditional security controls to exfiltrate data, said Tamir.
A third layer of protection is provided in the form of controls designed to stop credential theft by blocking users from using enterprise usernames and passwords for non-enterprise applications.
According to Tamir, the Apex agent has no effect on system resources. Unlike AV agents, the Apex agent does not run a scan, but merely checks application states when required.
Apex was launched to the US market at RSA Conference 2013 in San Francisco in February. It is to be launched to the European market at Infosecurity Europe 2013 at Earls Court in London on 23-25 April.