Malware Protection

Business Technology Group

Modern malware is at the heart of many of today's most sophisticated network attacks, and is increasingly customised to avoid traditional security solutions.

It is therefore necessary to isolate all unknown and untrusted threats for forensic analysis without allowing any contact with the network.

The solution: next-generation malware protection

An integrated approach is now available that addresses the full malware lifecycle: preventing infections, identifying unknown or targeted malware, and pinpointing and disrupting any active infections.

A sophisticated engine exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic.


Detection of unknown and targeted malware

When the firewall encounters an unknown .EXE or .DLL delivered by any application, including applications encrypted with SSL, the file can be submitted to a virtualised sandbox, where it is observed for more than 70 malicious behaviours that can reveal the presence of malware. Submissions can be made manually or automatically based on policy.


Signatures to halt attacks and prevent further infection

When a sample is identified as malware, the sample is passed on to a signature generator, which automatically generates a signature for the sample and tests it for accuracy. The new signature is then distributed in the next content update. Signatures are developed for the all-important command and control traffic, enabling staff to immediately disrupt the communications of any malware inside the network.


Intelligence and forensics

In addition to providing protection, administrators have access to a wealth of actionable information about the detected malware through the sandbox portal. A detailed behavioural report of the malware is produced, along with information on the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home of the malware.


Integration of the firewall and the cloud

The virtualised sandbox makes use of a customer's on-premises firewalls in conjunction with the cloud-based analysis engine to ensure in-line performance, while using the cloud to deliver the fastest protections for all enterprise locations.


Controls applications used for botnet propagation and command and control

Organisations can use application control to deploy firewall policies that restrict the applications botnets may use as propagation channels or for command and control. Examples include:

  • Block P2P and IM applications such as MSN, which have been known to propagate botnets.
  • Block known botnet command-and-control applications (e.g., IRC).
  • Control, inspect and monitor applications that are emerging as command-and-control channels (Twitter, Gmail, Google Docs).


Prevents the propagation of known botnets

The threat prevention engine can identify and block a wide range of known botnets, such as Dark Energy and Rustock, while scheduled threat signature updates ensure that newly discovered botnets are also identified and blocked.


Quickly determine which machines may be bot-infected

The behavioural botnet report analyses a range of data points, including unknown applications, IRC traffic, malware sites, dynamic DNS and newly created domains, and displays the results as a list of potentially infected hosts that can be investigated as members of a botnet.
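The scoring idea behind such a report, shown as an added example that is not the vendor's own code: each host collects the set of indicators it has triggered across constructed firewall log lines (the log format, field names, indicator weights and the 30-day "new domain" cut-off are all assumptions for illustration), and hosts whose weighted score reaches a threshold are listed for investigation.

```python
import csv
from collections import defaultdict
from io import StringIO

# Assumed log layout: timestamp,host,app,domain,category,domain_age_days
FIELDS = ["ts", "host", "app", "domain", "category", "domain_age_days"]

# Constructed sample log lines (not captured from any real device).
SAMPLE_LOGS = """\
2024-01-05T10:00:01,host-a,irc,irc.c2-sample.invalid,unknown,3
2024-01-05T10:00:05,host-a,unknown-tcp,abc123.ddns-sample.invalid,dynamic-dns,400
2024-01-05T10:01:10,host-b,web-browsing,news.sample.invalid,news,3000
2024-01-05T10:02:00,host-c,web-browsing,drop.bad-sample.invalid,malware,2
2024-01-05T10:02:30,host-a,web-browsing,drop.bad-sample.invalid,malware,2
2024-01-05T10:03:00,host-b,ssl,mail.sample.invalid,web-based-email,4000
"""

# Indicator weights are illustrative, not the product's own values.
WEIGHTS = {"unknown_app": 1, "irc": 2, "malware_site": 3,
           "dynamic_dns": 1, "new_domain": 2}
NEW_DOMAIN_MAX_AGE_DAYS = 30  # assumed cut-off for "newly created domain"


def indicators_for(rec):
    """Return the set of botnet indicators a single log record triggers."""
    hits = set()
    if rec["app"].startswith("unknown-"):      # e.g. unknown-tcp / unknown-udp
        hits.add("unknown_app")
    if rec["app"] == "irc":
        hits.add("irc")
    if rec["category"] == "malware":
        hits.add("malware_site")
    if rec["category"] == "dynamic-dns":
        hits.add("dynamic_dns")
    if int(rec["domain_age_days"]) <= NEW_DOMAIN_MAX_AGE_DAYS:
        hits.add("new_domain")
    return hits


def score_hosts(log_text, threshold=3):
    """Rank hosts by the weighted set of distinct indicators they triggered.

    Indicators are de-duplicated per host so that one noisy host repeating
    a single behaviour does not outrank a host showing several behaviours.
    Returns (host, score, sorted_indicators) tuples, highest score first.
    """
    per_host = defaultdict(set)
    for rec in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        per_host[rec["host"]] |= indicators_for(rec)
    ranked = [(h, sum(WEIGHTS[i] for i in hits), sorted(hits))
              for h, hits in per_host.items()]
    ranked = [r for r in ranked if r[1] >= threshold]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for host, score, hits in score_hosts(SAMPLE_LOGS):
        print(f"{host}: score={score} indicators={', '.join(hits)}")
```

On the sample above, host-a (IRC, an unknown application, dynamic DNS, a malware site and a days-old domain) ranks first, host-c follows, and host-b's ordinary browsing and mail traffic stays below the threshold.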