
Discover What Malware is Really Doing with FireEye

by Jonathan Allen on Oct 08, 2014. Estimated reading time: 1 minute

Traditional signature-based anti-virus/anti-malware software is suitable for home users, but not for corporations. As seen repeatedly in the news, targeted attacks against specific companies are becoming more and more common. To combat this threat, advanced threat detection techniques are needed.

At first glance, FireEye resembles any other advanced firewall/gateway product. It automatically allows in known good binaries such as Windows updates and automatically blocks known malware by its signature. But most software falls into the wide ‘unknown’ category. This is where FireEye shines.

When an unknown binary is downloaded on the network, FireEye saves a copy. It then spins up a series of virtual machines using various combinations of OS, patch level, browser, etc. and attempts to execute the code using the same environmental variables that the real user would have had. This last point is key for detecting trojans that are highly targeted. Everything the software does, including outside communication, registry changes, file reads/writes, database access, etc., is logged. The unknown software is then given a risk potential rating and the results are sent to the central log.

The central log also stores any suspect traffic. If malware has made it to a machine, it will usually make itself visible by communicating with suspect or known bad servers. This traffic is automatically tagged with a risk level based on behavior and known malware communication patterns.
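To make the two preceding paragraphs concrete, here is an added example (not FireEye code, and not from the article) of the kind of behaviour-based scoring a detonation sandbox performs: it walks a constructed event log for one unknown binary, flags behaviours such as writing a file and then executing it, registering an autorun key and contacting a server on a hypothetical known-bad list, tags each outbound connection with a risk level, and rolls the findings up into a rating. The event format, the weights and thresholds, and the known-bad host list are all invented for the example; real products use far richer telemetry and intelligence.

```python
"""Behaviour-based risk rating over a constructed sandbox event log.

Added illustration, not FireEye code. The event format, weights, thresholds
and the "known bad" host list are all invented for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed events a detonation sandbox might record for one unknown binary
# (format: "<event_kind> <detail>"). Hosts use TEST-NET ranges / .invalid names.
SAMPLE_EVENTS = [
    "file_write C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
    "registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "process_create C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
    "net_dns c2.example-malicious.invalid",
    "net_connect 203.0.113.45:443",
    "net_connect 198.51.100.7:80",
    "file_read C:\\Users\\alice\\Documents\\budget.xlsx",
]
BENIGN_EVENTS = [
    "file_read C:\\Program Files\\Tool\\settings.ini",
    "file_write C:\\Users\\alice\\AppData\\Local\\Tool\\cache.dat",
]

# Hypothetical threat-intel list of known bad servers (constructed).
KNOWN_BAD_HOSTS: Set[str] = {"203.0.113.45", "c2.example-malicious.invalid"}

# Invented heuristic weights; each category counts once per sample.
WEIGHTS: Dict[str, int] = {
    "known_bad_contact": 50,  # talked to a host on the intel list
    "persistence": 40,        # registered an autorun key
    "drop_and_execute": 30,   # wrote a file and then executed it
    "outbound_connect": 10,   # any other outbound connection
    "user_file_access": 10,   # read documents from a user profile
}
PERSISTENCE_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_DOC_DIRS = ("\\documents\\", "\\desktop\\")


@dataclass
class Report:
    triggered: Set[str] = field(default_factory=set)
    findings: List[str] = field(default_factory=list)
    traffic: List[Dict[str, str]] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[c] for c in self.triggered)

    @property
    def rating(self) -> str:
        if self.score >= 80:
            return "high"
        if self.score >= 40:
            return "medium"
        return "low" if self.score > 0 else "clean"

    def flag(self, category: str, detail: str) -> None:
        self.triggered.add(category)
        self.findings.append(f"{category}: {detail}")


def parse_event(line: str) -> Tuple[str, str]:
    """Split "<kind> <detail>" into its two parts."""
    kind, _, detail = line.strip().partition(" ")
    return kind, detail


def analyze(lines: Iterable[str], known_bad: Set[str] = KNOWN_BAD_HOSTS) -> Report:
    """Score one sample's events and tag its outbound traffic."""
    report = Report()
    written: Set[str] = set()  # paths this sample wrote, for drop-and-execute
    for line in lines:
        kind, detail = parse_event(line)
        lowered = detail.lower()
        if kind == "file_write":
            written.add(lowered)
        elif kind == "process_create" and lowered in written:
            report.flag("drop_and_execute", detail)
        elif kind == "registry_set" and any(k in lowered for k in PERSISTENCE_KEYS):
            report.flag("persistence", detail)
        elif kind == "file_read" and any(d in lowered for d in USER_DOC_DIRS):
            report.flag("user_file_access", detail)
        elif kind in ("net_connect", "net_dns"):
            # Strip a trailing :port (IPv4/hostnames only; IPv6 literals not handled).
            host = detail.rsplit(":", 1)[0] if kind == "net_connect" else detail
            bad = host in known_bad
            report.traffic.append({"kind": kind, "host": host, "risk": "high" if bad else "low"})
            report.flag("known_bad_contact" if bad else "outbound_connect", host)
    return report


if __name__ == "__main__":
    for name, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        r = analyze(events)
        print(f"{name}: rating={r.rating} score={r.score}")
        for finding in r.findings:
            print("  ", finding)
        for entry in r.traffic:
            print("  traffic", entry)
```

Counting each behaviour category once keeps a sample that beacons to many known-bad hosts from dwarfing one that shows a single decisive behaviour such as autorun persistence; the per-connection tags in `report.traffic` are what a central log would store for later correlation against live network traffic.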

IT security and operations can view these logs using the unstructured data-mining tool Splunk. FireEye integrates into Splunk so that users can quickly switch between generic Splunk searches and visualizations and the custom views implemented by FireEye.
