
Discover What Malware is Really Doing with FireEye


Traditional signature-based anti-virus/anti-malware software is suitable for home users, but not for corporations. As seen repeatedly in the news, targeted attacks against specific companies are becoming more and more common. To combat this threat, advanced threat detection techniques are needed.

At first glance, FireEye resembles any other advanced firewall/gateway product. It automatically allows in known good binaries such as Windows updates and automatically blocks known malware by its signature. But most software falls into the wide ‘unknown’ category. This is where FireEye shines.

When an unknown binary is downloaded on the network, FireEye saves a copy. It then spins up a series of virtual machines using various combinations of OS, patch level, browser, etc. and attempts to execute the code using the same environment variables that the real user would have had. This last point is key for detecting trojans that are highly targeted. Everything the software does, including outside communication, registry changes, file reads/writes, database access, etc., is logged. The unknown software is then given a risk potential rating and the results are sent to the central log.

The central log also stores any suspect traffic. If malware has made it to a machine, it will usually make itself visible by communicating with suspect or known bad servers. This traffic is automatically tagged with a risk level based on behavior and known malware communication patterns.
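The two scoring steps described above, rating a detonated sample from its logged behavior and tagging outbound connections against known-bad servers, as a small added example; this is illustrative code, not FireEye's own logic or log format, and the event syntax, weights, thresholds and the known-bad address are assumptions.

```python
import re

# Constructed sandbox events in a made-up "<category> <action> <target>" shape
# (not FireEye's format), mirroring the behaviours the article says are logged.
SAMPLE_EVENTS = [
    "file write C:\\Users\\victim\\AppData\\Roaming\\svc.exe",
    "registry set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "net connect 203.0.113.7:443",
    "net connect update.example.net:80",
    "file read C:\\Users\\victim\\Documents\\report.docx",
]

# Hypothetical known-bad server list (TEST-NET address used as a placeholder).
KNOWN_BAD = {"203.0.113.7"}

# Behaviour patterns and weights are assumptions chosen for this example.
BEHAVIOUR_WEIGHTS = [
    (re.compile(r"^registry set .*\\CurrentVersion\\Run\\", re.I), 3, "run-key persistence"),
    (re.compile(r"^file write .*\\AppData\\.*\.exe$", re.I), 2, "dropped executable in user profile"),
    (re.compile(r"^net connect "), 1, "outbound connection"),
]

def tag_connection(event):
    """Return (host, risk) for a 'net connect' event; 'high' if host is a known-bad server."""
    host = event.split()[2].rsplit(":", 1)[0]
    return host, ("high" if host in KNOWN_BAD else "low")

def rate_sample(events):
    """Sum behaviour weights plus a penalty for known-bad contacts; map the score to a rating."""
    score = 0
    reasons = []
    for ev in events:
        for pattern, weight, label in BEHAVIOUR_WEIGHTS:
            if pattern.search(ev):
                score += weight
                reasons.append(label)
        if ev.startswith("net connect "):
            host, risk = tag_connection(ev)
            if risk == "high":
                score += 5
                reasons.append(f"contact with known-bad server {host}")
    rating = "malicious" if score >= 8 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "rating": rating, "reasons": reasons}

if __name__ == "__main__":
    print(rate_sample(SAMPLE_EVENTS))
```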

IT security and operations can view these logs using the unstructured data-mining tool Splunk. FireEye integrates into Splunk so that users can quickly switch between generic Splunk searches and visualizations and the custom views implemented by FireEye.
