SAN FRANCISCO — Intel’s McAfee security subsidiary has acquired advanced functionality designed to identify sophisticated, hard-to-detect malware that eludes most conventional securityware.
The company said Feb. 26 at the RSA Security Conference that it has acquired the ValidEdge “sandboxing” technology from LynuxWorks to augment its anti-malware portfolio.
This approach identifies a suspected intruder, isolates suspected malware from the rest of the device operating system, runs it in the protected sandbox, and then deletes, quarantines or holds it for further action by the user.
“Regardless of whether a file is going through the IPS, Web gateway, email gateway—it doesn’t matter—we analyze the file in three ways,” Pat Calhoun, McAfee’s senior vice president of network security, told eWEEK. “First, we do a standard AV [antivirus] check, then we figure out the reputation of that file [matching it against a database with 110 million other file types in the McAfee database], and we look at the machine code to see if it’s doing anything suspicious. We do that today.
“What we just acquired [ValidEdge] allows us to take the file, re-create the endpoints [devices] in a virtual machine that talks to our EPO [ePolicy Orchestrator], which knows the configuration of every endpoint. Malware takes advantage of vulnerabilities in a specific operating system, a version, a patch level, whatever. We know the precise configuration of the endpoint, we re-create them in a VM, we run the file and we see if it does anything malicious.”
Calhoun said that unlike other sandboxing solutions, this one—when integrated with McAfee’s other network and endpoint anti-malware products—will automatically block future attacks by convicted malware samples. It also will provide signature information so that already infected endpoints can be remediated automatically by ePolicy Orchestrator.
McAfee plans to deliver the first product that integrates the sandboxing functionality in the second half of 2013.