Security startup Minerva Labs is enhancing its technology offerings with the latest update of its Anti-Evasion Platform. The new platform provides protection against ransomware, memory injection and malicious document attacks.
Many forms of modern malware make use of evasion techniques to avoid being detected or blocked by security software. The promise of Minerva's Anti-Evasion Platform is that it can deceive malware about what's actually present on a given system.
"We don't look for malware; instead we use deception on the endpoint to trick malware into not working on a system," Lenny Zeltser, vice president of products at Minerva, told eWEEK.
When attackers try to evade detection on endpoints, there are certain techniques they use, Zeltser said. One technique is anti-sandboxing, whereby the malware will not deploy if it detects it is running inside of an isolated area of a system. Minerva's platform can make it look as though the endpoint is a sandbox, which according to Zeltser, would mean the malware would not deploy.
Deception is not a new idea in cyber-security, with multiple vendors including Illusive, TrapX and Attivo Networks providing deception technologies. Zeltser said that Minerva's approach is not a network-level deception, but rather is very focused on the endpoint.
"On the endpoint we have a very lightweight usermode agent that intercepts API calls," he said. "We are very careful to only intercept API calls that could be used for evasive tactics."
Zeltser added that in contrast to anti-malware vendors that build a complete sandbox that has to intercept many API calls and create a simulated environment for malware to run, Minerva's platform is smaller. He noted that everything on the system is real except for a few lines of code used for deceiving malware.
Among the capabilities of the enhanced Minerva Anti-Evasion Platform is mitigation against memory injection attacks. The system is also able to provide mitigation against malicious document files that attempt to infect endpoints. Zeltser explained that malicious Office macros tend to interact with Microsoft Windows in a certain way, often by attempting to launch a script interpreter or powershell. When a macro attempts to launch a script interpreter, the Minerva Labs platform will report back to the macro that the interpreter is not present on the system.
"Macros in Microsoft Office are a feature, so there is nothing to patch," Zeltser said. "So when you look at how malicious macros get past traditional antivirus, we see that it's often difficult to distinguish between a malicious macro and a legitimate one."
The updated Minerva platform also provides an enhanced ransomware mitigation module that provides a backup capability to further protect data at risk. Advanced forms of ransomware will first look to see if certain security protections are in place before attempting to encrypt user data, Zeltser said.
"Our ransomware protection module provides a last line of defense, intercepting attempts to destroy or encrypt document files," he said. "As ransomware is tricked into thinking it's encrypting files, we're actually backing up files."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.