Symantec Aims to Defeat Stealthy Malware by Sanitizing Files

The new "Disarm" feature in Symantec's messaging security software sanitizes common file formats, stripping away scripts and anything that could be malware.

Antivirus software does quite well against opportunistic attacks sent out to a massive number of people in hopes of getting some small fraction to click on a link or open a file. But attacks targeting just a few people, or even a single person, are much harder to detect.

Security firm Symantec aims to tackle the problem, announcing this week it will add a new feature to its messaging security software that will create clean versions of any file sent to a company's employees.

In addition to attempting to detect malicious files, the company's email gateway software will clone any Microsoft Office or Adobe PDF file—two formats commonly used by attackers to deliver malicious code—creating a copy that has been cleansed of any potential scripts and malware. The approach, which the company calls Disarm, will sanitize the files, rather than attempt to detect whether they will do something bad, said Kevin Haley, director of Symantec's security response group.

"We don't have to sit there and decide whether is it a targeted attack or not, is there an exploit in there or not," Haley said. "We are just going to make sure that every document has been cleaned, so there is no chance of one of these things getting through."

Targeted attacks, also known as advanced persistent threats (APTs), typically use email messages specifically crafted to persuade the target to click on the malicious link or open the attachment.

Because the messages appear to come from a recognizable contact or colleague, targeted employees are more likely to fall for the fraud. Known as spearphishing, the technique has led to the compromise of many major companies, including security firm RSA, the New York Times, and numerous other companies, government agencies and nonprofit organizations.

Since attackers have access to the types of antivirus software used by their victims, they can tailor attacks to evade the defenses. Sanitizing the files allows Symantec to make the files safe. To test the approach, Symantec processed every targeted attack that the company recovered in the past year and found that 98 percent were blocked by Disarm.

"These are attacks that were entirely unknown and would therefore have likely evaded all traditional scanners, heuristics, emulators and even Virtual Execution (VX) solutions," Symantec said in a blog post about the new technology.

Sanitizing files is not necessarily a new approach. A variety of scripts exist on the Internet to pull out personal information from documents, a simplified version of what Symantec has done. And companies have had the ability in the past to create a policy to block all scripts from running in Office documents.

Yet, the technique is promising as a way to prevent malicious software from running on corporate systems.

"It is a simple solution, but a very powerful one," Haley said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...