Damballa updates botnet detection

Version 3.0 of its Failsafe system features more granular control for customers using its management console, along with agentless sensor technology that watches for botnet activity without using signatures.

The company’s anti-virus study found that 3-5% of enterprise assets are compromised by botnets because enterprise-level anti-virus and IPS software fails to catch between 20% and 70% of new threats, said Damballa CEO Steven Linowes. The figures come from real-world deployments, the company said.

“We don’t use signatures or anti-virus. We use machine learning and that kind of technology,” said Linowes, arguing that the product is specifically tuned to botnet command and control, rather than focusing on network behavior analysis. “The key to all of this is that these compromised assets require external communications to co-ordinate their activities.”

The product, which doesn’t install any sensor software on the host, also includes an optional cloud-based protection model. “Our sensor is located out of line. We construct binary executables and score them as malware or not malware, and if the customer turns cloud analysis on, we can upload it to Damballa for deeper analysis,” he said.

The appliance only recognizes malware and alerts administrators to it; it does not clean it. The company does have a separate prototype product called Replicator, which it says will remove the malware.
