McAfee overhauls its malware protection approach

The new functionality is included in the just-released McAfee Complete Endpoint Protection suites for enterprise and business.

“This signals a pretty big shift from mainstream approaches to security, particularly when it comes to hardware-enhanced security and application control, and whitelisting,” said Dan Wolff, product manager for McAfee Endpoint Security, in an interview with Infosecurity. “It matches the dramatic shift we see in the sophistication of malware, especially things that target rootkits and boot drivers, which hide from traditional security approaches.”

He noted that new malware tactics are outstripping traditional anti-virus protections. “One of the things that we’re seeing more and more of are coordinated attacks, like Operation High Roller, that are a combination of social engineering and malware,” Wolff said. “They’re even using call centers to proliferate malware.” In one such scam, end users get a call from someone purporting to be from Microsoft support, explaining that there’s a problem within their PC. After a bit of “support” forensics, the agent will direct the user to go to a specific website and enter information, upon which malware will be deployed.

He also said that McAfee has this year seen the rise of server-side malware. Whereas banking trojans are client-side attacks that target an end user and bide their time until that person logs into online banking, server-side attacks plant malware on a gateway or web server, where it can intercept a vast amount of relevant information at once. “It’s like implementing a big filter on a river instead of putting a gate on every tributary to wait for one fish to come along,” Wolff said.

To meet the new threat landscape, McAfee has engineered what Wolff said is a brand-new approach within its endpoint product suites. For instance, the Deep Defender rootkit protection departs from traditional security by linking security from chip to OS to applications, in order to specifically target stealthy malware and persistent attacks. To do that, it is designed to be the first software to load after the BIOS, ahead of rootkits and bootkits. Because it loads first, it can inspect all downstream activity for malware-like behavior, stopping malicious software and then removing it.

Meanwhile, traditional blacklisting of known insecure applications has been a long-standing approach to security for businesses. Whitelisting, by contrast, limits software to an approved set and takes a cue from curated app stores – administrators have a menu of applications they can choose from to deploy on servers. Wolff explained that this model breaks down when it comes to desktops.

“Desktops are more flexible, there are many more applications that users need, there are always lots of things that are updating, and end users have more administrative rights,” he said. “So that’s been a challenge for whitelisting because companies want to allow users to work the way they do and to give end users flexibility.”

McAfee’s approach allows users to install what they choose, but that software is reported to the management console, where an administrator can review it either before or after installation. McAfee checks the requested download against a database of known applications, each carrying a score between 1 and 5 that indicates the riskiness of the software, to allow an at-a-glance assessment. If the administrator approves the download, it can then be added to the whitelist policy for the entire organization.

The Enterprise suite also contains Risk Advisor, which helps IT staff understand where the immediate threats are so that they can prioritize their time. For instance, when Patch Tuesday updates come out, it takes in the bulletin information and cross-references it with what’s running on corporate machines to assess which assets are vulnerable. It then overlays information about which security products are deployed, to determine which of the vulnerable machines already have protection against the vulnerabilities.

“This puts the whole picture together and shows which machines absolutely must be patched,” Wolff said. “So IT staff can plug the immediate holes and then test the patch updates for the rest of the machines on a more relaxed timeframe. People have said that this gives them their weekends back.”
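The triage logic described above (vulnerable assets, minus those already covered by a deployed control) can be sketched as a small script. This is an added illustration, not McAfee Risk Advisor code; the advisory IDs, product names, version numbers and the mapping of protection products to advisories are all constructed for the example.

```python
"""Triage endpoints against a batch of patch advisories.
All inventory data and the mitigation mapping below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    id: str                  # constructed bulletin id, not a real MS/CVE number
    product: str             # affected product
    fixed_in: tuple          # first version that carries the fix
    mitigated_by: frozenset  # protection products assumed to block exploitation


@dataclass
class Endpoint:
    name: str
    software: dict           # product -> installed version tuple
    protections: frozenset = field(default_factory=frozenset)


def is_vulnerable(ep: Endpoint, adv: Advisory) -> bool:
    """Exposed when the endpoint runs the product below the fixed version."""
    ver = ep.software.get(adv.product)
    return ver is not None and ver < adv.fixed_in


def triage(endpoints, advisories):
    """Return {endpoint: {"patch_now": [...], "patch_later": [...]}}.
    patch_now  : vulnerable and no deployed control covers the advisory.
    patch_later: vulnerable, but an existing control mitigates it, so the
                 patch can be tested and rolled out on a relaxed schedule."""
    result = {}
    for ep in endpoints:
        buckets = {"patch_now": [], "patch_later": []}
        for adv in advisories:
            if not is_vulnerable(ep, adv):
                continue
            covered = bool(ep.protections & adv.mitigated_by)
            buckets["patch_later" if covered else "patch_now"].append(adv.id)
        result[ep.name] = buckets
    return result


# Constructed sample inventory: three advisories, three endpoints.
ADVISORIES = [
    Advisory("ADV-0001", "browser", (12, 0), frozenset({"host_ips"})),
    Advisory("ADV-0002", "pdf_reader", (9, 5), frozenset({"app_control"})),
    Advisory("ADV-0003", "kernel", (6, 1), frozenset()),  # no compensating control
]
ENDPOINTS = [
    Endpoint("ws-01", {"browser": (11, 2), "pdf_reader": (9, 5)}, frozenset({"host_ips"})),
    Endpoint("ws-02", {"browser": (11, 0), "pdf_reader": (9, 0), "kernel": (6, 0)}),
    Endpoint("srv-01", {"kernel": (6, 1)}, frozenset({"app_control"})),
]

if __name__ == "__main__":
    for host, buckets in triage(ENDPOINTS, ADVISORIES).items():
        print(host, buckets)
```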

Other functions include Real Time for McAfee ePolicy Orchestrator (ePO), which uses a specialized design together with best-practice questions and actions built into the workflow to help administrators understand their security posture quickly and take action to manage potential risks. The suite also includes mobile device management and mobile data security, along with support for Macs and Linux.

Wolff also pointed out that in testing, the new approaches have shown a startling 100% success rate. In comparative testing done by AV-Test, McAfee software scored 100% in rootkit protection with McAfee Deep Defender. In a study conducted by West Coast Labs, McAfee software scored 100% in malware protection with the combination of McAfee Application Control, McAfee VirusScan Enterprise, and McAfee Host Intrusion Prevention, three of the central products in the McAfee Complete Endpoint Protection – Enterprise suites.

“This is a whole new approach, and it’s necessary as malware keeps evolving,” Wolff said. “This is a big shift for us.”