Advanced Malware Protection with Network Security Platform

McAfee Network Security Platform customers have benefited from malware protection for some time now. Most customers already use McAfee Global Threat Intelligence (GTI), which has been available since the 6.0 release. The largest and most used reputation service, with over 64 billion queries per day, GTI classifies files as either good (whitelist) or bad (blacklist), and also supports graylisting through levels of file suspiciousness.

Network Security Platform release 7.5 takes network security malware protection to an unprecedented level. It starts with a vision to provide the best malware protection:

  • One engine is not enough – use various engines and heuristic analysis
  • Provide import options for custom fingerprints
  • Inspect virtually every type of file (MS Office, PDF, EXE & DLL files, Android packages, etc.)
  • PDF needs special attention – build signature-less protection against PDF-based attacks
  • Build an extensible framework that delivers target-aware dynamic analysis
  • Save the file for further investigation and forensics

Network Security Platform malware protection policy is simple. Select engines for inspecting file types, edit blocking actions, and configure file storage – that’s all.


As of release 7.5, the following engines are supported:

  1. Custom fingerprints – Build a local database of custom fingerprints (MD5 hashes). For example, one of our customers had almost 2000 Android 3rd-party apps that they wanted to detect, and all they did was import the custom fingerprints.
  2. McAfee GTI file reputation – Since release 6.0, customers have had access to the largest cloud-based security intelligence network.
  3. PDF-based JavaScript emulation – Sophisticated emulation technology, which extracts JavaScript, detects shellcode in the PDF, and then alerts the system. For example, 13 out of 17 Metasploit PDF-based attacks use JavaScript.
  4. Advanced Anti-Malware – McAfee Network Threat Behavior Analysis now includes an advanced anti-malware engine that inspects files forwarded to it from Network Security Platform sensors, including common formats such as MS Office files, PDF files, DLLs, compressed files, archive files, and Android Application Packages.
  5. Cloud-based sandbox analysis (limited Beta only) – If a suspicious file cannot be classified as good or bad by the previous engines, it can be sent to the cloud for in-depth dynamic analysis.
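The custom-fingerprint engine described above is, at its core, an import step plus an exact MD5 lookup. The following is an added example written for this page, not Network Security Platform code: it parses a constructed import file (the comma-separated line format is an assumption), rejects malformed lines instead of loading them silently, hashes a few constructed sample "files", and returns a verdict per file. The third sample differs from the first by a single appended byte, which shows why a fingerprint match is exact and why unmatched files should fall through to the next engine.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample import file. The line format (one MD5 per line, an optional
# comma-separated label, '#' comment lines) is an assumption made for this
# example; it is not Network Security Platform's own import format.
FINGERPRINT_IMPORT = """\
# custom fingerprints (constructed sample)
5D41402ABC4B2A76B9719D911017C592, sample-app-1.apk
e4d909c290d0fb1ca068ffaddf22cbd0, sample-app-2.apk
not-a-hash, malformed line that must be rejected rather than silently loaded
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def load_fingerprints(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse the import file into {md5: label}; malformed lines are returned, not dropped."""
    db: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(",")
        digest = digest.strip().lower()  # normalise case so lookups are exact
        if not MD5_HEX.match(digest):
            rejected.append(raw)
            continue
        db[digest] = label.strip() or "unlabelled"
    return db, rejected


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify(data: bytes, db: Dict[str, str]) -> Tuple[str, str]:
    """("blacklist", label) on a fingerprint hit; otherwise ("unknown", digest) for the next engine."""
    digest = md5_hex(data)
    if digest in db:
        return "blacklist", db[digest]
    return "unknown", digest


# Constructed stand-ins for the files a sensor would hash (real input is the full APK/EXE/PDF bytes).
SAMPLE_FILES: Dict[str, bytes] = {
    "a.bin": b"hello",
    "b.bin": b"The quick brown fox jumps over the lazy dog.",
    "c.bin": b"hello!",  # one byte appended: an exact-hash fingerprint no longer fires
}


def scan(files: Dict[str, bytes] = SAMPLE_FILES,
         import_text: str = FINGERPRINT_IMPORT) -> Dict[str, Tuple[str, str]]:
    """Load the fingerprint database once, then classify every file against it."""
    db, rejected = load_fingerprints(import_text)
    for bad in rejected:
        print(f"rejected import line: {bad!r}")
    return {name: classify(blob, db) for name, blob in files.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in scan().items():
        print(f"{name}: {verdict} ({detail})")
```

Running the block reports `a.bin` and `b.bin` as blacklisted by label and `c.bin` as unknown. Because a fingerprint is an exact content match, any repacked or modified build of a known app produces a new hash and is not caught by this engine alone, which is why the reputation, emulation and anti-malware engines listed after it matter.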
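The PDF-based JavaScript emulation engine described above starts by finding and extracting the JavaScript before anything can be emulated. The following is an added example written for this page, not the product's engine: it scans a constructed minimal PDF for the names that carry script (`/JS`, `/JavaScript`) and the keys that run an action automatically (`/OpenAction`, `/AA`), decodes the PDF name hex-escapes first so that `/J#53` counts the same as `/JS`, and pulls out inline JavaScript literals for logging. The sample document only calls `app.alert`, and a second copy with escaped names shows why the decoding step is needed.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal PDF whose catalog /OpenAction points at a
# JavaScript action that only shows an alert. Built for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert\\("constructed sample"\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with two names hex-escaped (/J#53 is /JS, /Open#41ction is
# /OpenAction); the PDF spec allows this, so a scanner must decode names first.
ESCAPED_PDF = SAMPLE_PDF.replace(b"/JS ", b"/J#53 ").replace(b"/OpenAction", b"/Open#41ction")

# A document with no actions at all, for comparison.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Names that carry script (/JS payload, /JavaScript action) and the two
# dictionary keys that run an action without user interaction (on open, on events).
KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
# A literal string "( ... )" whose inner parentheses are backslash-escaped.
JS_LITERAL = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)


def normalise_names(pdf: bytes) -> bytes:
    """Decode #xx escapes so /J#53 and /JS are counted as the same name.
    Applied to the whole buffer for simplicity; a full parser would limit it to name tokens."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)


def count_keywords(pdf: bytes) -> Dict[str, int]:
    """Count each keyword as a whole name (so /JS does not also count a longer name)."""
    data = normalise_names(pdf)
    return {
        k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z0-9])", data))
        for k in KEYWORDS
    }


def extract_js(pdf: bytes) -> List[str]:
    """Pull out inline JavaScript literals so they can be logged or handed to an emulator."""
    data = normalise_names(pdf)
    scripts = []
    for raw in JS_LITERAL.findall(data):
        # Undo the two escapes the sample uses; a full parser handles every PDF string escape.
        scripts.append(raw.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1"))
    return scripts


def assess(pdf: bytes) -> Dict[str, object]:
    """Summarise: does the file carry script, and would it run automatically?"""
    counts = count_keywords(pdf)
    has_js = counts["/JS"] > 0 or counts["/JavaScript"] > 0
    auto_run = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "counts": counts,
        "scripts": extract_js(pdf),
        "verdict": "suspicious" if has_js else "no-script",
        "auto_run": has_js and auto_run,
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("escaped", ESCAPED_PDF), ("clean", CLEAN_PDF)):
        print(name, assess(doc))
```

This scans the raw bytes only; JavaScript inside compressed (`/FlateDecode`) streams or object streams is invisible to it until the streams are inflated, which is one reason a dedicated emulation engine is needed rather than a keyword count. The verdict here is "script present", not "malicious": whether the extracted script contains shellcode is the emulator's job.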

How does it all come together? Network Security Platform combines the responses from the different engines to calculate a confidence score for each file, taking blocking actions as needed.

So far, customers who deployed release 7.5 are seeing great results and we encourage all customers to try it out and let us know how it goes.
