Make your own anti-virus signatures with DIY tool from HBGary

By , Network World |  Security, antivirus

Big bad malware and zero-day attacks that fly under the radar of anti-virus software are hitting enterprises everywhere. With that in mind, HBGary is coming out with a 'do-it-yourself' tool to help security managers beat back Windows-based infections or prevent them while a zero-day outbreak is underway.

The new CISO: How the role has changed in five years

Called the Inoculator, it's an appliance that would typically sit inside the network, perhaps near Active Directory, and routinely perform a detection scan on Windows-based desktops and servers for signs of malware.

"If detected, it can remove it," says Greg Hoglund, CEO of HBGary. At the same time, Inoculator would install what he calls a "digital antibody" for a specific malware specimen to prevent re-infection. And that signature-based antibody could also be quickly loaded onto other enterprise computers to inoculate them against what might be an ongoing zero-day attack.

The detection process requires Inoculator to connect via remote procedure call to the end node with privileged access so it can carry out the scan. Hoglund says HBGary's scan process will look for things such as Zeus bots that are often missed by anti-virus. In general, it will look for ways malware can affect a computer system, such as registry keys, event logs and other indicators. "A scan policy once a night would be fine," Hoglund says.

Basically, the idea is that the Inoculator security manager will be able to create a specific signature defense for a detected malware specimen even before anti-virus software vendors may come up with one; it has been known to take a day or so even when well-recognized zero-day attacks have started.

Hoglund says he designed Inoculator because he has seen security managers in high-security environments using handmade tools for this purpose, yet he has never seen a commercialized product for this purpose.

One drawback to the self-administering signature antibody treatment is that a machine has to be re-booted for the process to be completed. Another may be that the Inoculator-delivered signature, designed to be "hard to remove" in order to stymie any re-infection by malware attack, may introduce unknown conflicts with anti-virus products.

Originally published on Network World |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question