FireEye malware blockers don't rely on signatures
- — 05 May, 2010 15:16
FireEye Wednesday unveiled its first appliances built for in-line blocking of Web and e-mail malware using wholly non-signature-based detection methods.
Ordinarily placed behind an organization's Internet perimeter firewall, the three versions of FireEye's Malware Protection System (MPS) can each detect and block inbound malware. They also monitor for any outbound communications from malware, such as bots trying to contact their master, on Windows-based machines that might have become infected.
FireEye's previous intrusion-prevention systems (IPS) were limited to monitoring malware but not blocking it.
"This is preventing malware and things missed by signature-based approaches," says Marc Maiffret, chief security architect.
The three FireEye MPS models are designed to perform in-line at varying speeds, with open failover. The MPS 2000 Series operates at 50Mbps; the FireEye MPS 4000 Series at 250Mbps; and the FireEye 7000 Series at 1Gbps.
Blocking traffic, as many IPS do today often using a mix of signature- and behavior-based recognition methodologies, is always problematic due to the question of false positives, and possibly blocking good traffic as well as bad.
Maiffret says it's anticipated there may be some false positives with the in-line MPS but that the level will be very low.The underlying proprietary technology that FireEye has developed makes use of what Maiffret calls a virtual-machine detection method that basically mirrors real-time traffic inside the MPS appliance and replays it against many applications on it to see if they're compromised or attacked. A decision is made to allow or block the traffic in near real-time. Maiffret says the FireEye appliances are primarily intended to intercept the majority of Web-based attacks.
The FireEye in-line MPS products cost from $24, 950 to the low hundred thousands depending on the model.
Read more about wide area network in Network World's Wide Area Network section.