DIY Tool Makes Your Own Antivirus Signatures
Big bad malware and zero-day attacks that fly under the radar of anti-virus software are hitting enterprises everywhere. With that in mind, HBGary is coming out with a 'do-it-yourself' tool to help security managers beat back Windows-based infections or prevent them while a zero-day outbreak is underway.
Called the Inoculator, it's an appliance that would typically sit inside the network, perhaps near Active Directory, and routinely perform a detection scan on Windows-based desktops and servers for signs of malware.
"If detected, it can remove it," says Greg Hoglund, CEO of HBGary. At the same time, Inoculator would install what he calls a "digital antibody" for a specific malware specimen to prevent re-infection. And that signature-based antibody could also be quickly loaded onto other enterprise computers to inoculate them against what might be an ongoing zero-day attack.
The detection process requires Inoculator to connect via remote procedure call to the end node with privileged access so it can carry out the scan. Hoglund says HBGary's scan process will look for things such as Zeus bots that are often missed by anti-virus. In general, it will look for ways malware can affect a computer system, such as registry keys, event logs and other indicators. "A scan policy once a night would be fine," Hoglund says.
Basically, the idea is that the Inoculator security manager will be able to create a specific signature defense for a detected malware specimen even before anti-virus software vendors may come up with one; it has been known to take a day or so even when well-recognized zero-day attacks have started.
Hoglund says he designed Inoculator because he has seen security managers in high-security environments using handmade tools for this purpose, yet he has never seen a commercialized product for this purpose.
One drawback to the self-administering signature antibody treatment is that a machine has to be re-booted for the process to be completed. Another may be that the Inoculator-delivered signature, designed to be "hard to remove" in order to stymie any re-infection by malware attack, may introduce unknown conflicts with anti-virus products.
Hoglund acknowledges he doesn't know how commercial anti-virus products would interact with an Inoculator-based signature, but says he'll be looking at that. But it's not necessarily bad if a commercial anti-virus product can see an Inoculator antibody inside a computer as an intruder, he adds.
In any event, the optimum scenario envisions that information about malware infections picked up by Inoculator or other means could be collected centrally by a security information and event management product. Inoculator is in beta now and is expected to ship by year end. Pricing has not yet been announced.
Read more about wide area network in Network World's Wide Area Network section.