With the rollout of DeepGuard 5, the newest version of F-Secure’s behavior-based analysis technology that blocks new and emerging threats, F-Secure will be able to detect exploit attempts without needing to know the vulnerability they are exploiting.
Exploits usually attack via malicious or compromised websites. They take advantage of flaws in the code of a computer’s installed applications to access the computer and infect it with malware that can spy on the user, steal passwords or other sensitive data, or even take control of the machine.
Exploits account for 70 to 80 percent of the entries in F-Secure Labs’ top 10 list of detected malware – a growth in popularity that is largely due to exploit kits, which have made it simple for even the technically unskilled to break into computers.
“Malware can mutate in characteristics, but the constant is that it always does malicious things,” says Timo Hirvonen, Senior Analyst at F-Secure. “With exploits, their appearance can change and the vulnerability they use can change, but they always do what exploits do. Typical protection is related to the vulnerability being exploited, but we now detect exploits based on their behavior, offering better coverage because vulnerabilities aren’t always known.”
DeepGuard 5’s exploitation protection monitors the processes of commonly exploited programs, such as browsers, browser plugins, Microsoft Office and Java, among others. It also watches the programs used to open commonly exploited document types, such as Microsoft Word documents and PDFs. DeepGuard blocks any suspicious or malicious behavior indicative of an exploit attempt.
Exploit interception is just the latest addition to DeepGuard, which addresses the weak point of traditional signature scanning: the need to have a malware sample in order to analyze it and then be able to protect from it. In the time it takes for a security lab to receive a sample and update protection, the malware could have already infected users. Compounding the issue is the exponential growth in new malware variants made possible by automated malware creation kits, which make it easy to spit out thousands of new variants.
“Top-line antivirus technology stopped being about blocking bad guys on a wanted list years ago,” says Sean Sullivan, Security Advisor at F-Secure. “Blocking malware requires understanding its behavior. That’s why we developed our first version of DeepGuard in 2006. And this newest version is our most powerful learner of bad behaviors yet.”
DeepGuard steps into action when a program is executed and, to catch malware that delays its malicious behavior, it continues to monitor the program for as long as it runs. DeepGuard’s behavioral analysis and exploit interception are just two of F-Secure’s security layers, which also include browsing protection, signature scanning, file reputation analysis, and prevalence rate checking.
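The following is an added illustration of the two points above: watching the processes of commonly exploited programs for behavior no vulnerability signature is needed to recognise, and keeping that watch running after the program has started. It is not DeepGuard code, and F-Secure has not published DeepGuard's rules; the event format, the executable names, the two detection rules and the sample event stream are all constructed for this example.

```python
"""Toy behavior-based exploit interception (added example, not F-Secure code).

Instead of matching a signature for a known vulnerability, the monitor watches
what commonly exploited programs actually do and returns a block verdict when a
process behaves the way a successful exploit payload behaves. The rules and
process names below are assumptions made for the example.
"""
from dataclasses import dataclass, field

# Programs the article names as common exploit targets (assumed image names).
MONITORED = {"chrome.exe", "firefox.exe", "iexplore.exe", "plugin-container.exe",
             "winword.exe", "excel.exe", "acrord32.exe", "java.exe", "javaw.exe"}

# Children a document viewer or browser has no ordinary reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "regsvr32.exe", "mshta.exe"}


@dataclass
class Verdict:
    pid: int      # the monitored process whose behavior triggered the block
    reason: str


@dataclass
class Monitor:
    watched: dict = field(default_factory=dict)   # pid -> image name under watch
    dropped: dict = field(default_factory=dict)   # pid -> executable paths it wrote

    def handle(self, event: dict):
        """Feed one process event; return a Verdict to block, or None to allow."""
        kind = event["event"]
        if kind == "start":
            image = event["image"].lower()
            parent = self.watched.get(event["ppid"])
            # Rule 1: a monitored program spawns a shell or script host.
            if parent and image in SUSPICIOUS_CHILDREN:
                return Verdict(event["ppid"], f"{parent} spawned {image}")
            # Rule 2: a monitored program runs an executable it wrote earlier.
            # This only works because state is kept after the program started.
            if parent and event["path"] in self.dropped.get(event["ppid"], set()):
                return Verdict(event["ppid"], f"{parent} ran file it just wrote")
            if image in MONITORED:
                self.watched[event["pid"]] = image
        elif kind == "write" and event["pid"] in self.watched:
            if event["path"].lower().endswith((".exe", ".dll", ".scr")):
                self.dropped.setdefault(event["pid"], set()).add(event["path"])
        elif kind == "exit":
            self.watched.pop(event["pid"], None)
            self.dropped.pop(event["pid"], None)
        return None


def run(events):
    """Replay an event stream through one Monitor and collect block verdicts."""
    mon = Monitor()
    return [v for v in (mon.handle(e) for e in events) if v is not None]


# Constructed sample stream: Word opens a document, behaves normally for a
# while, then drops an executable and runs it, and later spawns cmd.exe.
# A browser spawning its own renderer process is included as benign traffic.
SAMPLE_EVENTS = [
    {"event": "start", "pid": 100, "ppid": 1,   "image": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"event": "start", "pid": 200, "ppid": 100, "image": "winword.exe",  "path": r"C:\Office\WINWORD.EXE"},
    {"event": "write", "pid": 200, "path": r"C:\Users\u\report.docx"},
    {"event": "write", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"event": "start", "pid": 300, "ppid": 200, "image": "upd.exe", "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"event": "start", "pid": 400, "ppid": 200, "image": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe"},
    {"event": "start", "pid": 500, "ppid": 100, "image": "chrome.exe", "path": r"C:\Chrome\chrome.exe"},
    {"event": "start", "pid": 501, "ppid": 500, "image": "chrome.exe", "path": r"C:\Chrome\chrome.exe"},
    {"event": "exit",  "pid": 200},
]

if __name__ == "__main__":
    for verdict in run(SAMPLE_EVENTS):
        print(f"block pid {verdict.pid}: {verdict.reason}")
```

Neither rule mentions a vulnerability: the same verdicts would fire whether the payload arrived through a known Office flaw or one nobody has catalogued yet, which is the coverage argument the article makes. A production system would of course need far more rules and an allow-list for legitimate parent-child pairs.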