The RDS5201 Rootkit Detection System is a custom-built hardened appliance, which detects low-level, zero-day rootkits—the lethal payload of most APTs. The detection is direct (i.e., not done by statistical analysis or other indirect techniques) and is coupled with immediate, automated, live visual forensic data.
The RDS5201 serves as a smart proactive sensor against APT attacks in IT networks and reduces the agonizing detection of APTs from weeks/months to seconds, and is the first and only technology capable of detecting and alerting against such threats in real-time.
Rootkits work at the lowest levels of the operating system (OS) they intend to attack. Common detection and prevention mechanisms are part of the "attack target," allowing rootkits to disable the installed anti-malware client applications. The only way to overcome low-level rootkits is by allowing the security application to execute with a higher security privilege than the attacked OS; provide complete control of the platform hardware; and monitor all activities of the OS and its applications. It must also be self-protecting, non-bypassable and tamper-proof.
The RDS5201 is based on the LynxSecure separation kernel and hypervisor that offers a non-detectable secure platform that is used to exercise potential infections and with the introduction of the patent-pending rootkit detection feature from the 5.2 release. These stealthy threats are revealed as they attack their virtual victim.
LynxSecure is the most privileged monitor in the RDS5201 platform, and constantly monitors for malicious and irregular activity in key disk areas (MBR, key blocks and sectors); physical memory areas; CPU instructions and data structures; interrupt data structures etc. This detection is completely OS-agnostic, as it's situated below any of the guest OS.
Upon detection, the RDS5201 immediately alerts and sends an automated live forensics report to its dashboard. The report contains visual representation (such as the clean and infected disk sectors in-memory data structures), allowing rapid and focused threat response. The RDS5201 can also be connected to other network protection systems such as SIEM and threat-management systems, offering an early warning mechanism that complements and enhances existing security solutions.