FireEye protects critical data, intellectual property, and resources against zero-day, targeted malware attacks that are costing enterprises, institutions, and governments billions of dollars in losses.
Today’s sophisticated malware employs such a wide range of evasive and disruptive tactics that it has made traditional network and host-based security obsolete. FireEye’s real-time, multi-protocol content analysis within virtual machines is the only integrated defense able to accurately identify these zero-day, targeted attacks. By utilizing inbound and outbound deep packet inspection within virtual machines, FireEye provides accurate, actionable alerts while also eliminating false positives to enhance IT productivity.
FireEye has also built a global malware analysis & exchange network to rapidly share anti-malware security intelligence to stop new inbound attacks and prevent unauthorized outbound data thefts.
Modern Malware Characteristics
There are four key parameters for evaluating malware threats – Stealthiness, Vulnerability Type, Targeting, and Goals. What follows is a description of modern malware using these four parameters:
- Stealthiness: Uses advanced techniques to obscure both infection and detection. Example: PDF obfuscation.
- Vulnerability Type: Zero Hour – Attacks vulnerabilities before they are publicly known. Example: Aurora.
- Targeting: Narrow and Specific – Targets specific companies and information. Example: Aurora.
- Goals: High Value Theft or Business Sabotage. Examples: Aurora, theft of product plans, theft of banking credentials.
FireEye Malware Protection System
FireEye Malware Protection System (MPS) network security appliances prevent signature-evading Modern Malware from successfully gaining a foothold in the network and exfiltrating sensitive organizational data. FireEye MPS appliances operate in-line, using fast-path blocking to stop known inbound attacks and malware callbacks coupled with dynamic, real-time Malware-VM™ and Malware-Callback™ analysis filters to accurately detect zero-hour attacks and halt their spread and negate their ability to steal data resources.
The MPS Series of Internet security gateways deploy within minutes in an organization’s environment for malware analysis and threat prevention. Each appliance features a local graphical user interface management system, and can be optionally configured to connect to the FireEye Central Management System.
FireEye security appliances are designed to support a range of network egress bandwidths, accommodating large, global enterprises as well as small and medium enterprises. FireEye offers several unique benefits:
- Integrated Inbound & Outbound Blocking – Fast-path blocking of known attacks and malware callbacks is coupled with real-time Malware-VM and Malware-Callback analysis filters
- Real-time detection of zero-hour, targeted attacks – The Malware-VM filter features a multi-phase analysis using aggressive capture heuristics and deterministic virtual machine confirmation to eliminate false positives
- Outbound callback blocking – The Malware-Callback filter uses fine-grained, local and global malware intelligence to terminate data theft transmissions
- Multi-protocol protection – By analyzing traffic across protocols, FireEye can disrupt sophisticated malware, such as Trojans, bots, worms, and rootkits, during all stages of the infection lifecycle: initial exploit, payload staging and installation, network and system reconnaissance, and data exfiltration.
How the FireEye Technology Works
At the core of each security appliance are the FireEye Malware-VM™ and Malware-Callback™ technologies, which combine inbound and outbound filtering to break the malware infection lifecycle.
Malware-VM Analysis
The Malware-VM filter features aggressive capture heuristics coupled with deep packet inspection within instrumented virtual machines. The first stage, aggressive capture heuristics, maximizes attack detection and feeds the second stage, virtual machine analysis, which confirms attacks and eliminates false positives. As a result, the Malware-VM engine is uniquely designed to detect zero-day attacks while eliminating the false alerts that plague conventional security technologies. The Malware-VM analysis stage performs both static analysis, cataloging information about suspicious binaries and URLs, and dynamic analysis, executing the potentially malicious binaries or Web pages. It identifies arbitrary code execution, and when an exploit is confirmed by the virtual machine, the malware and its outbound transmissions are blocked.
The FireEye Malware-VM Technology filter is a core component of all FireEye appliances and feeds dynamically generated security content into the FireEye MAX Cloud Intelligence. The Malware-VM filter offers true zero-day malware and targeted attack protection, with the ability to detect attacks embedded within file formats, such as Adobe PDF attacks.
- Multi-protocol network traffic is inspected within the Malware-VM engine
- Using aggressive capture heuristics, suspicious traffic is replayed into virtual machines to confirm that a malicious infection is taking place and to eliminate false positives
- Malware and its callback channels are fingerprinted, blocked, and shared with the MAX cloud
FireEye has pioneered the use of transparent virtual machines, operating at the network level, to analyze traffic for targeted, zero-day attacks and to block these infections and their callback transmissions in real time. Each inspection virtual machine has purpose-built security instrumentation to analyze memory, CPU, network interface, and all other aspects of data and control flow within the virtual PC. With this deep instrumentation, the FireEye Malware-VM filter is uniquely able to trace the full execution path of zero-day and known attacks and to provide details on custom malware communication protocols.
Malware-Callback Analysis
Using the output of the Malware-VM analyses as well as MAX Cloud Intelligence data, the Malware-Callback filter blocks outbound malware transmissions to criminal servers, stopping data exfiltration attempts. The callback intelligence includes destination characteristics, such as IP address and port, as well as communication characteristics, such as the malware protocol in use, so that data theft is stopped accurately and previously compromised systems on the network are identified. Organizations can now dynamically capture, fingerprint, and block zero-day malware and its unauthorized outbound callbacks to criminal command and control servers.
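The matching logic a callback filter of this kind performs, as an added example that is not FireEye's code: fingerprints carry destination characteristics (IP, port) and a protocol characteristic (a pattern over the first bytes of the flow), and a flow is blocked when every characteristic set on a fingerprint matches it. The data model, fingerprints, and flows are all constructed for the example; note that the second flow is caught by its beacon protocol alone, so the host that sent it is identified as already compromised even though the server it contacts was never seen before.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CallbackFingerprint:
    """Constructed model of one confirmed callback channel: destination (IP, port)
    plus a pattern over the first bytes of the flow. None means 'any'."""
    name: str
    dest_ip: Optional[str]
    dest_port: Optional[int]
    payload_pattern: Optional[bytes]

@dataclass(frozen=True)
class Flow:
    # One outbound flow as seen at the egress point (constructed model).
    src_ip: str
    dest_ip: str
    dest_port: int
    first_bytes: bytes

def matches(fp: CallbackFingerprint, flow: Flow) -> bool:
    # Every non-None characteristic of the fingerprint must match the flow.
    if fp.dest_ip is not None and fp.dest_ip != flow.dest_ip:
        return False
    if fp.dest_port is not None and fp.dest_port != flow.dest_port:
        return False
    return fp.payload_pattern is None or re.search(fp.payload_pattern, flow.first_bytes) is not None

def callback_filter(flows, fingerprints):
    """Return flows to block as (src, dst, port, fingerprint name) and the sorted
    internal hosts that sent them, i.e. systems that were already compromised."""
    blocked, compromised = [], set()
    for flow in flows:
        for fp in fingerprints:
            if matches(fp, flow):
                blocked.append((flow.src_ip, flow.dest_ip, flow.dest_port, fp.name))
                compromised.add(flow.src_ip)
                break  # one match is enough to block the flow
    return blocked, sorted(compromised)

# Constructed sample intelligence (documentation-range addresses, made-up protocol).
FINGERPRINTS = [
    CallbackFingerprint("known-c2-server", "203.0.113.10", 443, None),
    CallbackFingerprint("beacon-protocol", None, None, rb"^ID=[0-9a-f]{16}&TASK="),
]
# Constructed flows: the known server, the beacon protocol to a new server, a benign request.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00"),
    Flow("10.0.0.7", "198.51.100.20", 80, b"ID=0123456789abcdef&TASK=get"),
    Flow("10.0.0.9", "198.51.100.20", 80, b"GET / HTTP/1.1\r\n"),
]
```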
