McAfee Deep Defender: from plugging holes to protecting from the inside out


    When Intel acquired the McAfee antivirus software developer in 2010, there was a lot of talk in the professional community about the appropriateness of this deal. Comments were then given at the highest level, some of them appeared on the hub . Meanwhile, now, after only two years, the logic of integration seems to be ironic: the possibilities of purely software protection against malicious code are almost exhausted, a transition to combined, hardware-software solutions is necessary. We’ll talk about them today.


    Number of new malware. McAfee data.

    The history of the struggle of antivirus programs with malicious code recalls the chronicle of the “trench warfare” of the First World War: the same protracted positional battles and the same lack of hope for decisive success. Rather, it is even the other way around: while viral evil continues to complicate the algorithms of its behavior, the options for an “asymmetric response” among its fighters are becoming less and less. Including due to the fact that the antivirus is a little more than just a program for the OS, which can be counteracted with the help of other programs, it can be misleading, and finally, simply destroyed. On the other hand, tracking suspicious activity at the application level requires a large amount of resources, and they are not infinite in the system, and anti-virus software is always forced to take this into account. In general, the more intense the struggle, the more problems. The situation is somewhat similar to that which is shown in the title picture: the cube has a finite size, and the holes in it can be made as many as you like. Now imagine that someone has to plug them ...
    And then it's time to talk about those very new approaches. Having received the prefix "An Intel Company", McAfee continued to develop a system that combines its own software solutions with the capabilities of Intel processors, and first of all (but not only) - Intel VT-x hardware virtualization (supported by Intel Core i3, i5 and i7 processors). The general protection scheme looks something like this:




    The DeepSafe component boots to and from the operating system. Located “below” the OS kernel (closer to the hardware), it with minimal resources, real-time monitors the memory and processor in all operating modes of the OS, starting from loading drivers and ending with the launch of any kind of software (unauthorized or from submission) user). DeepSafe triggers fire so quickly that malicious code does not even have time to execute properly. All cases of suspicious behavior of executable program modules and other “strange rustles” in the core of the DeepSafe system are reported “up” to the agent Deep Defender, who decides on actions appropriate to the level of danger.

    McAfee ePO Deep Command Infrastructure

    In turn, the Deep Defender protection agents installed on user computers are subordinate to the McAfee ePolicy Orchestrator (ePO) centralized control panel, which implements the unified corporate security policies by the numerous tools developed by Intel and McAfee: in addition to those already listed, this is Intel vPro , Intel Anti-Theft and others. This is the macro level of protection at the level of the company's network infrastructure. Let us return, however, to the micro level - a single PC processor.

    Which antivirus can be called ideal? (For brevity, we mean any malicious code.) One that does not affect other software components of the system does not take resources from them and generally does not manifest itself, silently doing its job. It is precisely this result that must be sought, and the only way to achieve it is to transfer the maximum number of protection components to the hardware level, in close proximity to the processor.
    Intel has made undeniable successes along these paths: these are the technologies that control code execution right now:
    • System Boot Protection (Intel TXT - Trusted Execution Technology)
    • Software Attack Protection (Intel VT-x - Virtualization Technology for IA-32, Intel 64 and Intel Architecture)
    • DMA Direct Memory Access Protection (Intel VT-d - Virtualization Technology for Directed I / O)
    • BIOS Attack Protection


    Let's briefly examine how Intel VT-x technology serves as a guard of law and order.


    VM Control Structure (VMCS) allows the hypervisor to track the execution attributes of software code at the processor primitives level. The hypervisor itself is located in a space isolated from the OS, so it is able to monitor software at various privilege levels without any changes.
    What is the prospect of combined protective solutions? In increasing the monitoring parameters and complicating the nature of the responses. For example, if we talk about the core of the system, we can distinguish a number of its critical program interfaces, which are simply necessary to control — primarily those that are usually used to inject malicious code into it. Particular care will have to surround the drivers loaded into the system, which by their nature often become sources of problems.
    As for the application level, it is important here to achieve full monitoring of critical APIs without slowing down the programs, but also without a chance to avoid control. New approaches do not reject old proven methods, such as self-monitoring of anti-virus software, placing suspicious objects in a secure runtime environment (sandbox) - all this in one form or another will exist in the future, enriched with new functionality. But the vector of development has already been set, and we expect the main achievements in this direction.
    As we can see, the defense “from below” has yet to make a difficult path. But there is apparently no other option.

    Also popular now: