The software data center is a reality almost everywhere. Virtualization now is a way of life for most IT professionals. Malware hunters use virtualization to create safety zones for malware forensics. Virtualization has become the workhorse of our industry. With that as a backdrop, we hear more and more frequently that anti-malware tools just are not effective anymore. Malware is way too sophisticated for the types of protection that we have relied upon traditionally. So what is the answer?
A company called Bromium may have solved this one. The answer is not what it seems on the surface though. When you look at Bromium's vSentry, your first impression is, “… yeah…so it's a sandbox…nothing particularly amazing about that.” If that is your analysis, you'd be wrong and, according to Bromium, a lot wrong.
A sandbox, by the company's definition, is a layer between the malware you are dissecting – or protecting against – and the operating environment. As one who plays with malware as one of my favorite toys, I agree. I would not trust a sandbox that could be bypassed any number of ways by a really smart bit of code. That is why we use a virtual lab to play with our dangerous toys. Locking up a physical malware lab with CryptoWall could be a career-limiting move. Locking malware in (or out) is exactly what vSentry does. vSentry contains anything that needs protection inside a virtual environment and that environment uses a bare metal hypervisor – which they call a Microvisor - just as does our big VMware virtual cluster at the Center for Advanced Computing.
The problem with most anti-malware products is that to work they require signatures or they must execute for behavioral analysis. Heuristics are becoming easier and easier to fool as well, so we need something that is pretty foolproof, at least for the moment. By placing all vulnerable tasks in the Windows environment inside micro-VMs that are tied to the hardware, there is no way for malware to work through a sandbox layer and attack the operating environment. Each process gets its own micro-VM, and that VM is dissolved when the process stops, taking any malware with it.
Product vSentry Company Bromium
Price $150 list price (volume-based discounts available). What it does Creates micro-VMs to encapsulate running processes and protect them from malware. What we liked This is the most creative use of virtualization we've seen to date and certainly the best anti-malware protection around. We also loved its forensic capabilities. The bottom line Absolutely rock-solid malware protection and forensic diagnostic tool for endpoints, arguably the most vulnerable part of the enterprise.
|
Since the micro-VM is an environment in itself, instrumenting it is easy. That means that you can see exactly what the attacking malware attempted to do. That is a great forensic tool. That goes beyond simply knowing that an infection or attack was attempted. Because of the confines of the micro-VM, you simply can allow the malware to do its thing – to completion – and characterize it fully. That's another big forensic plus.
The process is pretty straightforward, but it is ingenious in its execution. There are two issues that need to be addressed to ensure isolation. First, processes cannot be allowed to write to a “golden image” that has been installed on the computer. When one of those golden images executes – in memory, of course – vSentry makes a copy and writes to the copy. This is exactly how we perform a computer forensic analysis. We don't work on the evidence – we work on a copy of it. Bromium calls this process “Copy on Write.” Windows sees the micro-VM as the executing task and the micro-VM isolates everything to its own Microvisor. Any attempts by malware to write to a dynamic-link library (DLL) or a memory image will be confined to the micro-VM.
The second issue is that malware often will try to infect anything it can see. In vSentry, the Microvisor restricts the micro-VM from seeing anything that it does not need to see in order to run. Think of this as a sort of “virtual machine need to know.” If the particular process caged in the micro-VM needs a resource, it can see it. If it doesn't, it can't. The need to know for network services is enforced by dividing a network into four security zones: untrusted internet, SaaS and cloud sites, enterprises intranet, and specific trusted sites. vSentry even provides firewalling up to layer 7.
Finally, vSentry limits a process's access to the Windows Registry. This prevents malware from modifying Registry entries, a favorite malware trick.
But what we liked – perhaps even more than vSentry itself – was its Live Analysis and Visualization (LAVA). With LAVA you can see the behavior of otherwise undetectable malware, including watching execution and capturing destinations – helpful in finding command-and-control servers – and seeing how the malware attempts to hook processes and modify the Registry.
Overall this is a first-rate tool and as a way of isolating a system from malware it is about the best we've seen.