Trend Micro Endpoint Security
1.40

Problems it solves

Malware infection via Internet, email, storage devices

High costs

Risk of attacks by hackers

Risk of data loss or damage

Risk of lost access to data and IT systems

Values

Reduce Costs

Ensure Security and Business Continuity

Manage Risks

Trend Micro Endpoint Security - Defend against the threats of today and tomorrow with XGen™ security

Description

Signature-based detection

Traditional signature-based anti-virus and anti-malware offer a high level of protection against known threats in a very computationally efficient way. (Matching files against a list of known malware signatures is far less CPU-intensive than the more advanced behavior-based detection techniques.) But with new variants of crypto-ransomware being released every minute, the usefulness of signature-based detection as a standalone security technique is waning. To provide real value to an enterprise, it must be complemented by a wide range of other techniques. Still, signature-based detection should be one part of a multi-layered security approach, including:
  • File and web reputation – Blocks the execution of any files, URLs and websites that match the signature of a known malicious item, but has difficulties with unknown/unrecognized threats (such as polymorphic or packed malware) or attacks originating from a ‘good’ ISP or data center.
  • C&C blocking – Examines and shuts down endpoint traffic (over any port) that is attempting to connect to or contact a known command-and-control (C&C) server.
Non-signature-based detection

These techniques defend against malware without requiring any previous knowledge of exact file signatures. Instead, they make determinations based on a file’s characteristics and behavior. Some of the techniques to be included in a multi-layered security approach include the following:

Variant protection

Variant protection looks for obfuscated or polymorphic variants of malware by using fragments of previously seen malware together with detection algorithms.

Census check

The likelihood that a file is malicious can be determined in part by its prevalence and maturity (i.e., how often it has been seen over a given time period). Files that have never been seen before are considered more suspicious. This technique has proven to be quite strong against malware hash factories.

Whitelisting check

To reduce false positives on endpoint detections, all files should be checked against a database of known and verified good files. (As an example, Trend Micro’s certified safe software whitelist contains almost one billion known good files.)

Behavioral analysis

This technique examines an item as it is unpacked, looking for suspicious or unusual behavior in how it interacts with operating systems, applications and scripts — even if the item isn’t on a blacklist. While crypto-ransomware can easily slip past traditional anti-virus (by being a freshly compiled executable), it will behave suspiciously as it loads into memory, triggering further action. As attackers still find it difficult to evade behavior-based detection, this technique is a must-have for any organization. Behavioral analysis can take many forms, including:
  • Script protection – Checks for malicious code or scripts within files attempting to execute on the endpoint (e.g., Office macros, scripts in PDF, PowerShell scripts).
  • Injection protection – Blocks processes from injecting code where it shouldn’t be (such as program libraries).
  • Suspicious action monitoring – Examines an item as it is loading or running, looking for suspicious behavior in how it interacts with other processes.
  • Ransomware protection – Looks for rapid obfuscation/encryption of files by an unknown process, then terminates that process and restores the encrypted files.
  • Memory inspection – Evaluates processes running in memory, scanning them for malware (or fragments of recognizable malware) as an item is unpacked into memory. This ensures malware packer tools can’t just obfuscate an older known piece of malware.
  • Browser exploit protection – Uses emulation and algorithmic detection technology to protect against exploit code on web pages (e.g., exploits in Java and Flash).
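The layering described above (signature match first, then the certified-safe whitelist, then a census check on prevalence and maturity, with behavioral monitoring catching what the file-based layers cannot) can be illustrated with a small toy verdict engine. The code below is an added example written for this page; it is not Trend Micro's code and makes no claim about how XGen implements these checks. All hashes, file names, process names, census figures and thresholds are constructed for the example, and the ransomware heuristic (many distinct files rewritten with high-entropy content by one untrusted process inside a short window) is one plausible reading of the "rapid encryption of files by an unknown process" bullet, not the product's actual rule.

```python
"""Toy multi-layered file verdict engine (constructed example, not vendor code)."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed databases keyed by SHA-256 of file content ------------------
KNOWN_BAD = {sha256(b"constructed-malware-sample-A")}            # "signature" list
KNOWN_GOOD = {sha256(b"constructed-vendor-binary-notepad")}      # certified-safe whitelist
# Census data: hash -> (endpoints that have reported it, days since first seen)
CENSUS = {
    sha256(b"constructed-vendor-binary-notepad"): (250_000, 900),
    sha256(b"constructed-rare-but-benign-tool"): (3, 400),
}
PREVALENCE_MIN = 10   # seen on fewer endpoints than this counts as "rare"
AGE_MIN_DAYS = 7      # younger than this counts as "new"


def file_verdict(content: bytes) -> str:
    """Cheapest checks first: signature, whitelist, then census (prevalence + maturity)."""
    h = sha256(content)
    if h in KNOWN_BAD:
        return "block:signature"
    if h in KNOWN_GOOD:
        return "allow:whitelist"
    seen_on, age_days = CENSUS.get(h, (0, 0))
    # Rare AND new is the suspicious combination; a rare but long-established file
    # is merely unknown and is left to the behavioral layers to monitor.
    if seen_on < PREVALENCE_MIN and age_days < AGE_MIN_DAYS:
        return "suspicious:census"
    return "unknown:monitor"


# --- Behavioral layer: ransomware-like mass rewrite detection ----------------
@dataclass(frozen=True)
class WriteEvent:
    t: float        # seconds since monitoring started
    pid: int
    process: str    # image name of the writing process
    path: str
    data: bytes     # content written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_ransomware_like(events, window_s=5.0, min_files=20,
                           entropy_threshold=7.0, trusted=frozenset()):
    """Return {pid: process} for untrusted processes that wrote high-entropy content
    to at least min_files distinct paths within any window_s-second window."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        if evs[0].process in trusted:        # known-good tools (e.g. archivers) are exempt
            continue
        evs.sort(key=lambda e: e.t)
        hot = [shannon_entropy(e.data) >= entropy_threshold for e in evs]
        window = defaultdict(int)            # path -> high-entropy writes inside the window
        lo = 0
        for hi, e in enumerate(evs):
            if hot[hi]:
                window[e.path] += 1
            while evs[lo].t < e.t - window_s:  # slide the window forward in time
                if hot[lo]:
                    window[evs[lo].path] -= 1
                    if window[evs[lo].path] == 0:
                        del window[evs[lo].path]
                lo += 1
            if len(window) >= min_files:
                flagged[pid] = e.process
                break
    return flagged


# --- Constructed sample event stream ------------------------------------------
CIPHERTEXT_LIKE = bytes(range(256))   # entropy exactly 8.0 bits/byte
PLAINTEXT_LIKE = b"quarterly report draft, see attached figures\n" * 6


def constructed_events():
    evs = []
    for i in range(25):   # unknown process rewriting 25 documents in about 2 s
        evs.append(WriteEvent(0.08 * i, 4242, "unknownproc.exe",
                              f"C:/Users/alice/Documents/report{i}.docx", CIPHERTEXT_LIKE))
    for i in range(25):   # backup tool copying 25 plain-text files quickly (benign)
        evs.append(WriteEvent(0.05 * i, 1001, "backup.exe",
                              f"D:/backup/report{i}.docx", PLAINTEXT_LIKE))
    for i in range(3):    # archiver writing 3 compressed files: high entropy, too few files
        evs.append(WriteEvent(1.0 * i, 1002, "archiver.exe",
                              f"C:/Users/alice/archive{i}.zip", CIPHERTEXT_LIKE))
    return evs


if __name__ == "__main__":
    print(file_verdict(b"never-seen-before-payload"))      # suspicious:census
    print(detect_ransomware_like(constructed_events()))    # {4242: 'unknownproc.exe'}
```

The ordering matters for cost as much as for accuracy: hash lookups are cheap and resolve the bulk of files, the census check only consults prevalence data for what remains, and the entropy-based sliding window runs continuously but only ever needs to count distinct paths per process. In a real product the "trusted" set would come from the whitelist rather than a hard-coded name, and the terminated process's files would be restored from the pre-write copies the text mentions, which this toy does not model.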
Exploit prevention

While there are hundreds of thousands of malicious files out there, there aren’t very many unique exploits that can be used to compromise a user’s system. As such, it is often easier to focus on preventing the exploitation of specific application or OS-related vulnerabilities rather than blocking the files themselves. Also known as vulnerability shielding, exploit prevention techniques can include:
  • Host-based firewalls – Protect endpoints on the network using stateful inspection and network virus scanning.
  • Exploit protection – Monitors programs that demonstrate abnormal behavior associated with exploit attacks, and uses multiple heuristic analysis techniques to detect exploit code on web pages as users attempt to access them with their browsers.
  • Intrusion prevention – Blocks network-based exploits of known vulnerabilities in popular applications and operating systems by using host-based intrusion prevention (HIPS) rules that provide a virtual patch.