
Advanced Threat Defense – More to the Story

By on Oct 14, 2013

Jon Oltsik of Network World recently posted a great article on McAfee’s new Advanced Threat Defense. McAfee Advanced Threat Defense is a new product that complements your existing McAfee network security products, providing a comprehensive solution to defend against advanced malware. You can read his article at: http://mcaf.ee/ots9p

Jon’s article points out one of the big benefits of Advanced Threat Defense – a holistic approach that not only identifies (FIND) advanced malware, but is also capable of blocking (FREEZE) and remediating (FIX) advanced malware. Jon rightly points out that the operational side of dealing with advanced malware is “killing the enterprise security team”.

But there is more to the story.

McAfee Advanced Threat Defense can also FIND malware better than other advanced malware appliances or sandboxes. How is that? Static code analysis.

Static code analysis is not some rudimentary look into file header information (PEInfo). Instead, it examines the executable code of the file, which requires a sophisticated disassembly of the actual file. It enables a holistic analysis of the file, which is important because it is not that difficult to evade dynamic analysis or sandboxing.

For instance, as a security analyst, would knowing that your sandbox’s report on a suspicious file only covered 57% of the executable code be important? What does the other 43% of the code do? How confident would you be in your report’s conclusions on the file, knowing that 43% of the code was never considered?

[Image: LatentCode]

Would knowing that a suspect file is 71% similar to a known family of malware be relevant information? Would that raise your suspicion of that file? Irrespective of what behavior is seen through dynamic analysis, access to the file code through static code analysis makes it possible to compare the entire file code to other known malware samples. This kind of analysis is not possible by looking at the file header information.

[Image: FamilySimilarity]
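As an added example that is not part of the original post and not McAfee's algorithm, here is a toy Python model of the two measurements just described. The block addresses, mnemonics, sandbox trace and family reference are all constructed; "coverage" is the share of statically disassembled instructions the trace executed, and "similarity" is Jaccard similarity of opcode bigram sets, simple stand-ins for whatever the appliance actually computes.

```python
"""Constructed illustration (not McAfee's algorithm) of the two metrics above:
sandbox code coverage of a statically disassembled file, and opcode n-gram
similarity to a known family. Blocks: {address: mnemonics}; trace: addresses run."""

# Constructed static disassembly of the suspect file (address -> mnemonics).
SUSPECT = {
    0x401000: ("push", "mov", "sub", "call"),
    0x401010: ("test", "jz", "mov", "call"),
    0x401020: ("call", "mov", "cmp", "jne"),
    0x401030: ("xor", "mov", "loop", "ret"),   # not reached in the sandbox
    0x401040: ("push", "call", "add", "ret"),  # not reached in the sandbox
}
# Constructed sandbox trace: only the first three blocks executed.
SANDBOX_TRACE = {0x401000, 0x401010, 0x401020}

# Constructed reference sample from a known malware family.
FAMILY_REF = {
    0x10000: ("push", "mov", "sub", "call"),
    0x10010: ("xor", "mov", "loop", "ret"),
    0x10020: ("push", "call", "add", "ret"),
    0x10030: ("mov", "lea", "call", "ret"),
}

def code_coverage(blocks, trace):
    """Fraction of statically found instructions the dynamic run executed."""
    total = sum(len(ops) for ops in blocks.values())
    executed = sum(len(ops) for addr, ops in blocks.items() if addr in trace)
    return executed / total

def latent_blocks(blocks, trace):
    """Addresses of code the sandbox never executed: the 'other 43%'."""
    return sorted(addr for addr in blocks if addr not in trace)

def opcode_ngrams(blocks, n=2):
    """Set of opcode n-grams taken inside each block (never across blocks)."""
    grams = set()
    for ops in blocks.values():
        grams.update(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))
    return grams

def family_similarity(blocks_a, blocks_b, n=2):
    """Jaccard similarity of the two samples' opcode n-gram sets (0.0 to 1.0)."""
    a, b = opcode_ngrams(blocks_a, n), opcode_ngrams(blocks_b, n)
    return len(a & b) / len(a | b)

if __name__ == "__main__":
    print(f"sandbox covered {code_coverage(SUSPECT, SANDBOX_TRACE):.0%} of the code")
    print("latent blocks:", [hex(a) for a in latent_blocks(SUSPECT, SANDBOX_TRACE)])
    print(f"similarity to family: {family_similarity(SUSPECT, FAMILY_REF):.0%}")
```

The latent blocks are exactly the code a sandbox-only report would never describe; the similarity score is computed over all blocks, executed or not.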

These are just two quick examples of how static code analysis raises the bar for advanced malware analysis. McAfee Advanced Threat Defense opens the door to a new level of analysis, because, after you have observed file behavior in a sandbox, there is still much more to the story.
