Endpoint Security for Malicious Unknown Files Detection
An endpoint security solution is designed to secure all devices connected to an enterprise network from malware. However, not all endpoint security solutions are capable of unknown files detection.
A typical robust endpoint security solution follows a centralized approach to protect the various devices such as servers, workstations, laptops, tablets, mobile phones and other IoT devices. A centralized approach is the only way to effectively manage and secure hundreds or thousands of devices from malware and malicious intrusion attacks.
Hackers typically target endpoints as they are considered to be the most vulnerable node in the network. Hence, it is of paramount importance to secure the endpoints.
Three Types of Files
Endpoint security solutions have to encounter three types of files - the known bad files, the known good files and the unknown files. Some do not consider "known good" files - as this requires considerable resources and whitelisting of known good processes or executables.
Most Endpoint Security solutions are capable of detecting the known bad or malicious files, as this requires signature-based threat detection methods. This method, which is also called as blacklisting, requires the maintenance of a virus definition database. The capability of detection is entirely dependent upon the strength of the database. This is the traditional threat detection approach. Comodo Threat Research Labs (CTRL) provides the largest library of known “bad” files leveraging information gained from over 87 million computers/endpoints.
Robust cyber security products such as Comodo Advanced Endpoint Protection, also maintain a whitelisting database. This enables Comodo AEP to safely allow the known files to access system files quickly. Comodo AEP ensures that only files with a "known safe state" are allowed to run unfettered in the system.
The Default Allow Posture
It is an archaic posture followed by most endpoint security/antivirus solutions. This method allows all files - other than the known bad files - to have unfettered access to system files. This method surmises that all other files must be good/safe. But in reality, it is not so. Cyber criminals create variants of existing malware and these do not get detected by these endpoint security solutions. They successfully carry out their infection and only then do other security modules such as behavioral analysis detect the infection. If it is malware such as ransomware, then the impact of the infection will be visibly known.
Default Deny Posture
Comodo AEP is the only endpoint security solution that follows a Default Deny posture to block all files except the known good. The known bad is blocked.
Unknown Files Detection
The "unknown files" are automatically isolated in a sophisticated secure container until they are determined to be safe. Comodo has built its Automated Containerization Technology on its Default Deny Platform. The container is a combination of a virtualization of COM interfaces, disk, registry, and memory. The unknown file enacts its malicious activity and makes changes to the system, however, it is actually making changes only to the virtual system while the real system remains unaffected. The activity and behavior of the unknown file are observed, and the AEP obtains a verdict to determine if the unknown file is good or malicious. There are many techniques used to obtain an accelerated verdict. Static and dynamic analysis and expert human analysis is used to obtain the verdict.
Unknown Files Detection
Only Comodo AEP features an effective unknown files detection process to prevent zero-day attacks and patient zero scenarios to protect the enterprise network.