Do Endpoint Security Solutions Detect Unknown (Potentially Malicious) Files
An endpoint security solution is a centralized approach to protecting every device connected to an enterprise computer network from malware. Many kinds of devices connect to an enterprise/corporate network: servers, workstations, laptops, tablets, mobile phones and other IoT/wireless devices. Hundreds of endpoint security solutions offer protection, but most still follow an antiquated and ineffective approach to preventing malware infection. These solutions take a default-allow posture: every process and executable is granted access to system resources unless it is a known bad file. They do not block "unknown files", so the default-allow posture fails to detect processes or applications that carry new malware.
The Three Types of Files
An endpoint security solution has to handle three types of files (or two, depending on its capabilities): known bad (malicious) files, known good (benign) files and unknown (to-be-determined) files. Known bad files are malicious files whose signatures are available in blacklisting databases (signature-based methods), also called virus definition databases.
Building virus definition databases requires great effort, and the cyber security companies that detect malware usually share virus definitions as part of a cooperative effort. However, not all virus definition databases contain definitions for all existing malware, so the effectiveness of an endpoint security solution at detecting known malware depends on the number of virus definitions in its database. Comodo Threat Research Labs (CTRL) provides the largest library of known “bad” files, drawn from over 85 million Windows PC users.
Known good (benign) files – very few endpoint security solutions maintain a database of these, and maintaining one is not an easy task. Comodo has the most comprehensive library of all known “good” code files. Identifying a process or file as known good enables safer operation and better system performance.
The Unknown Files
Typical endpoint security solutions DO NOT block unknown files. They treat unknown files as good and allow them unfettered access to system files. Only after an infection takes place, or once malicious behavior is observed, is the endpoint security alerted – and by then it may be too late.
Comodo uses a multi-layer, modular approach: allow all known good files, block all known bad files, and automatically isolate the remaining unknown files in a secure container.
Automated Containerization Technology
Comodo’s automated containment technology is built on its Default Deny Platform. All unknown processes and executables are automatically contained in a high-performance container until they are determined to be safe to use. The container virtualizes COM interfaces, disk, registry, and memory: the unknown file believes it is changing the actual system, but it is actually changing only the virtual system. The behavior of the unknown file is observed and an accelerated verdict is reached on whether it is good or malicious. Static and dynamic analysis, complemented by fully integrated expert human inspection, is employed to reach a final resolution.
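The two ideas above (the three-way allow/block/contain decision, and a container whose writes never reach the real system) can be shown together in a small model. The following Python is an added illustration, not Comodo's code or any product's implementation: the sample "binaries", the SHA-256 allow- and blocklists, and the registry-like dictionary are all constructed stand-ins, and the copy-on-write overlay is one simple way to model the virtualized disk/registry the text describes.

```python
"""Toy default-deny verdict engine with copy-on-write containment (added example)."""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"      # known good: may touch the real system
    BLOCK = "block"      # known bad: never runs
    CONTAIN = "contain"  # unknown: runs only against the virtual system


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample contents (arbitrary bytes, not real executables or malware).
GOOD_SAMPLE = b"MZ hypothetical vendor-signed utility"
BAD_SAMPLE = b"MZ hypothetical sample already on the blocklist"
UNKNOWN_SAMPLE = b"MZ hypothetical never-before-seen binary"

# Constructed allow- and blocklists keyed by SHA-256, standing in for the
# known-good / known-bad libraries described in the text.
KNOWN_GOOD = {sha256_hex(GOOD_SAMPLE)}
KNOWN_BAD = {sha256_hex(BAD_SAMPLE)}


def classify(data: bytes, default_deny: bool = True) -> Verdict:
    """Three-way decision. The blocklist is checked first so a hash that
    somehow appears in both lists can never be allowed."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD:
        return Verdict.BLOCK
    if digest in KNOWN_GOOD:
        return Verdict.ALLOW
    # Unknown file: the posture decides. Default-allow lets it through to the
    # real system; default-deny sends it to the container instead.
    return Verdict.CONTAIN if default_deny else Verdict.ALLOW


class Container:
    """Copy-on-write view over a system state (here a registry-like dict).

    Reads fall through to the real state, writes land in an overlay, so the
    contained process sees its own changes while the real state stays
    untouched until a verdict commits or discards the overlay.
    """

    def __init__(self, real_state: dict):
        self.real = real_state
        self.overlay: dict = {}

    def read(self, key):
        return self.overlay.get(key, self.real.get(key))

    def write(self, key, value):
        self.overlay[key] = value  # never touches self.real

    def resolve(self, verdict: Verdict) -> dict:
        """Commit the overlay only on a good verdict; otherwise discard it."""
        if verdict is Verdict.ALLOW:
            self.real.update(self.overlay)
        self.overlay = {}
        return self.real


# Constructed registry-style key the sample "binaries" try to write.
SAMPLE_KEY = "registry:HKCU\\Software\\ConstructedApp\\Setting"


def run_with_posture(data: bytes, real_state: dict, default_deny: bool,
                     analysis_verdict: Verdict = Verdict.BLOCK) -> dict:
    """Run one file under the given posture and return the resulting real state.

    analysis_verdict models the later static/dynamic/human verdict on a
    contained file; it is only consulted when the file was contained.
    """
    state = dict(real_state)
    verdict = classify(data, default_deny)
    if verdict is Verdict.BLOCK:
        return state                      # nothing runs, nothing changes
    if verdict is Verdict.ALLOW:
        state[SAMPLE_KEY] = "written-directly"  # real system modified
        return state
    box = Container(state)
    box.write(SAMPLE_KEY, "written-in-container")
    # The contained file sees its own change; the real state does not.
    assert box.read(SAMPLE_KEY) == "written-in-container"
    assert SAMPLE_KEY not in state
    return box.resolve(analysis_verdict)


if __name__ == "__main__":
    for posture in (False, True):
        print("default_deny =", posture,
              "->", run_with_posture(UNKNOWN_SAMPLE, {}, default_deny=posture))
```

Running the script shows the difference the text is making: under default-allow the unknown file's write lands in the real state immediately, whereas under default-deny the same write stays in the overlay and is thrown away when the later verdict is BLOCK (or committed only when it is ALLOW).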
Comodo’s automated containerization technology has proven to stop zero-day attacks. Comodo Advanced Endpoint Protection (AEP) is the only endpoint protection solution that protects endpoints against unknown files (zero-day malware), as well as all known malware.