Malware is excellent at its job – and you need to be excellent at yours to defend against it. Traditional security systems and anti-virus are successful at identifying existing signatures but are defenseless against more recent, highly malleable and malicious threats. Hackers often just create new variants of existing malware or leverage effective zero-day techniques against you and your business. How do you defend against this constantly evolving threat? You need to evolve.
“Engine Zero” has been created to ensure that zero threats will affect your network and to give you complete and holistic protection against zero-day vulnerabilities. Engine Zero is only one of many malware inspection engines embedded in Sangfor’s network security solutions, endpoint solution and Neural-X cloud platform.
Traditional malware detection usually falls into the following categories:
• Signature based detection:
Often used by traditional anti-virus vendors: hashes (typically MD5) of all known malicious files are computed and stored in an anti-virus database. Each time a suspicious file is inspected, its MD5 is computed and then compared against the hashes already in the AV database. While this method is effective, fast and industry-tested, it requires daily upkeep of a huge database of known malware samples, often hundreds of megabytes, and daily endpoint updates. Maintaining this constant vigilance is still valuable and effective at combating known malware, but it remains ineffective against fast-evolving malware and malware variants, since even a small change to a file produces a completely different hash.
• YARA type Script Engine:
A rule engine scans the suspected files or directories and matches the strings and patterns defined in YARA rules against each file’s contents. The YARA approach does a better job than hash-based AV in terms of covering more families of malware, because one rule can match many variants, but it still falls short in detecting newly created malware whose strings are not yet known.
• Virtual Execution/Sandboxing:
Virtual execution and sandboxing is the process of detonating malware within a controlled virtual environment and monitoring its post-execution behavior. The nature of malware presents several challenges to this method. Malware is getting smart enough to recognize when it is running in a sandbox environment and to withhold its malicious behavior if the sandbox isn’t invisible (and they usually aren’t). The other challenge with sandboxing is that inspection takes a long time, and it is often not deployed broadly at all parts of the network, or even at many organizations, allowing malware to bypass it.
While variants were notoriously difficult to detect in the past, we are getting more accurate with our detection techniques. However, with increased knowledge comes increased resource consumption and a pitifully slow detection speed.
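To make the gap between the first two approaches concrete, here is an added Python example (not Sangfor’s code and not part of the original page) that runs a constructed, harmless byte string through an MD5 signature lookup and a simplified YARA-style string rule: a one-byte repack slips past the hash database but is still caught by the string rule, while a variant with rewritten strings evades both. The sample bytes, the hash set and the rule are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample "file": a harmless byte string standing in for a
# malware binary. No real malware is involved.
KNOWN_BAD = b"MZ\x90\x00 DEMO-PAYLOAD: connect-back to c2.example.invalid"

# Signature-based detection: a set of MD5 hashes of known-bad files.
AV_DATABASE = {hashlib.md5(KNOWN_BAD).hexdigest()}

# YARA-style rule (simplified stand-in; real YARA adds hex patterns,
# wildcards and condition logic). A file matches when every pattern appears.
FAMILY_RULE = {
    "name": "demo_family",
    "strings": [rb"DEMO-PAYLOAD", rb"c2\.[a-z]+\.invalid"],
}


def hash_match(data: bytes) -> bool:
    """Signature lookup: exact hash match only."""
    return hashlib.md5(data).hexdigest() in AV_DATABASE


def rule_match(data: bytes, rule=FAMILY_RULE) -> bool:
    """YARA-like match: every pattern in the rule must be found in the file."""
    return all(re.search(pattern, data) for pattern in rule["strings"])


def classify(data: bytes) -> str:
    """Run the two traditional methods in turn and report which one fired."""
    if hash_match(data):
        return "known-hash"
    if rule_match(data):
        return "family-rule"
    return "undetected"


# Variant 1: one trailing byte appended (a trivial repack). The MD5 changes,
# so the signature database no longer recognizes the file.
VARIANT_REPACKED = KNOWN_BAD + b"\x00"

# Variant 2: the tell-tale strings are XOR-obfuscated, so the family rule
# finds none of its patterns either.
_BODY = b"DEMO-PAYLOAD: connect-back to c2.example.invalid"
VARIANT_REWRITTEN = b"MZ\x90\x00 " + bytes(c ^ 0x5A for c in _BODY)

if __name__ == "__main__":
    samples = [("original", KNOWN_BAD), ("repacked", VARIANT_REPACKED),
               ("rewritten", VARIANT_REWRITTEN)]
    for label, sample in samples:
        print(f"{label:10s} -> {classify(sample)}")
```

Running the block prints `known-hash` for the original, `family-rule` for the repacked variant and `undetected` for the rewritten one, which is exactly the coverage ordering the three bullets above describe.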
How Does It Work?
Based on years of diligent security research on malware characteristics, Sangfor has developed a supervised learning model. To train this model and ensure its accuracy, we applied tens of millions of malware samples while using advanced Artificial Intelligence capabilities that enable our engines to run and teach themselves, expanding our capacity to discover unknown malware and their families.
Engine Zero is not the only line of defense within Sangfor’s security portfolio, which includes network gateways, endpoint protection and cloud-based security as a service. Other defenses, including threat intelligence, sandboxing and botnet detection capabilities, all work in concert to provide comprehensive coverage for malware detection.
Coverage of known and zero-day attacks. Our engine released in June of 2017 has proven itself able to detect high-profile malware such as BadRabbit ransomware, first seen in Oct 2017, without any previous signatures.
In recent tests our malware detection rate scored the highest in terms of accuracy, surpassing other vendors and open source alternatives.
This engine is very efficient and utilizes very few resources. Only such efficiency can provide malware inspection on the network gateway with very little performance impact.
Engine Zero Validation: Unmatched Protection for Ransomware
Engine Zero and Ransomware
• Adaptability: Demonstrated to offer the best coverage for known and unknown ransomware even without prior training (example: BadRabbit).
• Accuracy: In 60,000 recent ransomware sample tests, Engine Zero scored the highest among similar solutions.
• Speed: Customers using our next generation firewall (NGAF) can use Engine Zero to detect ransomware at line rate.