Carbon Black, World's First Surveillance Camera for CPUs, Now Features Generic Dropper Detection
Posted Dec 26 2012 6:33am
Carbon Black, the world’s first ‘surveillance camera’ for computers, designed to provide IT professionals and security practitioners with key data and insight into where and when a security incident has occurred, is now equipped with a plugin that detects dropper behavior.
The addition of this plugin in version 2.4 of the Carbon Black software means that users will be able to see any time a process exhibits the behavior of a dropper: it writes a file and then executes it.
Because the same write-then-execute pattern occurs naturally in software that updates itself periodically, antivirus vendors find it difficult to differentiate between benign and malicious dropper behavior, even though most malware exhibits this behavior regularly.
Carbon Black allows users to see all processes that exhibit this behavior and quickly home in on the ones that are most worrisome. Users who currently have Carbon Black installed will, after updating to version 2.4, be able to go back in time through already-recorded data and check for past dropper behavior.
"Dropper behavior is extraordinarily common in malicious software," said Carbon Black CEO Michael Viscuso. "Having the visibility to detect this behavior near real-time will help catch intruders before they infect the entire network."
This release comes on the heels of version 2.3 in June, which marked a banner day for Carbon Black. In that release, the software was equipped with a free VirusTotal plugin that could be configured to scan every binary that has ever been executed on a network against 43 different AV engines.
Two separate AV tests conducted by Carbon Black, one in March and one in July, showed that the combined power of 43 AV engines was much more effective at detecting malware samples than any single AV engine.
"The common thought is that AV isn't performing like it used to," said Viscuso. "However we have two studies showing that the combined power of the AV industry is quite proficient – identifying all malicious samples on day 1 of our tests."
At its core, the 'surveillance camera' in Carbon Black allows users to collect and retain five key elements, as they are occurring:
1. A record of process execution
2. A record of file system modifications
3. A record of registry modifications
4. A record of new outbound network connections
5. A copy of every unique binary executed
Most importantly, Carbon Black also maintains the relationship between each of the above events. This means that you can trace every network connection to the process that created it, every file to its creator, every binary to its parent process, and so on. By retaining the relationships between these events, Carbon Black helps customers answer questions that previously seemed impossible.
Unlike other products that rely on snapshots in time, Carbon Black sets itself apart by collecting these five events as they occur rather than in hindsight, and makes the data available to its users in a central location. This data can then be analyzed in near real time, as the VirusTotal plugin and now the generic dropper detector do, to identify malicious or unwanted behavior as quickly as possible.
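The following is an added example that is not Carbon Black's code; it illustrates in working Python how the dropper rule described above (a process writes a file and then executes it) can be evaluated over exactly the kind of related events the article lists: process executions, file-system writes, and the parent/child link between processes. The event layout, field names and sample events are assumptions constructed for this example. Note that the benign updater and the suspicious document-spawned binary are both reported, which is the point the article makes: the rule itself cannot tell them apart, so the analyst triages the hits (here with a simple temp-directory heuristic that is this example's own, not the product's).

```python
"""Toy generic dropper detector over an endpoint event stream (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int          # timestamp; events may arrive out of order (assumed format)
    kind: str        # "proc_start" or "file_write"
    pid: int         # process the event belongs to
    path: str        # proc_start: image executed; file_write: file written
    ppid: int = 0    # proc_start only: parent process id


def norm(path: str) -> str:
    """Case- and slash-insensitive key so C:\\x\\Y.EXE and c:/x/y.exe match."""
    return path.replace("\\", "/").lower()


def is_self_or_ancestor(candidate: int, pid: int, parent: Dict[int, int]) -> bool:
    """True if `candidate` is `pid` or appears anywhere in pid's parent chain."""
    seen = set()
    while pid and pid not in seen:          # `seen` guards against cyclic data
        if pid == candidate:
            return True
        seen.add(pid)
        pid = parent.get(pid, 0)
    return False


def find_droppers(events: List[Event]) -> List[Tuple[int, str, int]]:
    """Return (writer_pid, dropped_path, new_pid) for each write-then-execute.

    A file written by process W and later started as new process P is a hit
    when P's parent is W or a descendant of W, so a dropper that stages a file
    and launches it through cmd.exe is still attributed to W.
    """
    writers: Dict[str, List[Tuple[int, int]]] = {}   # norm(path) -> [(ts, pid)]
    parent: Dict[int, int] = {}                       # pid -> ppid
    hits: List[Tuple[int, str, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):     # replay in time order
        if ev.kind == "file_write":
            writers.setdefault(norm(ev.path), []).append((ev.ts, ev.pid))
        elif ev.kind == "proc_start":
            parent[ev.pid] = ev.ppid
            for wts, wpid in writers.get(norm(ev.path), []):
                if wts <= ev.ts and is_self_or_ancestor(wpid, ev.ppid, parent):
                    hit = (wpid, ev.path, ev.pid)
                    if hit not in hits:
                        hits.append(hit)
    return hits


def summarize(events: List[Event], hits) -> List[Tuple[str, str, bool]]:
    """Attach the writer's image path and a crude triage flag to each hit.

    The temp-directory flag is a heuristic chosen for this example only.
    """
    images = {e.pid: e.path for e in events if e.kind == "proc_start"}
    rows = []
    for wpid, dropped, _newpid in hits:
        in_temp = "/temp/" in norm(dropped) or "/tmp/" in norm(dropped)
        rows.append((images.get(wpid, f"pid {wpid}"), dropped, in_temp))
    return rows


# Constructed sample stream: a benign self-updater and a document-spawned
# binary, both of which satisfy the write-then-execute rule.
SAMPLE_EVENTS = [
    Event(1, "proc_start", 100, "C:/Windows/explorer.exe", 1),
    Event(2, "proc_start", 200, "C:/Program Files/Updater/updater.exe", 100),
    Event(3, "file_write", 200, "C:/Program Files/Updater/update_v2.exe"),
    Event(4, "proc_start", 201, "C:/Program Files/Updater/update_v2.exe", 200),
    Event(5, "proc_start", 300, "C:/Program Files/Office/winword.exe", 100),
    Event(6, "file_write", 300, "C:/Users/bob/AppData/Local/Temp/invoice.exe"),
    Event(7, "proc_start", 301, "C:/Windows/System32/cmd.exe", 300),
    Event(8, "proc_start", 302, r"c:\users\bob\appdata\local\temp\INVOICE.EXE", 301),
    Event(9, "file_write", 100, "C:/Users/bob/Documents/notes.txt"),   # never executed
    Event(10, "proc_start", 400, "C:/Windows/System32/notepad.exe", 100),
]

if __name__ == "__main__":
    for writer, dropped, in_temp in summarize(SAMPLE_EVENTS, find_droppers(SAMPLE_EVENTS)):
        print(f"{'TEMP ' if in_temp else '     '}{writer} wrote and executed {dropped}")
```

Both hits come out of `find_droppers`; the second is attributed to winword.exe even though cmd.exe actually launched the file, because the parent chain is walked back to the writer. That attribution is what the retained relationships between events buy you.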
Carbon Black is currently offering live demos of its software as well as a free 30-day, fully functional license for those who download the software.
More information about the software is available on carbonblack.com.