SecurityWeek


McAfee Deep Defender Security: Going Deeper to Protect the OS

The marriage of McAfee and Intel has produced some well-publicized announcements of late. First there was DeepSAFE; now there’s Deep Defender, new security software that McAfee execs are touting as a game-changer in the fight against malware.


Utilizing McAfee Global Threat Intelligence and heuristics, Deep Defender targets rootkits by focusing on the kernel level. According to Todd Gebhart, co-president of McAfee, the technology is the result of more than two years' worth of work between Intel and McAfee, and will give the company a boost against competitors, who will have to play catch-up.

Under the hood, the hardware-enabled protection offered by Deep Defender represents a change from McAfee’s traditional approaches to protecting the operating system (OS). Utilizing DeepSAFE, a memory software layer executing in VMX-root mode (that is, beneath the OS as a thin hypervisor), Deep Defender is able to gain deep visibility and take a number of actions to prevent attacks, including blocking and logging write attempts to the system’s interrupt descriptor table and system service dispatch table, as well as preventing changes to the direct kernel object manipulation list and threads.

From the company’s FOCUS 11 conference in Las Vegas, Gebhart said that not only have threats multiplied, they are striking businesses in many ways as attackers target deeper layers of the system architecture. The benefit of Deep Defender, he explained, is that malware can’t hide from it when interacting with the operating system.

“If we are going to realize our relentless pursuit of better, faster security, we need to be under the OS (operating system)…Deep Defender detects these interactions, allowing us to block an entirely new range of stealthy threats,” he said. “Deep Defender shows the power of what McAfee can do as part of the Intel family.”

For suspected or unknown threats, McAfee Deep Defender sends a fingerprint of the code to the McAfee Global Threat Intelligence network and then carries out the configured action, according to McAfee.
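The two mechanisms described above (trapping writes to protected kernel tables from below the OS, and fingerprinting the writing code against a reputation service before applying a configured action) can be sketched as a small policy model. This is an added illustration, not McAfee’s or Intel’s code; the table addresses and sizes, the reputation entries and the `TableMonitor` class are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed kernel layout: protected table name -> (base address, size).
# These are placeholder addresses, not real Windows kernel values.
PROTECTED_TABLES = {
    "IDT":  (0xFFFF_F800_0000_1000, 0x1000),   # interrupt descriptor table
    "SSDT": (0xFFFF_F800_0000_4000, 0x0800),   # system service dispatch table
}

# Constructed stand-in for a cloud reputation lookup: SHA-256 of the code
# that performed the write, mapped to a verdict.
TRUSTED   = {hashlib.sha256(b"constructed-kernel-loader-code").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed-rootkit-hook-stub").hexdigest()}


@dataclass
class WriteEvent:
    table: str
    address: int
    verdict: str
    action: str


@dataclass
class TableMonitor:
    """Models a write trap on protected kernel tables, as a hypervisor
    running beneath the OS would see it."""
    unknown_action: str = "block"          # configured action for unknown code
    log: list = field(default_factory=list)

    def table_for(self, address: int):
        for name, (base, size) in PROTECTED_TABLES.items():
            if base <= address < base + size:
                return name
        return None                         # ordinary memory: no trap

    def classify(self, writer_code: bytes) -> str:
        digest = hashlib.sha256(writer_code).hexdigest()   # the "fingerprint"
        if digest in KNOWN_BAD:
            return "malicious"
        return "trusted" if digest in TRUSTED else "unknown"

    def on_write(self, address: int, writer_code: bytes) -> str:
        table = self.table_for(address)
        if table is None:
            return "allow"                  # not a protected table, pass through
        verdict = self.classify(writer_code)
        action = {"trusted": "allow", "malicious": "block"}.get(verdict, self.unknown_action)
        self.log.append(WriteEvent(table, address, verdict, action))
        return action
```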

Still, Gartner analyst John Pescatore questioned whether this kind of “CPU-type integration” would provide a major breakthrough against attacks.

“Against old-style malware going after Windows-based PCs, servers and appliances, (this is) definitely progress,” he told SecurityWeek in an email. “But if you remember Microsoft touting Data Execution Prevention and Address Space Layout Randomization features baked into Windows, those features did not become killer against attacks, just against old-style malware. New targeted threats have no problem.”

Scott Crawford, research director of Enterprise Management Associates, called the product, which will support Windows 7 and Intel i3, i5 and i7 processors, an expected evolution of defense.

“More direct integration of McAfee capability with Intel platforms has certainly been expected since the acquisition of McAfee by Intel, but the concept is not new,” he told SecurityWeek in an email interview.


“To some extent, the idea of defending against threats at a level below or beyond the physical OS has existed in concepts such as Intel vPro technology,” he continued. “Though a number of systems ship with vPro on board, there does not appear to have been significant adoption of the full functionality. However, a similar concept exists in virtualization with the notion of control below the level of the virtualized system – and this is something that DeepSAFE takes advantage of directly.”

DeepSAFE uses Intel’s VT-x technology to monitor kernel activity and control memory access, which provides a more direct indication of malicious activity than signatures that must be tuned to each individual malware variant, he added.

“Because VT-x is widely accessible – and, indeed, EU regulators require Intel to share enabling technology with other security vendors – I do expect others to adopt a similar approach as anti-virus and anti-malware must evolve beyond legacy approaches,” Crawford said. “Note, however, that DeepSAFE is Intel-specific. Intel does not have the strength in the mobile market of some competitors such as ARM, so that may limit its applicability. Mobile devices, however, often have a very different security model from Windows PCs, for example, so it remains to be seen how this trend will impact mobile technology vendors. I do, however, expect Intel’s competitors in areas where it is currently dominant to offer similar capability…(and for) this trend to spread throughout major competitors of both Intel and McAfee in their current markets.”
