McAfee Deep Defender Security: Going Deeper to Protect the OS

The marriage of McAfee and Intel has produced some well-publicized announcements of late. First there was DeepSAFE; now there’s Deep Defender, new security software that McAfee execs are touting as a game-changer in the fight against malware.

Using McAfee Global Threat Intelligence and heuristics, Deep Defender targets rootkits by focusing on the kernel level. According to Todd Gebhart, co-president of McAfee, the technology is the result of more than two years' worth of work between Intel and McAfee, and will give the company a head start over competitors who will have to play catch-up.

Under the hood, the hardware-assisted protection in Deep Defender is a departure from McAfee's traditional approaches to protecting the operating system (OS). It is built on DeepSAFE, a thin software layer that runs in VMX-root mode beneath the Windows kernel on Intel's virtualization extensions. From that vantage point Deep Defender can observe kernel memory accesses that an in-kernel agent cannot reliably see, and it takes a number of actions to prevent attacks: it blocks and logs write attempts to the interrupt descriptor table (IDT) and the system service dispatch table (SSDT), the classic rootkit hook points that any kernel-mode driver could otherwise overwrite at will, and it guards against direct kernel object manipulation (DKOM) of the kernel's process and thread lists, the technique rootkits use to unlink themselves from the structures that process enumeration relies on.
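As an added illustration, and not McAfee or Intel code (DeepSAFE's internals are not published), the C below models the decision a VMX-root monitor makes when a trapped guest write lands in a protected table, and pairs it with a baseline comparison of the SSDT that catches hooks installed before the monitor was running. The guest-physical layout, the write events, the baseline and live SSDT contents, and the names `handle_guest_write`, `ssdt_hooked_entries` and `audit_log` are all constructed for this example. In a real hypervisor the write decision would run in the VM-exit handler after the table pages had been made read-only in the extended page tables, and the recorded instruction pointer would be used to fingerprint the offending code for a reputation lookup rather than just printed.

```c
/* Added illustration, not McAfee/Intel code: a simplified model of the policy
 * a VMX-root monitor applies when the guest kernel writes to a protected
 * table. Layout, events and table contents below are constructed. */
#include <stdio.h>
#include <stdint.h>

enum verdict { ALLOW = 0, BLOCK = 1 };

/* A protected guest-physical region such as the IDT or SSDT pages. */
struct protected_region {
    const char *name;
    uint64_t base;
    uint64_t size;
};

/* Hypothetical layout: a 256-entry IDT (16-byte gates) and one SSDT page.
 * A real monitor would learn these addresses from the guest at boot. */
static const struct protected_region regions[] = {
    { "IDT",  0x0000000001000000ULL, 256 * 16 },
    { "SSDT", 0x0000000001002000ULL, 4096 },
};

/* One audit record per blocked write: which table, where, and from what
 * guest instruction pointer, so the offending code can be fingerprinted. */
struct audit_entry {
    char table[8];
    uint64_t addr;
    uint64_t rip;
};

#define MAX_AUDIT 64
static struct audit_entry audit_log[MAX_AUDIT];
static size_t audit_count = 0;

/* Return the protected region that [addr, addr+len) overlaps, or NULL. */
static const struct protected_region *lookup_region(uint64_t addr, uint64_t len)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        uint64_t start = regions[i].base, end = start + regions[i].size;
        if (addr < end && addr + len > start)
            return &regions[i];
    }
    return NULL;
}

/* Decision for a trapped guest write. In a real hypervisor this runs in the
 * VM-exit handler after the pages were made read-only in the extended page
 * tables; here it is a plain function so the policy can be exercised. */
enum verdict handle_guest_write(uint64_t addr, uint64_t len, uint64_t rip)
{
    const struct protected_region *r = lookup_region(addr, len);
    if (r == NULL)
        return ALLOW;                 /* ordinary kernel memory: let it through */
    if (audit_count < MAX_AUDIT) {    /* log, then refuse to perform the write */
        struct audit_entry *e = &audit_log[audit_count++];
        snprintf(e->table, sizeof e->table, "%s", r->name);
        e->addr = addr;
        e->rip = rip;
    }
    return BLOCK;
}

size_t audit_entries(void) { return audit_count; }
void audit_reset(void) { audit_count = 0; }

/* Complementary detection: compare the live SSDT with a baseline captured at
 * boot and count service pointers that no longer match (hooked entries). */
size_t ssdt_hooked_entries(const uint64_t *baseline, const uint64_t *live, size_t n)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++)
        if (baseline[i] != live[i])
            hooked++;
    return hooked;
}

/* Constructed four-entry tables: entries 1 and 3 now point into a driver. */
static const uint64_t ssdt_baseline[4] = { 0xFFFFF80001100000ULL, 0xFFFFF80001100200ULL,
                                           0xFFFFF80001100400ULL, 0xFFFFF80001100600ULL };
static const uint64_t ssdt_live[4]     = { 0xFFFFF80001100000ULL, 0xFFFFF88003A0B000ULL,
                                           0xFFFFF80001100400ULL, 0xFFFFF88003A0B100ULL };

size_t sample_ssdt_scan(void) { return ssdt_hooked_entries(ssdt_baseline, ssdt_live, 4); }

int main(void)
{
    /* Constructed events: a hook of SSDT entry 0x2A, an overwrite of IDT
     * gate 3, and an innocent write to a driver's own data page. */
    const struct { uint64_t addr, len, rip; } events[] = {
        { 0x0000000001002000ULL + 0x2A * 8, 8,  0xFFFFF88003A0B000ULL },
        { 0x0000000001000000ULL + 3 * 16,   16, 0xFFFFF88003A0B100ULL },
        { 0x0000000002000000ULL,            8,  0xFFFFF80001234000ULL },
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        enum verdict v = handle_guest_write(events[i].addr, events[i].len, events[i].rip);
        printf("write %#llx (%llu bytes): %s\n", (unsigned long long)events[i].addr,
               (unsigned long long)events[i].len, v == BLOCK ? "blocked and logged" : "allowed");
    }
    for (size_t i = 0; i < audit_count; i++)
        printf("  audit: %s write at %#llx from rip %#llx\n", audit_log[i].table,
               (unsigned long long)audit_log[i].addr, (unsigned long long)audit_log[i].rip);
    printf("SSDT entries differing from baseline: %zu\n", sample_ssdt_scan());
    return 0;
}
```

The overlap test in `lookup_region` is what makes the policy hard to sidestep: a write that starts just below the table but spills into its first bytes is still blocked, while a write that ends exactly at the table's base is left alone. The baseline scan is the other half of the story, since a monitor that starts after a rootkit has already patched the table sees no write to trap.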

Speaking at the company's FOCUS 11 conference in Las Vegas, Gebhart said that threats have not only multiplied but are hitting businesses in more ways as attackers target deeper layers of the system architecture. The benefit of Deep Defender, he explained, is that malware cannot hide from it when it interacts with the operating system.

"If we are going to realize our relentless pursuit of better, faster security, we need to be under the OS (operating system)…Deep Defender detects these interactions, allowing us to block an entirely new range of stealthy threats," he said. "Deep Defender shows the power of what McAfee can do as part of the Intel family."

For suspected or unknown threats, McAfee Deep Defender sends a fingerprint of the code to the McAfee Global Threat Intelligence network and then carries out the configured action, according to McAfee.

Still, Gartner analyst John Pescatore questioned whether this kind of “CPU-type integration” would provide a major breakthrough against attacks.

“Against old-style malware going after Windows-based PCs, servers and appliances, (this is) definitely progress,” he told SecurityWeek in an email. “But if you remember Microsoft touting Data Execution Prevention and Address Space Layout Randomization features baked into Windows, those features did not become killer against attacks, just against old-style malware. New targeted threats have no problem.”

Scott Crawford, research director at Enterprise Management Associates, called the product, which will support Windows 7 on Intel Core i3, i5 and i7 processors, an expected evolution of defense.

“More direct integration of McAfee capability with Intel platforms has certainly been expected since the acquisition of McAfee by Intel, but the concept is not new,” he told SecurityWeek in an email interview.

“To some extent, the idea of defending against threats at a level below or beyond the physical OS has existed in concepts such as Intel vPro technology,” he continued. “Though a number of systems ship with vPro on board, there does not appear to have been significant adoption of the full functionality. However, a similar concept exists in virtualization with the notion of control below the level of the virtualized system – and this is something that DeepSAFE takes advantage of directly.”

DeepSAFE uses Intel’s VT-x technology to monitor kernel activity and control memory access, which provides a more direct indication of malicious activity than signatures that must be tuned to each individual malware variant, he added.

"Because VT-x is widely accessible – and, indeed, EU regulators require Intel to share enabling technology with other security vendors – I do expect others to adopt a similar approach as anti-virus and anti-malware must evolve beyond legacy approaches," Crawford said. "Note, however, that DeepSAFE is Intel-specific. Intel does not have the strength in the mobile market of some competitors such as ARM, so that may limit its applicability. Mobile devices, however, often have a very different security model from Windows PCs, for example, so it remains to be seen how this trend will impact mobile technology vendors. I do, however, expect Intel's competitors in areas where it is currently dominant to offer similar capability…(and for) this trend to spread throughout major competitors of both Intel and McAfee in their current markets."
