Wave Systems’ new endpoint security product relies on a chip on the computer’s motherboard to detect malware infections.
Rootkit attacks hide in host systems and evade many mainstream security methods such as antivirus software, Wave Systems said. They are hard to detect because they burrow into the BIOS and the Master Boot Record (MBR), making them invisible to the operating system or security software running within the operating system. Rootkits can also replace the machine firmware with a malicious one, causing even more damage.
“Since advanced persistent threats can sometimes appear as normal traffic, new rootkits often go unnoticed for long periods of time and cause severe damage in the form of infected systems and data loss,” Steven Sprague, CEO of Wave Systems, said in a statement.
Wave Systems addresses the problem by analyzing the information collected and stored within the Trusted Platform Module security chip which is built in and usually enabled on most modern systems. The TPM module can capture data about the PC’s overall health by keeping track of what is going on in the BIOS and MBR. By being able to see what is going on under-the-hood, TPM can see infections and malicious activity that the operating system can’t detect.
The TPM chip includes shielded memory locations called the Platform Configuration Registers (PCRs), Brian Berger, executive vice president of Wave Systems, told SecurityWeek. PCRs are storage locations designed to store hashes of critical start-up values, including statistics for pre-OS components such as the BIOS. Wave Endpoint Monitor analyzes these protected values and uses them to detect any changes in the pre-OS components, Berger said. When an anomaly is found, Wave Endpoint Monitor sounds an alert.
“Storing security data in hardware is inherently more secure than storing it in software,” Berger said.
Wave Systems piloted Wave Endpoint Monitor with “several government groups” over the past six months, according to the company. While information and details about the pilot program are highly confidential, Berger said the pilot programs ranged from lab to user environments. “The clients have been very positive about the results of the pilots,” Berger added.
Wave Endpoint Monitor can work with computers installed with any version of TPM 1.2, Berger said. Wave Systems offers a central, remote TPM management application that can help organizations centrally manage systems using TPM, Berger said.
“Wave Endpoint Monitor allows IT to utilize the hardware security you’ve already bought and deployed to ensure PC health from the start of the boot process while creating a higher level of trust in your endpoints,” Sprague said.
Related: Wave Systems Signs 15-year License Agreement with Samsung