Sophos has launched a host intrusion detection (HIPS) technology it claims can spot malware before it has a chance to execute anywhere on the network.
Integrated into the company’s anti-virus scanning engine, the system uses what Sophos describes as “behavioural genotype protection” to analyse executable code at the network gateway, or before it runs on server or client PC.
Sophos makes big claims for this method of detection compared to traditional host-based intrusion technology, including that it detects and stops unknown malware, eliminates false positives, and does so without needing major software upgrades – all things traditional host systems have struggled with.
Because it is has a host-based element, it can filter malware before PCs – endpoints in security jargon - get infected, for instance, by email not picked up by spam filters or through malevolent websites.
"The beauty of Sophos's new technology is that there is no need to roll-out new software. For no additional cost, customers can benefit from the power of our Behavioral Genotype Protection on every single operating system platform that we support,” said Sophos CEO Steve Munford.
What makes the Sophos system able to avoid the scanning pitfalls of traditonal designs is harder to gauge. According to Sophos senior product manager John Shaw, the system used a complex form of heuristics. Instead of simply looking at one aspect of a suspect file for signs of malware, the new technology was able to grasp multiple elements of a file’s intention and design to discern infection.
“It scans for rules that describe multiple behavioural and other characteristics that have only ever been seen together in malicious code. Each of these rules is then tested against terabytes of data to ensure that there are no false positives,” he said.
“The vast bulk of new clearly malicious code that we see is delivered as a single file - typically Trojan horses. Because we scan and block these files before they get to run we can stop them before they execute payload and install other bits and bobs around a PC.”
Sophos has been unusually busy in this area recently, within a matter of days releasing a number of new-fangled security systems, including a rootkit detection tool, and a free application control system for stopping unauthorised applications such as Skype and P2P from running on corporate networks. The later also works from within the same management system as the company’s anti-virus scanner.
Existing customers can download an evaluation copy of the software for the relevant product and platform.