- May 7, 2016
- 1,307
One of the new ways we are increasing protection is with a cool new proprietary technology called CyberCapture. CyberCapture dramatically raises the bar when it comes to protection against zero-second attacks.
Let me explain how it works, and take a look at the infographic below which shows the path of an unknown file.
The threat landscape has significantly evolved in recent years and malware has become a lucrative business for cybercriminals. Threats are becoming more sophisticated and the life span of malware has drastically changed with the heavy use of server polymorphisms and targeted attacks. Server polymorphism is where one malware sample targets a single user before the code morphs into a new sample and attacks the next user, enabling zero-second attacks that are very difficult to prevent using traditional protection methods. Since samples constantly morph, their life spans are radically shortened, allowing cybercriminals to focus on big and quick campaigns to hit the maximum number of victims within the shortest time frame possible. CyberCapture detects morphed, yet-unknown files in real time and thus protects you from zero-second attacks.
In a nutshell, CyberCapture is a cloud-based smart file scanner. Rather than relying on the latest definition updates, CyberCapture isolates suspicious files in a safe environment and automatically establishes a two-way communication channel with the Avast Threat Labs for immediate analysis. This allows us to clear away all the false code, misdirection, and other stuff malware creators use to mask malware’s true intentions. By peeling away layers of obfuscated code in the cleanroom environment of our cloud, CyberCapture is able to fully dissect the file and observe the binary level commands inside the malware and fully understand the instructions hidden there.
CyberCapture evolved from our DeepScreen technology, which used to analyze unknown files locally, in a virtualized “sandbox” environment. DeepScreen had two major problems, though. First, it relied on the NG virtualization component, which wasn’t compatible with all systems (it required certain settings to be enabled in the system BIOS etc.). And second, it allowed the suspicious file to run in the sandbox for only a very short time (typically 10-15 seconds), dramatically reducing the precision of the decision-making algorithm. By moving the technology to the Cloud, and taking all the time needed to properly analyze the file, we are now adding an additional layer of protection that will be extremely difficult for attackers to beat.
While developing CyberCapture, we put a great deal of effort into shortening the time between malware discovery and the deployment of a detection. We moved the technology to the cloud, so that we can leverage all of our heavy weapons to analyze samples in a controlled environment. Additionally, running our powerful detection engines on our backend means the cybercriminals have to touch our cloud to test our products abilities, which not only makes their lives harder, but also lets us see them.
Typically, the automated analysis will need up to two hours to make a reliable decision about the file. In certain cases, it will not be possible for our engines to make that decision, which is where our experienced analysts will step in to manually analyze the file. During that time, the file is still contained in the “capture” and hence cannot cause any harm. Once the analysis is complete, the user is notified about the result and the file is either quarantined or released from the capture and allowed to run.
CyberCapture is a new system and will take a bit of time to become fully tuned and productive. Because of the nature of its operations, CyberCapture continually gathers intelligence on new viruses. This means it will organically improve as it is used and, therefore, it will continue to iterate increased performance.
Let me explain how it works, and take a look at the infographic below which shows the path of an unknown file.
The threat landscape has significantly evolved in recent years and malware has become a lucrative business for cybercriminals. Threats are becoming more sophisticated and the life span of malware has drastically changed with the heavy use of server polymorphisms and targeted attacks. Server polymorphism is where one malware sample targets a single user before the code morphs into a new sample and attacks the next user, enabling zero-second attacks that are very difficult to prevent using traditional protection methods. Since samples constantly morph, their life spans are radically shortened, allowing cybercriminals to focus on big and quick campaigns to hit the maximum number of victims within the shortest time frame possible. CyberCapture detects morphed, yet-unknown files in real time and thus protects you from zero-second attacks.
In a nutshell, CyberCapture is a cloud-based smart file scanner. Rather than relying on the latest definition updates, CyberCapture isolates suspicious files in a safe environment and automatically establishes a two-way communication channel with the Avast Threat Labs for immediate analysis. This allows us to clear away all the false code, misdirection, and other stuff malware creators use to mask malware’s true intentions. By peeling away layers of obfuscated code in the cleanroom environment of our cloud, CyberCapture is able to fully dissect the file and observe the binary level commands inside the malware and fully understand the instructions hidden there.
CyberCapture evolved from our DeepScreen technology, which used to analyze unknown files locally, in a virtualized “sandbox” environment. DeepScreen had two major problems, though. First, it relied on the NG virtualization component, which wasn’t compatible with all systems (it required certain settings to be enabled in the system BIOS etc.). And second, it allowed the suspicious file to run in the sandbox for only a very short time (typically 10-15 seconds), dramatically reducing the precision of the decision-making algorithm. By moving the technology to the Cloud, and taking all the time needed to properly analyze the file, we are now adding an additional layer of protection that will be extremely difficult for attackers to beat.
While developing CyberCapture, we put a great deal of effort into shortening the time between malware discovery and the deployment of a detection. We moved the technology to the cloud, so that we can leverage all of our heavy weapons to analyze samples in a controlled environment. Additionally, running our powerful detection engines on our backend means the cybercriminals have to touch our cloud to test our products abilities, which not only makes their lives harder, but also lets us see them.
Typically, the automated analysis will need up to two hours to make a reliable decision about the file. In certain cases, it will not be possible for our engines to make that decision, which is where our experienced analysts will step in to manually analyze the file. During that time, the file is still contained in the “capture” and hence cannot cause any harm. Once the analysis is complete, the user is notified about the result and the file is either quarantined or released from the capture and allowed to run.
CyberCapture is a new system and will take a bit of time to become fully tuned and productive. Because of the nature of its operations, CyberCapture continually gathers intelligence on new viruses. This means it will organically improve as it is used and, therefore, it will continue to iterate increased performance.