Stay Protected From Live PC Intrusion
Prevent Malicious Software from Getting into Your PC with FireTower

 

Autorun tagging and authentication technology

FireTower Guard Security Solutions

Sampan Security’s Autorun tagging and authentication technology, the underpinning of FireTower Guard security solutions, is designed to detect the presence of malware on your internet-connected computer and to specifically prevent zero-day attacks that bypass traditional anti-virus software.

A zero-day attack is a malicious attack that utilizes an unknown, undiscovered exploit to gain entry and cause harm to a computer system.  Traditional anti-virus software fails to detect and prevent a zero-day attack because of their reliance on signature-based detection.   Thus, they only succeed in detecting previously discovered malware.  The main purpose of FireTower Guard technology fills this need in computer security.

Persistence Key Marker Event through Windows Autorun Settings

Establishing persistence on a computer is a common goal for malware because it allows the malware to remain on the computer and execute through system restarts.  Persistence is typically achieved through the insertion of malicious Autorun entries and has long being recognized in the cyber security community as indicators of compromise.

The Autorun entry is used by Windows to determine what software is required to be executed automatically each time your computer boots up.  While it is a common tool used by legitimate software, it can also be used by malicious software in order to establish persistence on your PC.

Autorun settings have been long used by support professionals to diagnose and resolve crashes/instability, degraded performance, unwanted programs, and virus incidents.  Understanding and utilizing the data recovered from current Autorun utilities typically requires expert subject-matter knowledge in system security, performance, and recovery.  It takes a trained forensic investigator to make the assessments necessary for resolving system issues and for authenticating suspicious Autorun entries.  Furthermore, current Autorun utilities only allow for these assessments to begin long after attacks have occurred which make them incapable of providing real-time security.

Autorun Tagging and Authentication Technology

FireTower Guard Autorun Tagging and Authentication Technology is the first in the industry to provide a cloud-assisted, real-time Autorun authentication service and a just-in-time Guard protection service based on locale impacts from Autorun setting changes.   Within an enterprise environment, FireTower Guard is also coupled with a unique Inter-Host Intrusion Prevention System (IHIPS) for enterprise-wide protection against zero-day attacks and Advanced Persistent Threats.

Real-Time Autorun Tagging

FireTower Guard software installed on a Windows-based computer will record static metadata on existing Autorun settings upon initialization.  Both static and dynamic metadata are recorded in real-time when Autorun settings change.  Static metadata includes: Autorun categories (file or registry), Autorun type, entry name, target file metadata.  Dynamic metadata includes timestamps, “who” (the process) creates/changes the Autorun settings, footprints left behind by the “who”.  A temporal threat database is updated continuously for an automated  incident timelines analysis  for future attack prevention.

Real-Time Autorun Authentication Service

FireTower Guard, with the assistance from a cloud-based Autorun Setting Repository (ASR), uses the information collected through Autorun Tagging process to assess security ratings of incoming/changed Autorun tags. This Autorun Authentication is done through a whitelisted Autorun settings stored at Autorun Setting Repository (ASR) and maintained by the cyber security team at Sampan Security Inc.  Read More for additional details on Autorun Authentication Service.

Real-Time Autorun Just-in-time Guard Protection

FireTower Guard performs a just-in-time Guard protection service based on the Autorun Authentication from ASR, pre-configured endpoint security posture and assessment from the dynamic metadata collected through Autorun Tagging process.

ASR Proxy for FireTower Guard Business Enhanced Edition (Enterprise)

The FireTower Guard Business Enhanced Edition is a locally-hosted ASR proxy database in enterprise’s intranet which is accessible to only the company’s FireTower Cyber Console administrators.  By using ASR Proxy UI, the root administrator is able to configure “proprietary” and regular Autorun entries with appropriate ratings within the enterprise network.  Furthermore, the administrator can direct FireTower Guard at end point computers to carry out detection and quarantine operations.  FireTower Guard can then perform enterprise-wide Autorun interdiction based on these ASR proxy (a private and customized ASR) data instead of the public ASR.

Inter-Host Intrusion Prevention Systems (IHIPS)

For enterprise-wide deployment, FireTower Guard will upload the local threat database to an enterprise threat database for further IHIPS data mining.  IHIPS facilitates the automation of APT detection by performing data mining against the FireTower enterprise threat database on persistence key marker events in order to identify at-risk hosts and to detect and disrupt the malware kill chain  

Traditional APT Investigative Technique

When an intrusion is suspected, traditionally a team of forensic investigators will have to manually inventory, validate, and stack up Autorun settings (persistence mechanisms) to compare and contrast among thousands of computers in the enterprise (a typical Windows PC has several hundred such Autorun entries) and identify those entries with malicious intent.  However, with FireTower Guard installed, all of these Autorun settings from each PC will be automatically examined, inventoried, monitored, and validated for their authentication by FireTower Guard software at the endpoint host computers and update the FireTower Guard Enterprise Threat Database in real-time.

Under IHIPS, IT staff, with system security training, can concentrate on at-risk systems with unauthenticated persistence mechanisms which most likely have been infected by APT attackers during initial intrusion or subsequent lateral movement. 

FireTower Guard Can Serves as a Security Monitor for Enterprise

FireTower Guard can also serve as a security monitor at the enterprise’s security operation center already installed with traditional Anti-virus solutions to identify infected or at-risk systems through Autorun tagging and authentication technology.

In summary, FireTower Guard provides company administrators the tool to identify and neutralize zero-day attacks when any number of end point PCs are threatened.  FireTower Guard significantly increases the likelihood of managing malware threats.

 
 
 
  ©2012-2017 Sampan Security, Inc. All Rights Reserved.