Make your own anti-virus signatures with DIY tool from HBGary

Inoculator designed to let security manager create anti-malware signature on fly

Big bad malware and zero-day attacks that fly under the radar of anti-virus software are hitting enterprises everywhere. With that in mind, HBGary is coming out with a 'do-it-yourself' tool to help security managers beat back Windows-based infections or prevent them while a zero-day outbreak is underway.

The new CISO: How the role has changed in five years

Called the Inoculator, it's an appliance that would typically sit inside the network, perhaps near Active Directory, and routinely perform a detection scan on Windows-based desktops and servers for signs of malware.

"If detected, it can remove it," says Greg Hoglund, CEO of HBGary. At the same time, Inoculator would install what he calls a "digital antibody" for a specific malware specimen to prevent re-infection. And that signature-based antibody could also be quickly loaded onto other enterprise computers to inoculate them against what might be an ongoing zero-day attack.

The detection process requires Inoculator to connect via remote procedure call to the end node with privileged access so it can carry out the scan. Hoglund says HBGary's scan process will look for things such as Zeus bots that are often missed by anti-virus. In general, it will look for ways malware can affect a computer system, such as registry keys, event logs and other indicators. "A scan policy once a night would be fine," Hoglund says.

Basically, the idea is that the Inoculator security manager will be able to create a specific signature defense for a detected malware specimen even before anti-virus software vendors may come up with one; it has been known to take a day or so even when well-recognized zero-day attacks have started.

Hoglund says he designed Inoculator because he has seen security managers in high-security environments using handmade tools for this purpose, yet he has never seen a commercialized product for this purpose.

One drawback to the self-administering signature antibody treatment is that a machine has to be re-booted for the process to be completed. Another may be that the Inoculator-delivered signature, designed to be "hard to remove" in order to stymie any re-infection by malware attack, may introduce unknown conflicts with anti-virus products.

Hoglund acknowledges he doesn't know how commercial anti-virus products would interact with an Inoculator-based signature, but says he'll be looking at that. But it's not necessarily bad if a commercial anti-virus product can see an Inoculator antibody inside a computer as an intruder, he adds.

In any event, the optimum scenario envisions that information about malware infections picked up by Inoculator or other means could be collected centrally by a security information and event management product. Inoculator is in beta now and is expected to ship by year end. Pricing has not yet been announced.

Learn more about this topic

Anti-virus didn’t help in zero-day attack on power plant

Diary of a mad McAfee anti-virus victim

HBGary releases Aurora detection tool

Insider Tip: 12 easy ways to tune your Wi-Fi network
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies