This column is available in a weekly newsletter called IT Best Practices.
Anyone who has ever had to deal with a malware infection knows the trouble it can cause. Preventing malware from getting on your systems in the first place is critical. Comodo has a new approach to endpoint protection that's designed to deny malware the ability to take root and run.
First, a bit of background on the company, as this is important in how they approach the malware problem. Comodo says it is the largest certificate authority in the world. This gives it a very large whitelist of legitimate applications. Comodo also has had an anti-virus program on the market for years, and with 85 million users, this gives it a large blacklist of malicious programs and code.
Using the strengths of its digital signature-based whitelist and malware blacklist, and automatic containment for unknowns, Comodo has built a Default Deny Platform that it says prevents malware from infecting endpoints.
If you think about how malware typically enters a network, it starts at an endpoint. Someone opens an infected email attachment or a file on a USB stick, or follows a link to a compromised website where a drive-by download drops malware on the endpoint. Maybe a person installs an app or clicks on an ad that is preloaded with malware. In all these cases, the user's device is the point of entry for the malware.
The infection is able to happen because the dominant mode of operation of the endpoint today is "default allow." That is, the endpoint has an anti-virus/anti-malware application that investigates any new file or software the endpoint touches. If the AV/AM application doesn't recognize the code as malicious, the default policy says the code is allowed to run. This mode is becoming less and less effective as time goes by because the AV/AM tools can't keep pace with the creation of new malware—a million variations of code a day, according to Symantec.
Using a Default Deny Platform as its model, Comodo says it is better able to protect the endpoint. When the user interacts with a file or application, it is categorized as known good, known bad or unknown. If the application or file is on the whitelist, it is considered good and allowed to run unfettered. If it is on the blacklist, it is deemed bad and prevented from running. If it is on neither list, it is labeled unknown and automatically run in containment, which protects the endpoint while further analysis determines the file's status and decides whether it may run outside the container.
The unknown file goes into a small footprint virtual container on the user's device. The file is allowed to run in isolation inside this container while Comodo conducts analysis to determine a status of either good or bad. The user can interact with the file like normal, except that it can't leave the container, keeping the user protected.
At the same time, VirusScope, a local behavioral analysis engine, observes what the file or application does inside the container. If this engine determines the file is acting maliciously, the file/app is killed, the container is closed, and the application goes on the blacklist. If no malicious behavior is observed, the application goes on the whitelist.
In parallel with the local analysis, the file/application is submitted to Valkyrie, Comodo's cloud sandbox, where another 200 or so static and dynamic checks are applied to assess the file as either good or bad, typically within 45 seconds. If no definitive determination can be made, the file/app is sent to Comodo's lab for human analysis. So there are multiple layers of analysis looking at the behavior of unknown files, and in the meantime the user can still use the file in containment.
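As an added illustration of the verdict flow described above (this is a model written for this column, not Comodo's code), the following Python sketch applies the whitelist/blacklist/unknown rule and feeds the result of containment analysis back into the lists. It assumes files are identified by their SHA-256 digest and that a trusted-publisher name stands in for an already-verified code signature; the class, publisher names and sample bytes are constructed for the example.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "known good"      # on the whitelist: runs unfettered
    BLOCK = "known bad"       # on the blacklist: prevented from running
    CONTAIN = "unknown"       # on neither list: runs in containment pending analysis


class DefaultDenyPolicy:
    """Hypothetical model of the three-way verdict plus analysis feedback.

    Files are identified by SHA-256. The whitelist is a set of trusted
    code-signing publishers plus hashes that analysis has cleared; the
    blacklist is a set of hashes that analysis has flagged as malicious.
    """

    def __init__(self, trusted_signers, blacklist_hashes=()):
        self.trusted_signers = set(trusted_signers)
        self.blacklist = set(blacklist_hashes)
        self.cleared_hashes = set()
        self.contained = {}  # digest -> file name, awaiting a good/bad verdict

    @staticmethod
    def digest(content):
        return hashlib.sha256(content).hexdigest()

    def classify(self, name, content, signer=None):
        h = self.digest(content)
        # The blacklist is checked first (a deliberate choice in this model) so a
        # hash already judged malicious is never rescued by a valid signature.
        if h in self.blacklist:
            return Verdict.BLOCK
        if h in self.cleared_hashes or signer in self.trusted_signers:
            return Verdict.ALLOW
        self.contained[h] = name
        return Verdict.CONTAIN

    def record_verdict(self, content, malicious):
        """Apply the outcome of containment analysis (local engine, cloud or lab)."""
        h = self.digest(content)
        self.contained.pop(h, None)
        (self.blacklist if malicious else self.cleared_hashes).add(h)
```

Once a verdict is recorded, the same file is no longer contained on its next appearance: it is either blocked outright or allowed like any other known-good file.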
Comodo's approach differs from a pure sandbox approach in that the automatic containment is lightweight—similar to a Docker container. It's not a full virtual machine like some sandbox solutions spin up. Also, the container is typically used for a short time while a good/bad determination is made on the file, increasing performance and usability.
This solution from Comodo is called Advanced Endpoint Protection, and it's part of the Comodo One Enterprise platform. The Comodo One Client is what runs on the endpoint to intercept and render a good/bad/unknown verdict on files and applications. Comodo Advanced Endpoint Protection also includes a unified IT and security management console, to ease the job of IT operations and system administrators to keep endpoints protected.
The big differentiator of Comodo's Default Deny Platform is that it is a verdict-driven system designed to ensure that no unknown process or executable gets the access it would need to exploit the endpoint. Through this technology, files found to be malicious can be prevented from infecting endpoints and spreading to the broader network.