Traditional signature based anti-virus/malware software is suitable for home users, but not for corporations. As seen repeatedly in the news, targeted attacks against specific companies are becoming more and more common. To combat this threat, advanced threat detection techniques are needed.
At first glance, FireEye resembles any other advanced firewall/gateway product. It automatically allows in known good binaries such as Windows updates and automatically blocks known malware by its signature. But most software falls into the wide ‘unknown’ category. This is where FireEye shines.
When an unknown binary is downloaded on the network, FireEye saves a copy. It then spins up a series of virtual machines using various combinations of OS, patch level, browser, etc. and attempts to execute the code using the same environmental variables that the real user would have had. This last point is key for detecting trojans that are highly targeted. Everything the software does, including outside communication, registry changes, file reads/writes, database access, etc. are logged. The unknown software is then given a risk potential rating and the results sent to the central log.
The central log also stores any suspect traffic. If malware has made it to a machine, it will usually make itself visible by communicating with suspect or known bad servers. This traffic is automatically tagged with a risk level based on behavior and known malware communication patterns.
IT security and operations can view these logs using the unstructured data-mining tool Splunk. FireEye integrates into Splunk so that users can quickly switch between generic Splunk searches and visualizations and the custom views implemented by FireEye.