HBGary – Roll Your Own Malware Signatures

HBGary, maker of Active Defense and a half dozen free tools that are always in my kit (like Fingerprint and Flypaper), is coming out with a do-it-yourself tool to help security managers contain and control Windows-based malware attacks, or block them while a zero-day outbreak is still underway. The product is in beta now and is expected to ship by year end. Pricing has not yet been announced.

Inoculator is an appliance that typically sits inside the network, close to Active Directory, and runs detection scans against Windows desktops and servers for signs of malware. The idea is that the security manager running Inoculator can write a specific signature for a malware specimen found on the network, before the anti-virus vendors have one. A/V vendors have been known to take a day or more to develop and distribute a signature, even for a widely recognised zero-day attack that is already underway.

To scan an end node, Inoculator connects to it over remote procedure call with privileged access. HBGary's scan looks for infections that anti-virus often misses, such as Zeus bots. More generally, it looks for the traces malware leaves on a system: registry keys, event log entries and other host-based indicators. Ideally, infection data gathered by Inoculator or by other means would be collected centrally in a security information and event management (SIEM) product. One caveat follows from the design: an account with privileged remote access to every Windows host is itself a high-value target, so its credentials deserve the same protection as a domain administrator's.
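As an added example (not HBGary's code and not part of the original post), here is what a do-it-yourself indicator scan of the kind described above can look like in PowerShell: a hand-written "signature" made of autostart registry values, a Userinit hijack check, file paths and a recent service-install event, run against a list of hosts and emitted as JSON for a SIEM. It uses PowerShell remoting (WinRM) rather than the RPC channel the appliance uses, assumes an account with local administrator rights on the targets, and the indicator set, hostnames and file paths are constructed placeholders, not real Zeus indicators.

```powershell
# Added example: a minimal do-it-yourself indicator scan. Not HBGary code.
# Assumptions: WinRM enabled on targets, an account with local admin rights,
# and a CONSTRUCTED indicator set (placeholders, not real Zeus IOCs).

$Indicators = @{
    # Autostart values whose data matches a suspicious pattern
    # (constructed pattern: a short random-looking exe under Roaming)
    RegistryRunValues = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Pattern = '\\AppData\\Roaming\\[a-z]{5,8}\.exe' }
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Pattern = '\\AppData\\Roaming\\[a-z]{5,8}\.exe' }
    )
    # Winlogon Userinit: anything besides the legitimate userinit.exe is a hijack
    UserinitPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Files that should not exist (constructed placeholder path)
    FilePaths = @('C:\Windows\System32\example_dropper.exe')
    # System event 7045 (new service installed) whose binary lives in a user profile
    ServiceInstallPattern = 'Users\\[^\r\n]*\\AppData'
}

# The scan itself runs on the remote host; $Ind is the indicator set above.
$Scan = {
    param($Ind)
    $hits = @()

    # 1. Autostart registry values
    foreach ($r in $Ind.RegistryRunValues) {
        if (-not (Test-Path $r.Path)) { continue }
        $props = Get-ItemProperty -Path $r.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, etc.
            if ($p.Value -is [string] -and $p.Value -match $r.Pattern) {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Detail = "$($r.Path)\$($p.Name) = $($p.Value)" }
            }
        }
    }

    # 2. Userinit hijack: the clean value is "C:\Windows\system32\userinit.exe,"
    $ui = (Get-ItemProperty -Path $Ind.UserinitPath -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($ui) {
        $extra = $ui -split ',' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -notmatch '(?i)\\system32\\userinit\.exe$' }
        if ($extra) { $hits += [pscustomobject]@{ Type = 'Userinit'; Detail = $ui } }
    }

    # 3. Known-bad file paths
    foreach ($f in $Ind.FilePaths) {
        if (Test-Path $f) { $hits += [pscustomobject]@{ Type = 'File'; Detail = $f } }
    }

    # 4. Service installs in the last 24 hours pointing into a user profile
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-1) } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match $Ind.ServiceInstallPattern) {
            $hits += [pscustomobject]@{ Type = 'ServiceInstall'; Detail = ($e.Message -replace '\s+', ' ') }
        }
    }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; ScannedAt = (Get-Date).ToString('o'); Hits = $hits }
}

# Hypothetical target hostnames; replace with an AD query in practice.
$Targets = 'ws01', 'ws02'

$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Scan -ArgumentList $Indicators -ErrorAction Continue

# Emit one JSON document per host; infected hosts are those with a non-empty Hits list.
foreach ($r in $results) {
    $r | Select-Object Host, ScannedAt, Hits | ConvertTo-Json -Depth 4
}
$infected = $results | Where-Object { $_.Hits.Count -gt 0 } | Select-Object -ExpandProperty Host
Write-Host "Infected hosts: $($infected -join ', ')"
```

The JSON output is the piece that belongs in the SIEM; the four checks are deliberately independent so a signature for a new specimen is just another entry in $Indicators rather than new code, which is the point of rolling your own.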

HBGary Press Release