Authored on: May 06, 2013
Anti-malware solutions that run as applications above the operating system are no match for the stealth techniques used by today's malware developers. Hardware-assisted security products such as McAfee Deep Defender take advantage of a "deeper" security footprint.
Researchers discover an average of 2,000 rootkits each day, according to McAfee® Labs™. Rootkits are an increasingly common form of malware built explicitly to hide malicious code. Once installed, a rootkit conceals itself and looks innocent to traditional file-based scans. The longer it stays hidden, the more damage the rootkit can do, especially when rootkits conceal secondary malware components, a common line of attack.
To prevent a rootkit from installing and cloaking itself and the related malware it carries, McAfee has developed endpoint detection more sophisticated than malware signatures and operating-system-level heuristics.
This paper describes how McAfee Deep Defender moves endpoint security beyond the operating system. McAfee Deep Defender gets hardware assistance from Intel and uses a privileged early load position to uncloak, block, and remove the kernel-mode activities of stealthy rootkits.
Once McAfee Deep Defender has neutralized the rootkit, any malicious user-mode payload the rootkit was concealing lies exposed for detection and cleanup by the traditional file-based scanning of McAfee VirusScan® Enterprise software. Both products interact with McAfee Global Threat Intelligence™ to minimize time to protection for the affected system and for other potential targets.