
Traps by Palo Alto Networks, revolutionising endpoint security – Part One

  • 27 September, 2016

Article, Palo Alto Networks, Security

Most organisations today tend to deploy a mixture of security solutions to protect their endpoints. This typically includes at least one traditional antivirus solution, sometimes several. Threats now come in many different guises, and it has never been easier to generate new and unique attacks that evade traditional signature-based antivirus. Traditional antivirus and endpoint security solutions struggle to protect users and systems against evasive, unknown or zero-day attacks. Where Traps differs is in its unique combination of the most effective, purpose-built malware and exploit prevention methods.

Traps is considerably enhanced by leveraging Palo Alto Networks’ WildFire cloud-based malware analysis environment. WildFire’s sandbox can rapidly detect unknown malware and automatically reprogram Traps to prevent previously undetected malware. Currently WildFire can turn an unknown threat into a known and preventable threat in around 5 minutes, worldwide. WildFire further reinforces the point that relying solely on manually distributed signature updates is simply no longer up to the job.


So how does it work?

Let’s take a closer look at how Traps combines several prevention methods to instantly prevent both known and unknown malware from infecting a system.

The Traps Multi-Method Exploit Prevention System.

This is an innovative new approach to preventing exploits. Instead of focusing on and reacting to millions of individual attacks, specific pieces of malware or the underlying software vulnerabilities, Traps focuses on the core exploitation techniques that are used.


To perform a successful attack, each piece of malicious software has to carry out a series of exploits or utilise a specific technique to subvert an application. Traps looks for these exploits and blocks them immediately upon attempted execution. By using this technique, prevention is extended beyond traditional detection by pre-defined and distributed signatures. With Traps it becomes futile to simply modify an existing piece of malicious code, or create an entirely new one, to avoid signature-based detection. The vast majority of malware uses different versions of the same tried and tested exploits, so by detecting the exploit you can prevent even previously undetected malware.


Memory Corruption Prevention

Memory corruption is a category of exploitation techniques in which the exploit manipulates the operating system’s normal memory-management mechanisms for the application opening the weaponised data file that contains the exploit. This method recognises and prevents these exploitation techniques before they even have a chance to subvert the application.


Logic Flaw Prevention

Logic Flaw is a category of exploitation technique that allows the exploit to manipulate the operating system’s normal processes which are used to support and execute the target application opening the weaponised data file. For example, the exploit may alter the location from which DLLs (dynamic link libraries) are loaded, placing its own malicious DLLs into the application’s execution environment so that they replace the legitimate ones. The Logic Flaw Prevention method within Traps recognises these techniques and stops them before they succeed.
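The DLL-location manipulation described above leaves a recognisable trace in module-load telemetry: a DLL whose name belongs in a system directory resolving instead to a user-writable location. The following detector is an added illustration written for this article, not Traps code or any Palo Alto Networks logic. The directory lists, the System32 inventory and the load events are all constructed for the example.

```python
"""Flag DLL loads that resolve a system DLL name to a user-writable directory.

Added example for this article; not Traps code. The trusted/writable
directory lists, the System32 inventory and the sample events are all
constructed stand-ins for what an endpoint agent would observe.
"""
from dataclasses import dataclass

# Locations a process is normally expected to load DLLs from
# (assumed, simplified list for this illustration).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Locations an unprivileged user can write to; a system-named DLL
# resolving here is the search-order pattern the text describes.
USER_WRITABLE_DIRS = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Constructed inventory standing in for the DLL names that actually live
# in System32 on the monitored host.
SYSTEM32_INVENTORY = {"kernel32.dll", "user32.dll", "version.dll"}


@dataclass(frozen=True)
class ModuleLoad:
    process: str   # image name of the loading process
    dll: str       # module file name as requested by the loader
    path: str      # full path the loader resolved it to


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def classify_load(event: ModuleLoad) -> str:
    """'trusted' (system/program dir), 'suspicious' (user-writable) or 'unknown'."""
    path = _norm(event.path)
    if any(path.startswith(d) for d in TRUSTED_DLL_DIRS):
        return "trusted"
    if any(path.startswith(d) for d in USER_WRITABLE_DIRS):
        return "suspicious"
    return "unknown"


def hijack_candidates(events, inventory=SYSTEM32_INVENTORY):
    """Loads of a DLL whose name exists in the system inventory but which
    resolved to a user-writable directory: the 'replaced DLL' shape."""
    return [e for e in events
            if e.dll.lower() in inventory and classify_load(e) == "suspicious"]


# Constructed module-load events for one document-handling process.
SAMPLE_EVENTS = [
    ModuleLoad("winword.exe", "kernel32.dll", "C:\\Windows\\System32\\kernel32.dll"),
    ModuleLoad("winword.exe", "version.dll", "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"),
    ModuleLoad("winword.exe", "vendorplugin.dll", "C:\\Program Files\\Vendor\\vendorplugin.dll"),
    # A private helper DLL beside a download: writable location, but not a
    # system DLL name, so it is not the hijack pattern (a different rule).
    ModuleLoad("winword.exe", "helper.dll", "C:\\Users\\alice\\Downloads\\helper.dll"),
    # Neither trusted nor known-writable: left as 'unknown' for review.
    ModuleLoad("winword.exe", "user32.dll", "D:\\build\\user32.dll"),
]


def analyze_sample():
    """Return (process, dll, path) for every flagged load in SAMPLE_EVENTS."""
    return [(e.process, e.dll, e.path) for e in hijack_candidates(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for process, dll, path in analyze_sample():
        print(f"search-order hijack candidate: {process} loaded {dll} from {path}")
```

Only the `version.dll` load is flagged: its name is in the system inventory but it resolved under the user’s Temp directory. The rule is deliberately narrow so that legitimate application-private DLLs in writable locations do not generate noise.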


Malicious Code Execution Prevention

In most cases, the end goal of exploitation is to execute some form of code that is embedded within a malicious data file. This prevention method recognises the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Traps Multi-Method Malware Prevention System.


Like its close relative which handles exploit prevention, the malware prevention system also uses a multi-method approach, maximising coverage against malware whilst simultaneously reducing the attack surface. The system also contributes to increasing the accuracy of malware detection. By combining several prevention methods, the system is able to prevent both known and unknown malware from infecting a system.


Admin Override Policies

This method allows organisations to define policies based on the hash of an executable file, controlling what is and isn’t allowed to run in any environment. This fine-grained whitelisting/blacklisting capability controls the execution of any file. It works on user-defined conditions that tie into any object that can be defined within Microsoft Active Directory.


Trusted Publisher Execution Restrictions

This method allows organisations to identify executable files that are among the ‘unknown good’. They are considered ‘unknown good’ because they are published and digitally signed by trusted publishers – entities that Palo Alto Networks defines as reputable software publishers.


WildFire Inspection & Analysis

This method leverages the power of Palo Alto Networks’ WildFire cloud-based malware analysis environment, providing rapid detection of unknown malware and automatic reprogramming of Traps to prevent newly discovered malware. Traps queries WildFire with the hash of any executable file before it is allowed to run, assessing its standing within the global threat community. If it has been deemed malicious, Traps automatically reprograms itself to prevent the execution of that file from that moment on. If the file is completely unknown, Traps submits it to WildFire for complete inspection and analysis, including detonation within the sandbox. Should this file turn out to be malicious, WildFire distributes knowledge of this new threat worldwide in around 5 minutes.


Static Analysis via Machine Learning

This method delivers an instant verdict on any unknown executable file before it is even allowed to run. Traps examines hundreds of characteristics of a file in a fraction of a second, rapidly determining whether it is malicious or benign without relying on signatures, scanning or behavioural analysis. Allied with the global threat intelligence available through WildFire, the machine learning aspect of Traps can be trained to autonomously recognise malware, including variants that have never been seen before, producing unmatched levels of effectiveness and accuracy without any manual intervention.


Policy-Based Execution Restrictions

Organisations can easily define policies to restrict specific execution scenarios, therefore reducing the potential attack surface of any environment. For example, Traps can be configured to prevent the execution of files from the Outlook ‘temp’ directory or prevent the execution of a particular file type directly from a locally connected USB drive or device.

Adding to these five features, Traps will also quarantine malicious executables in order to prevent the spread of infected files to other users. Although essential in most environments, this capability is particularly useful in preventing the inadvertent spread of malware into organisations where network or cloud based data storage and SaaS applications are automatically syncing files across multiple users and systems.
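The malware prevention methods described above (admin hash overrides, policy-based execution restrictions, trusted publishers, and the hash lookup that “reprograms” the agent once a verdict is known) fit together as an ordered decision. The following is an added example written for this article to show that ordering in working code; it is not Traps code and does not reflect Palo Alto Networks’ actual implementation. The `Candidate` attributes (`signer`, `origin`), the `Policy` fields, the `FakeCloud` stand-in for a WildFire lookup, the `default_unknown` setting and the Outlook temporary-folder path are all assumptions constructed for the example.

```python
"""Ordered multi-method execution decision for an executable file.

Added example for this article; not Traps code. Every policy value, the
cloud lookup stand-in and the candidate files below are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Candidate:
    path: str
    content: bytes
    signer: Optional[str] = None   # publisher name if the file is signed (assumed attribute)
    origin: str = "local"          # "local" or "usb" (assumed attribute)


@dataclass
class Policy:
    hash_allow: set = field(default_factory=set)         # admin whitelist by SHA-256
    hash_block: set = field(default_factory=set)         # admin blacklist by SHA-256
    trusted_publishers: set = field(default_factory=set)
    blocked_path_fragments: tuple = ()                   # e.g. an Outlook temp folder
    blocked_usb_extensions: tuple = ()                   # file types blocked from USB
    default_unknown: str = "block"                       # assumed setting for no-verdict files


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(c: Candidate, policy: Policy, verdict_cache: dict,
           query_cloud: Callable[[str], str]):
    """Return (action, reason); the first method with an opinion wins."""
    h = sha256_hex(c.content)
    # 1. Admin override: an explicit hash decision beats everything else.
    if h in policy.hash_block:
        return "block", "admin override (hash blacklist)"
    if h in policy.hash_allow:
        return "allow", "admin override (hash whitelist)"
    # 2. Policy-based execution restrictions: where the file is running from.
    low = c.path.lower()
    if any(frag in low for frag in policy.blocked_path_fragments):
        return "block", "execution restriction (path)"
    if c.origin == "usb" and low.endswith(policy.blocked_usb_extensions):
        return "block", "execution restriction (USB)"
    # 3. Trusted publisher: signed by a reputable publisher counts as 'unknown good'.
    if c.signer and c.signer in policy.trusted_publishers:
        return "allow", "trusted publisher"
    # 4. Cloud verdict: use the local cache, otherwise query once and remember
    #    the answer, so the next sighting of the same hash is decided locally.
    verdict = verdict_cache.get(h)
    if verdict is None:
        verdict = query_cloud(h)
        verdict_cache[h] = verdict
    if verdict == "malicious":
        return "block", "cloud verdict"
    if verdict == "benign":
        return "allow", "cloud verdict"
    # 5. No method reached a verdict: apply the configured default.
    return policy.default_unknown, "unknown file (default policy)"


class FakeCloud:
    """Constructed stand-in for the cloud hash lookup; counts queries so the
    'query once, then decide locally' behaviour is observable."""
    def __init__(self, known: dict):
        self.known = known
        self.queries = 0

    def __call__(self, h: str) -> str:
        self.queries += 1
        return self.known.get(h, "unknown")


def run_sample():
    """Evaluate constructed candidates; returns ([(path, action, reason)], cloud queries)."""
    malicious = b"constructed malicious sample"
    admin_blocked = b"constructed admin-blocked tool"
    policy = Policy(
        hash_block={sha256_hex(admin_blocked)},
        trusted_publishers={"Example Vendor Ltd"},
        blocked_path_fragments=("\\content.outlook\\",),   # assumed Outlook temp folder name
        blocked_usb_extensions=(".exe", ".scr"),
    )
    cloud = FakeCloud({sha256_hex(malicious): "malicious"})
    cache: dict = {}
    candidates = [
        Candidate("C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\X1Y2Z3\\invoice.exe", b"a"),
        Candidate("E:\\tools\\portable.exe", b"b", origin="usb"),
        Candidate("C:\\Program Files\\Example\\app.exe", b"c", signer="Example Vendor Ltd"),
        Candidate("C:\\Users\\alice\\Downloads\\setup.exe", malicious),
        Candidate("C:\\Users\\bob\\Downloads\\setup.exe", malicious),   # same bytes, second user
        Candidate("C:\\Tools\\legacy.exe", admin_blocked),
        Candidate("C:\\Users\\alice\\Downloads\\newtool.exe", b"d"),
    ]
    results = [(c.path, *decide(c, policy, cache, cloud)) for c in candidates]
    return results, cloud.queries


if __name__ == "__main__":
    for path, action, reason in run_sample()[0]:
        print(f"{action:5}  {reason:35}  {path}")
```

Running the sample, only two cloud queries are made for seven files: the malicious sample is looked up once and the second user’s copy is blocked from the cache, and the final unknown file is queried, cached as unknown and then handled by the default setting. The path and USB restrictions stop files before any hash lookup is needed, which is the attack-surface reduction the policy-based method is meant to provide.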

As you can already see, Traps is a prevention-focused endpoint security solution with formidable capabilities. The third major part to Traps is its place within the Palo Alto Networks Next Generation Security Platform. We will go into a lot more detail on the NGSP in future articles.

Next week in Part Two of our series of Traps Endpoint Security articles we’ll look at the Traps Agent and some of the technical architecture behind it.

If you’re interested in trying out Traps, or any aspect of the Next Generation Security Platform, please get in touch with us to arrange an interactive demonstration where you can fully test out these products.

Tesrex also offers a range of Assessment Services where we will give you an in-depth analysis and report on your Network Environment, your Security or your Unified Collaboration eligibility/solution. Contact us to arrange a consultation and to find out more about how our Assessments can help you understand where you are and how to get to where you want to be.