Why Hasn’t Zero-Hour Sandbox Protection Taken Off?
May 25, 2007
A few years ago, a new technique for catching zero-hour viruses became available. Here, control software emulates a receiving PC and executes file attachments. The emulated PC is monitored for errant behavior.
This appears to be a very useful technique for controlling zero-hour viruses, which can slip past signature-based methods.
Avinti’s iSolation Server is the main example. However, the approach has been slow to take off. Why is this? The main reasons appear to be:
- The hardware required to run emulations is substantial.
- Integrating the emulator with other malware control techniques is clumsy and increases total cost of ownership (TCO). It’s much easier and more efficient to apply all the control technology to freshly arriving email in one place than to route incoming email through a lot of separate malware processing stages.
In the Avinti model, such emulation is done inside a virtual machine (e.g., using VMware) at a central server. Other vendors instrument the actual desktop machine by intercepting (or “hooking”) key Windows APIs.
… David Ferris and Richi Jennings
