Review: Minerva protects endpoints with trickery and deception

Minerva's Anti-Evasion Platform targets the new breed of environmentally-aware malware. The idea is that most normal threats will be blocked by traditional antivirus and Minerva will stop anything that attempts to get around that protection.

pc antivirus
Irina Tischenko/iStock/Thinkstock

The war for network security is increasingly coming down to skirmishes fought over endpoints. Most malware authors don’t care about an individual user’s laptop or desktop. It’s just a stepping stone to capture, mine for credentials, and leapfrog deeper into the heart of the network. But if threats can be stopped there, they won’t ever endanger core assets.

The traditional defense placed on almost every endpoint is antivirus. Even freshly-deployed machines running Windows 10 come equipped with Windows Defender as a free form of protection. And the good thing about antivirus is that, so long as the definitions are kept up to date, it can stop 90 percent or more of the most common threats, which are cataloged as signatures as soon as they are discovered anywhere in the world.

Running without antivirus on any endpoint today is practically cyber-suicide. But it’s not perfect. Most advanced and targeted threats are written to allow them to fly under the radar of antivirus, sometimes using previously unknown tactics that may not have been cataloged by antivirus programs.

In this cat and mouse game, which is so heated because endpoints are so important to both attackers and defenders, cybersecurity companies came up with ways to catch malware that tries to avoid traditional antivirus, or other signature-based protection. One of the most popular technologies is sandboxing, which forces suspected programs to run inside a virtualized environment so that their desired behaviors and patterns can be discovered. If malicious intent is found in a program, it can be analyzed, captured and ultimately killed.

But the battle rages on. Many malware programs these days have features that allow them to detect the presence of a sandbox or other protections beyond antivirus. Once any of these advanced defenses are detected, the malware can take steps to cloak itself, basically lying about its true intentions until it’s released back into a real environment, or simply destroying itself to prevent data collection about its creators, who will inevitably try again later.

It is this new breed of environmentally-aware threat that the Minerva Anti-Evasion Platform targets on endpoints. The idea is that most normal threats will be blocked by traditional antivirus and Minerva will stop anything that attempts to get around that protection. In fact, Minerva officials stress that their toolset won’t protect anything without some type of antivirus first installed. It’s designed to work with any antivirus program, including Windows Defender and any of the offerings from companies like Symantec, McAfee, AVG, TrendMicro and others.

The Minerva protection is installed as software, with the main interface and console running locally on a customer’s server or based within the cloud. Our test program was active on a physical server. Once installed, the program pushes agents out to every endpoint that needs to be protected. The agents are very lightweight, with each one taking up about 24 megabytes.

There are several modules within the Minerva toolset including Hostile Environment Simulation, Memory Injection Prevention, Malicious Document Prevention and Ransomware Protection. Two more, Endpoint Vaccination and Critical Application Protection are being worked on and should deploy over the next several months. All of them work together to trick malware about the environment that it’s running within.

Almost all environmentally aware malware knows to look for key indicators to prove that its running inside a sandbox. Minerva feeds it those prompts, convincing it that it has been placed inside a sandbox, thereby signaling it to hide and sleep, or to outright destroy itself. Those types of deceptive commands fed to the malware from Minerva don’t disrupt legitimate programs, which never look for those indicators. Each time that the Minerva Platform successfully interacts with a program, thereby spotlighting it as malware, an alert is sent to the main console, or to an SIEM if the host organization is so equipped.

To continue reading this article register now

7 hot cybersecurity trends (and 2 going cold)