Apr 14th

Research Dept

Posted by: Chris Morris


I’ve worked at Prevx since early 2005, predominantly in the Research Team. We have what most would consider a small team. In reality, given the way we operate (community based), a small team is all that’s needed. Working in such a close-knit group enables us all to be knowledgeable in most areas of the department rather than specialising in one specific sector.

A daily routine for me would be:

- Check our “Real Time Feed” for emerging threats not picked up by existing signatures/rules.

- Adjust existing capture methods to include/exclude certain programs/files.

- Add additional capture methods for new emerging threats/tighten existing ones.

- Add manual detection for files not caught through automated processes.

- Carry out live infections to check determinations/product cleanup.

- White-list “known good” files.

- Liaise with customers to resolve any issues they may have with detection/cleanup/false positives.

We’re lucky with regard to the product and tools we have at our disposal, enabling us to deal with vast amounts of data in a short space of time. With data being fed from the agents and various other channels, we can quickly lock on to emerging threats.

As certain malware strains become more and more targeted, with few samples available, they can slip under the conventional radar (much like a fighter plane flying below a certain height to avoid detection). This is where behavioural detection kicks in. By monitoring how a file gets on to a PC and what happens once it’s there, we can see trends and patterns emerging that give us an indication of whether it might be malicious. When we really aren’t sure, we can request the file from the agent and run it manually.
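To make the behavioural idea concrete, here is an added example (not Prevx code, and not how Prevx EDGE or Prevx2.0 actually scores files): a small Python triage routine that takes a constructed per-file report from a hypothetical agent, weights how the file arrived and what it did afterwards, and returns a determination. The interesting part is the middle band: a file that looks odd but not clearly bad gets a `request_sample` verdict rather than a guess, mirroring the "when we really aren't sure, request the file from the agent" step above. All event names, weights and thresholds are illustrative assumptions.

```python
"""Toy behavioural triage over agent file reports (added example, not Prevx code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical shape of what an agent might report about one file.
@dataclass
class FileReport:
    sha256: str                      # constructed placeholder hash
    origin: str                      # how the file arrived on the PC
    events: List[Tuple[str, str]] = field(default_factory=list)  # (event_type, detail)
    known_good: bool = False         # already on the white-list

# Assumed weights for the arrival channel. Real systems would learn these from data.
ORIGIN_WEIGHTS: Dict[str, int] = {
    "browser_download": 2,
    "email_attachment": 3,
    "removable_media": 2,
    "installer": 0,
}

# Assumed weights for post-arrival behaviour. Persistence and self-protection
# are weighted higher than a single outbound connection, which many good
# programs make.
EVENT_WEIGHTS: Dict[str, int] = {
    "drop_executable_in_temp": 2,
    "write_startup_folder": 3,
    "set_run_key": 3,
    "connect_out": 1,
    "inject_process": 5,
    "disable_security_tool": 5,
    "show_fake_scan_window": 4,   # typical rogue-security-product behaviour
}

MALICIOUS_THRESHOLD = 8   # assumed: confident enough to add detection
SUSPICIOUS_THRESHOLD = 4  # assumed: ask the agent for the file instead of guessing


def score_report(report: FileReport) -> int:
    """Sum arrival-channel weight plus each distinct behaviour seen once."""
    score = ORIGIN_WEIGHTS.get(report.origin, 1)  # unknown channel: mild suspicion
    seen = set()
    for event_type, _detail in report.events:
        if event_type in seen:
            continue  # repeating the same action should not inflate the score
        seen.add(event_type)
        score += EVENT_WEIGHTS.get(event_type, 0)
    return score


def determine(report: FileReport) -> str:
    """Map a report to a determination; white-listed files short-circuit."""
    if report.known_good:
        return "known_good"
    score = score_report(report)
    if score >= MALICIOUS_THRESHOLD:
        return "malicious"
    if score >= SUSPICIOUS_THRESHOLD:
        return "request_sample"  # the unsure band: pull the file for manual analysis
    return "no_determination"


def triage(reports: List[FileReport]) -> Dict[str, str]:
    """Run determine() over a batch of reports, keyed by hash."""
    return {r.sha256: determine(r) for r in reports}


# Constructed sample reports; hashes are placeholders, not real files.
SAMPLE_REPORTS = [
    FileReport("aaaa0001", "browser_download", [
        ("drop_executable_in_temp", "C:\\Temp\\setup.exe"),
        ("set_run_key", "HKCU\\...\\Run\\AVProtect"),
        ("show_fake_scan_window", "Your PC is infected!"),
    ]),
    FileReport("bbbb0002", "installer", [
        ("set_run_key", "HKLM\\...\\Run\\Updater"),
        ("connect_out", "updates.example.invalid:443"),
        ("connect_out", "updates.example.invalid:443"),
    ]),
    FileReport("cccc0003", "installer", [("connect_out", "cdn.example.invalid:80")],
               known_good=True),
    FileReport("dddd0004", "browser_download", [("connect_out", "mail.example.invalid:443")]),
]

if __name__ == "__main__":
    for sha, verdict in triage(SAMPLE_REPORTS).items():
        print(sha, verdict)
```

Note the second report: an installer that sets a Run key and phones home scores 4, which is exactly the kind of file a researcher would want to pull and run by hand rather than auto-detect, since plenty of legitimate updaters behave the same way.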

In recent months we’ve had a big upswing in the sheer volume of data, partly down to our increased user base, but also a sign that malware is becoming more prevalent. In the past 6 months alone the number of new unique files coming into the DB has almost doubled. During this time we’ve had a steady stream of “regular” malware (Rogue Security Products/Vundo/System-Posers etc.), but also more targeted attacks (please see the recent blog entries for details). The key for us and other security vendors is to lock on to these as soon as possible so we can offer cleanup to infected users as well as real-time protection for Prevx EDGE/Prevx2.0 users going forward.

Our range of products is constantly evolving to offer better protection, as well as making the search for malware easier for us researchers. I truly believe, with the systems we have in place, we are prepared to tackle, and react quickly to the future strains of malware.

It’s exciting times at Prevx. From an employee’s point of view it’s great to see the strides we have made over the last few years. The last 6 months in particular have been frantic and I’m sure the next 6 months will be even more so!

If you would like to hear more about our Malware Research please visit our booth at RSA Expo, booth number 2732.
