McAfee Deep Defender
Stopping stealth attacks with endpoint security beyond the OS

McAfee Deep Defender Overview:
Stealthy malware has become a cybercrime tool of choice, with more and more new and unknown malware using cloaking techniques such as rootkits. Criminals rely on this low-level code to evade operating system (OS)-based protections. McAfee Deep Defender™ helps you fight back with a new generation of hardware-assisted security enabled by McAfee DeepSAFE™ technology. This behavioral monitoring of real-time kernel operations reveals and removes advanced, invisible attacks. Integrated with McAfee ePolicy Orchestrator® (McAfee ePO™) software and McAfee Global Threat Intelligence™ (McAfee GTI™), McAfee Deep Defender makes it easy to extend system security beyond the operating system (OS) to preempt covert zero-day threats.
Key Advantages:
- Operates beyond the operating system — First-of-its-kind integration with Intel resides between the memory and OS to perform real-time memory and CPU monitoring.
- Kernel mode protection — Real-time, kernel-level behavioral monitoring exposes and removes unknown threats, including kernel-mode rootkits, to preempt zero-day malware.
- Faster time to protection — Stop low-level stealth attacks as they occur, before they cause damage or steal data.

Description:
McAfee Deep Defender is a next-generation, hardware-assisted endpoint security product, enabled by McAfee DeepSAFE technology, that operates beyond the operating system and is designed to detect, block, and remediate advanced, hidden attacks. McAfee Deep Defender is reinventing the industry approach to security and is the first product built on the McAfee DeepSAFE technology co-developed with Intel.
Benefits and Features:
- Stop unknown stealth attacks
Prevent stealth attacks from compromising your endpoints and stealing confidential data with real-time kernel memory protection operating beyond the operating system.
- Utilize real-time memory and CPU monitoring
Leverage McAfee DeepSAFE technology, a memory software layer executing in VMX-root mode, to provide real-time kernel memory and CPU event protection with minimal performance impact.
- Get true zero-day protection
Identify malicious behavior and provide true zero-day protection. McAfee Deep Defender requires no prior knowledge of the rootkit to detect its existence.
- Deploy quickly and manage easily
Use McAfee ePolicy Orchestrator (ePO) software to remotely deploy and manage McAfee Deep Defender alongside your existing McAfee endpoint security solutions, lowering management overhead and costs.
Solutions:
Security beyond the OS to expose and eliminate covert threats
Enterprise endpoints are easy prey for stealthy malware that can maneuver around antivirus and other operating system-based defenses. Criminals design this low-level malware to exploit the inherent security weaknesses of the OS, hiding its presence so that the system appears normal as it
The invisible malware is free to spread infection, deactivate countermeasures, and steal network credentials or confidential information. Restoration for compromised endpoints requires full re-imaging, which takes IT and end-users away from productive tasks for hours per event.
Beyond the operating system
McAfee and Intel have teamed up to defeat these attacks with hardware-enabled protection that operates between the CPU and the OS, protecting components that reside in physical memory. McAfee Deep Defender gains a trusted view of the drivers and other software as they operate and can detect and clean threats that load before, during, and after the OS.
Real-time memory and CPU monitoring
McAfee Deep Defender utilizes McAfee DeepSAFE® technology, a memory software layer executing in VMX-root mode, to provide real-time kernel memory and CPU event protection with minimal performance impact.
This low-level visibility allows McAfee Deep Defender to recognize evasive techniques employed by stealthy malware and gives administrators a real-time view of memory processes, enabling configurable block or deny actions. If a rootkit or stealth malware is active, McAfee DeepSAFE will catch the attempt to modify the kernel.
True zero-day protection
McAfee Deep Defender requires no prior knowledge of the rootkit to detect its existence. Instead, McAfee Deep Defender identifies its malicious behavior, providing true zero-day protection.
McAfee Deep Defender protects before a rootkit has a chance to conceal malware. Its kernel and memory protection includes:
- Preventing and logging write attempts to the system's interrupt descriptor table (IDT) and the system service dispatch table (SSDT)
- Stopping changes to the processor system transitioning table
- Preventing modifications to the direct kernel object manipulation (DKOM) list and threads
- Eliminating malicious attachments to kernel mode drivers
- Prohibiting malicious inline hooking to kernel code sections along with key device drivers
- Stopping malicious import address table (IAT) hooking in drivers
- Preventing malicious modifications to the kernel export address table (EAT)
- Stopping malicious I/O calls from device drivers
- Detecting malicious changes to drivers' dispatch routines
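The protections listed above amount to a write policy over a handful of kernel structures plus a baseline comparison of pointer tables. The following Python block is an added illustration, not McAfee or Intel code and not a description of how DeepSAFE is actually implemented: it simulates the decision a VMX-root monitor makes when it intercepts a kernel write (allow, or block and log) and a snapshot diff that flags table entries redirected out of their owning module. All addresses, module names (`unsigned.sys`, `disk.sys`), region layouts and events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed layout of guarded kernel structures: name -> (start, end), end exclusive.
# Addresses are illustrative; a real monitor derives them from the live module list.
PROTECTED_REGIONS: Dict[str, Tuple[int, int]] = {
    "IDT":               (0xFFFF_F800_0001_0000, 0xFFFF_F800_0001_1000),
    "SSDT":              (0xFFFF_F800_0002_0000, 0xFFFF_F800_0002_0800),
    "ntoskrnl.exe/EAT":  (0xFFFF_F800_0003_0000, 0xFFFF_F800_0003_4000),
    "disk.sys/IAT":      (0xFFFF_F880_0100_0000, 0xFFFF_F880_0100_0400),
    "disk.sys/dispatch": (0xFFFF_F880_0100_2000, 0xFFFF_F880_0100_20E0),
}

# Constructed allow-list: the module(s) permitted to write each region after boot.
TRUSTED_WRITERS: Dict[str, frozenset] = {
    "IDT":               frozenset({"ntoskrnl.exe"}),
    "SSDT":              frozenset({"ntoskrnl.exe"}),
    "ntoskrnl.exe/EAT":  frozenset(),                  # read-only once loaded
    "disk.sys/IAT":      frozenset({"ntoskrnl.exe"}),  # loader fixups only
    "disk.sys/dispatch": frozenset({"disk.sys"}),      # owner fills in its own table
}


@dataclass(frozen=True)
class WriteEvent:
    writer: str    # module owning the instruction that performed the write
    address: int   # target virtual address
    size: int      # bytes written


@dataclass(frozen=True)
class Verdict:
    action: str            # "allow" or "block"
    region: Optional[str]  # guarded structure that was hit, if any
    reason: str


def regions_touched(address: int, size: int) -> List[str]:
    """Every guarded region overlapped by [address, address + size).

    Overlap, not just the first byte, is tested so that a write that straddles
    a region boundary is still caught.
    """
    end = address + size
    return [name for name, (lo, hi) in PROTECTED_REGIONS.items()
            if address < hi and end > lo]


def classify_write(ev: WriteEvent) -> Verdict:
    """Policy: writes outside guarded regions pass; writes into a guarded
    region pass only when the writer is on that region's allow-list."""
    hits = regions_touched(ev.address, ev.size)
    if not hits:
        return Verdict("allow", None, "outside guarded regions")
    for region in hits:
        if ev.writer not in TRUSTED_WRITERS.get(region, frozenset()):
            return Verdict("block", region,
                           f"{ev.writer} is not a trusted writer of {region}")
    return Verdict("allow", hits[0], "trusted writer")


def detect_pointer_hooks(baseline: List[int], current: List[int],
                         module_ranges: Dict[str, Tuple[int, int]]
                         ) -> List[Tuple[int, int, Optional[str]]]:
    """Diff a snapshot of a pointer table (SSDT, IAT, dispatch routines)
    against its boot-time baseline.

    Returns (index, new_target, owning_module) for each changed entry; an
    owning module of None means the new target lies outside every known
    module image, the usual sign of a redirect into injected code.
    """
    findings = []
    for idx, (old, new) in enumerate(zip(baseline, current)):
        if old == new:
            continue
        owner = next((m for m, (lo, hi) in module_ranges.items() if lo <= new < hi), None)
        findings.append((idx, new, owner))
    return findings


def run_demo() -> List[Tuple[str, str, Optional[str]]]:
    """Feed a constructed event stream through the policy -> (writer, action, region)."""
    events = [
        WriteEvent("ntoskrnl.exe", 0xFFFF_F800_0002_0010, 8),  # kernel updating SSDT
        WriteEvent("unsigned.sys", 0xFFFF_F800_0002_0010, 8),  # third-party driver on SSDT
        WriteEvent("unsigned.sys", 0xFFFF_F800_0001_0FFC, 8),  # straddles end of IDT
        WriteEvent("unsigned.sys", 0xFFFF_F880_0200_0000, 8),  # ordinary pool memory
        WriteEvent("disk.sys",     0xFFFF_F880_0100_2000, 8),  # driver initialising itself
        WriteEvent("disk.sys",     0xFFFF_F800_0003_0000, 8),  # any write to kernel EAT
    ]
    out = []
    for e in events:
        v = classify_write(e)
        out.append((e.writer, v.action, v.region))
    return out


if __name__ == "__main__":
    for writer, action, region in run_demo():
        print(f"{action:5s} {writer:14s} {region}")
```

The overlap test in `regions_touched` is the part worth copying: a monitor that only checks the first byte of a write misses a multi-byte store that starts just below a guarded table, and `detect_pointer_hooks` attributes each changed entry to a module so that a legitimate pointer into the kernel image can be told apart from one landing in unbacked memory.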
Detects and deletes known and unknown threats, leveraging McAfee GTI
McAfee Deep Defender will report, block, quarantine, and remove known and unknown malware in the kernel. Your existing McAfee VirusScan® Enterprise anti-malware leverages the uncloaking capabilities of McAfee Deep Defender to cleanse the affected user-mode components completely.
For suspected or unknown malware, McAfee Deep Defender sends a fingerprint of the code to the McAfee GTI network to report and confirm its identity. The fingerprint of confirmed malware joins the McAfee GTI database to extend immediate protection to other McAfee GTI-enabled endpoints, including other endpoints at your site.
Centrally managed with McAfee ePO
McAfee Deep Defender lets you strengthen your existing protections without adding management or administration overhead. PCs and laptops running McAfee endpoint software today can deploy McAfee Deep Defender enterprise-wide on supported systems using existing McAfee ePO agents and management infrastructure.
The familiar McAfee ePO console makes it simple to develop policies for McAfee Deep Defender real-time memory actions. Once you have installed McAfee Deep Defender, your McAfee ePO dashboards and reports provide visibility into hidden threats.

Figure 1. McAfee Deep Defender gains a new vantage point on threats by utilizing the McAfee DeepSAFE technology that resides between the CPU and OS.
Start decloaking stealthy malware today
Defenses that only operate within the OS cannot detect or expose the advanced evasion techniques at the disposal of today's sophisticated cyber criminals. McAfee Deep Defender complements traditional endpoint security with vital, incremental protection against these threats.
Adoption is easy, since McAfee Deep Defender takes advantage of the centralized and convenient McAfee ePO management environment and enhances the protection offered by the McAfee VirusScan anti-malware engine and McAfee GTI network.
System Requirements:
These are minimum system requirements only. Actual requirements will vary depending on the nature of your environment.
- Supports Intel® Core™ i3, i5, and i7 processors
- Supports Windows 7 (32-bit and 64-bit)
- 2 GB RAM (32-bit) or 4 GB RAM (64-bit)
- Managed by McAfee ePolicy Orchestrator (ePO) 4.5 or higher
- Intel Virtualization Technology (VT) enabled in BIOS
- Internationalized and localized for deployment worldwide
- Tested for compatibility with the following McAfee products:
  - VirusScan Enterprise 8.7 or higher
  - Application Control 5.0
  - Endpoint Encryption for PC 5, 5.2.6, 5.2.9, and 6.1
  - Host Data Loss Prevention 9.0 or higher
  - Host Intrusion Prevention for Server 8.0 or higher
  - Network Access Control 3.2
Documentation:
Download the McAfee Deep Defender Datasheet (PDF).