McAfee's Deep Defender is a very unusual antimalware product designed to protect endpoints against unknown rootkits – which are arguably the most dangerous and difficult-to-detect malware in existence.
Deep Defender leverages McAfee's DeepSafe technology, which has been designed to tackle a fundamental weakness of conventional anti-virus products: Anti-virus software typically relies on the operating system that it runs on to provide it with information and services – but if malware subverts the operating system, then the information and services the anti-virus software receives may become corrupted.
This problem is particularly acute when it comes to detecting rootkits, because they can install themselves in the kernel of an operating system and then "unlink " themselves from the file system . This allows them to become invisible to tools such as anti-virus scanners that run within the operating system.
DeepSafe Technology Explained
DeepSafe technology gets around this dependency on a healthy operating system by running beneath the operating system, directly on the processor – similar to the way in which some virtualization hypervisors run on "bare metal", with guest operating systems running on top of them.
DeepSafe technology is actually very similar to virtualization technology, and DeepSafe runs as a VMX root application, using an Intel processor mode which is intended for running hypervisors. McAfee was acquired by Intel in 2010, and DeepSafe only runs on Intel processors that feature the VTx virtualization hardware extensions. This includes all Intel Core i3, i5, and i7 processors, which are part of what Intel calls its vPro platform.
When DeepSafe is installed on a computer with a vPro processor and the system is rebooted, DeepSafe loads as the very first boot driver, before any rootkits have a chance to load. The operating system then loads on top of it. The idea is that DeepSafe can then look into the operating system from the outside to spot malware, rather than traditional anti-virus software which sits inside the operating system and may only start after a rootkit or other malware has taken control of it. DeepSafe's job is simply to monitor the loading of the operating system and block any kernel modifications a rootkit may try to carry out as it attempts to install itself.
Jason Brown, a solutions architect at McAfee, says that DeepSafe is designed to ensure that it is the first boot driver to load (before any rootkits) in a number of ways, but like any security measure it can't guarantee an endpoint won't get infected. "Can DeepSafe be subverted? Nothing is 100 percent foolproof, but we are raising the bar," he said. "It is certainly much harder to subvert than an operating system."
Deep Defender protection mechanisms
Deep Defender (and DeepSafe technology, which is bundled with it) can be installed manually using a standalone installation package, but in most organizations it will be installed from McAfee's ePolicy Orchestrator (ePO) management system. When the installation process is started, existing drivers are scanned using digital signatures and information from McAfee's Global Threat Intelligence network – a process that can take several minutes. Once this has been completed, the system reboots to enable DeepSafe technology to become active at the start of the boot process. Once the operating system has loaded, Deep Defender also loads just like any other user mode application.
Deep Defender offers four different types of protection:
- Lightweight rules (LWRs)
- Heavyweight rules (HWRs)
- Triggered rescans
- Watch scans
LWRs: These are a system of behavioral protection. As drivers begin to load when the operating system boots, these rules attempt to determine if any of the drivers' activity is suspicious (such as writing to a CPU register or writing to memory). This is the only protection available during the boot process.
HWRs: Once the system has booted and Deep Defender is up and running in user mode, its HWRs come in to play. Whereas LWRs can detect a malicious driver and block it from loading, HWRs uses behavioral techniques to discover other components of the malware that the malicious driver was a part of – and attempts to remove them all.
Triggered rescan: This is a type of traditional signature-based antivirus scan that Deep Defender uses after HWRs detect a rootkit from a known rootkit family. If the rootkit family is known to infect the memory of particular processes, HWRs can launch a triggered scan of those processes.
Watch scan: This protection scans drivers when they are written to disk or registered, and classifies them as trusted, unknown, or bad. The purpose of this is to whitelist known good drivers (for example video drivers) using signature recognition or high reputation scores from McAfee's Global Threat Intelligence network, and make this classification known to LWRs and HWRs so that the drivers are not blocked or removed if they detect behavior that they interpret as suspicions.
Upside: Configurable, Low-Impact Protection
Configurable false positive rates. Most organizations find false positives to be just as undesirable as real infections. Since LWRs and HWRs are behavioral techniques that attempt to identify malicious activity, they can never be 100 percent accurate and are therefore particularly susceptible to flagging false positives. To get around this problem, Deep Defender's behavior engine classifies detections with false positive probabilities of low, medium, or high. Administrators can use the McAfee ePolicy Orchestrator (ePO) management system to configure actions for each of these levels – either ignore, log only, block, or remove. For example, detections with a high false positive probability classification can be logged only, while others can be blocked or removed completely.
Administrators can also manually add drivers to the whitelist to ensure they do not result in false positive detections. (The whitelisting only applies to behavioral protection – so if a triggered or watch scan matches a whitelisted driver to a signature, then the whitelisting will be overruled.)
Minimal impact on end users. Since Deep Defender is configured and managed from ePO, Deep Defender does not have a user interface like conventional anti-virus products and user interaction is not required. Administrators can choose to configure a tray icon to be displayed on the client machine to show that the product is running, and can configure whether alert messages should be displayed to users or whether the product's activities should be invisible to end users. Running the product has minimal effect on performance, the company claims.
Downside: Point Product with Steep Requirements
Not integrated with McAfee Endpoint Protection. Deep Defender inevitably increases the burden on security staff – as the software has to be purchased, installed, and managed separately from McAfee's other security products such as endpoint protection.
McAfee wants to keep its security software modular, according to Brown: DeepSafe only works on systems with compatible Intel processors, and therefore Deep Defender has been kept separate from the company's Endpoint Protection product so that it can be installed on systems that support it without bloating Endpoint Protection unnecessarily for systems that can't.
Limited client operating system and hardware support. Deep Defender is limited to running on Windows 7 (32 or 64 bit) endpoints with Intel processors that feature the VTx virtualization hardware extensions (such as Core i3, i5, and i7).
Bottom Line: Unique Protection, At a Price
Is this type of "beneath-the-OS" approach to malware prevention effective? Peter Stelzhammer of AV-Comparatives, says he believes in the approach. "Most vendors' AV engines start up very late in the boot process. That means that by the time they are up and running it is already too late to detect rootkits," he said. "DeepSafe starts very early, and that means that it is probably the only sort of technology that can guard you against rootkits."
Peter Firstbrook, an analyst at Gartner, agrees that McAfee's approach is effective, but says that there are other ways to monitor system changes to detect rootkits.
"Deep Defender has value because it can monitor your system in real time and watch as the operating system loads," Firstbrook says. "But there are other methods of doing that, by comparing disk images to detect changes. McAfee's way works better, but the cost is high because you are locked in to using Intel's chips," he added.
And that, Firstbrook suggests, is the real point of DeepSafe technology. "There's no question that Intel's motivation is to sell more chips," he said. "All the vendors could write to vPro, and Intel would like them to, but the fact is that none of them do. If DeepSafe technology was so great they would all be doing it." He says that Symantec looked at exploiting vPro in the past, but decided that there were cheaper ways of offering similar protection. "That's why Intel had to buy McAfee," according to Firstbrook.
That said, Firstbrook acknowledges that Deep Defender does offer something that no other vendor can currently offer. "If you are really security conscious then by all means buy this, but otherwise my advice is to stick with your existing vendor," he concluded.
- Endpoint with Intel Core i3, i5, or i7 processor
- Windows 7 (32-bit and 64-bit)
- Intel Virtualization Technology (VT) enabled in BIOS
- 2 GB RAM (32-bit) or 4 GB RAM (64-bit)
- McAfee ePolicy Orchestrator (ePO) 4.5 or higher for management
- Available upon request from McAfee.
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.