In association with heise online

heise Security UK: So that's where you are right now. What's in the pipeline?

Alex Eckelberry: Let me tell you about this, this is cool, this is something I get really excited about. So we built this DT technology, now of course this is all CPU emulation so, sure, we can pick up stuff when it goes on at the CPU level, but at some point the program says "okay, where's Windows, I want to do something". So the next step is to build Windows virtualisation on top of this. Now this was really hard work. We've built Windows in about 400k of RAM; we've built a Windows emulator, we've got the file system, we've got the registry, we've got USB drives and we've got an internet connection.

hS: Is this a hardware VT?

AE: No, it's not, it runs on top of our emulator. It's a virtual machine, to answer your question directly. So that application now runs, now it says "I want to write, I want to go out to some IP address, I want to pull down bad.exe", so we say "ok, no problem, here's your internet connection", the guy gets the internet connection, "oh good, here I am, ok, I want that bad.exe", we say "ok, here it is", but it's just a fake file. The application gets the bad.exe and says "cool, I want to put this in the windows32 directory", so it goes to the file system, puts it in the windows32 directory, we say "no problem, here's your windows32 directory". We create everything as the application needs it.

hS: Is that an image of a clean system as emulated, or is it based on the installed copy of Windows?

AE: It's a created copy of Windows, complete with BIOS, even the bugs are created, I'm not kidding, we actually had to create the bugs, but it's highly optimised and it sits in about 400k of RAM. A basic registry emulator, a basic file system, all the basic APIs. We're not running Windows, we're just running what's needed, bare components, because otherwise your performance goes to hell.

hS: My first reaction is "that's another thing for the malware to detect".

AE: Yes, it is. There's only so much we can do. This advance is as far as the state of the art is capable of going right now. You're absolutely right, somebody could detect us, and we have people detecting us right now. We have people looking for, not necessarily our emulator, but we have another product called the CW Sandbox, which we actually license to everybody, and we have people writing stuff to detect it, and when we see it, we have to modify the sandbox. The technology is called MX virtualisation, or MX-V. I've written some more about MX-V in my blog.

hS: Is CW Sandbox related to this virtual machine?

AE: CW Sandbox is totally separate. It is a real copy of Windows, whereas this is all created from scratch. And CW Sandbox has an infrastructure built around it for extremely high-quality analysis of massive amounts of malware: ties to a back-end SQL database, etc. It's really a tool designed for professional malware analysis by banks, security teams, other security vendors. With MX-V, we can use it to analyse malware, and we have a malware analysis tool.

hS: How does this compare with Norman's virtualisation?

AE: Norman's is a sandboxing technology – they sell to other companies for malware analysis. It does not use Dynamic Translation, so it is not at a performance level for real-time use in a scanner.

hS: When are we going to see this in the field?

AE: Feb 15 to the 20th. People will just notice a 50-60MB definition update come down, it'll happen automatically. It'll be a big one, but it's all the new DLLs, everything for all this new technology, so that's one thing, but this DT is only part of VIPRE. We do all the other stuff that the other guys do: we do signature analysis, heuristics, pattern and DNA type of matching stuff, where we look for patterns of function calls inside the application.

I don't buy those companies that are doing all new things, "oh, we're doing it all, we're doing malware profiling". I don't see the detections, they don't get a broad enough range of detections. You need to have the classic AV technology as your baseline, you really do, you don't want to throw the baby out with the bathwater.

hS: You don't fill in the moat because you've got boiling oil to tip from the ramparts.

AE: Right. You still should keep the moat in place, and so I think we don't completely. We're not disdainful of the old AV technology, because actually some of the stuff is extremely good, but we take that and we add additional things to it. We just took an approach that everything was from scratch. I mean, every single line of code in VIPRE is brand new, it's brand new code, it's new, within the last year and a half to two years, there's nothing old in this thing.

Next: Windows 7 and Morro

Permalink: http://h-online.com/-746223