ZombieZERO EDR for APT

APT & Ransomware detection / block / treatment solution on Endpoint

ZombieZERO EDR for APT Introduction

EDR (Endpoint Detection & Response) is a system that detects and responds to new and variant malware based on its behavior on the endpoint.

ZombieZERO EDR for APT is a solution that detects, blocks and treats unknown and new malware, including Zero-Day attacks, and responds in real time to threats that bypass and infiltrate the network. It requires no signature patterns, because it applies a behavior-based engine to the endpoints.

It identifies and compares behaviors at the various attack steps (initial attack → malware activity → endpoint manipulation) to detect multi-step and mixed attacks. ZombieZERO Manager enables centralized management.

※ ‘EDR for APT’ can be operated together with ‘ZombieZERO Network Inspector’ (HW or Cloud type).

Key Features

> Behavior-based malware detection

  • Detects potential and unknown malware that an existing anti-virus engine cannot detect.
  • Detects malware based on behavior rather than signatures, so it blocks even unknown malware and responds to Zero-Day threats and malware that bypasses the network.
  • Blocks illegal behavior (DDoS attacks, information exfiltration, etc.) through the behavior-based engine on the endpoint.
  • Unlike other products, which can block only by interworking with network equipment, it can operate independently thanks to its patented behavior-based engine.

> Information exfiltration detection and block

  • Separates user behavior from process behavior, so that information exfiltration and illegal traffic generated by malware, rather than by the user, is detected.
  • Detects reverse sessions to block a hacker's commands to a zombie PC.
  • Detects PC monitoring tools that watch the user’s PC screen in real time over the network.
  • Detects file transfer via web mail or messenger.

> System stability and interworking

  • Installed at the I/O driver level to prevent conflicts with other programs, so it is stable and minimizes the PC’s resource usage.
  • Supports interworking with existing network equipment to increase security and reduce installation cost.
  • Responds to malware attacks that exploit vulnerabilities in major programs such as document editors (MS Office, Adobe Reader), web browsers (IE, Firefox, Chrome), various media players, messengers, etc.

> Execution Holding

  • Files delivered over encrypted (SSL) communication are transmitted to the Inspector and analyzed thanks to the holding function.
  • Analyzes all downloaded files and executes only those found to be safe.
  • Users can view the analysis/block status of held files through the holding function.

> Whitelist

  • Whitelist policy-based file execution control.
  • Policies optimized for your organization.
  • Detects abnormal behavior such as process hiding, memory tampering, peeking, reverse access, abnormal traffic, abnormal user behavior and file transfer.

> Inefficient existing security tools with large security faults

  • Traditional signature-based security tools, such as IPS, firewalls and gateways, do not provide adequate cyber security.
  • They depend on binary signatures and a decades-old reputation approach that separates friend from enemy. Newer malware developers create unique binaries, constantly change IP addresses, and compromise legitimate URLs to get past traditional security tools.
  • 70-90% of malware consists of unknown and new attacks.
  • Inefficient operations that increase operating cost: traditional tools send thousands of alerts without enough context to prioritize and scope them. Organizations waste more time and money tracking trivial warnings and false positives.
  • Restricted and disconnected tools that cannot detect complex attacks: traditional security tools do not integrate properly. Mixed attacks using multiple methods cannot be detected, even when the tools work as planned.
  • An attacker will always find the faults in the next step of defense technology. Defense technology must evolve as well to maintain security.

> List of major malware (APT) detected by behavior-based technology

  • Backdoor : Opens a port so that a hacker can access the PC at any time.
  • Ransomware : Encrypts all image and document files on a PC, restricts access, and demands money in exchange for decryption.
  • Downloader : Downloads and executes a file without the user's knowledge when a website is visited or a document is opened.
  • Keylogger : Hooks and stores all keyboard events from the user’s typing and sends them to the hacker's server.
  • Bootkit : Corrupts the disk by damaging the MBR (Master Boot Record) area of the PC to disable OS booting.
  • Exploit : Executes a malicious program using a vulnerability in software (IE, MS Office, PDF viewer, etc.).
  • System tampering : Tampers with sensitive files such as the PC’s Registry or hosts file for malicious purposes.

> Difference with Anti-Virus software and ZombieZERO Series

  • Anti-Virus software : Detects/analyzes/treats by pattern; responds only after an unknown malware’s attack and damage (Zero-Day). Unable to detect/block unknown malware.
  • ZombieZERO : Real-time detection/analysis/treatment of unknown malware’s attacks based on pattern and behavior.

ZombieZERO EDR for APT system block diagram

ZombieZERO EDR for APT Specifications

Supported OS: Windows XP ~ 10 (32/64-bit)