CPU hardware anti-rootkit protection was mentioned by me some years ago as I always felt that root level kernel protection (hardware layer) would be the significant protection layer for deeper analysis, detection and remediation of any given system. Intel’s acquisition of McAfee last year (check out “Patmos”) indicated to me that it wouldn’t be long before they developed this deeper level of anti-rootkit protection for the Intel VTx technology platform. It has duly arrived, which leaves today’s AV software feeling just a little outdated and possibly threatened by this development.
McAfee/Intel announced this week (September 13th) that they will be incorporating McAfee DeepSAFE technology close to the Intel chipset and out of reach of the operating system. Unlike anything before it, DeepSAFE will provide a direct view of the system memory and processor activity, allowing McAfee security products to monitor the PC stack to better detect and remediate rootkits in real-time. As all of us know, rootkits embed themselves beyond the operating system, so it’s no surprise to see McAfee is feeling rather happy to announce this new technology.
The ability to block advanced persistent threats (APTs) and stealthy rootkits (i.e. TDSS/TDL-4, SpyEye, Stuxnet, NTRootkit to name a few) in real-time and in kernel mode by using the CPU to monitor event monitoring is a major technology advance.
Safe surfing folks!