Threats can be tricky and dangerous, executing in multiple stages with multiple payloads, changing behavior on the fly, launching automatically, and spreading quickly. To keep up, your protections must be intelligent, automated, and just as dangerous to attack components.

Our signatures are created based on the content of traffic and files, engineered to focus on how each threat operates, and automatically updated when new threats are identified. By delivering protections designed to look at the nuts and bolts of each threat, we can accurately identify them and prevent a broader number, to effectively defend customer organizations.

Payload-Based Signatures

Signatures based on hash match on a file’s fixed encoding. Because a file hash is very easily changed, hash-based signatures aren’t effective at detecting polymorphic malware or variants of the same file. Using hash-based signatures is like determining whether the contents of a box have spoiled based only on the box design, instead of looking at what’s inside.

Malware signatures based instead on payload can detect patterns in the body of the file, including payload characteristics, which act as reference points; so, if a malware file has been modified resulting in a new hash, our signature is still able to identify the payload and block the file.

Vulnerability-based Signatures

Exploits are traffic specially crafted to take advantage of vulnerabilities, or weaknesses, within software. There are multiple ways to exploit a single vulnerability, and, once a zero-day exploit is discovered, it’s not long before variations of that new exploit start to show up in the wild.

By designing our IPS signatures to focus on the targeted vulnerability, we’re able to identify both the application and the type of vulnerability targeted, and prevent multiple exploits with a single signature, blocking the exploitive traffic before it’s able to take advantage of your network.  

Communication-based Signatures

Command and control (CnC) channels primarily leverage HTTP and DNS to establish a communication link with attackers, through which they can control the host’s actions or exfiltrate data. Blocking these channels involves more than simply analyzing the reputation of the target IP address or domain.

Our CnC protections identify the reputation, type, and behavior of the communication channel to accurately determine its purpose and block those connections that are used to propagate threats. Because it’s relatively easy for attackers to establish new CnC channels, we constantly update these protections through WildFire.

Highly Effective Protection

Because they hone in on the payload, our malware signatures are capable of preventing multiple malware variations and exploits, including variations that haven’t yet been seen in the wild. Our malware protection is so effective that we’ve seen a single signature block more than 300,000 malware variations!

What this also means is that our customers require fewer signatures to prevent a greater amount of malware and exploits, decreasing the latency inherent in other stream-based prevention products.