Symantec ‘Disarms’ Files To Block Targeted Attacks

Robert Lemos,
gun disarm neutralise © Micha Klootwijk Shutterstock

The new ‘Disarm’ feature in Symantec’s messaging security software is a new tactic for dealing with highly targeted attacks that use infected files

Antivirus software does quite well against opportunistic attacks sent out to a massive number of people in hopes of getting some small fraction to click on a link or open a file. But attacks targeting just a few people, or even a single person, are much harder to detect.

Security firm Symantec aims to tackle this problem, announcing last week it will add a new feature to its messaging security software that will create clean versions of any file sent to a company’s employees.

File sanitisation

In addition to attempting to detect malicious files, the company’s email gateway software will clone any Microsoft Office or Adobe PDF file – two formats commonly used by attackers to deliver malicious code – creating a copy that has been cleansed of any potential scripts and malware. The approach, which the company calls Disarm, will sanitise the files, rather than attempt to detect whether they will do something bad, said Kevin Haley, director of Symantec’s security response group.

Security © m00osfoto Shutterstock 2012“We don’t have to sit there and decide whether is it a targeted attack or not, is there an exploit in there or not,” Haley said. “We are just going to make sure that every document has been cleaned, so there is no chance of one of these things getting through.”

Targeted attacks, also known as advanced persistent threats (APTs), typically use email messages specifically crafted to persuade the target to click on the malicious link or open the attachment.

Because the messages appear to come from a recogniseable contact or colleague, targeted employees are more likely to fall for the fraud. Known as spearphishing, the technique has led to the compromise of many major companies, including security firm RSA, the New York Times, and numerous other companies, government agencies and nonprofit organisations.

Tailored attacks

Since attackers have access to the types of antivirus software used by their victims, they can tailor attacks to evade the defenses. Sanitising the files allows Symantec to make the files safe. To test the approach, Symantec processed every targeted attack that the company recovered in the past year and found that 98 percent were blocked by Disarm.

“These are attacks that were entirely unknown and would therefore have likely evaded all traditional scanners, heuristics, emulators and even Virtual Execution (VX) solutions,” Symantec said in a blog post about the new technology.

Sanitising files is not necessarily a new approach. A variety of scripts exist on the Internet to pull out personal information from documents, a simplified version of what Symantec has done. And companies have had the ability in the past to create a policy to block all scripts from running in Office documents.

Yet, the technique is promising as a way to prevent malicious software from running on corporate systems.

“It is a simple solution, but a very powerful one,” Haley said.

Are you a security pro? Try our quiz!

Originally published on eWeek.