Bytware Fights Advanced Security Threats with McAfee Update
October 29, 2013 Alex Woodie
Bytware has updated its IBM i malware detection software with the latest security technology from its business partner, McAfee. By adding the latest McAfee 5600 series engines to its StandGuard Anti-Virus offering, Bytware is giving IBM i shops the tools to detect the latest blended attacks, which combine several malware types (viruses, worms, Trojans, rootkits, spyware) with several attack vectors, and the advanced persistent threats built on them.
It's a well-known fact that Windows viruses and other assorted pieces of malware can reside in the IFS portion of an IBM i server. IBM i cannot execute Windows binaries, so the malware can't infect the IBM i OS directly, but the IFS is routinely shared to PCs over the network, so a single infected file sitting there can be served to, and infect, hundreds or thousands of PCs connected to the IBM i server.
Bytware and McAfee, at the urging of IBM and the influential Large User Group, addressed this issue about a decade ago when Bytware launched StandGuard Anti-Virus. The core of the product is a native IBM i port of McAfee's antivirus engine. The software works pretty much as it does on a Windows PC: it continuously updates its malware engine with the latest DAT signature files, it periodically scans the entire IFS against those DAT files (or scans individual files on access, when a user or a network client opens them), and it quarantines or removes infected files when they are detected.
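To make the three mechanisms in that paragraph concrete (DAT update, scheduled full scan, on-access check, with quarantine), here is an added Python example. It is not Bytware's or McAfee's code: a real engine pattern-matches and unpacks files, whereas this stand-in matches whole-file SHA-256 digests against a table, which is enough to show how the pieces fit and also why an engine needs updating. The "DAT" tables, the detection names and the file tree are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed, harmless byte strings standing in for malware bodies. The
# signature tables are derived from them; nothing here is real DAT content
# or a real detection name.
SAMPLE_WORM_BODY = b"CONSTRUCTED-SAMPLE-WORM-BODY-NOT-EXECUTABLE"
SAMPLE_TROJAN_BODY = b"CONSTRUCTED-SAMPLE-TROJAN-BODY-NOT-EXECUTABLE"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# "DAT" revision 1 knows only the worm; revision 2 adds the trojan. That is
# what a signature update buys: same engine, larger table.
DAT_V1: Dict[str, str] = {sha256_hex(SAMPLE_WORM_BODY): "Constructed/Worm.sample"}
DAT_V2: Dict[str, str] = dict(DAT_V1)
DAT_V2[sha256_hex(SAMPLE_TROJAN_BODY)] = "Constructed/Trojan.sample"


def scan_file(path: Path, signatures: Dict[str, str]) -> Optional[str]:
    """Hash one file in 64 KiB chunks and look the digest up in the table.
    None means 'no signature matched', which is not the same as 'clean'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return signatures.get(h.hexdigest())


def quarantine(path: Path, qdir: Path) -> Path:
    """Move an infected file out of the share and record where it came from."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    # Sidecar with the original location so a false positive can be restored.
    Path(str(dest) + ".origin").write_text(str(path))
    return dest


def scan_tree(root: Path, signatures: Dict[str, str], qdir: Path) -> Dict[str, object]:
    """Scheduled full scan: walk every regular file under root, quarantine hits."""
    scanned = 0
    infected: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip the quarantine directory, or every pass would re-detect and
        # re-move the files already quarantined.
        dirnames[:] = [d for d in dirnames
                       if (Path(dirpath) / d).resolve() != qdir.resolve()]
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue
            scanned += 1
            name = scan_file(p, signatures)
            if name is not None:
                quarantine(p, qdir)
                infected.append((p.relative_to(root).as_posix(), name))
    return {"scanned": scanned, "infected": sorted(infected)}


def on_access_allowed(path: Path, signatures: Dict[str, str]) -> bool:
    """On-access check: True if the file may be served, False if it is blocked."""
    return scan_file(path, signatures) is None


def demo() -> Dict[str, object]:
    """Build a constructed share, check a file on access with the old and new
    DAT, run a full scan with the old DAT, then rescan after the update."""
    root = Path(tempfile.mkdtemp(prefix="ifs-demo-"))
    try:
        qdir = root / "quarantine"
        (root / "home" / "alice").mkdir(parents=True)
        (root / "home" / "alice" / "report.doc").write_bytes(b"Quarterly numbers, clean file.")
        (root / "home" / "alice" / "report.doc.exe").write_bytes(SAMPLE_WORM_BODY)
        (root / "share").mkdir()
        trojan = root / "share" / "setup.exe"
        trojan.write_bytes(SAMPLE_TROJAN_BODY)

        missed_by_old_dat = on_access_allowed(trojan, DAT_V1)      # True: no signature yet
        blocked_by_new_dat = not on_access_allowed(trojan, DAT_V2)  # True after the update
        first = scan_tree(root, DAT_V1, qdir)    # catches the worm only
        second = scan_tree(root, DAT_V2, qdir)   # worm already gone; catches the trojan
        return {"missed_by_old_dat": missed_by_old_dat,
                "blocked_by_new_dat": blocked_by_new_dat,
                "first": first, "second": second}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The second scan is the point of the exercise: the trojan sits untouched through the first full scan and is served to any client that asks for it, because the old table has no entry for it. A whole-file hash also changes with a single flipped byte, which is why a production engine matches on code patterns and unpacks archives rather than hashing files, and why an engine that cannot parse a new container format has a blind spot no DAT update can close.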
While StandGuard Anti-Virus continues to provide a strong, commercially backed malware detection offering for IBM i shops, some holes have appeared in the protection mechanism. The problem is that signature-based scanning only catches what the engine and its DAT files know how to recognize, and the nature of malware evolves continuously.
Over the last few years, that evolution has progressed rapidly. The biggest risk now is from blended threats, in which cyber criminals use a combination of malware types (worms, rootkits, remote access Trojans), infection vectors (mass mailing, autorun files on removable media and network shares), and payloads (such as enrolling the victim in DDoS attacks) to compromise a target system. What's particularly alarming about these advanced persistent threats is the way they blend the OS-exploit techniques associated with attackers with the stealth capabilities of rootkits and backdoors.
McAfee launched its 5600 Scan Engine earlier this year specifically to address these blended and advanced persistent threats. To that end, McAfee beefed up the engine's parsing of Microsoft Office and Adobe PDF files, and also improved its handling of Multipurpose Internet Mail Extensions (MIME) content, the encoding used for e-mail attachments.
According to McAfee, the 5600 Scan Engine “contains the functionality necessary to inspect 32-bit and 64-bit program executables, Microsoft Office files, Adobe PDF and Flash, boot sectors, and other data structures that could conceal or be exploited by a piece of malicious code. Additionally, our scan engine has the ability to ‘see through’ the encryption used in compressed, archived, packed and protected files.” For more info, see McAfee’s 5600 Scan Engine brochure.
Bytware (owned by third-party IBM i software juggernaut Help/Systems) saw the potential of this growing threat earlier this year, when W32/Autorun.worm.aaeh was discovered hiding on multiple IBM i-based systems. According to Bytware, the worm was creating new files on the IFS, inserting malicious code into them, and giving them the same names as existing files; the look-alike files were then spread to PCs across the network. You can read more about the worm at www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456.
McAfee is ending support for older releases of its scanning engine. On Thursday, its 5400 series anti-malware engine will reach end of life (EOL), at which point the 5600 series engine will be the only supported engine, so shops still running the older engine will stop receiving DAT updates that work with it. Bytware is updating its IBM i scanning engine, as well as the StandGuard Anti-Virus engines it packages and sells for AIX, Lotus Domino, and x86 Linux systems. For more information on StandGuard Anti-Virus, see www.bytware.com.