McAfee Taps Intel Technology To Gear Up For Rootkit Battle

to re-think how security functions

McAfee's new Deep Defender product uses hardware-assisted security to detect nearly all types of kernel malware, including rootkits, McAfee co-president Todd Gebhart said in a keynote at the opening of McAfee Focus in Las Vegas. This is important because attackers have become quite good at covering their tracks when it comes to getting malware on unsuspecting users' machines."The bad guys are getting smarter at hiding malware," Gebhart told Focus attendees.

Deep Defender can detect interactions between kernel level malware and the command-and-control mechanisms used by malware authors, and this allows McAfee to block an entire range of stealthy threats, according to Gebhart.

Deep Defender is the first product release since the Intel acquired McAfee for $7.68 billion in August 2010 and said it intended to develop hardware-assisted security products.

The idea behind DeepSafe is to create an architectural layer between the silicon and the software stack that provides a direct view of the system resources that malware attacks. The advantages of this approach is that DeepSafe can see the entire system in a way that hasn’t been possible in the past, Gebhart said.

Security applications have been located above the operating system since the beginning of the industry, but threats are evolving and cybercriminals are working harder to find ways of getting malware underneath the OS. Advanced Persistent Threats are one example of malware that tries many different routes into the OS, Gebhart said.

The hardware assisted approach might be new to security but it's not new to Intel, which has done the same thing in virtualization, noted Gebhart. "We see security following the same path as virtualization, first dropping below the OS and leveraging hardware assisted features to accelerate the entire process," he said.

McAfee also unveiled ePO Deep Command, which combines the vendor's ePolicy Orchestrator management tool with Intel's Active Management Technology (AMT). AMT is built into Intel's Core i5 vPro and Intel Core i7 vPro processors, and ePO Deep Command allows administrators to remotely access machines even when they're powered off.

"You can reach out to any endpoint, regardless of its power state, and patch, update and scan it," Gebhart said. "It allows you to power down systems as required and provide customers with significant energy savings, and it's a new way to manage security and manage recovery at the endpoint."

McAfee plans to launch Deep Defender in the first quarter of next year, and ePO Deep Command will be available in the fourth quarter. McAfee isn't yet talking about what either product will cost.