A Wide Eyed View of Real Time Malware Detection and Remediation

The last several weeks have been full of opportunities to show the Triumfant product to prospects in a variety of markets. When we do a deep technical dive, our CTO and founder Dave Hooks often comes along to do the demonstrations during which I get the opportunity to watch the people at the table to see what gets their attention. Lately I have been seeing some interesting body language: eyes get larger, blink rates increase, people lean across the table open mouthed. Permit me to tell you what prompts these behaviors.

For background, Dave runs two virtual images on his machine – one for the victim endpoint machine and one for the Triumfant server. He starts on the victim machine and executes a piece of malware (or a “critter” as he likes to call them) he collects directly from the Web. Dave will walk the audience through the steps of how Triumfant does its job from the agent recognizing suspicious behavior on the endpoint machine, through the analysis of the detected changes on the Triumfant server, to the creation of the remediation and ultimately the remediation on the endpoint machine – all without human intervention. The audience can see how Triumfant goes through the stages of the detection, analysis and remediation, and actually view each of the granular level changes that it detected. Within minutes the administrator console shows the full analysis of the problem and the synthesized remediation, which can be executed through the click of a button. Dave will start the remediation and return to the endpoint image so the audience can visually see the machine remediated without the user’s intervention, without restarting and without the need to re-image.

In the first part of the demo, Dave uses malware that Triumfant has never seen to show the ability of the product to see malicious attacks for which there is no signature. The audience gets hooked early as Triumfant immediately detects the attack, and their interest ratchets up quickly when he shows the depth of the analysis returned by Triumfant and its ability to see the entire breadth of the attack on the endpoint machine. Seeing the analysis makes the connection that Triumfant is uniquely capable of building a remediation on the fly: if it sees all of the changes, it can fix those changes. Once he shows the created remediation, the wheels really start to turn, and the more experienced folks are clearly connecting the practical dots of what they are seeing and how it can plug myriad gaps in their endpoint protection.

In the second part of the demo, Dave executes a rootkit which quickly burrows into his machine and, as rootkits will do, promptly cloaks itself. Triumfant sees the changes made to the system, begins the analysis and sends the results to the console, noting all of the registry keys that were changed, the files that were installed, and the executable itself. Triumfant builds the required remediation and because it divides the entire remediation into subgroups, Dave takes the opportunity to show off a bit. Instead of killing the entire rootkit and all of the collateral damage at once, Dave executes the part of the remediation that uncloaks the rootkit. Dave switches back to the victim machine so the audience can actually see the rootkit appear in Task Manager in real time as Triumfant uncloaks it. That is when I know to look at the audience, because that is when the eyes get the largest.
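The two demo stages above rest on one idea: snapshot the endpoint, diff it against a known-good baseline, and synthesize the remediation by inverting every detected change, grouped so that parts of it (such as the uncloaking step) can be applied on their own. The following is an added illustration of that change-based pipeline and is not Triumfant's code; the state model, the artifact names (`EXAMPLE_rk.sys`, `EXAMPLE_rk.exe`), the hashes and the "hook" entry that stands in for the rootkit's cloaking are all constructed for the example.

```python
"""Change-based detection and remediation sketch (added example, not Triumfant's code).

An endpoint is modelled as a flat map of artifact -> value. The key prefix
names the artifact class: file, reg (registry), proc (process) or hook (a
constructed stand-in for whatever a rootkit patches to hide its process).
"""
from typing import Dict, List, Optional, Set, Tuple
from dataclasses import dataclass

# Constructed known-good baseline of the victim machine.
BASELINE: Dict[str, str] = {
    "file:C:\\Windows\\System32\\drivers\\legit.sys": "sha256:PLACEHOLDER_A",
    "reg:HKLM\\SYSTEM\\CurrentControlSet\\Services\\legit": "Start=2",
    "proc:explorer.exe": "running",
}

# Constructed post-infection snapshot: a driver, a service key, a process
# and a cloaking hook were added. Names and hashes are placeholders.
OBSERVED: Dict[str, str] = dict(BASELINE)
OBSERVED.update({
    "file:C:\\Windows\\System32\\drivers\\EXAMPLE_rk.sys": "sha256:PLACEHOLDER_B",
    "reg:HKLM\\SYSTEM\\CurrentControlSet\\Services\\EXAMPLE_rk": "Start=1",
    "proc:EXAMPLE_rk.exe": "running",
    "hook:process-listing": "hide:EXAMPLE_rk.exe",
})


@dataclass(frozen=True)
class Change:
    kind: str              # "added", "removed" or "modified"
    artifact: str          # key in the state map
    before: Optional[str]  # baseline value (None if added)
    after: Optional[str]   # observed value (None if removed)


def detect_changes(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Change]:
    """Detection: every artifact whose value differs between the two snapshots."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        b, o = baseline.get(key), observed.get(key)
        if b == o:
            continue
        kind = "added" if b is None else "removed" if o is None else "modified"
        changes.append(Change(kind, key, b, o))
    return changes


Action = Tuple[str, str, Optional[str]]  # (verb, artifact, value to restore)


def synthesize_remediation(changes: List[Change]) -> Dict[str, List[Action]]:
    """Analysis: invert each change into an action, grouped by artifact class
    so subgroups (e.g. just the 'hook' group) can be applied separately."""
    groups: Dict[str, List[Action]] = {}
    for c in changes:
        cls = c.artifact.split(":", 1)[0]
        if c.kind == "added":
            action: Action = ("delete", c.artifact, None)
        else:  # removed or modified: put the baseline value back
            action = ("restore", c.artifact, c.before)
        groups.setdefault(cls, []).append(action)
    return groups


def apply_group(state: Dict[str, str], groups: Dict[str, List[Action]], cls: str) -> Dict[str, str]:
    """Remediation: apply one subgroup and return the resulting state."""
    new_state = dict(state)
    for verb, artifact, value in groups.get(cls, []):
        if verb == "delete":
            new_state.pop(artifact, None)
        else:
            new_state[artifact] = value  # type: ignore[assignment]
    return new_state


def apply_all(state: Dict[str, str], groups: Dict[str, List[Action]]) -> Dict[str, str]:
    """Apply every subgroup; the result should equal the baseline."""
    for cls in groups:
        state = apply_group(state, groups, cls)
    return state


def visible_processes(state: Dict[str, str]) -> Set[str]:
    """What a Task Manager style listing would show: running processes minus
    any that a 'hook' entry hides. Removing the hook uncloaks the process."""
    hidden = {v.split(":", 1)[1] for k, v in state.items()
              if k.startswith("hook:") and v.startswith("hide:")}
    return {k.split(":", 1)[1] for k in state if k.startswith("proc:")} - hidden


if __name__ == "__main__":
    changes = detect_changes(BASELINE, OBSERVED)
    plan = synthesize_remediation(changes)
    print("visible before:", visible_processes(OBSERVED))
    uncloaked = apply_group(OBSERVED, plan, "hook")      # the 'uncloak' step of the demo
    print("visible after uncloak:", visible_processes(uncloaked))
    print("baseline restored:", apply_all(OBSERVED, plan) == BASELINE)
```

Run as a script, the listing shows only `explorer.exe` before remediation, shows `EXAMPLE_rk.exe` once the hook subgroup alone has been applied, and reports the baseline restored after the remaining subgroups run. In a real product the state model, the hooks and the application of actions are far richer than this; the point is that a remediation derived from the full set of observed changes needs no prior signature for the sample.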

With a product like Triumfant that really is quite different from any other product on the market, things like Word, PowerPoint, and Web pages do not do it justice. The demo is really where you can fully grasp the depth of what it is doing and how it can detect and remediate an attack in three minutes. Dave’s “Three Minute Malware Challenge” demo he did at RSA has been captured on video and is available on YouTube so I invite you to see for yourself. Of course, you can always contact me at Triumfant and I will be happy to set up your own demonstration so you can get some of that wide eyed feeling for yourself.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
