SonicWall Inc. has parted the curtains on a previously secret real-time threat detection technology that’s been running for months in its Capture Cloud threat intelligence service.
Called SonicWall Capture Cloud Real-Time Deep Memory Inspection (RTDMI), the new system has quietly helped Milpitas, Calif.-based SonicWall identify hundreds of malware variants invisible to conventional sandboxing systems.
The new technology also offers protection against Meltdown, the vulnerability in Intel x86 processors and some ARM-based CPUs first exposed by Google’s Project Zero security team last month, according to SonicWall CTO John Gmuender.
“SonicWall currently expects the RTDMI technology to be effective against future exploits that are based on the Meltdown vulnerability,” Gmuender said in emailed remarks to ChannelPro.
Malware writers have developed a variety of ways to conceal malicious payloads from today’s increasingly sophisticated security defenses, including custom encryption schemes. Those techniques often expose a virus’s most dangerous weapons too briefly for most detection systems to analyze, and are smart enough in some cases to hide those weapons entirely when run inside a sandbox.
According to Gmuender, however, RTDMI’s patent-pending technology compels malware that exhibits no malicious behavior to unveil its concealed weaponry, even if that code is encrypted and visible only for intervals of less than 100 nanoseconds.
“RTDMI controls the execution of the malware, and forces the malware to execute the code paths that reveal its malicious nature,” he says.
The result, according to SonicWall, is proactive, real-time protection against zero-day exploits and previously unknown threats.
Gmuender contrasts RTDMI with endpoint detection and response (EDR) products from vendors like SentinelOne, of Mountain View, Calif. Those systems, he says, rely on agents running directly on protected endpoints. RTDMI, on the other hand, intercepts malware before EDR systems even have a chance to assess it.
“Potentially malicious content is executed by the RTDMI engine technology within the SonicWall Capture Cloud, and the solution blocks that content from reaching clients and servers until a verdict is rendered, thus preventing malicious payloads from reaching endpoints,” Gmuender says.
SonicWall’s entire family of firewalls, wireless network security systems, email security solutions, and other offerings draws on Capture Cloud threat intelligence, and by extension on RTDMI.
The new technology was developed by researchers and engineers in SonicWall’s Capture Labs unit, who have been working on it since 2016. It is one of several threat detection engines used by Capture Cloud.
Gmuender declines to specify whether RTDMI will protect against Spectre, a second critical vulnerability exposed last month by Google researchers that affects chips from Intel, AMD, and ARM. Experts generally consider Spectre a bigger threat, and a harder one to block, than Meltdown.
“SonicWall’s Capture Labs threat researchers are actively analyzing various Spectre vulnerabilities,” Gmuender says.