Trusted Application Protection

With the release of Avecto Defendpoint v5.0, we have not only made implementation faster and easier with our Quick Start policy but also increased the security of our customer's endpoints as well. This security boost comes in the form of Trusted Application Protection (TAP), a new feature designed to neuter the common attack techniques that plague organisations today.

Organisations are increasingly being attacked by cyber threats targeting their corporate installed & trusted applications. Our research has shown that the most common malware delivery mechanisms are malicious documents and links sent in phishing emails. The recent McAfee Labs report reflects this, showing how attackers are turning to script based malware in Office documents and PowerShell to conduct file-less attacks and evade detection.

To understand how TAP works, it is important to understand common attack patterns. The Avecto labs have analyzed the behavior of thousands of malware samples and identified the common attack patterns across hundreds of malware variants. These patterns generally involve a trusted application either executing malware directly as a new child process or executing a script using built-in tools such as PowerShell.

Common attack chain - Malicious content is sent via phishing email to exploit a trusted application, malware is downloaded and launched as a new child process.

Another finding from our research was that regardless of the initial vector, malware will introduce a binary payload (exe or DLL) as part of the infection, as confirmed by McAfee in their latest report. This means that, by controlling the child processes and DLLs that can be loaded by a trusted application, we can prevent the common malware attack chains and protect the endpoint.

Avecto Defendpoint v5.0 with TAP provides an out of the box config to protect trusted applications such as Word, PowerPoint, Excel, Adobe Reader and the common web browsers by controlling their child processes and DLLs. This prevents these high-risk applications from being used to launch malware payloads, load malicious DLLs or exploit commonly abused native applications such as PowerShell.

This means that when a user is tricked into opening a malicious document the ransomware payload or script is automatically blocked from launching. While this may seem obvious or even too simple, it has proven to be highly effective. Recent attacks including the yet-to-be-patched Office DDE exploits seen in the wild have all been prevented by the out of the box policy and protections.

Although this feature can protect against common attack vectors it is not designed to replace your AV solution but augment it with a proactive layer of defense that reduces your exposure to risk. As any security professional will tell you the earlier on in the attack chain you can stop an attack the less risk you are exposed to. By blocking common attack vectors before they execute TAP greatly reduces your risk of a breach.

Defendpoint v5.0 with its powerful combination Privilege Management and Application Control further raises the bar with reduced deployment time and increased security. To learn more about the benefits of Avecto Defendpoint v5.0 register for a demo today.