Sourcefire shows cloud-based malware tracker FireAMP

Sourcefire today announced anti-malware software for Windows-based devices that combines signature and behaviour-based detection methods to identify malicious code trying to invade the enterprise network, tracking it down through cloud-based analysis.

The lightweight Windows-based software, called FireAMP, can identify malware and block it, says Alfred Huger, vice president of development at Sourcefire's cloud technology group. Once a specific threat is identified, which involves analysing it on the fly through the FireAMP cloud-based infrastructure, another step can be taken to immediately figure out if that same malware has struck other enterprise computers.

Huger acknowledges that the 7MB FireAMP agent software will detect and block a wide range of malware, but it won't recognise every threat when it first hits the enterprise network. FireAMP represents the development of the anti-malware software Sourcefire acquired in its acquisition of startup Immunet a year ago.

The basic idea behind FireAMP is that it can make the job of tracking down any infected computers fairly simple because FireAMP works by "capturing all endpoint data and putting it in the cloud," explains Huger. "We keep an image of all file behaviour in your computers in the cloud. We know when a file gets put there." Therefore, FireAMP would be able to tell when malware, in the form of a malicious file, made its way into someone's computer, and there would be a way to trace an originating point.

FireAmp's continuous tracking of file activity means that if there's an infection outbreak, once the malware specimen is identified, it's going to be possible to give security managers immediate feedback on when and how that infection spread to specific enterprise computers. "Our goal is which systems need remediation or which need to re-image," says Huger. "When there is a system compromised, this is an efficient way to address it."

"The average number of infections is 10," says Huger about how virus outbreaks typically occur, noting that staff in information technology departments find one of their biggest struggles is tracking down infected computers that fly in under the radar of traditional antivirus software.

Huger also notes that FireAMP is "not competing with antivirus vendors," but is trying to be complementary to antivirus software. FireAMP's approach is said to be closer to that of FireEye, which blocks based on behaviour, but here too, Huger compared the two approaches as somewhat complementary.

Sourcefire's FireAMP software at present is only available for Windows, but the security firm is considering something similar for Android later this year. In addition, FireAMP today works with its own management console, but in the future Sourcefire anticipates further integration into some of its other products, such as Defense Center.