businesses against spam, viruses, malware and spyware, and now part of Cisco, today announced that it has enhanced the protection offered by its Web-security appliances with the addition of Exploit Filtering. Exploit Filtering utilizes IronPort's distinctive Web-reputation technology to protect users from malware delivered through compromised Web sites even when these sites are not identified through URL filtering or signature scanning. Exploit Filtering is available on the IronPort S-Series™ family of Web-security appliances.

In March 2008, IronPort launched its URL Outbreak Detection and Botsite Defense to protect users against malware distribution through Web sites controlled by botnets. Exploit Filtering zeroes in on the latest security threat: trusted Web sites that have been compromised to deliver Trojans or phishing attacks. Such attacks are carried out via techniques such as cross-site scripting exploits (a flaw within web applications that sends malicious code to the browsers of unsuspecting users), buffer overflows (sending too much data to an application's temporary storage, which can enable security breaches), SQL injections (a technique that exploits a security vulnerability occurring in the database layer of an application), and invisible iFrame redirects (sending users to malware-generating sites).

According to IronPort's Threat Operations Center, which monitors and analyzes Web traffic in real time, exploited Web sites are responsible for more than 87 percent of all Web-based threats today, and an increasing number of malware writers are targeting well-known, trusted Web sites. For example, in early July, a major Japanese video game company's Web site fell victim to an SQL injection attack, in which a piece of malicious JavaScript was embedded in parts of the site so that a pop-up message warned users that their computers were infected with malware. The pop-up then led users to a site where they could purchase so-called anti-virus software that was actually a malicious Trojan.

Traditional URL filters are not effective in identifying these threats because they rely on manual classification techniques. Infected sites can hide behind generic classifications such as shopping, finance, entertainment or news. However, IronPort's Web-reputation technology uses real-time scanning in order to find and block access to the compromised Web sites before their malware can become operational.

IronPort's Web-reputation filtering system is a solution that examines every request made by the browser, from the initial HTML request to all subsequent data requests, which may be fed from different domains. If the presence of vulnerabilities and exploits is confirmed, a Web site is assigned one of three threat levels:

• Compromised by Exploits and Actively Hosting Malware. These sites have active exploits and are serving malware or have malicious scripts injected into them. They are immediately blocked.
• Compromised by Exploits. These sites have been compromised with one or more exploits and have malicious scripts present, but the malware has not yet been activated by command-and-control servers. These sites, too, are blocked by default.
• Vulnerable to Exploits. These popular, high-traffic Web sites are put on a "high-risk watch" and actively monitored by IronPort's Threat Operations Center because they are susceptible to common exploits or have been linked to malware distributions in the past.

As the first line of malware defense, IronPort's Web-reputation filtering system analyzes more than 5 billion Web transactions daily, blocking up to 70 percent of malware at the connection level, prior to signature scanning. Using its global URL traffic data, IronPort's Web-reputation system is able to offer an industry-leading malware-catch rate: 60 percent higher than the rate of traditional signature scanners.

"With the addition of Exploit Filtering, we are offering uncompromised protection against one of the biggest invisible threats on the Web: the transparent passing of malware through legitimate Web sites," said Tom Gillis, vice president of marketing at IronPort Systems. "By automatically filtering against exploited Web sites, IronPort continues to set itself apart from the competition in the Web-security-appliance market. With this innovative approach to filtering, we can reassure our customers that their network security will not be jeopardized when browsing trusted sites, which are often targets of malicious Trojan and phishing attacks."

Exploit Filtering is currently available on the IronPort S-Series, one of the industry's fastest Web security appliance. IronPort S-Series appliances combine a high-performance security platform with IronPort's exclusive Web-reputation technology and Dynamic Vectoring and Streaming™ (DVS) engine, a scanning technology that enables accelerated signature-based malware and spyware filtering.

Exploit Filtering is available to all users of IronPort Web Reputation Filters™. 

About IronPort Systems

IronPort Systems, now part of Cisco, is a leading provider of anti-spam, anti-virus and anti-spyware appliances for organizations ranging from small businesses to the Global 2000. IronPort appliances utilize SenderBase®, one of the world's largest e-mail and Web threat detection network and database.

Information Source:    Cisco