1. Summary

AhnLab MDS (Malware Defense System) is a complete APT protection solution for the detection, analysis, remediation and prevention of advanced attacks. It delivers comprehensive protection against known and unknown malware, zero-day exploits, and ransomware through the complete defense process of “Detect-Analyze-Respond-Prevent".

2. Contents

1) Collect Threats

MDS monitors incoming network traffic and extracts and collects files. Malware can infect systems via networks, including websites, email and instant messaging, USB flash drives, and shared folders.

2) Malware Detection and Analysis

AhnLab MDS employs multi-engines that provide signature-based detection, reputation-feed based detection, and signature-less detection, thereby accurately identifying traditional threats as well as unknown threats and variants.

- Dynamic behavior analysis engine based virtual machine analyzes file, process, registry and network in real time, and minimizes false-positives by analyzing behavior, reputation of all related files.

- With its exclusive Dynamic Intelligent Content Analysis (DICA) engine, MDS accurately detects new and unknown non-PE (non executable) malware that exploits vulnerabilities found in MS Office, PDF and Hancom Office. In particular, MDS can detect malware that exploits various vulnerabilities such as buffer overflow, ROP, and heap spray.

- MDS analyzes unknown sophisticated malware-based threats through its hybrid analysis technology, combining static and dynamic malware analysis technology and knowhow. With its unique 'exploit detection technology based on memory analysis', MDS prevents zero-day attacks and detects malware accurately regardless of the type of malicious activity or behavior by analyzing malware that evade sandbox analysis.

3) Threat Visibility via Classification

MDS classifies threats into 3 categories of 'Malicious', 'Monitor' and 'Normal'. 'Malicious' is classified again into 3 levels according to the severity.  It contributes to effective threat response by providing a total of 10 levels of classification including safe files.

4) Malware Response

- MDS blocks abnormal traffic that attempts to connect to C&C servers and access malicious websites that distribute malware. This is a default feature provided regardless of whether MDS agent is installed or not.

- With its strong but lightweight agent, MDS isolates a host system that downloads malware in order to prevent internal proliferation, and automatically or manually deletes the malware. MDS also provides the Execution Holding feature to prevent an unidentified file from running via its agent, thereby protecting even the initial victim’s computer.

- MDS detects malware in the email attachments through VM-based dynamic analysis. Also, it conducts multi-dimensional analysis based on blacklists, whitelists, and reputation information for suspicious URLs and scripts contained in email body. In order to prevent email-based attacks, MDS provides Mail Transfer Agent (MTA) mode that automatically detects and quarantines malicious or suspicious emails. Quarantined emails can be released by administrator.

- MDS provides “shared folder scanning” to conduct dynamic analysis for unknown and suspicious files that are introduced via shared folders in the network. When the analysis is completed, files are sent to Clean Folder or Quarantine Folder.