The first wave of attacks from the WannaCry virus has affected more than 320,000 computers around the world, and disrupted work at global companies such as Telefónica, KPMG, FedEx, Renault, hospitals in the UK, and many others. The original viral strain is now being replaced by new modified viruses that account for user measures that combat the first-wave WannaCry infection. For now, the number of newly infected computers is not decreasing.
Do you know the specific features of the propagation of the WannaCry virus (or similar viruses) in order to create an effective defense?
Infection and infiltration happen in stages, not instantaneously, and the virus is interactive. In other words, it spreads when specific conditions are satisfied, and a control center has not blocked its spread. This involves generating new traffic on the client’s network ports, and a small delay between activation and propagation, which can be exploited to apply protective measures.
Simply installing signature-based antivirus software on the client device is insufficient. If the virus is new or modified, it may not be in the signature database. And, if only the user’s computer or VM is protected, there isn’t enough time to respond.
In order to effectively combat this type of attack, modern IT security tools must be comprehensive, with multiple layers of protection. They must be fast -- faster than hackers expect them to be. These tools must also analyze network traffic and client behavior.
5nine Cloud Security is a data security tool for a virtualized Windows Server environment. It integrates with the Windows Server 2012/2016 virtual switch and includes an agentless antivirus, a virtual firewall, and an intrusion detection system in one centrally managed software product.
How can 5nine Cloud Security help keep you safe from attacks like WannaCry?
- The firewall isolates infrastructure segments and prevents the virus from spreading over the virtual network.
- WannaCry attempts to spread over a network using a vulnerability in the SMBv1 protocol by scanning IP addresses through port 445. The Intrusion Detection System (IDS) analyzes network traffic and warns users about unusual activity on network ports. IDS lets you determine the source of the attack and block the threat.
- 5nine Network Traffic Scanner scans all HTTP traffic for viruses, both within the virtual environment as well as in the transition to physical networks. This makes it possible to identify threats before virtual machines (VMs) are infected.
- If malware reaches the VM’s memory, it is deleted and quarantined by Active Protection or agentless antivirus scanning. 5nine technology works 70x faster than other vendors’ solutions thanks to incremental scanning, which is based on an analysis of write operations on virtual disks. A virus has no time to intrude and activate. It is detected and neutralized by antivirus engines from leading vendors: Bitdefender, ThreatTrack or Kaspersky Lab.
- Integration with Windows Server at the hypervisor level reduces server load up to 30% during antivirus scanning. This helps your systems function even in the face of a massive malware attack.