FireEye - Part 4. Drawbacks of FireEye (current!)

Currently, there are 2 drawbacks that I can think of:

  • HTTP and SMTP only. Today FireEye performs malware code detection only on HTTP and SMTP traffic. Malware that uses SSL for the exploit delivery and for its callbacks could at best be caught by C&C traffic signatures, since the encrypted content itself is never inspected.
  • Malware authors may fool FireEye. As FireEye gets more popular, there is a chance that malware writers will begin to modify their malware to detect and evade FireEye, much as malware authors try to detect and fool VMware-based honeynets today.

I might add that these drawbacks also existed when Vontu (Symantec DLP) was evolving, and it, as well as WebSense, eventually crossed the SSL hurdle.

As for the second drawback, it remains to be seen; the same statement holds even for a large product such as Symantec AntiVirus today (see the NYTimes story on how Symantec could, or could not, stop Chinese hackers).
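To make the first drawback concrete, here is an added toy illustration (my own example, not FireEye's code or configuration) of why an encrypted callback can only be matched on C&C indicators. The connection records, the hostnames in the indicator list and the content signature are all constructed for the example; they are not real IoCs.

```python
"""Added illustration (not FireEye code): content inspection works only where the
application layer is in the clear; over SSL/TLS only the destination can be matched."""
from dataclasses import dataclass
from typing import Optional

# Constructed C&C indicator list (hypothetical hostnames, not real IoCs).
CNC_HOSTS = {"update-check.example-bad.test", "cdn-sync.example-bad.test"}

# Constructed content signature: a byte pattern a content inspector could match
# in a plaintext HTTP response or SMTP message body.
CONTENT_SIGNATURES = {b"eval(unescape(": "obfuscated-js-loader"}


@dataclass
class Connection:
    proto: str      # "http", "smtp" or "tls"
    host: str       # destination hostname (Host header, MX host, or TLS SNI)
    payload: bytes  # bytes seen on the wire; ciphertext for "tls"


@dataclass
class Verdict:
    host: str
    inspected: bool          # True if the application content was readable
    reason: Optional[str]    # why it was flagged, or None if nothing matched


def inspect(conn: Connection) -> Verdict:
    """Apply content signatures where possible, C&C indicators everywhere."""
    if conn.proto in ("http", "smtp"):
        # Plaintext: the inspector can look inside the payload.
        for pattern, name in CONTENT_SIGNATURES.items():
            if pattern in conn.payload:
                return Verdict(conn.host, True, f"content:{name}")
        if conn.host in CNC_HOSTS:
            return Verdict(conn.host, True, "cnc-indicator")
        return Verdict(conn.host, True, None)

    # Encrypted: conn.payload is ciphertext, so signatures cannot be applied.
    # The only thing left to match is the destination against C&C indicators.
    if conn.host in CNC_HOSTS:
        return Verdict(conn.host, False, "cnc-indicator")
    return Verdict(conn.host, False, None)


def triage(conns):
    return [inspect(c) for c in conns]


# Constructed sample traffic. Record 2 carries the same loader as record 1 but
# over TLS; the inspector sees only ciphertext and cannot flag it.
SAMPLE = [
    Connection("http", "www.example.test", b"<html>eval(unescape('%75%6e'))</html>"),
    Connection("tls", "www.example.test", b"\x17\x03\x03\x00\x20\x8f\x12\xa4\x0c\x77"),
    Connection("tls", "update-check.example-bad.test", b"\x17\x03\x03\x00\x20\x01\x02"),
    Connection("smtp", "mail.example.test", b"Subject: invoice\r\n\r\nplease see attached"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE):
        state = "inspected" if v.inspected else "opaque"
        print(f"{v.host:32} {state:9} {v.reason or 'clean'}")
```

The second record is the point of the post: identical malicious content that would be caught in plaintext HTTP passes untouched over TLS, and only a destination that already appears on a C&C list (third record) produces any alert.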

Previous posts:

Part 1: Why FireEye? How it works?

Part 2: FireEye deployment practice

Part 3: Collection of articles on how FireEye brought (or attempted to bring) down botnets
