386SX wrote: It'd be nice to hear an opinion from a professional network administrator about that software.
I'm a network engineer, so more on the hardware side, but since I regularly deal with security appliances and those manufacturers are also getting into endpoint protection.. it's ... kind of my bailiwick. IMO, products like Palo Alto's Traps are changing the game for security products. It's a relatively recent acquisition (I was loosely involved in a deployment of Palo's first release after purchasing the IP) but they're getting it more and more polished with every release. Client software isn't their strong point, so the client interface is still a little... ehhhh... but it works, and the theory of operation is awesome.
For those not already aware, it's basically an exploit technique-aware product. It doesn't really deal with AV signatures in the traditional sense, although it can connect to Wildfire for executable signature (and thus benign / malicious verdict) validation. Instead, it watches for common techniques used by malware to gain access and escalate privileges. Stuff like spraying memory with executable code, messing with the registry, certain syscalls, so on. So there's really not much relevance to the concept of "0-day" code. It's either doing something shady, or not. On top of that, Wildfire copies executable code to a cloud sandbox, runs it, pokes and prods it to try and get it to "detonate," then records everything it does and creates a report so you know what to look for and how to clean it up if it has infected something else. It also gets hashed so anyone else in the world with a Wildfire subscription will get updated within a few minutes and know it's malicious.
Pretty freakin cool technology, and makes the old reactive process of traditional AV software pretty much obsolete. Unfortunately, AFAIK, this kind of stuff only really exists in the enterprise market. Same for next-gen firewalls (filtering on OSI layers >4 -- that is, not just IP / protocol / port, but also application -- not just what the packet says it is, but the actual identifiable payload within the packet.)
There are even products emerging now that are based on AI -- watching user behavior and sounding alarms when something anomalous happens -- like accessing shares or sending traffic that they wouldn't ordinarily. It requires a training period, but in the sea of noise that is enterprise network activity, this kind of thing is really the only way you would know when you have either an insider threat, or an infected host.
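The behavioral-baseline idea in the last paragraph, as an added illustration that is not part of the post above and not the code of any product it mentions: a toy that learns, per user, which shares they touch and how much they move per day during a training window, then flags later events that access a share never seen before, exceed the user's usual daily volume by a z-score threshold, or come from a user with no baseline at all. The log format, the user and share names, and the threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training log (not real data): day, user, share, bytes_transferred.
TRAINING_LOG = """\
2024-01-01 alice finance 12000
2024-01-01 alice finance 15000
2024-01-02 alice finance 11000
2024-01-02 alice hr 3000
2024-01-03 alice finance 14000
2024-01-01 bob engineering 50000
2024-01-02 bob engineering 52000
2024-01-03 bob engineering 48000
2024-01-03 bob builds 70000
"""

# Constructed events observed after the training period.
NEW_EVENTS = """\
2024-01-10 alice finance 13000
2024-01-10 alice engineering 9000
2024-01-10 bob engineering 900000
2024-01-10 carol finance 1000
"""


def parse(log):
    """Turn the whitespace-separated log into (day, user, share, bytes) tuples."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        day, user, share, nbytes = line.split()
        events.append((day, user, share, int(nbytes)))
    return events


def build_baseline(training_log):
    """Per user: the set of shares seen and the mean/stdev of daily byte totals."""
    shares = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, share, nbytes in parse(training_log):
        shares[user].add(share)
        daily[user][day] += nbytes
    baseline = {}
    for user, seen in shares.items():
        totals = list(daily[user].values())
        baseline[user] = {
            "shares": seen,
            "mean": mean(totals),
            # Population stdev; with a one-day training window this is 0, so
            # any increase would trip the volume check (hence a longer window).
            "stdev": pstdev(totals),
        }
    return baseline


def score_event(baseline, event, z=3.0):
    """Return the list of reasons an event is anomalous (empty if it looks normal)."""
    _day, user, share, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if share not in profile["shares"]:
        reasons.append("new_share")
    if nbytes > profile["mean"] + z * profile["stdev"]:
        reasons.append("volume")
    return reasons


def flag_anomalies(baseline, events_log, z=3.0):
    """Score every event and keep only those with at least one reason."""
    flagged = []
    for event in parse(events_log):
        reasons = score_event(baseline, event, z)
        if reasons:
            flagged.append((*event, reasons))
    return flagged


if __name__ == "__main__":
    profile = build_baseline(TRAINING_LOG)
    for day, user, share, nbytes, reasons in flag_anomalies(profile, NEW_EVENTS):
        print(f"{day} {user} -> {share} ({nbytes} bytes): {', '.join(reasons)}")
```

The point the toy makes is the one the post makes: with three days of training, alice reading a share she has never touched and bob moving roughly ten times his daily norm both stand out, while alice's routine finance access does not. In a real deployment the window is weeks, not days, and the features are richer (time of day, peer group, destination hosts), but the shape of the decision is the same.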