Protection Capabilities
  • 14 Sep 2023
About this Article
This article highlights VSP's various protection capabilities:
  1. Host Protection - Executable Allowlisting and Application Control Policies
  2. Memory Protection - Memory Exploit Protection and Buffer Overflow Protection
  3. Web Protection - Monitors user-provided inputs, the execution of those inputs and the application response


Virsec System Integrity provides both provenance and integrity of the authorized files, scripts and libraries associated with the software bill of materials (SBOM). This delivers zero-trust execution and extends existing security controls with proactive server workload protection, ensuring the workload cannot be compromised. The key capabilities of the VSP Probe are:
Executable Allowlisting

Virsec’s Executable Allowlisting defines all the processes and associated libraries allowed to execute.

  • Trustworthiness is established by verifying pristineness against trusted publishers, and reputation against Virsec's own and reputable third-party reputation databases
  • Establish and enforce system-wide allowlisting for processes, libraries and scripts based on trustworthiness
  • Monitor deviations at runtime and mitigate any executables that have been added or modified


Application Control Policy

VSP's Executable Allowlisting capability ensures that only trusted, safe processes and libraries can execute on server workloads. Application Control Policies (ACP) ensure that malicious actors cannot leverage advanced defense evasion techniques to compromise a workload.

Typical use cases for Application Control Policies are:

  • Script-based attack prevention
  • Living-off-the-land attack prevention
  • Protection against defense evasion techniques
  • Critical data collection
  • Lateral movement prevention
  • Protection against persistence
  • Remote-code execution

Application Control Policies allow the user to:

  • Enforce dynamic execution control on allowlisted processes to stop living-off-the-land attacks
  • Block malicious activity from otherwise trusted operating-system processes
  • Enforce parent-child process controls to stop RCE and lateral movement
  • Add runtime controls that allow or disallow binary applications from spawning child processes within the scope of the binary application
  • Enforce additional access controls on binaries via a process allow or deny list, so that a specific set of users is allowed to run a defined set of applications, or a specific set of users is always denied from running a defined set of applications
  • During the execution of a defined set of binaries:
    • Permit only specific command-line arguments and flags
    • Deny risky command-line arguments and flags
  • Block binary applications from running under all circumstances, even if they are generally trusted
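As an added illustration (not Virsec's policy format, engine or code), the following Python sketch shows how the executable allowlist described under Executable Allowlisting and the application-control rules listed above combine when a single process launch is evaluated: a hash-based allowlist check, a parent-side "may not spawn children" rule, a child-side allowed-parents rule, user allow and deny sets, denied command-line flags, and an unconditional block. Every path, hash, user and policy in it is constructed for the example.

```python
"""Hypothetical application-control policy evaluator.

Added illustration only: this is not Virsec's policy format, engine or code.
It shows how an executable allowlist and the kinds of application-control
rules listed above could combine when one process launch is evaluated.
Every path, hash, user and policy below is constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hash of an executable image; fed placeholder bytes here, not real binaries."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class LaunchEvent:
    path: str       # executable being launched
    sha256: str     # hash of the on-disk image measured at launch time
    parent: str     # path of the parent process
    user: str       # account requesting the launch
    argv: list      # full command line, argv[0] included


@dataclass
class BinaryPolicy:
    blocked: bool = False                   # never run, even though trusted
    allowed_parents: Optional[set] = None   # None means any parent is fine
    may_spawn_children: bool = True         # checked when this binary is the parent
    allowed_users: Optional[set] = None     # None means any user
    denied_users: set = field(default_factory=set)
    denied_flags: set = field(default_factory=set)   # risky command-line flags


# Constructed allowlist: path -> expected hash (hashes of placeholder bytes).
ALLOWLIST = {
    "/usr/sbin/httpd": sha256_hex(b"placeholder httpd image"),
    "/bin/sh": sha256_hex(b"placeholder sh image"),
    "/usr/bin/curl": sha256_hex(b"placeholder curl image"),
    "/usr/bin/nc": sha256_hex(b"placeholder nc image"),
}

# Constructed policies layered on top of the allowlist.
POLICIES = {
    # A web server should never spawn a child process.
    "/usr/sbin/httpd": BinaryPolicy(may_spawn_children=False),
    # Shells only from interactive or scheduled parents, and only for named users.
    "/bin/sh": BinaryPolicy(allowed_parents={"/usr/sbin/sshd", "/usr/sbin/cron"},
                            allowed_users={"root", "deploy"}),
    # curl is trusted, but certificate-check bypass flags are denied.
    "/usr/bin/curl": BinaryPolicy(denied_flags={"-k", "--insecure"}),
    # nc is on the allowlist (it ships with the OS) but is blocked outright.
    "/usr/bin/nc": BinaryPolicy(blocked=True),
}


def evaluate(event: LaunchEvent, allowlist=ALLOWLIST, policies=POLICIES):
    """Return ("allow" | "block", reason) for one process launch."""
    # 1. Executable allowlisting: unknown or modified binaries never run.
    expected = allowlist.get(event.path)
    if expected is None:
        return "block", "not on allowlist"
    if expected != event.sha256:
        return "block", "hash mismatch: binary added or modified"

    # 2. Parent-side control: may the parent spawn children at all?
    parent_policy = policies.get(event.parent)
    if parent_policy is not None and not parent_policy.may_spawn_children:
        return "block", f"{event.parent} may not spawn child processes"

    policy = policies.get(event.path)
    if policy is None:
        return "allow", "allowlisted, no additional controls"

    # 3. Child-side controls, most severe first.
    if policy.blocked:
        return "block", "blocked under all circumstances"
    if policy.allowed_parents is not None and event.parent not in policy.allowed_parents:
        return "block", f"parent {event.parent} not permitted"
    if event.user in policy.denied_users:
        return "block", f"user {event.user} is denied"
    if policy.allowed_users is not None and event.user not in policy.allowed_users:
        return "block", f"user {event.user} not in allowed set"
    flags = {a for a in event.argv[1:] if a.startswith("-")}
    risky = flags & policy.denied_flags
    if risky:
        return "block", f"denied flags: {sorted(risky)}"
    return "allow", "all controls satisfied"


if __name__ == "__main__":
    sh_hash = ALLOWLIST["/bin/sh"]
    # Web server spawning a shell: blocked by the parent-side rule.
    print(evaluate(LaunchEvent("/bin/sh", sh_hash, "/usr/sbin/httpd", "www-data", ["sh", "-c", "id"])))
    # Deploy user's shell over SSH: allowed.
    print(evaluate(LaunchEvent("/bin/sh", sh_hash, "/usr/sbin/sshd", "deploy", ["sh"])))
```

The ordering matters: the allowlist check runs before any policy lookup, so a modified binary is rejected even if a policy would otherwise allow it, and the parent's "may not spawn children" rule fires before the child's own rules, which is what stops a trusted server process from launching a trusted shell.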


Runtime Monitoring and Protection

Virsec Runtime Monitoring and Protection enforces the provenance and integrity of the Virsec Map and the software bill of materials (SBOM) of the authorized files, scripts and libraries, ensuring they cannot be compromised and that they perform their intended functions unimpaired, free from unauthorized manipulation of the system, its applications and code, whether intentional or accidental.


Memory Exploit Protection

Virsec Memory Exploit Protection stops attempts to inject malicious code into trusted processes and run it from memory.

  • Stops process injection techniques including, but not limited to, Code Injection, Process Hollowing and Process Doppelgänging
  • Stops dumping of OS credentials from the memory of key processes such as LSASS (Local Security Authority Subsystem Service)
  • Stops privilege escalation attacks and in-memory attacks
  • Detects and stops exploit techniques in real time without the need for any signature, learning or customization

Memory Exploit Protection provides protection against the following exploits and vulnerabilities:

For Windows:

  • Reflective DLL (Dynamic Link Library) Injection (Reported as Process Injection Incident)
  • Process Hollowing
  • PE (Portable Executable) Injection (Reported as Process Injection Incident)
  • Process Doppelgänging
  • PowerShell Exploit (Reported as Process Injection Incident)
  • Atom Bombing
  • Thread Local Storage (Reported as Process Hollowing Incident)
  • Thread Execution Hijack
  • Credential API (Application Programming Interface) Hooking
  • OS Credentials Dumping on Windows using LSASS
  • EWI - Extra Window Injection

For Linux:

  • DirtyCoW (Copy on Write)
  • tmp-fs exploit
  • DirtyPipe
  • ptrace Sudo Token Privilege Escalation

Buffer Overflow Protection

Virsec Buffer Overflow Protection ensures application control-flow integrity by uniquely distinguishing trusted execution flow, control data and user data from malicious events at runtime, without requiring access to source code.

  • Detects memory-based attacks such as buffer overflows, return-oriented programming and other blind attacks on program flow, the memory stack and return addresses
  • Protects the runtime execution of pre-compiled applications by automatically extracting the control flow of every executable and blocking any deviation from it at runtime


Web Protection

Virsec Web Protection monitors user-provided inputs, the execution of those inputs and the application response, using complex HTTP filtering, interpreter syntax mapping and strict runtime controls to detect and block attacker-provided inputs to a web application.

  • Web Application & API Protection for attacks arriving over HTTP/HTTPS
  • Detects OWASP Top 10 attacks on protected web applications using deep instrumentation of application frameworks and/or web servers
  • Blocks web-based attacks by examining HTTP payloads and the resulting transactions