Information Guide: HX Exploit Detection vs. Indicators of Compromise vs. Malware Detection

Version 6

When it comes to monitoring your endpoints for evil, Indicators of Compromise and Exploit Detection are two different approaches to protection.

Exploit Detection (ExD) describes the act of monitoring for certain exploit activity within a process's threads. Examples of exploit activity include, but are not limited to: shellcode, ROP, heap spray, kernel exploits, or memory corruption. Exploit Detection highlights abnormal process activity, which is why it can identify zero-day exploits that have not been seen before. Exploit Detection does not look for a particular exploit, but rather for signs that something may be attempting to exploit your system.

Exploit Detection requires HX Agent 21.x or newer, and is supported on Windows only.

Indicators of Compromise (IoCs) look for known malicious items by matching MD5s, URLs and similar artifacts against a list of previously identified exploit signatures (i.e., indicators). IoCs can identify a malicious event, file or item that may perform an exploit, but not the exploit attempt or its behavior.

IoCs are utilized by all versions of HX and the HX Agent.

FireEye uses ExD and IoCs together to ensure the highest chance of detecting an exploit. ExD can provide data around the actual exploit activity and provide coverage without an IoC, but it cannot alert on the file or events beforehand: that data will be present in the triage analysis, but the file was not known to be malicious until the exploit activity was detected. IoCs, on the other hand, can alert on known malicious files and events, but not on things that have never been identified as malicious.

Malware Detection enables detection of commodity malware, including items such as viruses, trojans, worms, spyware, adware, key loggers, and other potentially unwanted programs. Malware Detection focuses on items which a typical anti-virus client might catch, enabling you to replace other legacy endpoint/AV solutions with a single agent.

Malware Detection requires HX Agent 24.x or newer, and is currently supported on Windows only.

Helpful Resources: