July 19, 2012

Analysis of McAfee DeepDefender with Hypervisor

Another interesting security tool that deals with hypervisors is McAfee Deep Defender.

Unfortunately the product is not available for free download and I can't test it; I only have some marketing docs.

I would like to discuss some issues:

1. Does Deep Defender support loading new hypervisors on top of it (a hypervisor stack, nested hypervisors)? How much does that affect performance? I have not found any test results.

According to the report, Deep Defender is a driver, mfeib.sys:
The McAfee Deep Defender boot driver mfeib.sys is loaded to initiate McAfee DeepSAFE technology. McAfee DeepSAFE technology low-level protection is enabled when a VMX root application is instantiated to create the trusted memory services layer (TMSL) that resides between the BIOS and the operating system.

2. How is loading of malicious hypervisors from the MBR or BIOS / EFI prevented?

According to the report, changes in the MBR can be detected during pre-boot authentication when full disk encryption is present:
As with the standard boot process the BIOS first looks at the Master Boot Record (MBR), which contains the boot loader. If full disk encryption is present (for example, McAfee Endpoint Encryption for PC, Microsoft BitLocker, or Symantec PGP) the modified MBR will provide a pre-boot environment. After successful pre-boot authentication, the boot loader starts to load the operating system in the normal way.

3. An interesting point: a hypervisor loaded before pre-boot authentication can compromise it.

4. If the user has no full disk encryption, his PC is vulnerable to MBR HVM rootkits. Really? I think there are methods to detect them without full disk encryption.
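One such method, as an added example that is not part of the original post and not McAfee's code: keep a baseline of the raw 512-byte MBR from a known-good state and compare the boot-code hash and partition table against it on later reads, which needs no disk encryption. The sample sectors below are constructed; reading the real sector 0 (e.g. from the physical drive device) is left out.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into a boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append((status == 0x80, ptype, lba, count))
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def audit_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline taken from a known-good state."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code modified (hash mismatch)")
    for i, (old, new) in enumerate(zip(baseline["partitions"], current["partitions"])):
        if old != new:
            findings.append(f"partition entry {i} changed: {old} -> {new}")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not from a real disk): one bootable NTFS-type entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

GOOD_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"\x90" * 40)
BASELINE = parse_mbr(GOOD_MBR)
# Constructed tampered copy: two boot-code bytes differ, partition table untouched.
TAMPERED_MBR = b"\xeb\x10" + GOOD_MBR[2:]

if __name__ == "__main__":
    print(audit_mbr(GOOD_MBR, BASELINE))      # []
    print(audit_mbr(TAMPERED_MBR, BASELINE))  # ['boot code modified (hash mismatch)']
```

The check is only as trustworthy as the read path: as point 3 notes, a hypervisor already running underneath can intercept disk reads, so the baseline and the comparison should be taken from a clean boot environment.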

5. How does the presence of full disk encryption affect performance, e.g. in the case of cloud computing or tablet PCs?

PS: I wrote a letter to McAfee support and I will try to get McAfee Deep Defender if possible.