Locating Malware Infections
Despite antivirus and other measures, malware still finds ways into the company. It arrives via
- phishing attacks
- traveling laptops
- employee VPN sessions
- employee downloads, bloatware
- P2P networks
- instant messengers
- file repositories
- USB memory-keys
- ...
Malware tends to be part of a botnet, which receives commands from black-hat organizations and is commonly used for spamming, identity theft and the like. Other potential uses of botnets and other malware include espionage, data theft, cyber-terrorism and attacks on infrastructure.
A drawback of current anti-malware products is that they cannot detect malware that evades them by mutating and by propagating rapidly before signatures are created. Such zero-day issues can be detected by nLive. By detecting abnormal traffic such as unusual ARP, unusual connections and suspicious traffic, nLive can often point to machines infected by malware, even when existing anti-malware products have failed to detect them.
nLive is designed to detect the abnormal traffic produced by malware-related network activity. Several nLive users have reported detecting malware-infected hosts within hours of installing it. One or more of the 45 detectors provided with nLive trigger when abnormal traffic of various kinds originates from a host.
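As an added illustration of the per-host abnormal-traffic idea described above (this is not nLive's code; its detectors are proprietary and not shown on this page), the script below counts distinct ARP targets and outbound connection destinations per source host over constructed sample events and flags any host whose count is far above the median of its peers. The event format, the factor of 5 and the floor of 20 are assumptions chosen for the example.

```python
"""Per-host abnormal-traffic detector over constructed ARP and flow events."""
from collections import defaultdict
from statistics import median

def constructed_events():
    """Constructed sample events, not real traffic: (src_host, kind, target).
    kind "arp"  = ARP who-has request for target IP
    kind "conn" = outbound connection attempt to target host:port"""
    events = []
    # three ordinary hosts: a few ARP lookups and a few services each
    for h in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        events += [(h, "arp", f"10.0.0.{t}") for t in (1, 2, 3)]
        events += [(h, "conn", d) for d in ("10.0.0.2:53", "10.0.0.5:445", "203.0.113.7:443")]
    # one host resolving most of the /24 via ARP and contacting many destinations
    bad = "10.0.0.14"
    events += [(bad, "arp", f"10.0.0.{t}") for t in range(1, 200)]
    events += [(bad, "conn", f"198.51.100.{t}:25") for t in range(1, 60)]
    return events

def distinct_targets(events):
    """Count distinct ARP targets and connection destinations per source host."""
    seen = defaultdict(lambda: {"arp": set(), "conn": set()})
    for src, kind, target in events:
        seen[src][kind].add(target)
    return {h: {k: len(v) for k, v in kinds.items()} for h, kinds in seen.items()}

def flag_abnormal(counts, factor=5.0, floor=20):
    """Flag a host whose metric exceeds `factor` times the median of the other
    hosts and an absolute floor, so a quiet network does not alert on every lookup.
    Returns (host, kind, value, peer_median) tuples."""
    alerts = []
    for host, metrics in counts.items():
        for kind, value in metrics.items():
            others = [c[kind] for h, c in counts.items() if h != host]
            baseline = median(others) if others else 0
            if value >= floor and value > factor * baseline:
                alerts.append((host, kind, value, baseline))
    return alerts

if __name__ == "__main__":
    for host, kind, value, baseline in flag_abnormal(distinct_targets(constructed_events())):
        print(f"{host}: {value} distinct {kind} targets (peer median {baseline})")
```

On real data the events would come from a span port or flow export and the baseline from a longer observation window; the comparison against peers is what separates a noisy host from a busy but normal one.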
Example Solutions
The following are basic write-ups on how to solve certain network problems using nLive. More detailed step-by-step procedures are given towards the end of the user manual, which is available in the Learning Center.
Traffic Visibility
- Network Traffic Visualization
- Real Time Traffic Analysis
- Locating Network and Department Top Talkers
- Network Applications and Ports
- Network Bandwidth Congestion
- Traffic Reporting
Network Security Issues
- Network Traffic Trend Analysis
- Network Traffic Search and Forensic Analysis
- Executive Reporting of Network Traffic
- Regulatory Compliance
Bandwidth Monitoring and Utilization
- Locating Bandwidth Abusers
- Application Bandwidth Usage
- Wide Area Network Bandwidth
- Local Area Network Bandwidth
Abnormal Traffic and Anomaly Detection
- Abnormal Traffic Determination
- Employee Misuse Detection
- Locating Malware Infections
- Network Fault Locating
- Data Leak or Theft