Multi-Vector Virtual Execution (MVX) Engine

At the core of the FireEye Network Security appliance is the Multi-Vector Virtual Execution engine, or MVX. We’ll now examine how the MVX engine works. The MVX engine analyzes each suspicious object in its own virtual machine. It hosts multiple VMs running concurrently and analyzes activity in the following stages. First, the MVX engine selects a guest image to use for analysis based on the content. The guest image fully instruments the browser and operating system to closely recreate the environment of the real-world machine where the malware was detected. Then the MVX engine executes the suspicious code while monitoring tools inside and outside of the MVX engine check the behavior of the binary. The timeline inside the MVX engine is accelerated so that long-term malware behavior can be analyzed. Any traffic generated inside the MVX engine is isolated to a virtual network and monitored to create new malware callback rules that block communication with command-and-control servers. Such rules can be used to identify future callback events from malware in your network, and data theft can be blocked. During analysis, the MVX engine identifies and records all of the changes occurring on the system. In post-execution analysis, the MVX engine scores the event, determining whether or not it is a threat.

Finally, rules are automatically generated from events determined to be malicious. Sanitized analysis results and rules are provided to the FireEye Dynamic Threat Intelligence (DTI) cloud, which shares global intelligence with FireEye customers. Throughout this process, all activity that occurs in the MVX engine is invisible to the attacker. The MVX engine attempts to mirror real-world connections by providing a virtual network. The protocol replay engine uses a combination of a web cache and other technologies to mirror the real-life infection in the virtual machine.

Now that we’ve reviewed MVX analysis details, let’s look at the overall process of how Network Security processes data packets. There are three phases.

The Capture Phase: Network Security identifies traffic that should be analyzed. The fast-path filter uses traditional signature detection to detect and block known threats. These threats are sent for confirmation to get a full picture of the capabilities of the malware. The appliance applies heuristics to prioritize objects and reduce duplicate analysis before they are sent for confirmation. For FireEye Network Security with IPS enabled, network traffic is also compared against IPS vulnerability signatures.

The Analysis Phase: If Network Security deems traffic suspicious, it sends a copy of the web traffic and/or executable to the MVX engine for static and dynamic analysis. This step rules out false positives and generates alerts for detected malware.

Lastly, the Rule Generation Phase: Results from this analysis are used to generate new rules. These rules are fed to the fast-path filter to block subsequent attacks, and because of this dynamic detection and automatic generation of rules, FireEye appliances do not require rule tuning.

You now know the process by which FireEye Network Security captures traffic, performs analysis in the MVX engine on selected objects and URLs, and generates rules for blocking future attacks. So, how does this work in the real world? Let’s take a look at this example of a zero-day attack.

How is a typical web attack launched? It usually happens because an unsuspecting victim on the network clicks a malicious link on a web site. When this happens, the request is routed through FireEye Network Security as it crosses the network and requests information from a compromised web server. The web request returns HTML, images, and JavaScript, including the exploit. Unfortunately, the results of the web request are delivered to the victim’s machine because the site has not yet been confirmed as malicious. The system is now exploited, infecting patient zero: the first person to receive the attack.

FireEye Network Security analyzes the web traffic and sends the downloaded file to the MVX engine for dynamic analysis. In the MVX engine, a web cache is used to provide the same downloaded content that was received in the real world. Next, the MVX engine analyzes the behavior of the malware, observing and recording the actions taken in the MVX engine, including file, process, and network activity. The analysis takes about five minutes. When analysis is complete, the MVX engine determines the object to be malicious. The MVX engine now creates rules based on the malware’s behaviors, and if any users on the same network as patient zero attempt to visit the same URL, this time the site will be blocked and the network will be protected.

Network Security rules also block callback communication to prevent data theft from patient zero or any other infected machine, minimizing damage. Patient zero will still require remediation, but the attack could have been extremely damaging had it not been detected so quickly and stopped in its tracks by FireEye Network Security.
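The capture, analysis and rule-generation loop described above, modelled as an added Python example that is not part of this page or of FireEye's own code. The hostnames, client addresses and the exploit object are constructed; the analysis step is a stand-in that parses a behaviour record embedded in the sample rather than detonating anything, so only the feedback loop (patient zero delivered, rules generated, later visit and callback blocked) is real.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Event:
    src: str               # client that made the request
    url: str               # requested URL, or callback destination for kind == "callback"
    kind: str              # "download" or "callback"
    payload: bytes = b""   # object returned by the server (empty for callbacks)

@dataclass
class FastPathFilter:
    known_bad_hashes: set = field(default_factory=set)   # traditional static signatures
    blocked_urls: set = field(default_factory=set)       # rules generated from MVX verdicts
    blocked_callbacks: set = field(default_factory=set)  # C2 callback rules
    analyzed: dict = field(default_factory=dict)         # object hash -> verdict (no duplicate analysis)
    def check(self, ev):
        # Capture phase: match against signatures and auto-generated rules
        if ev.kind == "callback":
            return "blocked" if ev.url in self.blocked_callbacks else "allowed"
        digest = hashlib.sha256(ev.payload).hexdigest()
        if ev.url in self.blocked_urls or digest in self.known_bad_hashes:
            return "blocked"
        return "unknown"

def mvx_analyze(payload):
    """Constructed stand-in for the analysis phase: parse the behaviour record in our sample."""
    beh = dict(p.split("=", 1) for p in payload.decode().split(";") if "=" in p)
    return ("malicious" if "callback" in beh or "drops" in beh else "benign"), beh

def process(flt, events):
    """Run events through capture -> analysis -> rule generation; return per-event verdicts."""
    results = []
    for ev in events:
        verdict = flt.check(ev)
        if verdict == "unknown":                # not known bad: deliver, but analyse a copy
            digest = hashlib.sha256(ev.payload).hexdigest()
            if digest not in flt.analyzed:      # heuristic: each distinct object analysed once
                flt.analyzed[digest], beh = mvx_analyze(ev.payload)
                if flt.analyzed[digest] == "malicious":   # rule generation phase
                    flt.blocked_urls.add(ev.url)
                    flt.known_bad_hashes.add(digest)
                    flt.blocked_callbacks.update(v for k, v in beh.items() if k == "callback")
            verdict = "allowed"                 # patient zero already received the object
        results.append((ev.src, ev.url, verdict))
    return results

# Constructed traffic: patient zero downloads the exploit, calls back to C2, then a second user visits
EXPLOIT = b"drops=/tmp/x.bin;callback=c2.example.invalid"
SAMPLE_EVENTS = [
    Event("10.0.0.5", "http://compromised.example.invalid/index.html", "download", EXPLOIT),
    Event("10.0.0.5", "c2.example.invalid", "callback"),
    Event("10.0.0.9", "http://compromised.example.invalid/index.html", "download", EXPLOIT),
]
```

Running `process(FastPathFilter(), SAMPLE_EVENTS)` shows the first download allowed through, then the callback and the second user's visit blocked by the rules generated from the first verdict.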
