ZombieZERO Inspector V4.0 is a security solution that detects malware entering from external sources using pattern-based and behavioral analysis techniques and blocks or isolates it. It also blocks internal users from accessing unauthorized IP addresses/URLs (e.g. those of a malware sender).
ZombieZERO Inspector V4.0 is comprised of ZombieZERO Detector V4.2.71 (hereinafter referred to as “ZombieZERO Detector”), Analyzer Agent V4.0.0 (hereinafter referred to as “Analyzer Agent”) and ZombieZERO Agent V4.0.227 (hereinafter referred to as “ZombieZERO Agent”).
- Collection & Storage of Files
  From the traffic entering the internal network from the Internet, files arriving over the HTTP/1.1, FTP, POP3, IMAP and SMTP protocols, together with executable files (EXE files) sent from ZombieZERO Agent, are collected and stored.
- Information Analysis
  The collected files are analyzed as follows to check for malware:
  - Pattern analysis
    The files collected via network protocols and the files submitted for analysis by ZombieZERO Agent are checked against signature patterns and detection rules to detect the presence of malware.
  - Behavioral analysis
    The file behavior information gathered by Analyzer Agent is compared with the detection rules to detect the presence of malware.
  - The information on the file in which malware has been detected, together with the security policy, is sent to ZombieZERO Agent.
- Blocking of Information Flow
  - The information flow is blocked when packets are sent from the internal user’s computer to a known IP/URL (e.g. malware sender).
- Security Control
  - The administrator webpage (graphical user interface, GUI) provides security control features such as setting up a security policy, looking up audit records and managing patterns.
※ Other features include security audits, identification and authentication, password support, TSF protection and TOE access control.
- Collection of Behavioral Information
  Analyzer Agent runs the file suspected of containing malware that has been sent from ZombieZERO Detector, collects information on its file, process, registry, network and memory behaviors, and sends that information back to ZombieZERO Detector.
On the internal user’s computer, a file in which malware has been detected is either blocked or isolated according to the security policy sent from ZombieZERO Detector, as follows:
- Blocking the malware
  Execution of the file containing malware is stopped according to the security policy sent from ZombieZERO Detector.
- Isolating the malware
  Execution of the file containing malware is stopped according to the security policy sent from ZombieZERO Detector, and the file is moved to an isolated location.
※ Other features include password support and TSF protection.