Isolation

The EVE agent has a module written at the kernel level that prevents network communications of any kind to any unapproved element: it allows communications to the EVE Platform itself, as well as to the third parties necessary for risk management, and blocks everything else at a low level.

In the Platform it is possible to allow the IP addresses of third-party solutions such as EDR, SIEM, collectors, or any other security product. Communication to these addresses is allowed and all other traffic is blocked, so that when an advanced threat is triggered, any lateral movement is completely blocked. To configure these IP addresses, see section View Details and Make Changes to ISOLATION.

The Isolation process is available only for IPv4. If the endpoint uses IPv6, IPv6 must be disabled on the endpoint.

The isolation process is independent of the main EVE process. This ensures that even if security products or malware terminate EVE, the endpoint maintains the isolation state.

The Isolation feature is available for WINDOWS operating systems only.

Safe and Isolated Environment

Eve ensures that emulations are performed in a secure environment considering the following:

  1. Type of Emulation and Scenario: There are three types of emulations: Network, Network + Endpoint, and Network + Endpoint + Execution. The first two emulations do not execute the samples; they simply evaluate whether the vectors could stop the samples. The third type of emulation does execute the samples. Emulations should preferably be done in virtual environments to avoid touching production endpoints. Therefore, the first two types of emulations can be carried out without execution and still be evaluated pragmatically.

  2. Isolation Process: A processor in a computer running Windows has two different modes: user mode and kernel mode. The processor switches between the two modes depending on the type of code being executed. Applications run in user mode, and core components of the operating system run in kernel mode. The isolation process of the EVE software is executed through a kernel-mode library. Here, what is known as kernel hooking is performed. A hook in the kernel covers a variety of techniques used to alter or augment the behavior of the operating system by intercepting function calls, messages, and events that pass between different software components. The code that intercepts these calls is what we know as a hook. The EVE software uses these features to analyze network traffic just before it becomes a packet. Unless an IP address has been explicitly whitelisted, the EVE software blocks any communication. In other words, at the kernel level, all communications that are not explicitly enabled are blocked.

  3. Network Spread: The spread of samples in a network is a very specific and difficult procedure for common samples to achieve. As we know, attackers generally use manual methods to carry out these tasks or exploit critical vulnerabilities. For this, lateral movement is required, which involves, among other phases, scanning the network from the compromised endpoint and looking for vulnerable application services. As mentioned in point 2, the EVE process blocks any attempt at unauthorized communication, so the sample will not even be able to scan the network, and the exploitation and lateral movement phases will not take place.

  4. Persistence: Our software and the isolation process have been carefully designed to cover different scenarios. If malware has the capability to stop the isolation process, persistence will force the isolation process to restart.

  5. Independence: Both EVE processes, E.V.E.Agent and Isolation, are separate. This means that if a security product, malware or script should terminate the main process, the isolation will always remain independent and active.
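The following is an added illustration of the default-deny decision logic described in points 2 and 3 and in the IPv4-only note above; it is a user-mode model written for this page, not EVE's kernel module, and the allow-list addresses and connection attempts are constructed sample values.

```python
"""Default-deny allow-list model of endpoint isolation (added example, not EVE code)."""
import ipaddress

# Constructed allow list in the style the text describes: the platform itself plus
# third-party security tooling (EDR, SIEM, collectors). Entries may be single hosts
# or CIDR ranges. Everything not listed is blocked.
ALLOWED_ENTRIES = [
    "203.0.113.10",     # constructed: EVE Platform
    "198.51.100.0/28",  # constructed: EDR / SIEM collector range
]


def build_allowlist(entries):
    """Parse allow-list entries into IPv4 networks; the module is IPv4-only, so
    an IPv6 entry is a configuration error rather than something to silently skip."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            raise ValueError(f"isolation is IPv4-only; refusing entry {entry}")
        nets.append(net)
    return nets


def decide(dst_ip, allowlist):
    """Decision for one outbound connection: ALLOW if the destination is inside any
    allowed network, BLOCK otherwise. IPv6 traffic cannot be filtered by this model
    (the text requires IPv6 to be disabled on the endpoint), so it is reported as
    UNSUPPORTED instead of being treated as allowed."""
    addr = ipaddress.ip_address(dst_ip)
    if addr.version == 6:
        return "UNSUPPORTED"
    return "ALLOW" if any(addr in net for net in allowlist) else "BLOCK"


def evaluate(attempts, allowlist):
    """Apply decide() to a batch of (dst_ip, dst_port) attempts and return
    a mapping of decision -> list of attempts, e.g. to confirm that a subnet
    scan from an isolated endpoint is blocked in full."""
    outcome = {"ALLOW": [], "BLOCK": [], "UNSUPPORTED": []}
    for ip, port in attempts:
        outcome[decide(ip, allowlist)].append((ip, port))
    return outcome


# Constructed sample: platform check-in, EDR upload, then a /24 SMB sweep (scan).
SAMPLE_ATTEMPTS = [("203.0.113.10", 443), ("198.51.100.5", 8443)] + \
    [(f"10.0.0.{i}", 445) for i in range(1, 255)]
</test>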
