Threat Emulation support for "Push Forward" emulation
Solution

"Push Forward" emulation

"Push Forward" technology detects highly evasive and zero-day exploits in Adobe Flash objects (also known as SWF files).

This technology is part of Threat Emulation Engine Update 48.990000056, released on 09 Jan 2017.

 

Why is Adobe Flash dangerous?

In recent years, we have witnessed a huge surge of web attacks exploiting vulnerabilities in Adobe Flash. Flash vulnerabilities are constantly being found, fueling this trend.

Exploit kits focus on rapidly weaponizing new Flash vulnerabilities as they are discovered, and on delivering attacks to users before patches are available. Exploit kits are often used in malvertising attacks, infecting users who unsuspectingly browse legitimate sites.

 

Why is Flash emulation difficult?

Detonating a malicious SWF requires precise simulation of the user's web context. This is practically impossible for a traditional sandbox. As a result, sandbox solutions tend to rely heavily on signature detection and on static analysis of Flash objects. They perform very poorly when confronted with obfuscated SWF files or zero-day Flash exploits.

 

How is "Push Forward" technology different?

Push Forward is a unique patent-pending sandbox technology that combines two main elements:

  • Proactive Flash Execution Engine: Dynamically drives SWF execution in order to trigger concealed exploitation attempts.
  • Flash Exploit Detector: Detects the exact point of exploitation. This robust, evasion-resistant detection method is similar to the exploit detection that CPU Level technology provides for documents.

The combination of these two elements gives Push Forward technology the ability to detect and block highly evasive and zero-day Flash attacks that would evade other sandbox solutions.

 

Important Notes:

This solution has been verified for the specific scenario described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
