Variant File Prevention

Note

This feature is available from version 23.1.8x and higher.

The Cybereason platform includes Variant File Prevention (VFP), a pre-execution prevention engine which uses advanced fuzzy hashing techniques to scan files and quickly identify indicative similarities and patterns of known malware families.

VFP is supported on Windows machines. For details, see Endpoint machine prevention features.

How does VFP work?

Traditional execution prevention solutions, which rely on cryptographic hashes such as MD5, SHA-1, or SHA-256 alone, are easy to bypass. Attackers are aware that any change to the malicious file will completely change its file hash value.

To address this challenge, VFP compares each file with fuzzy fingerprints that are resistant to changes. Each fingerprint covers many variants of a high-value threat. If a file is found to match the fingerprint, VFP detects it as a MalOp.
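The contrast described above, as an added example that is not Cybereason's code. The page does not say which fuzzy hashing algorithm VFP uses, so this example assumes MinHash over byte n-grams; the function names, sample bytes and match threshold are constructed for illustration.

```python
import hashlib
import random

NGRAM = 8               # bytes per overlapping window (shingle)
NUM_HASHES = 64         # number of slots in the fuzzy fingerprint
MATCH_THRESHOLD = 0.8   # assumed cut-off for "same family", not a product value

def minhash(data):
    """Per keyed hash function, keep the smallest digest seen over all n-grams."""
    grams = {data[i:i + NGRAM] for i in range(len(data) - NGRAM + 1)}
    fingerprint = []
    for salt in range(NUM_HASHES):
        key = salt.to_bytes(2, "big")
        fingerprint.append(min(
            hashlib.blake2b(g, digest_size=8, key=key).digest() for g in grams))
    return fingerprint

def similarity(fp_a, fp_b):
    """Fraction of equal slots; estimates Jaccard similarity of the n-gram sets."""
    return sum(a == b for a, b in zip(fp_a, fp_b)) / NUM_HASHES

def make_samples():
    """Constructed stand-ins: a known sample, a modified variant, an unrelated file."""
    rng = random.Random(1)
    known = bytes(rng.getrandbits(8) for _ in range(2048))
    variant = bytearray(known)
    for offset in (100, 900, 1700):          # change three bytes in place
        variant[offset] ^= 0xFF
    variant = bytes(variant) + b"\x00" * 16  # and append padding
    unrelated = bytes(rng.getrandbits(8) for _ in range(2048))
    return known, variant, unrelated

def compare(known, candidate):
    """Return (exact SHA-256 match?, fuzzy similarity) of candidate against known."""
    exact = hashlib.sha256(known).digest() == hashlib.sha256(candidate).digest()
    return exact, similarity(minhash(known), minhash(candidate))

if __name__ == "__main__":
    known, variant, unrelated = make_samples()
    for name, blob in (("variant", variant), ("unrelated", unrelated)):
        exact, score = compare(known, blob)
        print(f"{name}: sha256_match={exact} similarity={score:.2f} "
              f"fuzzy_match={score >= MATCH_THRESHOLD}")
```

The variant no longer matches on SHA-256 but still scores above the threshold, while the unrelated file scores near zero on both checks.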

See this example of a MalOp detected by VFP:

VFP MalOp

Detection and prevention of files

You can instruct the Cybereason platform to detect, prevent and/or quarantine files discovered by VFP.

When a MalOp is created due to a VFP detection, the MalOp description includes the detected fingerprint (e.g. BOF Payload, Conti_Ransomware).

You can add exclusions for specific fingerprints for the VFP feature.

See Set the Anti-Malware Modes for details on how to manage the VFP settings.