Variant Payload Prevention

Note

Variant payload prevention is supported on Windows 10 RS2 and later versions. From version 23.2.10x, it is also in EA (Early Availability) stage for Linux machines.

Cybereason Variant payload prevention performs real-time analysis of memory executions and detects every fragment of malicious code.

How does VPP work?

Today’s sophisticated attackers use a number of methods to obfuscate their attacks and bypass security tools. These methods include fileless malware that leaves no trace on disk, in-memory decryption of payloads, and deliberate modification of malware that creates a unique variant for each attack. Since writing new malware is expensive and time consuming, taking existing malware and creating a new variant is relatively easy and highly effective for attackers.

To help counter this attacker advantage, Cybereason Variant payload prevention performs real-time analysis of memory executions and detects every fragment of malicious code. Variant payload prevention does not require parsing; it scans memory directly to reveal the malware. It identifies previously unknown malware by its “genetic” similarity to existing malware, producing a powerful fingerprint that is immune to subtle code modifications.

These fingerprints are effective for detecting highly elusive attack tools that usually go undetected by other NGAV engines because of their evasive nature.
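The contrast drawn above, an exact hash that breaks on any edit versus a similarity-based fingerprint that survives small code changes, illustrated with a toy similarity measure. This is an added example, not Cybereason code, and it does not show how the product's own fingerprint is built (the page does not describe that); the byte n-gram Jaccard measure, the 0.7 threshold and the constructed sample bytes are all assumptions made for the illustration.

```python
import hashlib
import random

# Constructed sample byte sequences standing in for payloads (not real malware):
# a "known family" sample, a lightly edited variant of it, and an unrelated blob.
def _pseudo_random_bytes(seed: int, length: int = 512) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

KNOWN_SAMPLE = _pseudo_random_bytes(1)
UNRELATED = _pseudo_random_bytes(2)

def make_variant(data: bytes) -> bytes:
    """Simulate a subtly modified variant: flip three scattered bytes and insert
    two filler bytes, which shifts every offset after the insertion point."""
    buf = bytearray(data)
    for pos in (40, 200, 333):
        buf[pos] ^= 0x5A
    buf[256:256] = b"\x90\x90"
    return bytes(buf)

VARIANT = make_variant(KNOWN_SAMPLE)

def exact_hash(data: bytes) -> str:
    """Traditional exact-match signature: any single-byte change produces a new value."""
    return hashlib.sha256(data).hexdigest()

def fingerprint(data: bytes, n: int = 4) -> frozenset:
    """Fuzzy fingerprint (assumed technique): the set of overlapping n-byte
    substrings. Only n-grams that overlap an edited byte change, and an
    insertion leaves n-grams elsewhere intact, so most of the set survives."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of two fingerprints, in the range 0.0 to 1.0."""
    fa, fb = fingerprint(a, n), fingerprint(b, n)
    union = fa | fb
    return len(fa & fb) / len(union) if union else 1.0

def matches_family(candidate: bytes, family_sample: bytes, threshold: float = 0.7) -> bool:
    """Decision a similarity-based engine would make for a scanned memory region."""
    return similarity(candidate, family_sample) >= threshold

if __name__ == "__main__":
    print("exact hash unchanged by variant:", exact_hash(KNOWN_SAMPLE) == exact_hash(VARIANT))
    print("variant similarity:   %.3f" % similarity(KNOWN_SAMPLE, VARIANT))
    print("unrelated similarity: %.3f" % similarity(KNOWN_SAMPLE, UNRELATED))
    print("variant flagged:", matches_family(VARIANT, KNOWN_SAMPLE))
    print("unrelated flagged:", matches_family(UNRELATED, KNOWN_SAMPLE))
```

Running it shows the SHA-256 of the variant differing from the known sample while the n-gram similarity stays above 0.9, so the variant is still flagged and the unrelated blob is not.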

Detection and prevention

You can use Variant payload prevention as a powerful protection layer on top of Behavioral execution prevention, or independently, even when Behavioral execution prevention is disabled.

For information on how to configure this feature, see Set the Variant payload prevention mode.

Variant payload prevention currently detects and prevents the following threats:

  • Cobalt Strike
  • Emotet
  • LockBit 3.0
  • Qbot
  • BlackBasta
  • Donut
  • Dridex
  • Zloader
  • MSF Shellcodes
  • SystemBC
  • Meterpreter
  • Hancitor
  • BazarLoader
  • sRDI Shellcodes
  • Conti
  • Mimikatz
  • IcedID
  • Gozi
  • Reflective DLL Shellcodes

and more.