Unlike a traditional antivirus, a network antivirus does not run on the endpoints; it runs on a single dedicated network appliance that can protect any device that accesses your network. An effective network antivirus solution detects and blocks malicious content that enters your network before it is executed or opened on any of your endpoints.
Metaflows appliances monitor the transmission of all notable files (.exe, .dll, .pdf, .zip, Microsoft Office formats, etc.) on your network. The digest of each file is passed to the Network Antivirus system, which consists of 55+ antivirus solutions provided by VirusTotal, giving us the broadest possible base of signatures to use for malware detection. All files that test positive on 3 or more antivirus solutions generate high-priority alerts. Any host involved in the transmission of such files can be safely blocked and taken off the network because it is most likely compromised.
A network antivirus does not require the installation and management of antivirus software on each of the endpoints on your network. This is becoming extremely important today because of the wide use of smartphones, which cannot be reliably covered by endpoint solutions.
Intelligence updates to the antivirus system are centralized in a single location, thus avoiding constant updates to a large number of endpoints (which may be intermittently turned off or may be out of range).
Suspect content (like unsigned binaries, Microsoft documents, etc.) unknown to the available antivirus solutions can be executed or opened in a controlled environment (sandbox) to see if it poses a security threat before it is opened by the endpoint.
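The triage rule described above (digest lookup, high-priority alert at 3 or more positive engines, sandboxing for content no engine knows) can be sketched as follows. This is an added example, not Metaflows code; the use of SHA-256, the engine names, the verdict store and the transfer log are all assumptions constructed for illustration.

```python
import hashlib

POSITIVE_THRESHOLD = 3  # the page's rule: 3 or more engines => high-priority alert

def digest(body: bytes) -> str:
    # SHA-256 is an assumption; the page does not name the digest algorithm.
    return hashlib.sha256(body).hexdigest()

# Constructed file bodies standing in for captured transfers.
FLAGGED = b"constructed sample: widely flagged installer"
NOISY = b"constructed sample: report with one stray detection"
UNSEEN = b"constructed sample: binary no engine has seen"

# Hypothetical verdict store (digest -> per-engine result), constructed for the example.
VERDICTS = {
    digest(FLAGGED): {"EngineA": True, "EngineB": True, "EngineC": True, "EngineD": False},
    digest(NOISY): {"EngineA": True, "EngineB": False, "EngineC": False, "EngineD": False},
}

# Constructed transfer log: (source host, destination host, file name, body).
TRANSFERS = [
    ("203.0.113.7", "10.0.0.21", "setup.exe", FLAGGED),
    ("10.0.0.21", "10.0.0.35", "setup_copy.exe", FLAGGED),
    ("198.51.100.4", "10.0.0.40", "report.pdf", NOISY),
    ("198.51.100.9", "10.0.0.52", "tool.dll", UNSEEN),
]

def triage(transfers, verdicts, threshold=POSITIVE_THRESHOLD):
    """Sort transfers into alert / logged / sandbox and collect hosts to isolate."""
    result = {"alert": [], "logged": [], "sandbox": [], "hosts": set()}
    for src, dst, name, body in transfers:
        engines = verdicts.get(digest(body))
        if engines is None:
            # Unknown to every engine: candidate for sandbox detonation.
            result["sandbox"].append(name)
            continue
        positives = sum(engines.values())
        if positives >= threshold:
            result["alert"].append((name, positives))
            # Every host on either side of the transfer is implicated.
            result["hosts"].update((src, dst))
        else:
            # Below threshold: still recorded so it can be correlated later.
            result["logged"].append((name, positives))
    return result

if __name__ == "__main__":
    for key, value in triage(TRANSFERS, VERDICTS).items():
        print(key, sorted(value))
```

Because the lookup is keyed on the digest, the renamed copy moving between two internal hosts is caught by the same verdict as the original download.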
The detection rate of endpoint solutions ranges from 10% to 50% (the average is 20%). A network antivirus can significantly improve the overall detection rate because it can rely on multiple antivirus solutions at once (like the ones provided by VirusTotal). To illustrate this point, the measured antivirus performance table to the right shows the best 15 antivirus detection rates for the period 02/05/2019 12:26am to 02/12/2019 12:26am UTC.
The bar graph estimates the severity of the malware that was detected by the individual vendors in the same period. Some vendors have a good detection rate but do not detect the really important malware; others may have low detection rates but catch the most important malware. You can hover over the bars to see the severity for each antivirus solution.
|Antivirus Vendor||Detection Rate|
As shown in the diagram, all potentially dangerous file transmissions (.exe, .dll, .pdf, .zip, Microsoft Office formats, etc.) are logged and correlated whether or not they are actually malicious. This allows you to see what your users are uploading or downloading. In the example below, a file download event has been correlated with several other events to provide helpful context for the file transmission results. Merging file transmission records with IDS events provides an invaluable source of intelligence for detecting data exfiltration or potentially devastating user behavior.