Researchers Bake Malware Protection Directly Into SSDs

Discussion in 'hardware' started by Minimalist, Sep 9, 2021.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,415
    Location:
    Slovenia
    https://www.tomshardware.com/uk/news/researchers-bake-malware-protection-directly-into-ssds
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,985
    Location:
    Mexico
    I don't like such idea. Guess it can't be disable at will. I don't want to impact performance for sake of security. I got my own measures in place to defend from ransomware.
     
  3. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    I don't believe anyone will notice 8% lower throughput because much of that is done in the background anyway. But 17% latency might be noticeable.

    So it will really depend on how the computer is being used. For simple office work, no big deal.

    I can see how this would be advantageous for government and organizational computers - and those are, for sure, the biggest targets for ransomware because they have deeper pockets than us individuals.

    Home users (especially gamers) are likely the ones to complain most, but are not the primary targets.

    Also, I suspect, and would expect the next generation of this feature will have less impact on performance.

    That said, this does not affect hard drive users. And for any users migrating from a hard drive directly to one of those baked-in ransomware protected SSDs, they will surely still be amazed at how much faster that SSD is compared to their old hard drive.
     
  4. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,155
    Location:
    Brooklyn, NY
    As someone who paid a premium price for- and got a major reduction in write speeds three weeks later, I do not want anything extra "baked" into any SSD of mine.

    If this technology will eventually "walk alongside" other SSD tech without discernible performance reduction, that's great. But consumers should be able to distinguish which product has the baked stuff and which doesn't. I would imagine you'd be paying more for this, right? No thanks. I'll manage. :cautious:
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    The thing is, it's not clear to me how this will do a better job than software based solutions, so at the moment I'm a bit skeptical.
     
  6. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    Software has to be loaded and running. If the security is at the hardware level, the malware can be blocked long before any software is loaded and run.

    Its a great idea. But it cannot noticeably impact performance if it is to be generally accepted.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    I understand this but I would like to get a bit more details. I don't see how this would perform better than HMPA and Appcheck who both monitor for suspicious file modification and can even rollback the changes.
     
  8. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    If you don't see how, then it is clear you don't understand protection at the hardware/firmware level - protection that takes effect long before programs like Appcheck can even be loaded into memory.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    Yes but ransomware will normally only work when the OS has already been loaded including security tools. So I just don't see it, I really need some more in depth information. Also, in the past I have often read about similar stuff, but somehow this "hardware based security" never really took off. An example is hardware based rootkit dectors, sounded very cool back in 2008, but never heard anything about it anymore.
     
  10. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    Huh? You are not following.
    You've been given more in this thread but you either are not reading what people are saying, not following what is being said, or choosing to ignore it. :(

    So I recommend you either drop it and move on. Or Google it and learn.

    Rootkit detectors is a different beast from rootkit blockers - just as malware detectors/scanners are different beast from malware protection built into SSDs.
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,587
    Location:
    Lloegyr
    It all sounds a bit half-baked to me.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,985
    Location:
    Mexico
    I only hope manufacturers release firmware updates periodically to fix any issue.
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    I'm sure they will - or risk major backlash from consumers.

    Beyond that, I hope they do extensive and thorough testing before releasing to market so their aren't any issues to fix! I know. I'm dreaming.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    The thing is, I haven't seen the developer mention that it provides better protection than purely software based solutions.

    Like I said, just about all malware don't start at boot time and even the developer self said that the reason why he decided to develop this is because many people don't install dedicated anti-ransomware tools, who do the exact same, namely trying to stop suspicious file modifications.

    I also suspect that many people would mind the performance hit. So I don't think this will become big. And why I mentioned the rootkit tools, is because in practice it probably didn't work as expected. Same with Bromium's micro virtualization, technically impressive but it's overkill and drains computer resources.
     
  15. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    That was incorrect before and is still incorrect. And sorry you still just are not following, or simply refuse to accept the logic behind it.

    I am sorry you don't understand how hardware level protection has advantages over OS level. That does NOT mean hardware level protection is the panacea for all malware woes, however.

    "Just about all?". :( Lots, if not most malware does indeed start during the boot process - this is exactly why security programs are designed to start working as early into the boot process as possible. You can keep saying otherwise, but that does not make it so. The trick for that malware is it has to sneak its way into and onto our systems without being noticed, then remain dormant and undetected until it can be activated next time the system boots.

    As far as this not becoming big - I suspect you are right, but not for the reasons you suggest. I don't believe it will become widespread simply because (1) UEFI (a hardware level protection method, BTW), is very effective at preventing many malicious threats. (2) Windows itself it much more secure and remains so AS LONG AS users keep it current. And (3) today's anti-malware programs (IF kept current) are much MUCH better at detecting malicious activity and blocking malicious code as it tries to sneak in, before it can become activated.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    No you are misunderstanding, but I should have been more clear, so my bad. Once malware is up and running, then yes it's going to try to achieve persistence and then they WILL start at boot time. But that's not what I'm talking about. If you can already block malware from running or doing damage, then hardware level protection has no real use. So if malware is blocked or contained, they will never get the chance to start at boot-time.

    Like I said, the developer said it himself, he doesn't claim it offers better protection than software based solutions, but it would protect users out of the box, without the need for dedicated anti-ransomware software. And besides, AV's have already become quite good into blocking ransomware, so I doubt people would accept any noticable performance hit.
     
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    NO!!!!

    Double NO!!!! NO!!!! NO!!!!! NO!!!!!

    I just don't understand why you are not getting this! o_O Forget EVERYTHING you think you know right now and start over.

    "IF" the malware is already "up and running", your entire security solution has already failed!!! Game over!

    Your router failed, your hardware based security failed, your software based security failed, your browser security failed, and YOU, the user and ALWAYS weakest link in security, failed!!! You all failed to do your jobs.

    You say "If you can already block malware from running... ." Right there, you have missed the whole point! Malware cannot run on your system, if your system (the hardware) blocks it from getting onto your system in the first place, even before your anti-malware program is running, then that's a good thing.

    Most malware does not enter our systems already running and doing malicious deeds. It comes in as an individual file, or integrated into a another program or file. Or as a macro, or some other executable. These bit of code are then typically saved to and/or "installed" on a disk until triggered by some event to run.

    Once again, NOBODY - not the author, not me, or anyone else, is suggesting this baked-in solution is a panacea for all malware woes, or that it negates the need for a decent anti-malware software program. It is just meant to be another layer of defense that can help protect our systems during those times our primary software solution is not running, or otherwise cannot defend against this threat.

     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    Seems like I still wasn't clear enough so let's back up a bit. Remember how this conversation started, it's because you said:

    And then I said, this stuff is hardly relevant, because why would security software not be running? A ransomware attack doesn't start at boot-time, it starts when the OS and security tools are already fully loaded.

    Yes exactly, it would be nice to have if it didn't degrade SSD performance.
     
  19. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    All you are doing is repeating your same incorrect statements - clearly demonstrating you just don't get it. I don't know how to explain it different, or how to get through to you.

    What I said in all 4 of my comments above that you quoted, was, and is still accurate and totally relevant.

    I see no point in discussing this further so am moving on.
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,609
    Location:
    USA
    I think this is the misunderstanding. It certainly could be triggered by something that runs at boot time, or at least beat your security software. There are many things that start before security tools are launched. They may even stop it from running at all. I've seen malicious programs that try to insert themselves into the boot process and then force a machine restart. Fortunately it was a VM and was reset with a couple of clicks.
     
  21. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    Many don't even try to "force" a restart as that action might attract unwanted attention. Instead, the malicious code may simply wait patiently until the user restarts the machine on his own volition.
     
  22. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,155
    Location:
    Brooklyn, NY
    Would Secure Boot help mitigate those kinds of threats? Wiper malware comes to mind.
     
  23. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,836
    Location:
    Nebraska, USA
    Should but the bad guys are pretty clever so they are always looking for ways to get around that, or vulnerabilities that might not yet be known or patched.
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,609
    Location:
    USA
    Only to a point. If they can create a Scheduled Task it can launch and run at full admin without elevation or messing with the boot process.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    There's nothing wrong with my statement. So you guys are either misunderstanding, or simply don't get it.

    According to Bill Bright, it's a huge advantage that it offers protection way before security tools can even run. I'm saying that this isn't relevant, since normally, ransomware gets delivered via exploit or social engineering, and then I'm talking home user PC's. After that it will have to bypass AV.

    So this stuff might indeed be handy in case AV gets bypassed, but not so much because it's able to act more early, but because it's simply an extra layer, that's all I'm saying. Besides, corporations are using EDR systems like Win Def ATP to monitor stuff in case AV gets bypassed.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.