AhnLab’s MDS: A comprehensive approach to malware management


AhnLab is no newcomer to the information security market – having been around since 1995. This offering, however, is relatively new. It is backed by a large global company with vast experience in many aspects of information security, cloud-based systems and on-premises tools. I have seen elements of this offering in many other anti-malware tools, though the hallmark of this one is that for every reason one buys individual gateways this tool has it – in one place and under a single pane of glass.

AhnLab refers to its product – MDS – as a malware defense system. I, however, think of it more as a malware management system in that it deals with malware of all types, regardless of how the malware was introduced into the enterprise, and because it provides closed loop remediation. The appliance can sit in-line or can monitor via a tap or span port. The appliance is on-premises and is in communication with a cloud system (ASD, AhnLab Smart Defense) that does heavy lifting, intelligence gathering and updating. This cloud sees about one million files per day, has more than a million sensors and 20 million anti-malware clients. Identifying zero-day threats as well as advanced persistent threats becomes much more reliable with that level of intelligence. MDS does both of those extremely well.


Product: MDS (Malware Defense System)

Company: AhnLab

Price: About $50K for fully loaded MDS2000; web, email and file all-in-one appliance handling sustained throughput speeds up to 1Gb/sec.

What it does: Malware management.

What we liked: This product takes all of the usually separate elements of malware management – email, files and web – and puts them all in a single appliance that communicates with a cloud system for heavy zero-day analysis and updating.

What we didn't like: There is nothing not to like about this product. It is the most comprehensive malware management tool I have seen to date.

It uses what the vendor refers to as multi-dimensional protection. This refers to the types of analysis and management that the system uses. It includes behavior, reputation, intelligence (ASD feeds), correlation, signature and URL/IP filtering. To accomplish this, the vendor has developed more than 250 proprietary algorithms. 

In addition to the gateway functionality provided by the appliance, there also is an ultra-light endpoint agent that communicates from endpoints to the appliance. From an analyst/operator perspective, MDS has one of the most comprehensive – and clean – user interfaces I've seen. 

The landing page, or dashboard, has a complete and uncluttered story for the quick status once-over. Then, drill-down gets to the details, administration and reporting. The amount of analysis of which this system is capable – even at first glance – is amazing. A quick glance at the dashboard reveals what is in the system, what type of threat it is – in detail – and how dangerous it is in the context of the enterprise. So, for example, you might see an infection on a particular host. You also will see the severity, the number of times infected and the name of the bug.

If one drills down, detailed descriptions are provided, including the MD5 cryptographic hash, so users can look it up themselves on sites such as VirusTotal. Yet another drill-down and one sees the details of how the infection progresses, what the bug actually does, what it infects, how it infects and so on. Next, the MDS takes those detected behaviors and places them on a timeline showing the order in which they occurred on the enterprise network.

This is a complete static/dynamic analysis in the context of one's enterprise, all performed automatically. 
