Does the improved web protection also apply to the free version?
Hi, yes, it's included in both versions (the paid version contains an additional SecureDNS feature that can protect in a more generic way against DNS spoofing and DNS attacks). We have improved the DNS scanner and parser in the Webshield component to detect/block multiple types of C2 communication via DNS traffic:
- Support for detecting C2 callbacks, data exfiltration and payload delivery through the TXT records
- Support for detecting DNS C2 tunneling through the malicious NS servers
- Scanner supports scanning of A, AAAA, PTR, NX, MX, TXT DNS records, both directions (depending on the signature)
This feature is mainly focused on the post-infection stage of malware execution, focused on sophisticated malware strains. For example, GuptiMiner uses DNS TXT payloads tunneled through valid SPF domains like spf.microsoft.com, which we weren't able to block/track in previous versions. This new feature also helps with cleaning the already infected system - the blocked process is immediately scanned by the engine/behavior shield and eventually deleted, quarantined, terminated, etc.
Those new detections are currently turned on only for particular malware families and they can be recognized by the dns:// prefix in block dialog, see attached screen.
Thnx, David.
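As an added illustration of the kind of DNS-side checks the reply above describes (TXT-record payloads and tunneling through encoded labels), the following Python runs two defender-side heuristics over a constructed log. It is example code, not Avast's Webshield implementation or its signatures; the log layout, thresholds and sample names are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample lines (not a real product's log format), laid out as
# "<dir> <qtype> <name> <rdata>" with dir Q for a query and R for a response.
SAMPLE_LOG = """\
R TXT spf.example.com v=spf1 include:_spf.example.net -all
R TXT _dmarc.example.com v=DMARC1; p=reject; rua=mailto:d@example.com
R TXT update.example.org Q2FsbCBob21lIHRvIGMyLmV4YW1wbGUubmV0IGFuZCBmZXRjaCBzdGFnZTIuYmlu
Q A 3f9a1c7e2b4d6a8f0e1c3b5d7f9a2c4e9b1d3f5a.c1.tun.example.net -
Q A www.example.com -
"""

# TXT records that legitimately live on SPF/DKIM/DMARC names; skipped by the payload check
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # base64 / base64url / hex alphabet

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def txt_looks_like_payload(rdata: str) -> bool:
    """Flag TXT rdata that is not a known policy record and looks like an encoded
    blob: one long token from the base64/hex alphabet with high entropy (heuristic)."""
    if rdata.lower().startswith(BENIGN_TXT_PREFIXES):
        return False
    return len(rdata) >= 40 and ENCODED_RE.match(rdata) is not None and shannon_entropy(rdata) > 4.0

def name_looks_like_tunnel(name: str) -> bool:
    """Flag query names that carry data in their labels: any label longer than
    30 chars from a hex/base32-style alphabet, or an unusually deep name (heuristic)."""
    labels = name.rstrip(".").split(".")
    long_encoded = any(len(lab) > 30 and re.fullmatch(r"[a-z0-9]+", lab) for lab in labels)
    return long_encoded or len(labels) > 6

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (reason, name) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        direction, qtype, name, rdata = parts
        if direction == "R" and qtype == "TXT" and txt_looks_like_payload(rdata):
            hits.append(("txt-payload", name))
        elif qtype in ("A", "AAAA") and name_looks_like_tunnel(name):
            hits.append(("tunnel-label", name))
    return hits
```

Real detections pair heuristics like these with family-specific signatures; on their own they will also flag benign high-entropy TXT records such as verification tokens.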