Below OS Security - Overcoming Historical Challenges 

DeepSAFE 1.0 technology, jointly developed by McAfee and Intel, allowed McAfee to develop hardware-assisted security products that take advantage of a “deeper” security footprint than previously available.


The DeepSAFE 1.0 technology platform, using Intel® VT capabilities on Intel® Core™ i3, i5, and i7 processors, executes in a privileged mode to fight against stealthy software attacks. McAfee DeepSAFE uses processor features to monitor system behavior, including memory and CPU state changes. Memory events detected by DeepSAFE 1.0 technology instantly raise runtime integrity violations when they occur and thus give anti-malware tools the critical ability to mitigate stealthy rootkit and malware attacks in real time.


DeepSAFE 1.0 protects anti-malware engines and provides them with visibility to observe and audit changes to key processes and the operating system kernel. DeepSAFE 1.0 technology utilizes CPU-derived events to detect integrity violations and notifies verified security agents of these violations, even in the face of never-before-seen, zero-day malware attacks.

Anti-malware software needs two capabilities for runtime integrity monitoring of a large trusted computing base (TCB) and a dynamic environment like today’s operating systems. DeepSAFE 1.0 provides both of these key capabilities and enhances them via Intel silicon.

The first is execution protection (and availability) for security agents. DeepSAFE 1.0 used hardware virtualization and the VMX root privileged mode to operate beyond the operating system and provide runtime protection for anti-malware engines against malware attacks. Security agents are thereby isolated from malware executing at the same level.

The second key capability is trusted system visibility. DeepSAFE 1.0 used a direct and scalable approach to continuously monitor system and process memory, allowing security agents to apply behavioral policies. Such behavioral policies complement McAfee whitelisting techniques to protect not only the anti-malware assets in memory, but also key operating system kernel assets targeted by rootkits. Runtime protection of the user’s operating system is important to defend against the stealthy malware and blended attacks increasingly used in advanced persistent threats.


DeepSAFE 1.0 technology is a powerful platform that enables real-time and proactive behavioral anti-malware capabilities at the kernel level. DeepSAFE 1.0 overlays whitelisting and blacklisting capabilities with behavioral policies to mitigate zero-day attacks when they attempt to install a rootkit and malware within the OS kernel.

In summary, APTs use a number of techniques to infect and hook themselves into the OS where they mask themselves from detection. Today’s anti-malware solutions running as applications above the operating system are no match for the stealth techniques used by today’s malware developers. DeepSAFE 1.0 delivers hardware-assisted security products which take advantage of a “deeper” security footprint. DeepSAFE 1.0 sits below the operating system (and close to the silicon), allowing security products to have an additional vantage point to better protect computing systems.