Jump to content

Multi-Vector Virtual Execution (MVX) engine


The core of the FireEye platform is the patented Multi-Vector Virtual Execution (MVX) engine, which provides dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted advanced persistent threat (APT) attacks by detonating suspicious files, Web objects, and email attachments within instrumented virtual machine environments.

FireEye Virtualized Detection Model

New Model Threat Protection

Today's advanced cyber attacks are dynamic, stealthy, targeted, and well-funded. These multi-vector and multi-stage attacks are able to easily evade traditional defenses such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), secure gateways, and anti-virus (AV), as proven by the plethora of attacks sustained by enterprises, some of them making headlines, despite billions of dollars invested in security. A new and more sophisticated approach towards threat prevention is needed to thwart today's attacks.

The MVX engine performs multi-flow analysis to understand the full context of a cyber attack. Stateful attack analysis is critical to trigger analysis of the entire attack life cycle, from initial exploit to data exfiltration. This is why point products that focus on single objects (e.g., malware executable (EXE), dynamic linked library (DLL), or portable document format (PDF) file types) will miss the vast majority of attacks as they are blind to the full attack life cycle.

The FireEye MVX engine approaches threat prevention from a perspective of efficacy and timeliness of response. The core of MVX begins with the FireEye hardened hypervisor, a purpose-built hypervisor designed for threat analysis with built-in countermeasures against malware. This hardened hypervisor supports numerous parallel execution environments or virtual machines with a combination of operating systems, service packs, and applications. Each of these virtual machines performs multi-flow analysis in a contained environment to identify malware and its key behavioral characteristics. Newly discovered malware is installed and executed until completion within the MVX engine so that malware file locations, new registry keys, processes, etc. are all tracked in addition to outbound callback destinations. Now, analysis of polymorphic malware can be reliably automated to create dynamic blocking of inbound zero-day attacks and their outbound transmissions. This FireEye-pioneered and patented signature-less approach to malware analysis and detection enables the FireEye platform to protect against stealthy, zero-day, and targeted threats.

Local malware intelligence generated by each MVX engine provides real-time malware forensics used to protect the local network. This analysis may be shared locally with other FireEye and partner products in the enterprise (Dynamic Threat Intelligence enterprise) to allow for timely protection across various vectors. This analysis may be shared globally through the Dynamic Threat Intelligence (DTI) cloud to enable proactive security via shared intelligence.

FireEye Dynamic Threat Intelligence

FireEye MVX engine core

The MVX engine couples speed and accuracy with scale. The FireEye hypervisor is designed for threat analysis and allows several virtual machines to be run on a single machine, while also leveraging parallel micro-tasks within a virtual machine to speed up execution. Complementing the scale of the core MVX, the FireEye multi-stage analysis is designed to further scale the platform to handle real-world high-speed traffic streams and yet stand up to scrutiny.

MVX Multi-Stage Analysis

FireEye MVX engine


  • Actively analyzes unknown code and suspicious Web objects – Objects are executed against a range of browsers, plug-ins, applications, and operating environments. The signature-less MVX engine identifies the use of zero-day exploits, confirms a Web attack is underway, and blocks callbacks and subsequent malware downloads over multiple protocols.
  • Detonates all email attachments within virtual environments – All attachments can be safely and accurately analyzed to identify zero-day exploits. Beyond signature- and reputation-based systems, the MVX engine can detect if previously legitimate files have been weaponized and sent via spear-phishing emails to penetrate enterprise defenses.
  • Analyzes for weaponized files on network file shares – The MVX engine can be used to scan CIFS-compatible file shares to detect and stop advanced targeted attacks embedded within weaponized Microsoft Office files, images, PDFs, Flash, or ZIP/RAR/TNEF archives.
  • Patented virtualization technology – The FireEye hardened hypervisor is designed for threat analysis and built with an evolving set of countermeasures to guard against malware.
  • Multi-stage inspection and blocking engine – Stops unknown and zero-day attacks while simultaneously eliminating false positives. The multi-stage inspection uses intelligent technologies to scale while accurately blocking advanced malware that is used to penetrate networks and steal resources and sensitive data.