Security cluster of the future 2009 - . . .

Discussion in 'other anti-malware software' started by Kees1958, Jan 1, 2009.

  1. Kees1958 (Registered Member)

    Dear Members,

    Last year I posted a thread on what main strategic directions the security industry was heading in. Could we as bystanders figure out the contours of this future by looking at some industry innovators? Are there some general patterns of clusters of companies providing us hints for the future?

    So let's recap my most important posts:
    1. Direction https://www.wilderssecurity.com/showpost.php?p=1156260&postcount=1
    2. Players https://www.wilderssecurity.com/showpost.php?p=1156681&postcount=3

    In my January 2008 post I used the word prediction; apologies for my Dunglish (Dutch English), it should have been called a round-up (because it is based on pieces of news, it is not a prediction, just a big picture of where it is going).

    What was very nice in last year's post was that some vendors stepped in. I really enjoyed the contributions of OA, MBAM, PrevX, etc. For me their arguments helped to understand their basic philosophy and release path to implementation. This is really helpful, because it adds insight into their product development.

    So let's recap january's post:

    In terms of risk control there are some basic strategies:

    1. Stay out of risky situations; you won't need a defense when you are not attacked (e.g. Site Advisor).

    2. Reduce the vulnerable spot/attack surface (e.g. UAC and policy sandboxes).
    This is why a lot of old fortresses are built in the loop of a river or on a hill top with only one or two access roads.

    3. Control the attack vectors (traditional HIPS monitoring hooks/SDT), so you won't get hit. Normally a talkative solution that requires more user intervention. Prevention is better than cure, as all software firewall fans and classic HIPS fans will argue.

    4. Limit the damage/damage containment. In this category are antivirus (although AVs providing network and HTTP scanning are really ahead of things), policy sandboxes (because they remember the untrusted status of a downloaded file), virtualisation and yes, behavior blockers.


    These general principles are still applicable IMO, so let's continue to the clusters (2008 post recap).

    These are the clusters based on these four principles:

    1 (the easy observation of 2008) Firewalls and HIPS will integrate. The main reason is that they both focus on the attack vectors, they need each other for synergy and want to know whether an application is trustworthy or not. Examples are the leaders in their class like Comodo, Online Armor, Agnitum Outpost Pro and Look and Stop (early innovator, now losing ground).

    2 Threat gate mitigation
    I think browser-specific policy management/virtualisation (reducing the attack surface) will be combined with staying out of trouble (Site Advisor). Vista already offers phishing protection and Protected Mode; other early innovators are LinkScanner Pro and Haute Secure. Google has bought GreenBorder, maybe this search engine will provide it all (search engine, Site Advisor-like site security rating and visualisation). Who can tell? There are enough good solutions available. I do not think the Haute Secure guys would have stepped out of Microsoft when MS had plans to develop it for itself. AVG has bought LinkScanner, so things are moving. Zone Alarm, the friendly FW, is also experimenting in this direction with ZA ForceField.

    3 Anti virus will extend non-intrusive heuristics to behavior blocking
    Blacklisting is a low user knowledge security option. Heuristics and behavior blocking are different techniques to trap malware. Behavior blocking and antivirus both have to deal with the same challenge: "deal with false positives". It is therefore logical that these two similar security models (heuristics and behavior) will align and join forces.

    A way of improving heuristics and behavior blocking is by applying virtualisation. Example: a program violates a heuristics/behavior trigger, next the AV would go into virtual mode for that single process. When this suspect breaks some more laws it starts to get more and more suspicious. The virtualisation would make it easy to delay the STOP-danger decision. A postponed decision (based on more facts) will reduce the amount of false positives, while virtualisation will still make it possible to roll back (clear) the virtual data pocket. When the potential malware did not do anything wrong the virtual data could be committed to the real-world data.


    AD 1 Integration HIPS/FW
    Comodo and OA are still the leaders in the field, with Comodo rounding it up with an AV product also. OA paid has an extra option to "not be warned when an unknown program executes" (disable the classical anti-executable function); instead you choose to run this unknown program in a limited user environment (policy containment with RUN SAFER).

    My recent tests with PC Tools Firewall will put PCTFW v5 in the seat of runner up, pushing Outpost Pro (the lifetime licence is a worry) from its third position. Look and Stop (early innovator) is equalled by freeware like Netchina-S3 and shows how difficult it is to port applications to new operating systems (or shows that the investment is just too high to make it profitable with a small market size).

    AD 2 ThreatGate mitigation
    Well, Google's Chrome is a fact (browser with sandbox) by now and besides Zone Alarm, I thought Norton is also experimenting with a browser shield, both for staying out of risky places and for containment. AVG has incorporated LinkScanner into its product. Both the GeSWall and DefenseWall policy sandboxes have announced that they will provide outbound protection (or some firewall functionality), so this will certainly be a development cluster for the next few years. HauteSecure on the other hand seems to be unable to bring their product into final production status.

    Ad 3 AVs with advanced heuristics and behavioral blocking
    Of course the innovation leader ThreatFire (with VirusBuster AV engine) and the runner up A2 Malware V4 with Ikarus engine (AV), own AS/AT engine, web protection and behavioral protection (the IDS is also sold as a separate product, Mamutu). ThreatFire already uses registry and file change tracking to postpone the STOP decision (and reduce false positives), but now the new PrevX Edge also provides similar functionality. For PrevX/Edge I stand corrected. It used to be a mixed bag of all sorts of intrusion detection, but the latest Edge is definitely a promising product. PrevX has to do a bit of marketing adoption (explaining their automated research, and explaining first-victim community protection) and has some very Spyberus-like features planned in their release calendar. When PrevX is able to provide this functionality they will jump to the leader's position of this cluster. Another promising application is DriveSentry, which started as a file and registry 'firewall', but added community, heuristic analysis and a blacklist to their protection arsenal. So as other members already signalled (e.g. Diver) this is a steady cluster for the future.

    Ad 4 limit damage/risk containment
    As said, traditional members of this category will be planning threatgate mitigation also; OA has extended its features to this arena, as will Edge in future. Spyberus also seems to reach production steady state, so besides the early innovator SBIE (which is still a proud cluster leader) we will see more cross-overs in the future, possibly leading to the vanishing of this cluster. Not because the technology is not developed, but because it will be marketed differently to access larger target markets.
     
  2. andyman35 (Registered Member)

    Very interesting and relevant article there, I struggle to write my name correctly on New Year's Day, so much respect.
     
  3. blacknight (Registered Member)

    I've always been against the HIPS/FW integration. I believe that a real multi-layered defense must be based on different software, produced by different software houses. If all defense is unified in only one program/producer, it is easier to neutralize the security system of a PC. But if the PC has FW/AV, HIPS, and eventually BB, developed by different producers, the chances of passing all of them are low. It's my opinion.
     
  4. Ilya Rabinovich (Developer)

    "AVs with advanced heuristics and behavioral blocking"
    Kees, you completely forgot about KIS2009, which already has both of the features. But its total effectiveness is about 85-90%, not higher. Sandboxes have much higher defense rates.
     
  5. Kees1958 (Registered Member)

    So let's have a look at the innovation leaders.

    My assessment is based on the following principles:

    Market Pull: user acceptance issue, the non-technological point of view
    From an innovation point of view, early innovators will often be stuck in the middle, due to lacking user acceptance. To check whether the general public will adopt new technology a few questions have to be answered (all this talk is just knowledge from other people, e.g. the questions below are based on Everett M. Rogers - Diffusion of Innovations; because this is just a personal brain fart, combining fact with fiction, I am not using any references to authors).

    Questions which help to get the early majority moving (you know: innovators, early adopters, early majority, late majority, laggards, blah blah):

    1. Are the benefits clear, or is the threat against which it protects clear?
    2. Can these usage advantages be communicated in an elevator ride (in 10 to 20 seconds)?
    3. Is it simple to use/install (complexity of use, knowledge needed)?
    4. Is there a new consumption/usage behavior involved (yes means a big usage threshold)?
    5. What are the try-out consequences/risks in terms of money and social acceptance (a low try-out risk is a medicine against the fears of a new consumption pattern/behavior when the other questions are answered clearly)?

    Market Push: lasting long enough to survive the hockey stick of innovation (making cost before making any money). Basically there are two strategies: access to resources (rich mother company) or venture capital, or a lean and mean operation (often one-man-band companies) to keep costs as low as possible during product development and market adoption.

    Show me the money; access to resources or venture capital
    It is always important to determine who is actually earning money or has a clear money-earning scheme (so investors will provide the money to finance research and development). The AV industry is the oldest industry and the one making the most money. At a fair distance the FW companies arrive, while all the latest innovations are fighting to earn a decent living (HIPS-like companies). For the new guys on the block lack of growth (earning money) really is a time bomb under product innovation, so for ease of understanding let's divide them into:

    a) New guys on the block
    b) Hips/IDS like background
    c) FW background
    d) AV/AS/AT background

    Before going into detail, a new competitor arrives: Microsoft, so an operating system based background. Windows 7 will provide a configurable HIPS, like Norton's UAC tool is already providing now for Vista. Also the PatchGuard in Vista64 and Windows 7 will provide OS built-in HIPS. When the good Vista FW will also be available as an outbound firewall, the competition will have a tough time, because MickeySoft already provides IDS/AS with Windows Defender (not the best, but still comes for free with the OS) and Windows Care (AV) will be provided for free also. Windows 7 has to move users to the 64-bit platform with a clear scheme to seduce Vista users to upgrade to Windows 7 (performance, flexibility, security). Also IE8 will have some extra security features (like cross-site scripting protection etc.). So I think Microsoft will enter the security arena by providing it for free, and with an easy installation process so system administrators will see no need to use non-Microsoft setup settings. This will prepare home users for Windows 7 adoption (you are already working with it at the office). The credit crunch is also a major reason why Vista will not make it to the corporate market. Companies will postpone investments adding no significant benefits. When the credit crunch is over Windows 7 will be ready. So Microsoft will try to 'eliminate' Vista as a platform for which human capital and workforce will be needed to maintain it.

    AD A: New guys on the block
    Well, VIPRE is a serious new guy on the block in the AV market. Sunbelt also fixed up their latest FW to a solid working one and has recruited an AV veteran to ensure the release calendar is realised. I had expected Sunbelt to blow competitors off their socks with their first release. You can see the hand of Inspector Clouseau, an AV expert now responsible for VIPRE. He holds his horses (marketing-wise) until the new product philosophy really delivers competitive advantage (the VIPRE story makes sense marketing-wise, but the product does not deliver the promise yet).

    The only new contender is MalwareDefender, a beautiful one-man-band product. Being a lean operation and operating from China will possibly provide enough stamina to survive the start-up time. Another helping fact for MD is that most traditional HIPS have gone downhill, so this niche market is facing a shake-out which could be beneficial for a new product in a small market (I think HIPS users are loyal to their beliefs in respect to security, so the need for HIPS will stay for some time; it is only a very small market).

    AD B: HIPS/IDS like background
    None of the players in this segment will be able to reach the mass market when they stay in this segment. The number one reason is Windows 7 (offering free HIPS-like protection and challenging existing players to re-invest in their product to port it to the 64-bit platform).
    A few years ago we saw OA making the cross-over from HIPS to FW company. This year we have seen DriveSentry making the cross-over from 'firewall for your data' to an AV type of program (the blacklist database which they market). Besides this strategically important jump, DS also has a clear 'show me the money' scheme and a smart market approach (assigning a help desk employee to Wilders) to help this community actively develop DS. So for me DS will be an innovation leader. Another smart thing is that they concentrate on the user mode threats. When Windows 7 will provide a strong Limited User environment (and an AV), the only protection you will need is at the HKU registry and other user mode areas. So for me DriveSentry is an innovation leader. Gartner always rates companies on two axes: ability to perform and ability to implement. DriveSentry's ability to perform was not spectacular, but their ability to implement is impressive, because their strategy and marketing is top notch: I think they will show substantial growth.

    ThreatFire made the move from AV add-on to AV replacement. I think it is a great product, but the development team who stood at the basis of the innovation is still in control of current product development. With product innovation it is a golden rule to start innovation from the inside out and provide outside-in feedback. After having settled this, development does not have to be driven by innovation, but by market research/customer need feedback. The nearly ridiculous discussion of the development team of TF refusing a deny option (only quarantine or allow) shows clearly that PC Tools do not realise that the momentum has changed from innovation drive to marketing drive (hey PC Tools guys, TF is release FOUR, so you might call that a mature product). Also the inability to combine competences (good AS product, now a good firewall and a good behavior blocker) into a killer application was the reason they needed guidance; Symantec was the company who recognised the rough diamond human capital and probably bought it cheaply.

    Normally those deals are funded partly with outside capital. The new owner does not integrate this new label into its own brand. The reason for doing so is that 9 out of 10 times the company which is taken over has to pay back the lent money with interest to the outside capital providers. When they have made the deal with fluctuating interest rates, the current credit crunch (and drop in interest rates) could be very beneficial to PC Tools.

    Another HIPS-like company, PrevX, has made some technically stunning improvements. As said last year, their marketing also sucks, so while DriveSentry has a mediocre ability to perform (technical) and a very high ability to implement (marketing), I fear that for Edge they have the opposite profile: very high ability to perform, but a mediocre ability to implement. Compared to ThreatFire (PC Tools) that was not really bad, because PC Tools has the same profile, but now that PC Tools is taken over by Symantec, those TF/AS/FW features will find their way to Norton's mainstream products. This might give this promising product hard times, because a peer competitor with lousy marketing capabilities now has the luxury of access to a mainstream AV customer base. So although I stand corrected on PrevX's technical capabilities, I hope they will improve their marketing, because the product Edge deserves this.


    AD C: FW background
    Same as last year: Comodo and OA. OA had a clear usability advantage over Comodo, but the guys from Comodo are spending a lot of money to equal this. Melih and his gang have also noticed that their AV was a failure: when entering a mature market, you should have clear advantages over the existing competitors.

    As usual large companies suck when it comes to sharpness in product development and marketing (stay in the herd), so when offering a below-average product, you are bound to fail in a mature market. For me as an old IT guy and sales efficiency/interim manager with a marketing/branding background it is simply unbelievable: it is an iron rule that market leaders in one segment (e.g. Comodo FW) always ignore the golden rules of market innovation (entering the AV market), because they think they are accepted as a market leader in the new market segment also (which obviously is hardly ever the case). Look at Apple: as the market leader in media PCs (all graphic design studios use Apples), they used their trendy image to enter the mobile entertainment market (iPod) and made a lot of money out of selling streaming media. When they were accepted as the mobile media company also (stretching their PC image), they introduced the iPhone, combining mobile media with connectivity and the ease of use of their PCs. So it is possible, but you have to stretch your competencies to provide credit and trust for your new product.

    Finally Comodo has come to their senses and they decided to provide the AV as an extension of their FW/HIPS. All their resources are put into CIS, so they force existing firewall users to adopt CIS. So now they can stretch their market leadership in the FW market to enter the AV market.

    AD D: AV/AS/AT background
    We have a clear winner: A2 Malware V4 made two strategically wise decisions:
    a) jump out of the shrinking anti-spyware/anti-trojan market by offering an AV also (Ikarus, with decent detection levels)
    b) integrate their behavioral blocker into this product. It is always easier to skim down than to skim up. IDS/HIPS was initially positioned as an add-on to existing AV and FW. From a main market it is easier to enter a related niche market than vice versa. So good marketing and vision!
    c) Their surf protection (staying out of risky places) needs some tinkering, as does the elimination of Ikarus FPs.

    For me Emsisoft has the ability to perform and implement. Their only drawbacks are that they are asking premium niche market prices and that their origin is not the US (and they have a smaller customer base than the AV market leaders).

    The other winner will be Avira. Their new advanced heuristics are another breakthrough. This, combined with their low price and support of the Auerbach Foundation, large loyal customer base and outstanding performance in AV comparatives, will make them the traditional WINNER of the existing AV companies.

    Last year I also added Kaspersky (with a HIPS module for nearly two years now) and the Norton suites as well-established companies with enough product quality and installed base to stay ahead. I gave Kaspersky the innovation edge and Norton the marketing edge. Norton's recent study projects (Norton UAC Tool, browser protection) and takeover of PC Tools mean that Kaspersky will get a tougher competitor which might take the performance advantage away by implementing PC Tools' Spyware Doctor and Firewall. Because the behavioral blocker (ThreatFire) was integrated in Spyware Doctor, they only need to add Norton's AV and use their knowledge to integrate different solutions into one suite. So for me Symantec/Norton is a market leader which just secured innovation. I will follow with interest how fast integration of these two product families will be available.

    Existing AS niche market leaders such as SAS and MBAM have nice products; I am unsure how they will manage. Probably they will survive the shake-out and surprise us with innovation (SAS release 4 already had a different blacklist engine). The main reason is that freeware products such as AVG and Avast also provide AS/AT protection.

    AVG has taken over Ewido and their integrated product scored less than the combined protection of the old products. So I have my doubts on AVG, but they are US based and have the largest freeware customer base, so they will manage. Avast will provide better heuristics (currently only limited passive heuristics are implemented). For a company with such a feature backlog it is surprising how Avast can keep up with other AVs (in detection rates). Avast's cross-system knowledge will clearly provide them a head start for Windows 7. Also Avast has announced active heuristics/basic behavior blocking in 2009, so we will wait and see how they will do.

    In the traditional AV/AS/AT market, traditional cluster members with a recognised feature will probably do well within their subsegment (Eset/NOD = low hardware requirements, low FP, good heuristics; DrWeb = highest cure rate, etc.). Some products like Norman have a feature profile (active sandbox) which does not match AV test results, so when competition increases they will face hard times, or must back up the competitive feature with results in retrospective tests or in-the-wild/zero-day tests.


    Cheers Kees
     
  6. Kees1958 (Registered Member)

    Nope, had not forgotten that; my son came rolling out of his bed at two, my wife at three o'clock. This old guy had only slept from 7.30 in the morning to 12.30 this afternoon, had to provide the family with breakfast and vitamins, went to the rugby team to celebrate New Year, came back and just finished the second mail.

    Apologies for the delay.


    For DefenseWall and GeSWall, they have to market heavily on no-knowledge-required protection, given the fact that Microsoft will be providing so much for free with Windows 7. So you have to step out of the HIPS market and enter the threatgate mitigation market. I will give you a marketing slogan for free:

    HIPS complex, policy management difficult, techwitt features are BORING

    DefenseWall puts all malware under lock and key by providing limited user protection for all programs and files, without the limitations and hassle.

    Advantages of DefenseWall
    - With Vista you can run UAC in quiet mode, because DW protects against all intrusions; no UAC nag screens anymore
    - UAC or running as limited user is limited to programs; DW provides the same for files, so downloaded hidden malware is put under lock and key (by marking it untrusted)
    - No configuration required, just install; no pop-ups
     
  7. Kees1958 (Registered Member)

    Yes, you have the theoretical advantage of different software with different intrusion opportunities (which you outlined), of different development teams making different mistakes, so the chance that all security goes down with one intrusion is very, very low.

    On the other hand an integrated package has the theoretical advantage of a reduced attack surface, modules which can be reused and a guaranteed seamless match of interfaces and protection territory (when applying a multi-level defense, there has to be overlap to ensure a seamless match of interfaces and protection territory, so suites could provide a performance advantage).
     
  8. blacknight (Registered Member)


    That's right, and moreover two or more different and complex security products can create conflicts, especially when installing themselves at low level and hooking and checking the same APIs. I believe that the terms of the question and of the choice are how to balance and resolve these alternatives: security advantage vs performance and stability advantage. I'm always looking for the best combination. :)
     
  9. blacknight (Registered Member)

    Kees1958, about DS: I like it, and it has improved its stability in the system and its ability to work with other security software. I agree that it can grow. But I see that its development times are long, and not so foreseeable or scheduled. The new FW version was to be released, it seemed, at the end of November, for example.... Most important for me, I believe and I expect a strong improvement in the HIPS features, i.e. the ability to create individual rules to allow/block low-level disk access, physical memory access... a complete monitoring of the system and of its levels and processes... If it adds this kind of features I think it really can become a great piece of software.
     
  10. Rmus (Exploit Analyst)

    As I look at the security landscape, I don't see much change. Oh for sure, the malware writers have become more sophisticated in what their malware can do, how it can hide itself once installed, making removal more difficult, etc. But how does that influence your strategy of prevention?

    It seems to me that before risk control, should come risk assessment. What hasn't changed are the ways malware writers deliver their payload, and this is what should be the basis of a security strategy/security solutions.

    These delivery methods are:

    1. Sneaking in without any user action

    2. Installing by user action

    Sneaking in without any user action

    Risk Assessment: we can start with malware delivered through ports on the internet. The most notorious examples are MSBlaster (port 135) and Sasser (port 445).

    • Risk control (prevention): We now know that by either closing the ports with tweaks within the operating system, or by inbound filtering with a firewall or router, this type of threat is pretty much a non-issue today.

    Risk Assessment: Surfing the internet 1. All browser exploits (drive-by downloads) in the wild target IE. Many vulnerabilities have been noted for Opera and Firefox, but these are quickly patched/updated.

    • Risk control (prevention): Understand how to configure IE for maximum security; use a different browser.

    Risk Assessment: Surfing the internet 2. There are exploits on the web for applications such as Adobe Reader, QuickTime and Flash, which are not browser specific. All of the exploits in the wild for both browsers and other applications have as their payload a trojan executable.

    • Risk control (prevention): Any white list solution which intercepts unauthorized executables from downloading/installing.

    With one simple solution you have effectively closed the door on this attack method. I use "solution" rather than "product" because Software Restriction Policies (SRP), which do the job, are not a separate product to install.

    Installing by user action

    In this situation, the user is confronted with a decision to make: to install or not to install.

    Risk Assessment-1: Phishing scams, popups warning that your computer is infected (Winantivirus2009), tricks to provide your login information (recent IM spam scam), tricks to get you to watch a video (update_flash.exe exploits), and many others

    • Risk control (prevention): Pretty obvious, for example, having firm policies/procedures in place, such as "If you didn't go looking for it, don't install it" (Brian Krebs). You can think of many others.

    Risk Assessment-2: Installing new programs

    • Risk control (prevention): There are two choices:

      1. You trust your judgment, confidence in the source

      2. You trust a scanner

    This is a start. For most of the home situations I've been involved in, this takes care of everything. Others will consider a network, P2P, etc., in which case a further risk assessment may lead to additional solutions required.

    I submit that a careful risk assessment will result in very few security products needed to bolster one's security strategy. Otherwise, without assessing your own risks and understanding what exactly you are protecting against, discussions of security become a mumble-jumble of technobabble, much beyond the comprehension of many people.

    This often leads to piling on of security products without really understanding what is going on.


    ----
    rich
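As an added example, not part of Rmus's post or anything the thread's authors published, this PowerShell script builds the kind of default-deny Software Restriction Policy he refers to by writing the local machine SRP keys directly. The level codes, value names and the CodeIdentifiers key layout are the standard SRP registry format; the allow paths, the deny rule on the temp directory, the log file location and the helper name Add-SrpPathRule are my own choices for this illustration.

```powershell
# Added example: minimal default-deny SRP written to the local machine policy.
# Assumptions: elevated PowerShell on Windows XP/Vista/7; SRP reads its policy
# from HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
# A reboot or "gpupdate /force" is needed afterwards for the policy to reload.

$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 262144   # 0x40000: security level "Unrestricted" (allow rule)
$Disallowed   = 0        # security level "Disallowed"            (deny rule)

# Helper (my own, not an SRP API): create one path rule under <Level>\Paths\{GUID}
function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Description,
        [int]$Level = 262144
    )
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = Join-Path $base "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %SystemRoot% etc. are expanded when evaluated
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $key
}

New-Item -Path $base -Force | Out-Null
# DefaultLevel 0 = Disallowed: anything not matched by an allow rule cannot run.
Set-ItemProperty -Path $base -Name DefaultLevel       -Type DWord -Value $Disallowed
# 1 = enforce on executables but not DLLs; 2 would also check every library load.
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1
# 0 = apply to all users including local administrators (1 would exempt admins).
Set-ItemProperty -Path $base -Name PolicyScope        -Type DWord -Value 0
# File types treated as executable by ShellExecute (subset of the policy editor's default list).
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value @(
    'BAT','CMD','COM','CPL','EXE','HTA','JS','LNK','MSI','PIF','REG','SCR','VBS','WSF')
# Advanced logging: every SRP decision is appended here, useful for tuning the allow list.
Set-ItemProperty -Path $base -Name LogFileName -Type String -Value 'C:\Windows\Temp\srp.log'

# Allow only what a standard user needs to run. User-writable locations (profile,
# temp, downloads) are deliberately absent, so a dropped trojan executable matches
# no allow rule and falls through to the Disallowed default level.
Add-SrpPathRule -Path '%SystemRoot%'        -Description 'Windows directory'
Add-SrpPathRule -Path '%ProgramFiles%'      -Description 'Installed programs'
Add-SrpPathRule -Path '%ProgramFiles(x86)%' -Description 'Installed 32-bit programs (x64 hosts)'
# Explicit deny for the per-user temp directory: a Disallowed rule wins over any
# broader allow rule that might later be added above it in the tree.
Add-SrpPathRule -Path '%TEMP%' -Description 'User temp directory' -Level $Disallowed

# Print the resulting rule set (level, path, description) for review.
Get-ChildItem -Path $base -Recurse |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Level       = $_.PSParentPath.Split('\')[-2]
            Path        = $p.ItemData
            Description = $p.Description
        }
    } | Format-Table -AutoSize
```

Applying this with TransparentEnabled set to 1 keeps DLL loads out of scope, which is the usual starting point; raising it to 2 catches library-based payloads too but needs a much larger allow list.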
     
  11. Miyasashi (Registered Member)

    Nice thread :)

    There are too many different kinds of security software around at the moment... but what combination would be a killer setup?

    Example:

    Realtime:
    - Avira Antivir Free
    - Sandboxed Browsing with Sandboxie
    - Addons for Firefox (Noscript / Adblock)

    On-Demand:
    - Spywareblaster
    - SuperAntiSpyware

    That's what I have at the moment and it works, but there could be lighter combinations available.

    Maybe you could help me or others with choosing even if it's simple examples.

    I can read and read and read, but some software doesn't work together well and some doesn't work properly on Vista, like DefenseWall's GUI crashing on me ... heard it will be fixed in the future though.

    And maybe a way to test your setup? Unless you're doing it all virtualized of course :p
     
  12. TechOutsider (Registered Member)

    I use XP, NAV09, and Windows/my hardware Firewall ...

    As for Windows 7, I have Norton installed successfully. Not much for Symantec to do ...

    And yes, the PC Tools and Symantec merger will be extremely interesting. Norton has had an established history of low false positives; PC Tools, especially ThreatFire, tends to be liberal when it comes to heuristics.

     
  13. Kees1958 (Registered Member)

    True, except Google Chrome is a spectacular move and Microsoft's effort to deliver Windows 7 real fast.

    Rich,

    I do not want to be a smart ass, but risk assessment is against intrusion scenarios, which you called delivery methods. So according to management theory it is on a tactical level, hence it comes after one has selected the appropriate solutions. With scenarios you will choose against which real-life (known) risks you want to be protected. This will help you in choosing the products/solutions to put in place.

    Rmus, these are one of the scenarios; other scenarios/delivery methods could be

    - Social engineering (sneaking in with user action)
    - Execution with embedded code (distributed processing comes with code hidden in normal data files; think of OLE, DCOM, J2EE, XML, etc., so normal data files can have code hidden in them)

    - Execution via an error in a host system object, called EXPLOITS, such as the browser, the operating system, the database, etc.


    Rich, would you provide some basic policies/solutions to deal with these as you did with sneaking in without user action and execution by user? Thanks!

    Cheers

    Kees
     
  14. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Emerging security risks include VirusTotal and various other free, public, web-based online file scanners, such as ThreatExpert.

    Such tools are invaluable when it comes to determining if a file is malicious/safe; however, it is a double-edged sword; malware, specifically adware writers, can also use those sites to test their programs and determine how to evade AVs' generic detection, heuristics, and various other tools used to detect adware. Adware is very controversial by definition and has no absolute definition.

    Thus, should those sites be closed to the general public and be available only to reputable AV companies alone?

    I have a vision of every AV company using such sites to test collected samples; this collective intelligence will reduce the number of FPs overall in the AV industry and increase detection by every single AV; not just a second opinion, but opinions by over 30-some AVs. All of the time, I find out that the majority is indeed correct on VirusTotal. Look at Panda. I often use their ActiveScan 2.0 service, which often roots out malware that slipped past my defense system.

    And to further drive the point home, adware writers, such as the ones who wrote AntiVirus 2009, will be left in the dark; they have no way of knowing how their malicious program will fare against a sizable amount of AVs ... increasing detection further.

    Bottom line is that VT and TE aid adware writers. If closed to the public, they can help AV companies unify and increase detection as a whole.

    http://community.norton.com/norton/...dback&message.id=23218&query.id=763346#M23218

    Read Orla_Cox's post.
     
    Last edited: Jan 2, 2009
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    [re-written to add and clarify examples]

    Hello, Kees,

    I'm not sure what you are referring to. Can you explain more what you mean about "management theory?"

    Sure.

    - Social engineering (sneaking in with user action)

    I'm going to guess that you refer to choosing to open a file on the web which then turns out to remotely execute code to download malware. I suppose media files are a common example. Take the Windows Media File (WMF) exploit a while back. A malformed WMF file made use of a buffer overflow vulnerability to download malware. Here is a description of the code which triggered the download:

    You can read the full analysis here:

    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html

    While the file is run with user action, since the payload executable is executed remotely, I put it with the remote code execution exploits and suggested a White List solution to block the payload. It doesn't really matter how you categorize - whatever helps to analyze the various types of exploits.

    At that time I wasn't in contact with the person with SRP configured who has done much testing for me of these exploits, but I did test with a White List product, Anti-Executable. The malicious file was wmf_exp.wmf and the payload was ioo.exe:

    [image]

    Other examples which would be similarly blocked:

    PDF

    http://vil.nai.com/vil/content/v_139103.htm
    SWF

    Malicious swf files?
    http://isc.sans.org/diary.html?storyid=4468
    Quicktime

    Symantec has found active exploit code in the wild for an unpatched Apple QuickTime vulnerability.
    http://www.builderau.com.au/news/so...loit-in-the-wild/0,339028227,339284259,00.htm
    - Execution with embedded code (distributed processing comes with code hidden in normal data files; think of OLE, DCOM, J2EE, XML, etc., so normal data files can have code hidden in them)

    The OLE (Object Linking and Embedding) structure of MSWord documents has been exploited in targeted attacks. Here is a description:

    The full analysis is here: http://www.securityfocus.com/infocus/1874

    An analysis from a previous Word exploit included this:
    http://www.eweek.com/c/a/Security/Alert-Raised-for-MS-Word-ZeroDay-Attack/
    Because company personnel use MSWord daily, this attack, while not widespread, has been successful where targeted. Unfortunately, as I've confirmed with a number of Systems Administrators, locking down the workstations with White List solutions is not considered practical. Therefore, they depend on AntiVirus solutions, which, as in this case, often suffer from lack of a signature to identify the malware.

    To test, someone found a document that attempted to extract a malicious DLL file, and as an executable payload, it is easily blocked; hence, I put this type of attack in the remote code execution category with appropriate prevention:

    [image]

    - Execution via an error in a host system object, called EXPLOITS, such as the browser, the operating system, the database, etc.

    These are easy to find and are probably the most common type of exploit. Here is an IE browser exploit blocked by a system with Software Restriction Policies:

    [image]

    Here is the same exploit blocked by Comodo:

    comodo.jpg

    My own preference is for a Default-Deny solution, such as SRP or Anti-Executable, so that in these remote code execution exploits, there is no option to "Allow." No decision to make. An important consideration, IMO, for many home situations.

    There are many ways of categorizing exploits into delivery methods. Lumping everything into two is just easier for me to keep track of things. Helps me keep it simple!


    ----
    rich
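    To make the Default-Deny point above concrete, here is an added example (not Rmus's test setup, not SRP's or Anti-Executable's real code) that models a path-based execution rule the way an SRP-style whitelist does: execution is allowed only from trusted directory trees, and a payload dropped anywhere else is refused with no "Allow" prompt. The allowed roots, the user directories and every file name except ioo.exe and wmf_exp.wmf (taken from the post above) are constructed for the example.

    ```python
    import ntpath

    # Constructed default-deny policy in the spirit of the SRP / Anti-Executable
    # setups described above (example values, not any product's real rule set).
    ALLOWED_ROOTS = (r"C:\Windows", r"C:\Program Files")

    # File types the policy treats as executable; anything else is data and lies
    # outside the scope of an execution rule. The exploit's *payload* is what gets blocked.
    EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}


    def canonical(path):
        """Collapse '..' segments and normalise case, so that path tricks cannot
        smuggle a file past a simple prefix comparison."""
        return ntpath.normcase(ntpath.normpath(path))


    def is_under(path, root):
        """True if path lies inside root. The trailing separator stops a sibling
        directory such as 'C:\\Program Files Evil' from matching 'C:\\Program Files'."""
        root_prefix = canonical(root).rstrip("\\") + "\\"
        return canonical(path).startswith(root_prefix)


    def decide(path):
        """Default-deny verdict: 'allow' only from an allowed root, 'deny' from
        anywhere else, 'not-executable' for data files the rule does not govern."""
        _, ext = ntpath.splitext(canonical(path))
        if ext not in EXECUTABLE_EXTENSIONS:
            return "not-executable"
        if any(is_under(path, root) for root in ALLOWED_ROOTS):
            return "allow"
        return "deny"


    def evaluate(attempts):
        """Map each attempted launch to its verdict."""
        return {p: decide(p) for p in attempts}


    # Constructed launch attempts. ioo.exe and wmf_exp.wmf are the names from the
    # post above; the directories and the other file names are made up.
    ATTEMPTS = [
        r"C:\Program Files\Mozilla Firefox\firefox.exe",                       # trusted tree
        r"C:\WINDOWS\system32\notepad.exe",                                      # case differs from the rule
        r"C:\Documents and Settings\mom\Local Settings\Temp\ioo.exe",            # WMF payload in temp
        r"C:\Program Files\..\Documents and Settings\mom\Desktop\payload.dll",  # '..' escape attempt
        r"C:\Program Files Evil\dropper.exe",                                    # sibling-directory prefix trick
        r"C:\Documents and Settings\mom\Desktop\wmf_exp.wmf",                    # data file, not governed
    ]

    if __name__ == "__main__":
        for path, verdict in evaluate(ATTEMPTS).items():
            print(f"{verdict:15} {path}")
    ```

    The two tricky cases are the `..` segment and the sibling directory whose name merely begins with an allowed root; both are denied because the comparison is done on the canonical path with a trailing separator. A path-based rule is only as strong as the ACLs on the allowed trees: any directory under an allowed root that a standard user can write to is a hole in the policy, which is why the account should be a limited user and the trusted trees should not be user-writable.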
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rich,

    Thanks for explaining and taking the trouble to illustrate these with some samples. It is those exploits which made me choose DefenseWall as easy LUA containment of both files and programs for my Mom of 75.

    I hope that these examples also illustrate to file virtualisation addicts (e.g. SBIE or SafeSpace) that when you move a file (with embedded code targeting an exploit) out of the sandbox, you can be screwed also. So it is not just programs which are a potential threat source.

    Note (management theory):
    - When you apply some security from a static/general point of view (which is always applicable in any situation), it is more on a strategic level
    - When you assess delivery methods of malware, you get into scenarios, or more a tactical level; scenarios help to select the correct set of application programs, like you illustrated (are they effective in a specific malware delivery scenario)
    - Actual setup testing with PoC samples is operational fine-tuning

    Cheers & thx

    Kees
     
  17. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Actually, I get too many pop-ups to give DW to my parents or my wife. Many times DW freezes/asks repeatedly during these pop-ups.
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    DW is perfect when you use programs that are "pre-treated" from Ilya. There is an initialization file with many such presets, with registry entries allowed by default, etc. In these cases, DW won't give a single pop up.

    Different is the story if you happen to run some application that isn't quite "normal" and isn't in the presets. Then you will see pop-ups or a myriad of log entries (that make it hard to spot actually suspicious entries). I had such issues with eMule (which still, in pre-2.46, generates tons of log entries), uTorrent (I use an unusual download folder that required me to make adjustments) and RocketDock (tons of log entries in 2.45, I think fixed in pre-2.46).

    In such cases you must report to Ilya the specific application and wait for a fix, if there is no way you can fix it through defense excludes etc.

    But for most ordinary users, like Kees' mother, DW won't ever show anything.
     
    Last edited: Jan 3, 2009
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    DefenseWall is an excellent app and in my viewpoint would go hand in hand with Sandboxie for simplicity and security. It is a lot easier for an expert,:cautious: like me to use compared to GesWall.
     
  20. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Go to the DW forums and download the latest version. V2.46.
    It's a skinless version with some other improvements.
    Might make a difference for you.
    Hugger
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What pop-ups are you getting? Because this is very rare. Ever contacted Ilya about it? Believe me, I get zero pop-ups.
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It shouldn't be like that. It's not normal. What causes it?
     
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    The freezes are from the buggy skin. Try the pre-2.46 version (available at the gladiator forum). It's skinless, and so these kinds of bugs should cease to exist.

    The pop-ups must come from a "weird" application. Or you have messed up the settings. If you inform Ilya by sending a log, he will fix it.
     
  24. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I'm using uTorrent too and have no problems with it. What kind of entries do you have there? Have you finished all the P2P downloads before applying DefenseWall? If you didn't, you just need to add its download folder into the "Defense Excludes" list. Also, logs are only technical information, nothing more.

    Yes, I don't think it's a problem. Usually, I fix everything up quite quickly.
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I am not running DW right now; that was back in 2.45. Indeed, I had to put the download folder into defense excludes. I tried briefly the first pre-2.46; eMule was working fine, but I had multiple log entries complaining about it. I don't remember the details of what the entries were, unfortunately.

    Yes, i can confirm this. I mailed you many times and got response in minutes! :thumb:
     