upnorth

Level 25
Content Creator
Verified
Joined
Jul 27, 2015
Messages
1,449
#1
How DeepGuard work
When DeepGuard detects a program attempting to make potentially harmful changes to the system, it allows the program to run in a safe-zone, unless you have specifically allowed or blocked the program.

In the safe-zone, the program cannot harm your computer. DeepGuard analyzes what changes the program tried to make, and based on this, decides how likely the program is to be malware .

DeepGuard automatically either allows or blocks the program, or asks you whether to allow or block the program, depending on:

  • how likely the program is to be malware , and
  • which action you have told DeepGuard to take when it detects a potentially harmful attempt to change the system.
This whitepaper was last time updated 13 June 2016.

Full source : http://bit.do/f-secure-deepguard-whitepaper

Quote : " This whitepaper explains the trends and developments in computing that have made host-based behavioral analysis and exploit interception necessary elements of computer security and provides an overview of the technology and methodology used by DeepGuard, the Host-based Intrusion Prevention System (HIPS) of F-Secure’s security products. DeepGuard offers dynamic proactive behavioral analysis technology that efficiently identifies and intercepts malicious behavior. When used in tandem with other components of a multi-layered security approach, DeepGuard provides lightweight and comprehensive endpoint protection with minimal impact to the user experience. "

" The purpose of this document is to help customers better understand how F-Secure products function, and the benefits F-Secure DeepGuard provides. This document is not designed to be a legally binding agreement that defines the content of products and services provided by F-Secure Corporation. y F-Secure DeepGuard, as with any of our other products and services, is a constantly evolving set of software, systems and processes. "

" Ideally, protection should begin even before the machine environment is reached "



" Whenever a file arrives on a machine, is installed or modified, it is first scanned using a file scanning engine to determine if it is a known threat. File scanning engines use custom, family, generic and heuristic detections, which respectively identify specific malware, families of malware with similar features, and broad ranges of malicious physical features and behavior patterns. If the file’s characteristics match those of previously seen malware, it is blocked. Though often overlooked in favor of more sophisticated technology, file scanning engines are still an effective method of identifying and blocking the vast majority of malware seen to date, protecting users against lingering threats such as Downadup[3] or Sality[4], which debuted and peaked years ago but are still present in the wild, where they continue to infect new victims. If the file isn’t identified as a known threat, a query is sent to F-Secure’s cloud infrastructure to gather the latest metadata available for the file. Analysis is subsequently handled by DeepGuard, which collectively handles all the behavioral analysis, process monitoring and exploit interception of suspect files, both at the point of application launch and during execution. "

" Given the short-lived nature of most malware variants, the detections created for file scanning approaches tend to lose effectiveness rather quickly. In contrast, behavioral detections can effectively identify malware over a much longer time period, as malware behavior is much less mutable. DeepGuard observes an application’s behavior and prevents any potentially harmful action from successfully completing. The apparently simple nature of this task belies its importance however, as this proactive, on-thefly monitoring and interception serves as the final and most critical line of defense against new threats, even those targeting previously unknown vulnerabilities. Behavior-based analysis addresses the Achilles’ heel of file scanning approaches: the need for analysts to have an actual sample of the malware in order to create the signature to identify it. Given the huge numbers of malware constantly being created and distributed, new samples must be acquired and analyzed prior to detections being created. Prevalence logic increases effectiveness against rare files Enhanced protection against exploit-based attacks Performance and precision improvements Behavior-based detections cover that crucial gap between the first appearance of new malware and a detection being issued for the threat. By moving the focus from structural to functional characteristics of a sample, DeepGuard can identify and block programs performing harmful actions, even before an actual sample has been acquired and examined. For example, in April 2016, DeepGuard detected and blocked files that attempted to encrypt stored files. Subsequently, signature databases were updated to flag these files (chart above) as Locky ransomware, but for users facing new threats, DeepGuard’s proactive analysis provided immediate protection against infection. In 2011, an entirely rewritten DeepGuard engine was introduced that included (among numerous other improvements) a switch from using hard-coded scanning logic to an updateable detections database. F-Secure Labs analysts constantly monitor the threat landscape and analyze the latest threats to determine the best way to identify malicious behavior. Being able to update the engine with the results of this research keeps DeepGuard consistently effective against the latest threats. "

" Also in 2011, DeepGuard was updated to use prevalence rate checks in its detection logic [6]. This feature was a logical corollary of the fact that legitimate software are usually found installed by a large percentage of our customer base - that is, they are highly prevalent. These files also change relatively infrequently, making them easy to whitelist and track in a ‘clean file’ database. In contrast, files that have low prevalence quite often turn out to be malware. According to statistics generated from F-Secure’s internal systems monitoring known threats, in a random sample of malicious programs found in the first four months of 2013, 99.7% of the threats were rarely seen in our user base. DeepGuard’s prevalence rate check helps filter out known clean files from suspicious unknown ones, improving both performance and accuracy. DeepGuard’s updateable detection logic is especially useful in countering attacks that exploit vulnerabilities in installed programs in order to run malware on a machine. In such cases, the dropped malware itself can be spotted and blocked by file scanning engines. To halt the attack at an even earlier stage however - that is, at the point of exploitation - F-Secure Labs analysts examine the exploit mechanism for tell-tale actions or behavior patterns, and then incorporate the research results into DeepGuard’s scanning engine. It is then able to pinpoint and block suspicious actions that bear the hallmarks of a vulnerability exploit attempt, preventing malware from being dropped on the machine at all. "

How DeepGuard Works

"
DeepGuard’s behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running. 1. Pre-launch analysis When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks: 1.1 File reputation check If an Internet connection is available, DeepGuard sends a query to the Security Cloud (below) to check for the latest information on the program’s reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by F-Secure Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once. For the user, the clean file cloud lookup functionality offers a number of advantages. Being able to use the security verdict for a known file from the clean file database not only removes the burden of identifying unknown or unfamiliar programs as legitimate or malicious from the user, it also means unnecessary security checks on clean files can be avoided. At the same time, by reducing to a manageable level the volume of software that needs to be individually evaluated, the ability to still white- or black-list selected programs becomes more meaningful. "



" DeepGuard includes a module that focuses on a file’s prevalence rate. Clean files typically have thousands or millions of users, making them highly prevalent. In contrast, malware samples are comparatively rare. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage. Judgement on execution Based on the file’s reputation and behavior during emulation, DeepGuard makes one of four possible judgements: A. The file is malicious and blocked B. The user is given the option to allow or deny the launch C. The file is clean and allowed to execute D. The file’s status as clean or malicious is still unknown If the file is blocked from launching, a notification message is displayed (right) providing additional details and an option to whitelist the program, if so desired. If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.

Even after a program has successfully passed pre-launch analysis and is executed, DeepGuard continues to monitor its behavior as a precaution against delayed malicious routines, a common tactic used by malware to circumvent runtime checks. This form of quiet vigilance also allows DeepGuard to provide constant protection for the user without visibly intruding on their experience by displaying excessive prompts. "

" By evaluating the metadata sent, together with information drawn from the in-house databases and various other sources, the Security Cloud’s automated analysis systems (which make up to 8 million decisions per day) can provide a fully-informed, up-to-date risk assessment for the object during DeepGuard’s pre-launch security evaluation stage, immediately blocking a threat that has been previously seen by any other machine connected to the Security Cloud. This also removes the need to perform further analysis of the object on the client, reducing impact on the user’s experience. The Security Cloud also allows F-Secure Labs analysts to provide critical human intelligence and judgment to complement the automated systems and on-host scanning technology. In addition to creating and maintaining the rules that underpin the databases and automated analysis systems, analysts actively monitor the threat landscape and research malware characteristics and behavior patterns to find the most effective ways to identify truly malicious programs. Once a threat has been confirmed (or a known file’s reputation is modified), the updated details take 60 seconds to replicate across all products connected to the Security Cloud, ensuring up-to-date protection. "

" 2.1 Process monitoring Applications are monitored for a number of suspicious actions, including (but not limited to): y Modifying the Windows registry y Editing files in certain critical system directories y Injecting code in another process’s space y Attempting to hide processes or replicate themselves As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing. If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low-prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked "

" Starting in 2013, DeepGuard also employs two exploit interception methods that extend the dynamic protection of on-host behavioral analysis by focusing specifically on monitoring the processes of programs that are commonly targeted for exploitation and on document file types commonly used to deliver exploits. 1. Monitoring exploit-prone programs The first method focuses on frequently exploited programs such as Adobe Flash Player, Microsoft Office, web browsers and so on. These programs are kept under especially close watch and are blocked more aggressively if malicious behavior is detected. Of course, which programs become favored targets is unlikely to stay fixed. For example, it was only in the last couple years that Adobe’s Flash Player superseded Oracle’s Java Runtime Environment (JRE) as the most targeted software; in the future, another program may assume that unenviable distinction. The specific programs chosen by DeepGuard for closer attention can be updated by F-Secure Labs analysts when necessary, a responsive approach that allows DeepGuard to adapt to changes in the threat landscape.

2. Monitoring for document exploits Some document types, such as Microsoft Word or Adobe PDF, are commonly used to deliver exploits. Thus, any software used to open these types of documents is also subject to greater attention by the second exploit interception method, which scrutinizes these programs closely for suspicious behavior caused by malicious document files. This exploit interception module addresses the most common form of targeted attack, which involves sending carefully crafted, exploit-loaded documents to the intended victim or organization. This was the type of attack carried out by the threat actors behind such campaigns as the 2013 ‘Red October’ campaign [7] and the 2014 attacks against Ukrainian targets reported in our ‘BlackEnergy & Quedagh’ whitepaper [8]. This type of attack is particularly effective if the exploits used target a zero-day vulnerability. In a more recent example, in 2015 the cyber espionage group known variously as Sofacy, Pawn Storm or APT28 used exploits targeting zero-day flaws in Microsoft Office (CVE-2015- 2424) and Java (CVE-2015-2590) in order to install a dropper on the affected machine [9]. In all these cases, booby-trapped document files were used to exploit either known or new vulnerabilities in installed programs. By focusing on detecting malicious actions originating from document files however, Deepguard’s exploit interception module is able to provide significant breadth of coverage against document-based exploits, regardless of the file’s physical features or the specific vulnerability being targeted. "

" using DeepGuard in tandem with the other components in a multi-layered security strategy, F-Secure products can share critical details so that all clients are protected against even the latest threats."

 
Last edited:

Lord Ami

Level 17
AV-Tester
Verified
Joined
Sep 14, 2014
Messages
815
Antivirus
F-Secure
#2
This PDF is now updated :)
Interesting read!
https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf

Interesting picks:
Separately, a beta detection monitoring module notifies the Security Cloud if any experimental detections would have been triggered by the suspect file’s code or actions. This gives crucial feedback to F-Secure’s Labs on the detections’ effectiveness, so that analysts can fine-tune their logic to avoid false positives.
If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this threshold. For example, DeepGuard treats a file with low prevalence more aggressively by lowering the threshold of actions it can perform before the file is blocked.
 
Last edited:
Joined
Mar 30, 2018
Messages
45
OS
Windows 10
Antivirus
F-Secure
#3
Last edited:

Faybert

Level 22
AV-Tester
Verified
Joined
Jan 8, 2017
Messages
1,147
OS
Windows 10
Antivirus
G Data
#4
That's what I call a good read, they explained in detail how DeepGuard works, I loved it. F-Secure has behavior blocker since 2006, and has company in full 2018 that neither has BB. F-Secure seems to me to be a security company with state-of-the-art technology :emoji_ok_hand:
It is one of the few antivirus that is still worth installing, protection, privacy and one of the best if not the best performance, it is very light.
 

upnorth

Level 25
Content Creator
Verified
Joined
Jul 27, 2015
Messages
1,449
#5
This PDF is now updated :)
Interesting read!
Great share and thanks for the update!(y) Here's a few extra pointers well worth mention.

Quote : " When used in tandem with other components of a multi-layered security approach, DeepGuard provides lightweight and comprehensive endpoint protection with minimal impact to the user experience.

How DeepGuard Works
DeepGuard is activated by two events: when a program is launched for the first time, and while a program is running (that is, during its runtime). During each event, DeepGuard performs either file reputation analysis or behavioral analysis. When a program is first launched, regardless of how it is done (the user clicks the file icon, an email attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing and performs the following checks:

File reputation check.
DeepGuard sends a query to the Security Cloud to retrieve the suspect file’s reputation details. The query is sent using the strongly encrypted Object Reputation Service Protocol (ORSP), is completely anonymized and the IP address is not stored, to maintain the client’s privacy. If the file has been previously seen and reported by other products connected to the Security Cloud, the automated analysis systems will have performed and saved a security assessment of it that indicates if the file should be considered trustworthy or harmful. If DeepGuard’s query to the Security Cloud about the file it is analysing returns the verdict that it is a threat, DeepGuard immediately blocks it from launching.

Prevalence rate check.
DeepGuard also queries the Security Cloud for the file’s prevalence rate. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage.

Judgement on execution.
At this stage, based on the file’s reputation, DeepGuard makes one of the following choices:
  • A. The file is clean and allowed to execute normally
  • B. The file is harmful and blocked from executing
  • C. The file’s status as clean or harmful is still unknown
If the file is blocked from launching, a notification message is displayed providing additional details and an option to whitelist the program, if desired.

If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.

If a program passes the file reputation analysis and is executed, DeepGuard begins to monitor its behavior as a precaution against delayed harmful routines, a common tactic used by malware to circumvent pre-launch checks. This quiet vigilance allows DeepGuard to provide constant protection without disrupting the user’s experience with constant prompts. Processmonitoring A program’s processes are blocked from continuing if DeepGuard sees it performing a number of suspicious actions, which may include (but are not limited to):
  • Modifying the Windows registry
  • Editing files in certain critical system directories
  • Injecting code in another process’s space
  • Attempting to hide processes or replicate themselves

DeepGuard In Action
The most common delivery vehicle for exploits remains document files, which are usually crafted to appear authentic. If an unsuspecting user were to open the file, harmful code embedded in the file is run, which can result in the system being compromised.

A suspicious email message was received with an attached Microsoft Word file named, ‘Form-9566073483336.doc‘. When the file was launched in the Word program, it displayed a notice prompting the user to click the ‘Enable content’ button on the security warning notification message. Doing so would allow macros, or a script of commands embedded in the file, to run. In this case, the file contained a macro with instructions that DeepGuard recognized as harmful exploit code, with the detection Exploit:W32/CmdStager.A!DeepGuard. The application’s processes were immediately intercepted and blocked, preventing the exploit from succeeding. Subsequent analysis found that if the exploit had been successful, it would have installed the Emotet trojan, which can steal sensitive information from the user’s computer, as well as download and install other malware.


Intercepting ‘File-Less’ Attacks
There are various methods attackers use to carry out a ‘file-less’ attack; a particularly popular way involves abusing PowerShell with a script-based approach. PowerShell is a legitimate command-line tool in the Windows operating system that can be used by system administrators to automate various tasks for managing the computer. A key feature is its ability to load and run a script directly in memory. This feature makes PowerShell a popular target for attackers, as they can abuse it to run harmful code directly in memory, rather than embedding the code in an executable file that must be saved on the disk, where it is vulnerable to detection by security products.

The script above was received as part of a customer case and shows one method that attackers try to abuse PowerShell. This script includes the command -executionpolicy bypass, which makes a configuration change to bypass the execution policy that stops PowerShell from remotely executing commands. This would allow an external attacker to later remotely instruct PowerShell to perform further harmful actions. The script also includes a command to connect to a remote website, either to receive additional commands or to download other harmful files. Because DeepGuard is monitoring PowerShell’s actions however, its bypass of the execution policy and subsequent attempt to connect to a harmful site triggered the behavioral detection Exploit:W32/ PowerShellstager.B!DeepGuard, which caused the product to immediately block any further actions and close PowerShell to prevent any further potential harm. "
 
Last edited:

Lord Ami

Level 17
AV-Tester
Verified
Joined
Sep 14, 2014
Messages
815
Antivirus
F-Secure
#6
@cruelsister

I want this guy opinion , he tested f-secure and can say objective if it-s good or not because all big names in test are so perfect and when you test them against a ransomware those failed first.
Khmm, guy :)?
Anyhow, it is no silver bullet. Just nice read about technologies used to stop badware.:emoji_innocent:
 
Joined
Mar 30, 2018
Messages
45
OS
Windows 10
Antivirus
F-Secure
#8
@cruelsister

I want this guy opinion , he tested f-secure and can say objective if it-s good or not because all big names in test are so perfect and when you test them against a ransomware those failed first.
@Faybert and @Lord Ami have already responded about the product being good or not, they are AV-Tester, namely, they know what they are talking about, so why the opinion of a third person? :rolleyes:
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#9
"How F-Secure Behavior Blocker works" internally for monitoring.

1. Probably Kernel-Mode callbacks
2. User-Mode API hooks (I can guarantee this one)
3. Probably AMSI for script-scanning assistance

#1 and #3 are guesses which would of course make it more valuable.

No PDF marketing of 1000 walls of text needs to be read to explain to you how it works without actually telling you how it works. I don't get what that is all about but anyway...

You're welcome.

That being said, F-Secure are one of the good vendors in my books and I like them. I prefer them to a lot of vendors out there at-least... and the researchers they have do a smashing job.

Tbh I am a fan of their VPN service but sadly it is limited in usage depending on location...
 

Lord Ami

Level 17
AV-Tester
Verified
Joined
Sep 14, 2014
Messages
815
Antivirus
F-Secure
#10
@Faybert and @Lord Ami have already responded about the product being good or not, they are AV-Tester, namely, they know what they are talking about, so why the opinion of a third person? :rolleyes:
Our testing is somewhat limited and does not reflect real world scenario (to some extent).
And @cruelsister has more 0-days stuff and specific samples she could test it against. By all means: do it :)

@Vendula Kubová you are correct. But nevertheless it is nice read for people like me. I tend to dig these texts, even though I know it's also marketing oriented, not ABC for programmers and those who know this stuff works in code level.
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#11
Oh, I didn't mean to sound hostile.

My guess is that it was for marketing and technical users (but not technical technical as you said).

Either way, other vendors do marketing things all the time and F-Secure are still a great vendor.

Nonetheless it was a useful contribution for the PDF to be shared here and I do know of people who use F-Secure/like them who have found it helpful to them. :)
 

Lord Ami

Level 17
AV-Tester
Verified
Joined
Sep 14, 2014
Messages
815
Antivirus
F-Secure
#12
Oh, I didn't mean to sound hostile.

My guess is that it was for marketing and technical users (but not technical technical as you said).

Either way, other vendors do marketing things all the time and F-Secure are still a great vendor.

Nonetheless it was a useful contribution for the PDF to be shared here and I do know of people who use F-Secure/like them who have found it helpful to them. :)
No hard feelings (not at all, sorry if I sounded otherwise). I did not read it being close minded :emoji_v:. I totally got what you were trying to say :)!
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,186
#13
3. Probably AMSI for script-scanning assistance
You and I talked about this. Microsoft = no documentation. The vendor attempts to integrate it, but is faced with nothing but a mess to sort out. And they don't get it right. That's the reason default Windows Security with AMSI outperforms the F Secure, Bitdefender or Kaspersky AMSI integration in lab test after lab test.

I just reported to DrWeb that their AMSI PoSh and SH integration isn't working correctly. The reply "Yep... AMSI is BS to make Windows Defender look good." Looks like DrWeb - or at least that particular head developer - has no love for Microsoft.

No kidding... hit that nail right on the head. Very cryptic (by omission) MS documentation with 99 % of the most important stuff left out. Gee I wonder why that is ? And for knuckleheads that don't know what that translates to... wow, you can't figure it out, geniuses ? - it translates to money. Cha-ching for every second and minute that a developer is sitting there figuring it out. And looking at how all the vendors have wrestled with AMSI (not to mention something that should be trivial like security center integration, but isn't, because Microsoft is either willfully or carelessly under-documents stuff).

The infos the security soft vendors need for what they do, Microsoft isn't putting out there on GitHub, in the SDK notes, or anywhere else in MS DOC-land. @Vendula Kubová knows precisely what I'm talking about.

Considering the amount of money that Microsoft collects from and makes off of the efforts of 3rd party publishers, the MS documentation should be much more detailed.

Wankers... or is it tickletacklers ?
 
Last edited:

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#14
I had the same conversation with an engineer at R&D of another AV vendor a few weeks ago... and they basically said that they thought AMSI was Microsoft's weapon for Windows Defender and implied that there was pretty much no useful documentation on how to really operate it to its full potential (which is why they started researching it through RE).
 

Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#15
UPDATE:
After reboot, I downloaded the package again just to verify if DeepGuard would have blocked the files (In Dynamic part: 3 files were able to run after I restarted VM).
Interesting conclusion:
As I thought, DeepGuard acts differently when it sees the whole picture (link - download - extraction - execution). As we can see, it successfully blocked all of those 3 files
Source: https://malwaretips.com/threads/22-10-2018-15.87538/post-772238 (@Lord Ami)

I think I actually recall hearing something of the sort from F-Secure themselves a few years ago... and it was to do with detection differences depending on where the sample came from (e.g. downloaded from a web-browser and then ran or from removable storage/unknown, etc.). I may have mixed up with a different vendor though, but I am pretty sure it was F-Secure.