[Tutorial] Modern Anti-Virus Software: Features and Functions

BoraMurdar (Super Moderator, MalwareTips Staff)

Part I: Anti-virus and firewall engine

Anti-virus Engine


Also called: Real Time Malware Protection, Real Time Protection, File Monitoring, Anti-Malware, Anti-virus Guard, Real Time Guard

The anti-virus engine is a basic component included in most security suites on the market. Its role is to scan data storage and data flows inside the computer in order to detect and remove malware. Malicious code can be stored in files on hard disks, removable storage, network drives, computer memory, or the disk boot sector, or it can arrive as part of the network traffic.

Detection Methods
The anti-virus engine uses a variety of strategies to reveal malware. Anti-virus software maintains a database of signatures (patterns) of malware that it looks for during scanning. A signature can either identify one specific piece of malicious code, or it can be more general and describe a whole family of malware. A common property of signature-based detection is that it detects known malicious samples and samples derived from them, but it may fail to detect new malware that does not match any known pattern; an attacker who modifies a sample until it no longer matches has evaded this layer.

Heuristic-based detection attempts to detect malicious samples for which there are no specific signatures in the anti-virus database yet. Anti-virus engines implement many different heuristics. The general principle is to identify pieces of code or data that are unlikely to be present in legitimate programs, for example code that is packed or obfuscated, or calls to system functions that ordinary software rarely needs. This approach is inherently inaccurate and may cause false positive alerts. A good heuristic is well balanced, so that the number of false positives stays low while a high number of malware samples is detected. The sensitivity of the heuristics is often configurable: raising it catches more samples at the price of more false positives.
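The two detection methods above, as an added example that is not part of the original tutorial: a toy scanner that first tries signature matching (one exact signature and one family pattern) and, when nothing matches, falls back to a weighted heuristic with a configurable sensitivity. The signatures, the suspicious-string weights, the entropy threshold and the sample byte strings are all constructed for illustration and are not taken from any real anti-virus database.

```python
"""Added example: signature-based and heuristic detection side by side.
Everything here (signatures, weights, samples) is constructed; nothing
is real malware or a real vendor's signature."""
import math
import re
from collections import Counter

# Signatures: name, pattern over raw bytes, and whether it names one
# specific sample or a whole family.  Wildcards in the family pattern
# let one entry cover variants derived from the same code base.
SIGNATURES = [
    ("Demo.Dropper.A", re.compile(rb"DROPPER-PAYLOAD-v1\.0"), "exact"),
    ("Demo.Dropper",   re.compile(rb"DROPPER-PAYLOAD-v\d+\.\d+"), "family"),
]

# Heuristic indicators with a weight each (constructed for the example).
SUSPICIOUS_STRINGS = {
    rb"CreateRemoteThread": 2,
    rb"WriteProcessMemory": 2,
    rb"SetWindowsHookEx": 1,
    rb"cmd\.exe /c": 1,
}

# Sensitivity controls how many heuristic points are needed to flag a
# file: higher sensitivity means a lower threshold and more false positives.
SENSITIVITY_THRESHOLD = {"low": 6, "medium": 4, "high": 2}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def signature_scan(data: bytes) -> list:
    """Names of all signatures that match, in database order."""
    return [name for name, pattern, _kind in SIGNATURES if pattern.search(data)]

def heuristic_score(data: bytes) -> int:
    score = 0
    for pattern, weight in SUSPICIOUS_STRINGS.items():
        if re.search(pattern, data):
            score += weight
    if shannon_entropy(data) > 7.2:   # high entropy suggests packing
        score += 3
    return score

def scan(data: bytes, sensitivity: str = "medium") -> dict:
    """Signature hits are authoritative; heuristics only run when no
    signature matched, which mirrors the usual engine order."""
    hits = signature_scan(data)
    if hits:
        return {"verdict": "malware", "method": "signature", "names": hits}
    score = heuristic_score(data)
    if score >= SENSITIVITY_THRESHOLD[sensitivity]:
        return {"verdict": "suspicious", "method": "heuristic", "score": score}
    return {"verdict": "clean", "method": None, "score": score}

# Constructed samples (not real files).
KNOWN_SAMPLE = b"MZ...header...DROPPER-PAYLOAD-v1.0...end"
VARIANT_SAMPLE = b"MZ...header...DROPPER-PAYLOAD-v2.3...end"      # family pattern only
UNKNOWN_INJECTOR = b"MZ" + b"\x00" * 32 + b"WriteProcessMemory\x00CreateRemoteThread\x00"
BENIGN = b"MZ" + b"hello world, nothing to see here" * 4

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("injector", UNKNOWN_INJECTOR), ("benign", BENIGN)]:
        print(label, scan(sample), "| low sensitivity:", scan(sample, "low")["verdict"])
```

The injector sample shows the trade-off the paragraph describes: at medium sensitivity its two suspicious imports are enough to flag it, at low sensitivity the same file passes as clean.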

Virtualization and sandboxing are more advanced methods of detection. For a limited time the sample is executed in a virtual machine or another secured environment that it cannot escape from and from which it cannot harm the real system. The behavior of the sample inside the sandbox is monitored and analyzed. This method is useful for malware that is packed with an unknown packer (a common way for malware to avoid detection) that the anti-virus engine cannot unpack by other means. Inside the virtual environment such malware unpacks itself just as it would on the real system, so the anti-virus engine can scan its unpacked code and data. The limitation is that the sample only runs for a short time, and malware that detects the virtual environment, or simply waits, may never show its malicious behavior there.

One of the newest approaches implemented in anti-virus engines is scanning in the cloud. This method is based on the fact that desktop machines are limited in their resources, while anti-virus vendors can build large systems with great performance. Computing power is required for running complex heuristics or analyses in virtual machines, and the vendors' servers can also work with much larger databases of signatures and other data than a desktop machine can process in real time. For cloud scanning, the only requirement on the client's desktop is a fast and reliable Internet connection. When the client is about to scan a file, it sends it (or, more commonly, a hash or other compact fingerprint of it) to the vendor's cloud over the network and waits for the answer; in the meantime, the client can also perform its own local scan. The obvious caveat is that this layer is unavailable when the machine is offline or the vendor's service cannot be reached.

Scan Types and Settings
From the user's point of view, there exist several types of anti-virus scans depending on the events that trigger the scanning process:

  • On access scan is a scan that occurs when a resource is accessed. For example, when a file is copied to the hard drive, or when an executable is launched (the scan triggered by this particular event is sometimes called On execution scan). Only the resource being accessed and objects closely related to it are checked during this scan.
  • On demand scan is initiated by the user – for example, when the user clicks the appropriate context menu item in Windows Explorer. This scan is also called Manual scan. The selected folders or drives are scanned during this operation.
  • Scheduled scan is usually a repeated task that ensures regular checks of the system for malware. The user can set the time and frequency of the scan. This scan is usually intended to scan the whole system.
  • Startup scan is initiated by the anti-virus software after the computer was started. This scan is fast and may check startup locations, running processes, system memory, system services, and/or boot sector.
Most products allow their users to configure the settings of each type of scan separately. Here are some of the most common settings related to anti-virus scans:

  • Files extensions to scan – whether to scan all files or just those having specific extensions, such as executable extensions (.exe, .dll, .vbs, .cmd etc.).
  • File size limit – files larger than the limit are not scanned.
  • Scan files within archives – whether or not to scan files within file archives, such as .zip, .rar, .7z etc.
  • Using heuristics – whether or not to use heuristics and possibly set up their sensitivity.
  • Which types of programs to alert about – many programs cannot be clearly classified as malicious. Some vendors use terms such as Potentially unwanted programs, Riskware, or Low risk items.
  • Types of drives to scan – whether or not to scan files on network drives or removable storage.
  • Action to take when an infection is found – this can be set to attempt to disinfect (cure) the sample if possible and otherwise delete it, to put it into quarantine (a special folder that stores infected files so that they cannot be run but can be examined further or sent to the vendor's server for analysis), to block access to it, or to ask the user for a decision.
Many of these options affect scanning speed. A set of automatic rules for a quick but still effective scan is sometimes called Smart scan or Quick scan; the opposite is called Full scan (or Deep Scan). We can also see Removable media scan, intended to check files on optical disks, floppy disks, USB memory sticks, flash cards, and similar devices. A Custom scan may also be available, which stands for a fully customizable scan.
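The scan settings listed above, as an added example that is not from the original tutorial: a small on-demand scanner that applies the extension filter, size limit, archive and drive-type settings to decide what actually reaches the engine. The file tree, the zip archive and the "engine" (a constructed marker string standing in for a real signature match) are all built in memory; the paths and the extension lists are assumptions made for the example.

```python
"""Added example: applying per-scan settings (extensions, size limit,
archives, drive types) before handing files to a scanning engine.
Files, archive and the marker-based engine are constructed."""
import io
import zipfile
from dataclasses import dataclass

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".vbs", ".cmd", ".scr", ".js"}
ARCHIVE_EXTENSIONS = {".zip"}          # .rar/.7z would need extra libraries

@dataclass
class ScanSettings:
    all_files: bool = False            # False = executable extensions only
    max_size: int = 1024 * 1024        # files above this many bytes are skipped
    scan_archives: bool = True
    scan_network_drives: bool = False
    scan_removable: bool = True

@dataclass
class File:
    path: str
    data: bytes
    drive_type: str = "fixed"          # "fixed", "removable" or "network"

def extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""

def should_scan(f: File, s: ScanSettings) -> bool:
    """The settings are checked in the order a product would: cheap
    drive and size checks first, then the extension policy."""
    if f.drive_type == "network" and not s.scan_network_drives:
        return False
    if f.drive_type == "removable" and not s.scan_removable:
        return False
    if len(f.data) > s.max_size:
        return False
    ext = extension(f.path)
    if ext in ARCHIVE_EXTENSIONS:
        return s.scan_archives
    return s.all_files or ext in EXECUTABLE_EXTENSIONS

MARKER = b"DEMO-MALWARE-MARKER"        # constructed stand-in for a signature

def engine_check(data: bytes) -> bool:
    return MARKER in data

def scan_tree(files, settings: ScanSettings):
    """Return (scanned_paths, detections).  Archive members go through
    the same extension and size rules; nested archives are not expanded."""
    scanned, detections = [], []
    for f in files:
        if not should_scan(f, settings):
            continue
        if extension(f.path) in ARCHIVE_EXTENSIONS:
            with zipfile.ZipFile(io.BytesIO(f.data)) as zf:
                for info in zf.infolist():
                    member = File(f"{f.path}!{info.filename}", zf.read(info), f.drive_type)
                    if should_scan(member, settings):
                        scanned.append(member.path)
                        if engine_check(member.data):
                            detections.append(member.path)
        else:
            scanned.append(f.path)
            if engine_check(f.data):
                detections.append(f.path)
    return scanned, detections

def build_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", MARKER + b" packed inside")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()

# Constructed file tree; paths are assumptions for the example.
SAMPLE_FILES = [
    File(r"C:\Users\demo\tool.exe", b"MZ clean program"),
    File(r"C:\Users\demo\notes.txt", MARKER + b" hidden in a text file"),
    File(r"C:\Users\demo\bundle.zip", build_archive()),
    File(r"C:\Users\demo\big.iso", b"\x00" * (2 * 1024 * 1024)),     # over the size limit
    File(r"\\server\share\macro.vbs", MARKER, "network"),
]

if __name__ == "__main__":
    print(scan_tree(SAMPLE_FILES, ScanSettings()))
    print(scan_tree(SAMPLE_FILES, ScanSettings(all_files=True, scan_network_drives=True)))
```

With the default (quick) settings the marker in notes.txt and on the network share is never seen, which is exactly the speed-for-coverage trade the paragraph describes; switching on all files and network drives finds them, while the oversized image is skipped under both configurations.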

Specialized Scans
Rootkit scan (or Anti-rootkit component) is a feature that some anti-virus vendors introduced in their products after rootkits became popular during the last decade. A rootkit is a special type of malware that uses tricky methods to become invisible to users and to common methods of detection. It exploits internal mechanisms of the operating system to hide itself. Fighting rootkits required security researchers to develop special detection techniques. A rootkit scan looks for discrepancies in the system's behavior that may reveal the presence of a rootkit; a typical technique is to compare what the standard system API reports (files, processes, registry keys) with what is found by reading the raw disk or kernel data structures directly, since a hidden object shows up in one view but not the other. Some implementations of anti-rootkit features rely on permanent monitoring of the system, while others run on demand.

Microsoft Office scan (or Macro-virus scan) is a feature that protects users against malicious code inside Office documents. The internal principles of the scan are similar to the common scanning methods; they are just specialized in detecting malicious code inside macros. This scanning feature may be implemented as a Microsoft Office plug-in.

Additional Related Features
The anti-virus engine is usually closely linked to other components of the security suite. Some of the products present additional features as an integral part of the anti-virus engine, other display them separately. The Web Control feature is a typical representative of this group. We will discuss these features separately.


Firewall

Also called: Personal Firewall, Network Control, Advanced Firewall, Two-way Firewall

The main role of the Firewall component is to control access from outside networks to the computer over available network interfaces, also known as the inbound traffic, and vice-versa – from the inside out, also known as the outbound traffic.

Filtering of the network traffic can happen on several levels (see the layers of the TCP/IP model on Wikipedia). Most firewalls in desktop security suites define rules on at least two layers – the low-level Internet layer, controlled by IP rules, and the high-level Application layer, for which the product maintains a list of rules that allow or deny a particular application access to the network. Terms such as Network Rules, Expert Rules, or IP Rule Settings are used for the rules on the lower level. On the higher level we see terms such as Program Control or Application Rules.

Networks
Many modern products allow users to configure a level of trust for all networks their computer is connected to. Even with only one physical network interface, a computer can be logically connected to more than one network – a common case is that the computer is connected to a local area network (LAN) which lets the user reach the Internet through a gateway. The security product then manages the traffic to other computers in the LAN separately from the Internet traffic. Each detected network can be either trusted or untrusted, and various system services, such as file or printer sharing, can be allowed or disallowed. By default, only computers from trusted networks can access the protected computer; connections from machines on untrusted networks are blocked unless a specific rule permits them. This is why the Internet connection is usually marked as untrusted. Some products, however, do not distinguish between networks on a single network interface, and trusted or untrusted profiles can then be set only per interface. The term Network Zone or just Zone is sometimes used instead of a logical network.

For untrusted networks it may be possible to put the machine into stealth mode. This changes the behavior of the system so that it acts as if its address were unused on the network, which can mislead attackers who try to find live computers before attacking them. The default behavior of the system is to respond properly to all messages even if they are sent to ports that are closed: a closed TCP port answers a connection attempt with a reset (RST) and a closed UDP port with an ICMP port-unreachable message, and either reply tells a scanner that a host is there. The stealth mode (also known as the stealth ports feature) drops such probes silently, so a scan gets no reply and cannot tell the machine apart from an unused address. It does not hide the machine from neighbours on the same link, which still see it through ARP, and a host that answers on the ports it does serve is of course still visible there.
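The two rule layers, the trusted/untrusted zones and the stealth behaviour described above, as an added example that is not from the original tutorial: an inbound filter that first evaluates low-level IP rules (a blocklisted network and a public HTTPS server), then applies the zone policy, and answers closed ports with a silent drop on stealthed zones instead of a reject. The zones, rule table, listening ports and packets are constructed; the verdict names ("allow", "reject", "drop") are the conventional firewall terms, not a particular product's.

```python
"""Added example: an inbound packet filter with zone trust, IP-level
rules and stealth (silent drop) for untrusted zones.  All addresses,
zones and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Zone:
    name: str
    network: ipaddress.IPv4Network
    trusted: bool
    stealth: bool = False

# Two logical networks on one interface: the LAN is trusted; everything
# else (the Internet, reached via the gateway) is untrusted and stealthed.
ZONES = [
    Zone("LAN", ipaddress.ip_network("192.168.1.0/24"), trusted=True),
    Zone("Internet", ipaddress.ip_network("0.0.0.0/0"), trusted=False, stealth=True),
]

# Low-level IP rules, evaluated before the zone policy; first match wins.
# Tuple: (action, protocol, remote network, local port or None for any).
IP_RULES = [
    ("block", "tcp", ipaddress.ip_network("203.0.113.0/24"), None),  # blocklisted network
    ("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"), 443),         # public HTTPS server
]

# Ports on which some local program is actually listening.
LISTENING = {("tcp", 445), ("tcp", 443), ("udp", 137)}

def zone_for(addr: ipaddress.IPv4Address) -> Zone:
    """The most specific (longest prefix) zone containing the address."""
    return max((z for z in ZONES if addr in z.network), key=lambda z: z.network.prefixlen)

def closed_port_verdict(zone: Zone) -> str:
    # A normal stack answers a closed port (RST / ICMP unreachable);
    # a stealthed zone stays silent so the scanner learns nothing.
    return "drop" if zone.stealth else "reject"

def filter_inbound(proto: str, src: str, dport: int) -> str:
    """Return 'allow', 'reject' (answer negatively) or 'drop' (say nothing)."""
    src_ip = ipaddress.ip_address(src)
    zone = zone_for(src_ip)
    for action, rproto, rnet, rport in IP_RULES:
        if rproto == proto and src_ip in rnet and rport in (None, dport):
            return "allow" if action == "allow" else closed_port_verdict(zone)
    if (proto, dport) not in LISTENING:
        return closed_port_verdict(zone)
    if zone.trusted:
        return "allow"
    return closed_port_verdict(zone)      # untrusted zone, no rule: treat as closed

if __name__ == "__main__":
    for pkt in [("tcp", "192.168.1.20", 445), ("tcp", "198.51.100.7", 445),
                ("tcp", "198.51.100.7", 443), ("tcp", "203.0.113.9", 443),
                ("tcp", "192.168.1.20", 8080)]:
        print(pkt, "->", filter_inbound(*pkt))
```

The same SMB port (445) is reachable from the LAN but invisible from the Internet, while the explicit allow rule for 443 punches through the untrusted zone; the blocklist rule wins over that allow because it is evaluated first.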

Intrusion Detection/Prevention
Also called: Attack Detection, Intrusion Detection System, IP Blocking, Malware ports

Although not all of these terms are equivalent, they refer to a set of features that are responsible for preventing or detecting special kinds of attacks from remote computers. They include detection of port scanning, detection of IP address spoofing, and blocking of access to well-known ports used by RATs, trojan horses, or botnet clients; some include mechanisms to protect against ARP spoofing attacks (this particular feature can be called ARP protection, ARP Spoofing Defense, ARP Cache protection etc.). A common ability of this kind of protection is automatic blocking of the attacker's machine, which ties it directly to the following feature.

IP Blacklist
Also called: IP Blocklist

Using this simple feature, the product maintains a list of network addresses of machines that are forbidden to communicate with the protected computer. This list can either be filled in manually by the user, as a reaction to a detected malicious behavior (see the Intrusion Detection/Prevention feature), or by security vendors that maintain worldwide lists of computer systems and networks misused for malicious attacks.

Block All Traffic
In case of a sudden malware infection of the system, some products offer to pull the emergency brake – to block all network traffic in both directions. This option may be available as a big red button, as part of the firewall policy settings, or through the product's taskbar icon. It is meant for the moment the user recognizes that the computer is infected and wants to stop the malware from misusing the machine, stealing personal information, or downloading more malware from the Internet. The network block can be combined with termination of all unknown processes in the system. This feature, if available, should be used with caution: it also cuts off every legitimate connection, including any remote administration session.

Program Control
Also called: Application Control, Application Inspector

Filtering network traffic on the application layer allows security products to separately control the network access of each program on the computer. The product maintains a database of application rules that control which applications can access the network and which cannot. These rules distinguish between client programs that initiate connections from the local computer to remote servers (the outbound direction) and server programs that listen on a network port and accept connections from remote computers (the inbound direction). Modern products allow the user to define complex rules for each application.

The overall behavior of the Program Control feature is determined by the Firewall Policy settings that offer following modes of operation:
  • Silent mode (Automatic mode) works without any interaction with the user. All decisions are made automatically using the database of rules the product maintains. If there is no explicit rule for a program that wants to access the network, it can either always be allowed (also known as Allow All mode or Allow Most mode), always be blocked (Block All mode or Block Most mode), or a special heuristic can be run to determine whether the program should be allowed to access the network. The decision algorithm may be very complex and depend on additional features, such as a community network whose members share their product settings. Some products, however, use the terms Allow All mode and Block All mode for settings that ignore the existing rule database completely and simply allow or block the network access of any application in the system.
  • Advanced mode (Custom mode, Interactive mode) is intended for advanced and expert users who want to have everything under their own control. In this mode the product handles automatically only those situations for which there are explicit rules in the rule database. In all other cases the user is asked to make a decision. Some products allow setting the policy to apply when the conditions do not allow asking the user – for example, when the computer is starting up or shutting down and the product's graphical interface is not running, or when the system is in a special state such as a full-screen game where the user does not want to be interrupted (this is sometimes called Gaming mode). Usually two options are available for such conditions – Allow All (Allow Most) or Block All (Block Most) – in which all actions without defined rules are allowed or blocked, respectively. Which of the two is chosen matters: an Allow fallback means that anything that starts before the interface is up runs unrestricted.
  • Normal mode (Safe mode) lets the product handle most situations itself. Even if there is no explicit rule in the rule database, an action of a program can be allowed if the product considers the program safe. As in Silent mode, the decision can rely on various heuristics. If the product cannot decide whether the application is safe, it alerts the user just as in Advanced mode.
  • Learning mode (Training mode, Installation mode) is commonly used just after the product's installation or when the user installs new software. In this mode the product is told to allow all actions for which there are no rules in its rule database and to add new rules that will keep allowing such actions after the policy mode is changed. Using Learning mode can thus significantly reduce the number of alerts the user sees after new software is installed; it also means that anything malicious running during the learning period gets a permanent allow rule.
Program Control usually contains settings that help the product decide unclear situations regardless of the mode it operates in. This is sometimes known as Automatic rule creation. A typical setting in this context is an option to allow all actions of digitally signed applications from trusted vendors even if there is no corresponding rule in the rule database. This can be extended by an option that allows all known and trusted applications even if they are not digitally signed but are recognized by the product. Note that such a setting only shifts trust to the signer or to the vendor's whitelist: a program signed with a stolen or misused code-signing certificate, or a legitimately signed program that malware can drive to act on its behalf, passes this check just as well.
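The policy modes and automatic rule creation described above, as an added example that is not from the original tutorial: a small Program Control decision engine that answers an application's network request from its rule database, creates rules automatically for trusted signers, and otherwise behaves according to the active mode (Silent with a default action, Interactive with a prompt and a no-GUI fallback, Normal with a toy heuristic, Learning that records allow rules). Process paths, the trusted-vendor name, the heuristic and the requests are constructed assumptions; no real product's logic is reproduced.

```python
"""Added example: a Program Control decision engine demonstrating the
firewall policy modes.  Processes, signer names, the heuristic and all
requests are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Process:
    path: str
    signer: Optional[str] = None     # code-signing publisher, if any
    known_safe: bool = False         # present on the vendor's whitelist

@dataclass
class Request:
    process: Process
    direction: str                   # "out" = client connect, "in" = listen/accept
    remote: str
    port: int

@dataclass
class ProgramControl:
    mode: str                        # "silent", "interactive", "normal", "learning"
    silent_default: str = "block"    # what Silent mode does without a rule
    fallback: str = "block"          # used when the user cannot be asked
    trusted_signers: set = field(default_factory=lambda: {"Example Vendor Ltd"})
    rules: dict = field(default_factory=dict)   # (path, direction) -> "allow"/"block"
    ask_user: Optional[Callable[[Request], str]] = None

    def decide(self, req: Request) -> str:
        key = (req.process.path, req.direction)
        if key in self.rules:                   # an explicit rule always wins
            return self.rules[key]
        # Automatic rule creation: trusted signer or recognised application.
        if req.process.signer in self.trusted_signers or req.process.known_safe:
            self.rules[key] = "allow"
            return "allow"
        if self.mode == "learning":             # allow now, remember for later
            self.rules[key] = "allow"
            return "allow"
        if self.mode == "silent":
            return self.silent_default
        if self.mode == "normal" and req.direction == "out" and req.port in (80, 443):
            # Toy heuristic: plain web access by an unknown program is tolerated;
            # listening sockets and unusual ports still go to the user.
            return "allow"
        if self.ask_user is None:               # no GUI: boot, shutdown, gaming mode
            return self.fallback
        answer = self.ask_user(req)
        self.rules[key] = answer                # the user's answer becomes a rule
        return answer

UNKNOWN = Process(r"C:\Temp\updater.exe")
SIGNED = Process(r"C:\Program Files\Example\app.exe", signer="Example Vendor Ltd")
WEB_OUT = Request(UNKNOWN, "out", "198.51.100.7", 443)
LISTEN = Request(UNKNOWN, "in", "0.0.0.0", 4444)

def demo() -> dict:
    """Run the same requests through every mode and collect the verdicts."""
    silent = ProgramControl("silent", silent_default="block")
    interactive = ProgramControl("interactive", ask_user=lambda r: "block")
    no_gui = ProgramControl("interactive", ask_user=None, fallback="allow")
    normal = ProgramControl("normal", ask_user=lambda r: "block")
    learning = ProgramControl("learning")
    learning.decide(LISTEN)                     # creates an allow rule ...
    learning.mode = "silent"                    # ... that survives the mode switch
    return {
        "silent_unknown": silent.decide(WEB_OUT),
        "silent_signed": silent.decide(Request(SIGNED, "out", "198.51.100.7", 443)),
        "interactive_unknown": interactive.decide(WEB_OUT),
        "no_gui_fallback": no_gui.decide(WEB_OUT),
        "normal_web": normal.decide(WEB_OUT),
        "normal_listen": normal.decide(LISTEN),
        "learned_listen": learning.decide(LISTEN),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The "no_gui_fallback" and "learned_listen" results are the ones worth noticing: with an Allow fallback, the unknown program gets out while the interface is down, and a listener that was first seen during Learning mode keeps its allow rule afterwards.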

The Program Control feature is usually very closely related to other features that we will cover later – especially to the Behavior Control feature.

Part II: Proactive Protection

The second part of the Features of Modern Security Suites series is devoted to Behavior Control features. Monitoring and controlling application behavior is a topic that is very close to us, as it is also the primary focus of our public research as well as of our commercial work for security software vendors. In this article we describe the basic functionality of Behavior Control features and enumerate common categories of application behavior that are controlled by modern security suites.

Behavior Control

Also called: Proactive Protection, Active Virus Control, Intrusion Guard, Proactive Defense, Host-based Intrusion Prevention System (HIPS), Behavioral Shield

The Behavior Control component monitors the actions of all applications in the system and blocks actions that threaten the security of the system or its users. It maintains a database of rules that determine which actions should be allowed or blocked for each application. The protection system takes control and suspends the application when it is about to execute a potentially dangerous action. If a rule covers the situation, it is applied: the action is either blocked, in which case the execution flow is modified so that the action is not performed at all or its parameters are altered to make it safe, or allowed, which means that the action is executed as if there were no protection. If no appropriate rule exists, then depending on the configuration of the component either the user is asked to make a decision, or the action is automatically allowed or blocked, or a heuristic algorithm decides whether it is safe to allow the action.

Behavior Control does not scan application files before they are executed, so it cannot detect malicious programs before they are started. However, it can block dangerous behavior once the program runs, and thus prevent damage from both known and unknown malware. The practical consequence is that the program has already been given control: whatever it does before its first monitored action is not prevented.

It is the Behavior Control feature that our Proactive Security Challenge 64 (PSC64) focuses on. In this project we try to examine the quality and the level of security of the product's Behavior Control component. Other components such as the Anti-virus Engine may be strongly connected to Behavior Control and may be necessary for its correct behavior, but the primary focus of our project is on behavior blocking – the ability of the product to recognize and block malicious behavior even if the offending program is not known and cannot be recognized prior to its execution. We have created a set of tests called Security Software Testing Suite 64 (SSTS64). Each test within this suite implements a different technique that can be misused by malware. The goal of the security product tested in PSC64 is to block the attacking techniques of the SSTS64 tests.

Operation Modes
Similarly to the Firewall Policy, which determines how decisions are made by the Program Control component, the Behavior Control feature can operate in several modes. Most products do not provide separate configuration here and use the Firewall Policy to define how rules are applied by both the Firewall component and the Behavior Control module. Some products do allow users to configure this feature separately, but in general the available operation modes work on exactly the same principles as the Firewall Policy – in the Learning mode, the Behavior Control component automatically allows actions and creates new rules for them; in the Interactive mode, situations that cannot be decided using the current rule set alert the user and ask for a decision; in the Silent mode, everything is decided automatically, etc.

Some products allow the protection level of Behavior Control to be set. This setting defines which application actions are considered potentially dangerous. On lower protection levels applications may freely perform almost everything except the most dangerous actions. On high protection levels the protection is very tight and applications are monitored so closely that some of their legitimate actions may be blocked as well.

Sometimes it is possible to set a particular reaction to each of the potentially dangerous actions that can occur. Allow, Block and Prompt are the common options here, meaning that the action is automatically allowed or blocked, or that the user is asked when the corresponding event occurs.

The default configuration of many products favors automation over user interaction while the security level is described as optimal. This usually means that the more advanced methods of behavior control are disabled, so only the most common malicious techniques are watched. If this is the case and the user wants to be fully protected against the most sophisticated types of attack, it is necessary to enable the appropriate setting. Its name varies; it can be called, for example, Advanced events monitoring or Anti-leak, but often a unique trademarked name is used for the technology.

Sandbox

When running in one of the automatic modes the security product may allow a malicious action to be executed (in Allow All/Allow Most modes) or block some actions of legitimate programs (in Block All/Block Most modes). This situation is not ideal, but the Interactive mode requires users to make various decisions and thus assumes that they are qualified to do so. Also, the number of questions in Interactive mode can be annoying. An alternative approach that helps solve these problems is a sandbox.

A product that implements a sandbox treats all unknown or suspicious programs in a special way that ensures they cannot damage the system. It creates a special environment, the sandbox, that looks like the real system to the application running inside it. The application can freely manipulate objects that it could not touch in the real system; for example, it can modify important registry entries. The sandbox makes sure that no such modification actually reaches the real system, but it simulates the system's behavior so that the sandboxed application cannot tell the difference. In the example of the changed registry entry, when the application reads the value back after the change, the sandbox returns the modified value instead of the one from the real registry, which was not changed. There are several reasons why a perfectly authentic sandbox is impossible, and this is why some of the most critical operations are always blocked in the sandboxed environment rather than simulated. The better the sandbox, the harder it is for the application to recognize that it is sandboxed.

Trusted programs always run outside the sandbox so that they can do their job without any limitations. When a new or unknown application installed by the user does not work correctly under the sandbox, the user can exclude that application from it. Since the exclusion removes the protection for that program entirely, it should be granted only to software the user actually trusts.

Some security suites implement the sandbox as a separate feature of the Behavior Control component. These products let users switch the sandbox off and still control the behavior of the applications. Others have it as an integral part of the Behavior Control component. There are products that allow to configure which actions are blocked automatically in the sandbox and which should be decided using the current policy and rules.
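The copy-on-write idea behind the sandbox described above, as an added example that is not from the original tutorial: a registry-like key/value store in which writes from a sandboxed program land in a private overlay, reads consult the overlay first so the program sees its own change, a short list of critical operations is refused outright, and the whole overlay can be discarded. The "real" registry contents, the key names and the always-blocked operation list are constructed for the example and are not any product's actual list.

```python
"""Added example: copy-on-write virtualisation of a registry-like store,
the mechanism a sandbox uses so that an untrusted program believes its
changes took effect while the real system stays untouched.  Registry
contents and the blocked-operation list are constructed."""
from dataclasses import dataclass, field

class SandboxViolation(Exception):
    """Raised for operations the sandbox never virtualises."""

# Operations that cannot be faithfully simulated and are therefore
# always blocked inside the sandbox (constructed list for the example).
ALWAYS_BLOCKED = {"load_driver", "write_physical_memory"}

@dataclass
class SandboxedRegistry:
    real: dict                                    # the system's view, never written
    overlay: dict = field(default_factory=dict)   # this sandbox's modifications
    deleted: set = field(default_factory=set)     # keys deleted inside the sandbox
    log: list = field(default_factory=list)       # what the program attempted

    def read(self, key: str):
        if key in self.deleted:
            return None
        if key in self.overlay:
            return self.overlay[key]              # the program sees its own change
        return self.real.get(key)

    def write(self, key: str, value) -> None:
        self.log.append(("write", key, value))
        self.overlay[key] = value                 # redirected; `real` untouched
        self.deleted.discard(key)

    def delete(self, key: str) -> None:
        self.log.append(("delete", key))
        self.overlay.pop(key, None)
        self.deleted.add(key)                     # hide it from later reads

    def privileged(self, operation: str) -> None:
        self.log.append((operation,))
        if operation in ALWAYS_BLOCKED:
            raise SandboxViolation(operation)

    def discard(self) -> None:
        """Throw away everything the sandboxed program did."""
        self.overlay.clear()
        self.deleted.clear()

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
VERSION_KEY = r"HKLM\Software\Example\ProductVersion"

# Constructed "real" registry contents.
REAL_REGISTRY = {
    VERSION_KEY: "1.0",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Loader": r"C:\Program Files\Example\loader.exe",
}

def simulate_untrusted_program(sb: SandboxedRegistry) -> dict:
    """What a persistence-seeking program does, and what it observes."""
    sb.write(RUN_KEY, r"C:\Temp\updater.exe")     # try to persist via a Run key
    sb.delete(VERSION_KEY)                         # tamper with another product
    observed = {"run_key": sb.read(RUN_KEY), "version": sb.read(VERSION_KEY)}
    try:
        sb.privileged("load_driver")               # cannot be simulated: refused
        observed["driver"] = "loaded"
    except SandboxViolation:
        observed["driver"] = "blocked"
    return observed

if __name__ == "__main__":
    sb = SandboxedRegistry(real=dict(REAL_REGISTRY))
    print("program sees:", simulate_untrusted_program(sb))
    print("real store unchanged:", sb.real == REAL_REGISTRY)
    sb.discard()
    print("after discard, Run key:", sb.read(RUN_KEY), "| version:", sb.read(VERSION_KEY))
```

The program reads back exactly what it wrote and sees the deleted key as gone, so from its point of view the persistence worked; the real store never changes, and the attempt to load a driver is the one operation that is refused rather than simulated.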



Potentially Dangerous Actions and Techniques

Potentially dangerous actions that security suites monitor can be divided into several categories or groups. We will describe the most common types of techniques that security suites control.

    • DDE communication – Dynamic Data Exchange (DDE) is a method of communication between two applications (so-called inter-process communication). A DDE server application accepts messages from client applications and responds to them. Some applications, such as Internet Explorer, allow other applications to control them using DDE commands. This can be misused by malware to perform monitored actions in the context of a trusted application. In SSTS64, this technique is covered by DDEtest.
    • COM Access Control, OLE Automation Control – OLE Automation supersedes DDE. It is a more advanced mechanism of inter-process communication based on the Component Object Model (COM). Many important system services provide interfaces to applications through COM/OLE. When such an interface is misused by malware, it appears that the trusted service, not the malware process, performs the dangerous action. In SSTS64, this technique is covered by Flank, BITStest, Schedtest etc.
    • DNS/RPC Client Services, DNS API Request – Some system services, such as the DNS Client, are accessible through the inter-process communication technologies called Remote Procedure Call (RPC), Local Procedure Call (LPC), or Advanced LPC (ALPC). As with the DDE communication and COM Access Control described above, some of these system services can be misused by malware, and monitoring the related communication can prevent that. In SSTS64, these techniques are covered by DNStester, WFPblock etc.
    • Application Window Control, Windows Messages – Windows Messages are yet another mechanism of inter-process communication. This one is used mostly to control the graphical user interfaces (GUIs) of applications, and this is exactly what can be misused: using Windows Messages it is possible to simulate common user actions, such as a mouse button click. As long as an application has a GUI based on a technology that relies on Windows Messages, it can be attacked by malware using this technique. In SSTS64, this technique is covered by Breakout1, Kill3e, and Kill3f.
    • Code Injection, Process Memory Injection, Interprocess Memory Accesses – Injecting code into another process running in the system is an easy way of executing malicious code in the context of a trusted process. Malware may be aware of behavioral protection that limits its functionality, and so, to bypass the protection, it can inject its own code into a trusted process that is likely to be allowed to perform the critical actions. Protecting trusted processes against code injection is therefore fundamental for behavioral protection in security suites. In SSTS64, this technique is covered by AWFT4, CopyCat, Kill8 etc.
    • DLL Injection, Binary Planting – DLL Injection is very similar to Code Injection. The result of a successful attack is the same – execution of malicious code in the context of a privileged application. One of the differences is that in DLL Injection a whole executable module is loaded into the target process, while Code Injection usually injects only a small piece of code. DLL Injection is easier to implement for the malware author but also easier to detect for security products. In SSTS64, this technique is covered by Inject1, Inject2, FireHole2 etc.
    • Network-enabled Application Launch, Process Launching, Parent Process Control – On Windows systems, a parent process can control its child processes either by specifying their command line arguments or by using special methods related to the internals of process creation itself. For malware, this is another way to take advantage of trusted applications. Security suites react by monitoring the parent process chain either of all processes running in the system or just of the trusted processes. In SSTS64, this technique is covered by Tooleaky, VBStest, NewClass etc.
    • Process Termination – Process Termination and similar attacks (like Thread Termination, attempts to crash processes/threads) are intended to partially corrupt or even fully disable the protection of security software. The targets of these attacks are processes of the security suite. The actual result of a successful attack highly depends on the implementation of the damaged security suite. It can cause system instability, freezes, crashes, or it can cause some of the protection components to be disabled. Some security suites are able to recognize a corrupted state of their components and lock the computer in order to prevent malware exploiting their current weakness. In SSTS64, this technique is covered by Kill* tests and Crash* tests.
    • Low-level Network Access, Direct Network Access – Most security suites are able to control common network traffic, such as web traffic or email communication, very well, but there can be a problem when less common or special-purpose protocols are used. It is not rare that a security product allows communication with web sites (over the Hypertext Transfer Protocol, HTTP) only for trusted programs, while requests to send data to a network server using the Internet Control Message Protocol (ICMP) pass automatically without notice. Malware that uses alternative ways to send or receive network data can be harder to detect for some security software. In SSTS64, this technique is covered by SockSnif, ECHOtest, and ECHOtest2.
    • Direct Disk Access – A common way to access data on hard disks is through system functions that work with files and directories. Older Windows systems allowed applications to access the disk device and its data directly. Such a way to access on disk data bypasses the common file and directory protection mechanisms. On Windows Vista and later systems, this technique is limited and thus less usable for most types of malware attacks and hence it is not covered by the current version of SSTS64.
    • Physical Memory Access, Direct Memory Access – Each running process in the system has its own private memory that is inaccessible to other applications by default. When access to another process's memory is required, the system provides special functions that make this possible and at the same time allow security software to control this kind of access. The operating system kernel also has its own private memory that is not accessible to applications. However, on older Windows systems it was possible to open a special object (the \Device\PhysicalMemory section) that mapped the whole physical memory, including the kernel's memory. This allowed malware to bypass the common mechanisms for accessing memory. On Windows Vista and later systems, this technique is forbidden and hence it is not covered by SSTS64.
    • Device Driver Installation, Driver Load – Applications running on Windows are limited in what they can do, especially with system hardware resources such as memory, disks, and input and output devices. When an application wants to use such a resource it has to ask the system kernel, which can either allow the request and perform the action or deny it – the latter occurs, for example, when the application is run by a user who is not privileged to work with the resource. This mechanism works well for all application code that runs in so-called user mode. The system kernel code runs in so-called kernel mode, which allows it to access any resource directly without being limited. Code running in kernel mode can also bypass all types of protection implemented either by the system or by third-party software. A user mode application can load a device driver, whose code runs in kernel mode. It is thus necessary to control driver loading and not allow malicious drivers to execute. On 64-bit Windows systems, however, this technique is not easily exploitable by malware because every kernel driver must carry a valid digital signature, and hence it is not covered by SSTS64 (note that this only raises the bar: a driver that is validly signed but vulnerable, or one signed with a leaked certificate, still loads).
    • Service Installation – System services on Windows are special programs that can run even when no user is logged on. They are usually more privileged than common applications, do not require direct communication with users, and can be started automatically during system startup. Some services do not have their own process and are hosted together with other similar services inside special hosting processes. For malware, services are a very easy way to persist in the system. Security products usually implement one or more services themselves, and without control over the installation of system services, malware could disable important components of security suites. Moreover, the same interface that is used for installation and configuration of system services is used for installation of kernel mode drivers. In SSTS64, this technique is covered by SvcKill.
    • HOSTS File Access – The HOSTS file is a special file that maps network names to IP addresses. Most commonly the network names are domains, and the mapping between a domain and an IP address is obtained using the Domain Name System (DNS) protocol. However, the HOSTS file is consulted first when translating network names, including domains, to IP addresses, so it is possible to redirect a domain to an arbitrary IP address using the HOSTS file. A common malware technique is to redirect anti-virus update servers to invalid addresses, which effectively disables updating of the anti-virus. Another technique is used for phishing – redirecting the domains of various Internet banking and payment systems to malicious servers that look exactly like the original web sites in order to steal the user's credentials. In SSTS64, this technique is covered by HostsBlock.
    • Active Desktop Changes – On older Windows systems, Active Desktop feature allowed users to insert active content (such as an HTML code) into the desktop. This feature made it possible to create highly customized desktops. Active Desktop could be misused by malware for executing actions in context of the trusted Windows Explorer application. Windows Vista and later systems do not implement the Active Desktop feature and hence it is not covered by SSTS64.
    • Autoruns, Autostart Locations – There exist many ways how an application can install itself or its own module into the system so that it is started or loaded again after a reboot. Some of these methods make it possible to infect various system processes with a custom DLL – i.e. perform DLL Injection. Common malware programs exploit one or more autorun locations in order to persist in the system. In SSTS64, these techniques are covered by Autorun* tests.
    • Keylogging, Keyboard Logging – Spying on users activity is another popular activity of malware. Keylogging techniques allow programs to get information about input the users typed into other applications in the system. Using these techniques, it is possible to steal passwords typed into a browser, an email client, or an instant messaging client. Some of the keylogging techniques rely on other techniques, such as Windows Hooking or DLL Injection. In SSTS64, these techniques are covered by Keylog* tests.
    • Screen and Clipboard Logging – Similarly to Keylogging, Screen and Clipboard Logging is used by malware to steal sensitive information. Taking screenshots can be used, for example, to steal credit card information typed into an otherwise secured web page in a browser. Clipboard Logging is based on stealing data from copy and paste operations that users do very often on Windows systems. Many users do transfer sensitive information, such as passwords, in the clipboard. This happens commonly when non-trivial passwords are required by web applications. One the one hand, using non-trivial passwords is needed so that they can not be cracked easily, but on the other hand a user that works with many of such applications might not be able to memorize all the passwords and uses a password storage software or text file and just copy-and-pastes the password from the storage to the form through the clipboard. In SSTS64, this technique is covered by Screenlog and Cliplog.
    • Window Hooking, Windows and WinEvent Hooks – Hooking Windows messages and so called WinEvents are mechanisms that operating system offers through specialized API functions to applications that want to monitor sending Windows messages in the system or receive generated notification events. These functions, however, can also be used by malware to implement various dangerous techniques like Keylogging or DLL Injection. In SSTS64, this technique is covered by CPILSuite2, FireHole, Keylog3 etc.
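As an added example (not part of the original article), a check a defender could run over a HOSTS file to find the redirections the HOSTS File Access item describes: watched update and banking names that map to anything other than a loopback or blackhole address. The watched domain names and the HOSTS content are constructed placeholders.

```python
"""HOSTS file redirection check (added example, not from the original article).

Parses HOSTS-file text and reports watched names (update servers, banking
domains) that are mapped anywhere other than a loopback or blackhole address.
The watched names and the sample HOSTS content are constructed placeholders.
"""
import ipaddress
import re

# Constructed watch list of names a defender cares about (placeholder domains).
WATCHED_DOMAINS = {
    "update.example-av.test",
    "downloads.example-av.test",
    "online.example-bank.test",
}

# Addresses to which a HOSTS entry may legitimately point (loopback, blackhole).
HARMLESS_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# address, one or more names, optional trailing comment
HOSTS_LINE = re.compile(r"^(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr = m.group("addr")
        try:
            ipaddress.ip_address(addr)          # drop lines whose first field is not an IP
        except ValueError:
            continue
        for name in m.group("names").split():
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def find_redirections(text, watched=WATCHED_DOMAINS):
    """List watched names found in the HOSTS text, classified as blocked or redirected.

    A watched name sent to loopback/blackhole is a plain block (still worth
    reporting, since it can disable updates); any other address is a redirection
    of the kind used for fake update servers or phishing hosts.
    """
    findings = []
    for addr, name in parse_hosts(text):
        hit = next((d for d in watched if name == d or name.endswith("." + d)), None)
        if hit is None:
            continue
        ip = ipaddress.ip_address(addr)
        kind = "blocked" if addr in HARMLESS_ADDRESSES or ip.is_loopback else "redirected"
        findings.append({"name": name, "addr": addr, "kind": kind})
    return findings


# Constructed sample HOSTS content: a comment, legitimate loopback entries, an
# update host blackholed, a banking domain sent to a foreign address, a junk line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test        # update server blackholed
203.0.113.45    online.example-bank.test www.online.example-bank.test
not-an-ip       downloads.example-av.test
"""

if __name__ == "__main__":
    for f in find_redirections(SAMPLE_HOSTS):
        print(f"{f['kind']:<10} {f['name']:<35} -> {f['addr']}")
```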

Component Control

Also called: Known Components

Every application uses one or more executable modules, sometimes called components. The main module is usually a .EXE file that requires several dynamic-link libraries (DLLs) to be loaded into the same address space. Common applications rely on core system modules, such as Kernel32.dll, KernelBase.dll, ntdll.dll, Advapi32.dll, user32.dll, etc. Many applications also rely on their own custom libraries, which are installed to the system with the main application module. One of the basic characteristics of DLLs is that they can be loaded during the initialization of the application's process or later, just before their functionality is required.

Every application thus has a more or less fixed set of DLLs that it loads and depends on. The Component Control feature recognizes these dependencies and controls the loading of modules into applications' processes. When a malicious program wants to inject its DLL into another process, the component control can recognize a new module being loaded into the target process and can deny the action.

The component control is also responsible for guaranteeing the integrity of the trusted modules. Any attempt to modify the on-disk files of the known modules can be recognized and denied. This applies to both the main executable modules and the DLLs.
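An added illustration of the Component Control decision logic described above (example code, not from the original article or any product): a per-application baseline of known modules with content hashes, against which module-load events are allowed or denied. The application path, module paths and file contents are constructed placeholders.

```python
"""Component Control decision logic (added example, not from the original article).

Each application gets a baseline of the modules it legitimately loads (path and
content hash). A module-load event is allowed only if the module is in the
baseline and its on-disk content still matches; an unknown module (the injected
DLL case) or a modified known module is denied. Paths and contents are constructed.
"""
import hashlib
from dataclasses import dataclass, field


def content_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ComponentBaseline:
    """Known modules per application: app path -> {module path: sha256 hex}."""
    known: dict = field(default_factory=dict)

    def learn(self, app: str, modules: dict) -> None:
        """Record the trusted module set of an application (learning mode).

        `modules` maps each module path to the bytes of its on-disk file.
        """
        self.known[app.lower()] = {
            path.lower(): content_hash(data) for path, data in modules.items()
        }

    def check_load(self, app: str, module_path: str, module_data: bytes) -> tuple:
        """Return (verdict, reason) for `module_path` being loaded into `app`."""
        app_modules = self.known.get(app.lower())
        if app_modules is None:
            return "deny", "application has no baseline"
        expected = app_modules.get(module_path.lower())
        if expected is None:
            return "deny", "unknown module (possible DLL injection)"
        if expected != content_hash(module_data):
            return "deny", "known module modified on disk"
        return "allow", "known module, integrity verified"


# Constructed sample: a hypothetical application and its libraries. The byte
# strings stand in for real file contents; the paths are placeholders.
APP = r"C:\Program Files\ExampleApp\example.exe"
TRUSTED = {
    r"C:\Windows\System32\kernel32.dll": b"kernel32 sample bytes",
    r"C:\Windows\System32\ntdll.dll": b"ntdll sample bytes",
    r"C:\Program Files\ExampleApp\helper.dll": b"helper v1",
}
EVENTS = [
    # legitimate late load of a known, unmodified library
    (r"C:\Program Files\ExampleApp\helper.dll", b"helper v1"),
    # library not in the baseline: the injected-DLL case
    (r"C:\Users\Public\inject.dll", b"foreign code"),
    # known library whose on-disk content has changed
    (r"C:\Windows\System32\ntdll.dll", b"ntdll sample bytes PATCHED"),
]


def demo_verdicts() -> list:
    """Learn the trusted set, then run the three load events; return the verdicts."""
    baseline = ComponentBaseline()
    baseline.learn(APP, TRUSTED)
    return [baseline.check_load(APP, path, data) for path, data in EVENTS]


if __name__ == "__main__":
    for (path, _), (verdict, reason) in zip(EVENTS, demo_verdicts()):
        print(f"{verdict:<5} {path}: {reason}")
```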

System Guard

Some security products implement different levels of protection for third-party applications and for the operating system and its components. System Guard is the part of the behavior control protection that is responsible for protecting the operating system itself from being infected by malware and for preserving the integrity of the operating system's parts. Important system files, critical registry keys (including autorun locations), and other system resources that can be attacked or misused, such as COM interfaces, are watched by the system guard. Any attempt to change the system or infect it is denied.

Removable Media Protection

The basic functionality of a security suite when dealing with removable media is to disable the AutoRun and AutoPlay features. When a removable medium is inserted and its root directory contains an Autorun.inf file, it is possible that a custom program is automatically started by the system. This can lead to a silent infection of the computer.

Many security suites also define a special set of rules for all programs stored on removable media. It is assumed that files stored on removable media may come from other computers that are not sufficiently protected and may be infected. This is why programs on removable media are untrusted by default and their actions are usually highly restricted. Some suites can recognize programs that are digitally signed with trusted certificates and do not limit such applications even if they are stored on removable media.

Self-protection

One of the most critical features that the behavior control engine is responsible for is the product's self-protection. Any security protection the product implements becomes useless if malware can disable it. Modern security suites protect all their components so that they cannot be switched off or damaged by malware. Self-protection requires protection of the product's processes and threads, files and directories, registry keys and values, installed system services and drivers, COM interfaces, and other resources created by the product that could be accessed by other processes running in the system.

It is vital for the security suite to prevent its own most trusted processes from being infected with malicious code or terminated. Many security suites also rely on regular updates of their databases. The update mechanisms must be designed securely so that malware cannot substitute fake update files or block the downloading or installation of the updates.

Self-protection can be implemented naturally using common behavior control rules that prohibit manipulation of the product's resources; or it can be implemented separately from the security model provided to other applications, in which case the components of the security product are protected better than any other application and resource in the system. Both approaches are common in today's security suites.

Part III: Web protection and additional functions

The final part of the Features of Modern Security Suites series discusses Web and Browser Protection features and also briefly mentions several minor features of security suites, such as Parental Control, Anti-spam and Vulnerability Protection. The features listed in this part are usually not core parts of security products. You will rarely find a product that implements all of them, and their implementations differ a lot among products. This is why we try to cover just the basic principles and aspects that are common.

Web and Browser Protection

Also called: Web Control, Web Security, Web Protection, Browser Protection, Web Browsing Protection

Web browsers are the most common targets of malicious attacks. They are exploited to infect computers from the Internet, they are used to send stolen information from the infected machine to malicious servers, and they are also attacked because of the credentials that many users save in browsers' password storage or enter into their forms. This is why security vendors make a great effort to secure web browsers more than anything else on users' computers.

Plugin Control

Also called: Plugin Prevention

A browser's processes, threads, files and other resources can be protected with common behavior control features, but this is not enough. Most common browsers allow various plug-ins, add-ons, Browser Helper Objects, or toolbars to be installed, which can also threaten their security. A component control feature may help here. Security suites should make sure that all components the browser application is using are trusted and wanted by the user.

Domain and URL Filters, Blocking Ads

Blacklisting known malicious domains and URLs is a very common feature. Users are usually allowed to add their own entries to the filter lists. When a browser is about to connect to a blocked URL, the filter detects it and aborts the action before any data transfer occurs. This can be implemented either at the network level with a low-level kernel driver or as a browser extension. The extension approach is more common because the browser's behavior can be controlled easily this way: a proper error message can be displayed rather than a confusing general error that a connection could not be established. By default the filters contain destinations that are known to be malicious or illegal. Various phishing and scam sites, sources of malware, sites with bad reputation and pornography sites can appear on the list.

Blocking ads can be implemented as a part of this feature too. Although advertisements are very important for many Internet business models, some products offer their users the option to block them and not display them in browsers. If a product implements domain and URL filters, it is easy for it to define a list of ad providers' domains and thus block most of the advertisements on the Internet very effectively.

Other forms of ad blocking can be based on blocking images by their size or blocking specific keywords. This form of blocking is aimed at intrusive and improper content, and most legitimate advertisements should still be displayed correctly.

Dynamic Content

Dynamic web content such as Flash, Java applets, or ActiveX objects presents new ways to bypass common security measures. Security suites may control and block dynamic objects that are loaded from untrusted websites. Some products also implement blocking of hidden frames and pop-up windows to avoid annoying their users.

The most restrictive way is to block all dynamic content, including scripting languages such as JavaScript. However, the side effect of such a configuration is that many web sites will stop operating correctly.

Cookies

Browser cookies are small files that a web site can ask the browser to store on the user's computer. The web site can then request the cookie back, which allows the web site to extend its functionality and the level of interaction with the user. However, the cookie mechanism can also be used to track the user's activity on the Internet. This can be considered an unacceptable violation of the user's privacy. Security suites allow their users to control web browsers' cookies, delete them automatically or forbid their creation completely. Although this functionality is a common part of today's web browsers, users may prefer to manage the computer's security from a single application – their security suite.

Similarly to blocking the dynamic content, blocking cookies may cause many web sites to be unable to work properly.

Browser Virtualization

Browser Virtualization is a reaction of security software vendors to the fact that the Internet browser is one of the most vulnerable programs on home computers as well as the primary target of many cyber attacks. It is the browser that is used to surf websites, and if a website is itself malicious or is infected with malicious content, it may attempt to exploit a vulnerability inside the browser to infect the computer.

Browser Virtualization creates a virtual environment in which the browser runs. All actions of the browser are controlled, and if they are considered potentially harmful, they are redirected to a safe sandbox. For example, if a browser is infected with malicious code, it may try to save malicious files to the disk and set up autorun registry entries so that the malware persists in the system and is started after every reboot. If the browser's file and registry actions are virtualized, the installation of the malware occurs only in the virtual environment and no infection of the system actually happens. When the browser is closed, the virtual environment is destroyed and the infection is gone forever.

At the same time, the files the user actually wants to download are allowed to be saved to the real file system outside the sandbox. Legitimate actions of the browser are not redirected, and so the usability of the browser is preserved.

The browser virtualization feature is very similar to the sandbox feature we have discussed earlier. The only difference is that instead of putting unknown applications into the sandbox, it is the well known and otherwise trusted Internet browser that runs in the sandbox.

Browser and Search Advisor, Anti-phishing

Also called: Safe Web

The purpose of Browser and Search Advisors is to provide information about the reputation of the web site that the user is visiting or is about to visit. If the browser advisor detects that the user is browsing a potentially dangerous web site, it displays a warning to the user. The search advisor is focused on the result pages of search engines. These pages are modified so that all potentially dangerous links are removed or at least visibly marked, and additional information is provided for these links when the user requests it.

Internet web sites are ranked by security software vendors. Various criteria are used here. The web sites are scanned for malware and for links to other web sites that are malicious. Web page content is analyzed and classified using keyword filters. Whitelisting and blacklisting are also applied. One of the most important criteria is community ranking. The community of users of the security product is a strong self-protecting entity that helps its members avoid dangerous web sites. When a significant number of users of the community visit a malicious web site, it is likely that this web site will be recognized as malicious by these users and reported through their security product. Such a negative ranking is then used to warn all others in the community.

Anti-phishing features try to prevent credential theft. There are many techniques for recognizing a phishing web page, including content analysis, recognition of invalid or fake certificates, detection of suspicious URLs, etc. If a phishing attempt is detected, the offending web site is blocked by the security product or a strong warning is displayed to the user.

Web Content Scanning

Some of the features described above rely on scanning web page content. This task is common to the anti-virus engines of all products; it is very similar to file scanning. The only problem can be with encrypted communication – for example over HTTPS, or any other protocol running over SSL/TLS, which is used when sensitive data are transferred to secure web applications. This kind of encryption is designed so that even if an attacker is able to watch the whole communication, it is hard for them to decrypt it. The only entities that can decrypt the data easily are the sender and the receiver – the server application and the browser, for example.

For security products this means that it is hard to reveal what data are being transferred, and so it is not possible to scan the data for malware. However, security products can install their own modules into the browsers and thus become a part of the entity that has access to the raw, unencrypted data. This is how some security products are able to scan even web content that is transferred in encrypted form. And this is also why it is important to control which add-ons and plugins are running inside the browser. If a browser is infected with a malicious module, the encryption of otherwise secure communication can be easily bypassed.

Privacy Protection

Also called: ID Protection, Identity Safe, Identity Protection

Credit card numbers, bank account numbers, web application credentials and other passwords, personal information, email addresses, social security numbers and telephone numbers are all sensitive information that should be protected well against malicious software. Privacy Protection allows the user to define which data are most sensitive and should not leave the computer without consent. The outbound traffic of the computer is scanned for the protected data, and the transfer is blocked in case of a positive match.

Password Management is sometimes included as a part of Privacy Protection. Users can maintain their passwords securely, as they are saved in encrypted form and only the owner can access them. Some security products extend the encryption to all user files and can thus protect the settings of third-party applications as well as their logs. This applies especially to various chat programs and instant messengers that may save session logs with sensitive data to the hard drive.

Cleaning of Internet browser history, cookies and temporary files is also a common part of Privacy Protection. The user can set how often the cleaning tasks run. This can be as often as every time the browser application is closed, but such an aggressive approach may worsen the user experience on some web sites; or it can be scheduled as a daily task, a weekly task, etc., which means that monitoring of the user's activity on the Internet is limited to that specified period of time.

Parental Control

Also called: Access Control

Parental Control allows privileged users (parents) to control how the computer is used by less privileged users (children). It can be used to limit the ability of a user to log in – i.e. to use the computer at all. This can effectively restrict children to using the computer only during specific hours of the day or for a limited number of hours per day. The purpose for which the computer is used can also be restricted. This can be achieved by controlling which applications the restricted user is able to start and use. The time restrictions can be combined with application restrictions to create very specific conditions, such as that a certain application can be used only for two hours a day.

Parents may also want to regulate the Internet web sites their children have access to. This restriction can be created using user-specific URL blacklists, but most suites with Parental Control allow controlling access by web site content categories. The content of the most popular web sites is either evaluated by the security software vendor, or there is a list of keywords that the web site content is dynamically searched for. Each web site can then be put into one or more categories, such as Adult content, Hate, Violence, Racism, Weapons, Gambling, Drugs, Obscene language, Chat, Terrorism, E-mail, Social networks, Online payment, Online dating, Pornography, Hacking, Scam, etc. The parent can thus restrict access to web sites that are either in a specific category or contain keywords that belong to the category.

The Parental Control feature may also allow restrictions on access to specific hardware, such as USB ports, floppy disks, or CD/DVD drives.

Besides setting up restrictions, parents may want to review their children's computer activity. Parental Control is responsible for logging the activity of computer users, including their Internet history, so that the privileged user can check whether the computer is being used properly.

Anti-spam

The role of the Anti-spam module is to reduce the number of unsolicited messages the user receives, mainly through email. A common implementation of a security suite's anti-spam supports selected email clients, such as Outlook, Outlook Express, Windows Mail, The Bat, Thunderbird, etc., and does not work with any other clients. Web-based email interfaces are usually unsupported too. There are several methods to detect spam messages. The methods are usually combined into a complex anti-spam solution.

One of the most common methods is that the contents of incoming messages are evaluated using complex algorithms and each email receives a score from the Anti-spam module. If the score is greater than a specific limit, the message is marked as spam and either moved to a special folder or deleted immediately. The limit and the action to take when the limit is reached can usually be configured in the Anti-spam settings. Spam is recognized through text content analysis or through detection of specific parts of a typical spam message. For example, many common spams contain links to unknown or poorly rated web sites. Goods, services and winnings of various kinds are offered in spams. Emails with executable binaries or infected documents as attachments are also typical examples. Most users with systems using the Latin alphabet are unlikely to receive emails written in Cyrillic or any Asian alphabet. Each of these typical signs of spam increases the email's spam score.

Another method is to use the cloud or community (sometimes called Web query). The security software vendor maintains a large database of spam messages that contains most of the widespread spam messages, scam offers, phishing emails, hoaxes, etc. When a user receives an email, the Anti-spam module queries the database on whether the email is similar to any of the well-known spam messages. New spam messages are added to the database either by the vendor itself, manually or using automatic scripts, or by a community of users that mark spam messages in their email clients.

Anti-spam solutions commonly work with whitelists and blacklists of email addresses. Emails sent from a whitelisted address are never marked as spam. Emails coming from a blacklisted address are always considered spam. Whitelists can be generated from the user's address book, but the final list is usually maintained by the user. Blacklists are updated from the vendor's servers.

Another effective method to fight spam is blocking spam mail servers. Every spammer needs a computer to send spam messages from. Improperly configured mail servers and hacked machines are commonly used to send spam. Such sources of spam can be identified and their Internet addresses put on blacklists. There are many public blacklists of spam sources that are used as an additional method of stopping spam. If an email is received from a server whose address is on the blacklist, the email is treated as spam regardless of its content. New machines are misused for sending spam all the time. This is why the blacklists have to be updated often to be effective.
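The methods of the preceding paragraphs (content scoring against a threshold, sender whitelist and blacklist, and a blacklist of sending servers) combined into one pipeline, as an added example that is not from the original article; it uses Python's email package to build the sample messages. The addresses, domains and 192.0.2.x server addresses are constructed for the example.

```python
"""Anti-spam scoring pipeline (added example, not from the original article).

Combines sender whitelist/blacklist, a blacklist of sending servers checked
against the originating Received header, and content heuristics that add
points to a spam score compared with a configurable threshold. Addresses,
domains and the 192.0.2.x server addresses are constructed.
"""
import re
import unicodedata
from email.message import EmailMessage

SENDER_WHITELIST = {"friend@example.com"}
SENDER_BLACKLIST = {"offers@spam.example"}
SERVER_BLACKLIST = {"192.0.2.66"}                   # constructed known spam source
KNOWN_GOOD_DOMAINS = {"example.com", "example.org"}
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".bat")
THRESHOLD = 5                                       # score at which mail becomes spam

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def non_latin_ratio(text: str) -> float:
    """Share of letters that are not in the Latin script."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    foreign = sum(1 for c in letters if not unicodedata.name(c, "").startswith("LATIN"))
    return foreign / len(letters)

def content_score(msg: EmailMessage) -> list:
    """Return (points, reason) pairs produced by the content heuristics."""
    hits = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        if not any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS):
            hits.append((2, f"link to unknown domain {host}"))
    if re.search(r"\b(winner|prize|won|free money)\b", text, re.I):
        hits.append((2, "offers a prize or winnings"))
    if non_latin_ratio(text) > 0.5:
        hits.append((3, "body mostly in a non-Latin script"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            hits.append((4, f"executable attachment {name}"))
    return hits

def classify(msg: EmailMessage) -> dict:
    """Classify a message: address and server lists decide first, then the score."""
    match = EMAIL_RE.search(str(msg.get("From", "")))
    sender = match.group(0).lower() if match else ""
    if sender in SENDER_WHITELIST:
        return {"verdict": "ham", "score": 0, "reasons": ["whitelisted sender"]}
    if sender in SENDER_BLACKLIST:
        return {"verdict": "spam", "score": THRESHOLD, "reasons": ["blacklisted sender"]}
    received = msg.get_all("Received") or []
    # Received headers are prepended per hop, so the last one is the origin.
    origin_ips = RECEIVED_IP_RE.findall(str(received[-1])) if received else []
    if any(ip in SERVER_BLACKLIST for ip in origin_ips):
        return {"verdict": "spam", "score": THRESHOLD, "reasons": ["blacklisted server"]}
    hits = content_score(msg)
    score = sum(points for points, _ in hits)
    return {"verdict": "spam" if score >= THRESHOLD else "ham",
            "score": score, "reasons": [reason for _, reason in hits]}

def make_message(sender, origin_ip, text, attachment=None) -> EmailMessage:
    """Build a constructed message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "sample"
    msg["Received"] = f"from mail.example.net ([{origin_ip}]) by mx.example.com"
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg

# Constructed sample messages covering each path through classify().
SAMPLES = {
    "whitelisted": make_message("friend@example.com", "192.0.2.10", "Lunch tomorrow?"),
    "bad_server": make_message("news@shop.example", "192.0.2.66", "Our latest catalogue"),
    "lottery": make_message("lottery@win.example", "192.0.2.10",
                            "You are a WINNER! Claim at http://claim.lotto.example/now",
                            attachment=("claim.exe", b"MZ constructed")),
    "cyrillic": make_message("info@promo.example", "192.0.2.11",
                             "Поздравляем, вы выиграли приз! Заберите его сегодня."),
    "colleague": make_message("colleague@example.org", "192.0.2.12",
                              "Meeting notes are at https://wiki.example.org/notes"),
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        result = classify(message)
        print(f"{label:<12} {result['verdict']:<5} score={result['score']} {result['reasons']}")
```

Note that the Cyrillic sample alone scores below the threshold: a single sign raises the score but does not by itself make the message spam.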

Vulnerability Protection

Also called: Vulnerability Monitor

This feature helps users maintain their computer so that it is free of known vulnerabilities that could be exploited by malware to infect the computer. It checks whether all important updates of the operating system and of well-known applications are installed. It also scans user accounts for weak passwords and checks for possible problems in system settings, such as removable media autorun settings. More advanced vulnerability protection systems can be connected to vendors of unofficial system and application patches, also called vaccines, that prevent exploitation of vulnerabilities before the official update is available.


Updates

Most of the security suites contain components that rely on regular updates. Other components can be updated from time to time to newer versions that add new functionality or fix bugs. Updating is thus vital to keep the computer secure. There are several types of updates.

The first type of updates is called database updates, signature updates, or rules updates. These updates are used by the Anti-virus component, for example. It needs them to be able to detect the latest threats. When new malware is created and then analyzed by the security software vendor, a new signature is created for it, and this signature is propagated to all anti-virus clients using an update. Before the database is updated with the new signature, it is possible that the malware will not be detected. This depends on whether other detection methods, such as heuristic-based scans or behavioral scans, can detect the particular malware.

Program updates are very important too. All software, including security suites, contains bugs. Bugs are fixed during the product's lifetime and bug fixes are propagated to clients through program updates. Besides bug fixes, program updates can add new functionality to the product. Sometimes even major version updates are installed through program updates. This depends on the business and licensing model of the vendor.

There are not many things a user can configure for updates. The common settings allow users to choose whether updates should be done completely automatically – i.e. check for updates, download them and install them automatically – or whether any part of the update process should be manual. If automatic checking for updates is set, the update frequency can be configured. Database updates should be done frequently, daily for example, while program updates can be set to weekly or even longer intervals. On computers that are connected to the Internet through a proxy it is necessary to have the correct proxy settings for updates. However, automatic detection of proxy settings works well on most systems, and hence users need not care about these settings. Some products allow switching updates into a bandwidth saving mode in which only critical updates are downloaded and other updates are put on hold until the bandwidth saving mode is disabled.

Settings Protection

Also called: Password Protection, Access Management, User Management

The purpose of Settings Protection is obvious – to protect the product's settings from being modified by both malware and unauthorized users. With respect to this feature there are three kinds of products. The first group are usually smaller products that do not implement this feature at all. Their settings are unprotected against manipulation by unauthorized users, but they may protect their integrity against some kinds of malware attacks via self-defense features. The second group of products implement simple protection using a single password. This password has to be entered when a user wants to change the settings or create a new permanent rule. The third group of products implement a more complex system of rights. A common solution is to derive users and groups from the operating system and to set up privileges and limitations on modifying the settings for each user account or group. In such solutions system administrators usually have full access to the security product's settings, and it is possible to define what kind of access non-admin users have to the product's settings.

Online Backup

Also called: SafeBox

Online Backup belongs among the non-core features that many security products do not even offer. The basic idea is simply to provide users with an independent, well protected, secondary storage for their most critical data. In case of a hardware problem, virus infection, or unintentional destructive actions, users may lose the data stored on their computers. The online backup feature can then help by providing a relatively recent version of the most critical data.

The final selection of the files and folders to backup is usually left to the user's choice, but the backup system can recommend common folders that contain important data, such as the Documents folder, to be backed up. Besides files and folders some online backups are able to save important registry keys too.

The backed up data are stored on the vendor's servers. The standard size of the remote storage is up to several gigabytes. In order to be effective, the backup process has to run regularly. On the other hand, the heavy utilization of disk and network may be uncomfortable for users while they work with the computer, and hence it should be done when the computer is idle.


Performance Monitoring

Performance Monitoring is a less common feature, but some suites offer it as an additional mechanism to reveal non-standard behavior that may suggest a malware infection or other problems. There are many things related to system performance and resource usage that can be monitored. Many processes in the system have a typical number of threads and handles, memory consumption, CPU utilization and disk usage that do not change too much over time. There might be peaks, but in the long term it is possible to recognize that a process behaves differently than usual. If such a suspicious event occurs, the Performance Monitoring feature initiates an alert. As a result the user can be informed about the situation, or an automatic action, such as a thorough anti-virus scan of the suspicious process's components, can be performed. In the context of this feature the user can define limits that are enforced in order to protect the stability of the system or that initiate additional actions of the security suite. Usually, Performance Monitoring must be trained for some time in order to obtain statistical data about normal system behavior before it is able to recognize discrepancies.
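An added example (not from the original article) of the training-then-alert logic described above: per-process baselines of thread count, handles, memory and CPU are learned from a run of snapshots, and a later snapshot is flagged when a metric drifts more than k standard deviations from its baseline. The process name and all metric values are constructed.

```python
"""Performance-baseline anomaly detection (added example, not from the original article).

Learns per-process baselines (mean and standard deviation) for the metrics the
article names, then flags a snapshot whose metrics deviate by more than k
standard deviations. Process names and sample values are constructed.
"""
import statistics
from dataclasses import dataclass, field

METRICS = ("threads", "handles", "memory_mb", "cpu_pct")
MIN_TRAINING_SAMPLES = 10
# Lower bound on the standard deviation per metric, so a metric that was nearly
# constant during training does not produce an alert on a tiny change.
STDEV_FLOOR = {"threads": 1.0, "handles": 10.0, "memory_mb": 2.0, "cpu_pct": 1.0}


@dataclass
class ProcessBaseline:
    """History of observed metric values for one process image."""
    history: dict = field(default_factory=lambda: {m: [] for m in METRICS})

    def add(self, snapshot: dict) -> None:
        for m in METRICS:
            self.history[m].append(float(snapshot[m]))

    def trained(self) -> bool:
        return len(self.history["threads"]) >= MIN_TRAINING_SAMPLES

    def z_scores(self, snapshot: dict) -> dict:
        """Distance of each metric from its mean, in (floored) standard deviations."""
        scores = {}
        for m in METRICS:
            values = self.history[m]
            sd = max(statistics.pstdev(values), STDEV_FLOOR[m])
            scores[m] = (float(snapshot[m]) - statistics.fmean(values)) / sd
        return scores


class PerformanceMonitor:
    """Trains a baseline per process name and raises alerts on large deviations."""

    def __init__(self, k: float = 4.0):
        self.k = k
        self.baselines = {}

    def observe(self, name: str, snapshot: dict) -> list:
        """Feed one snapshot; return alerts (none while the baseline is still training).

        Snapshots judged normal are folded into the baseline so it follows slow
        drift; anomalous ones are kept out so they cannot poison it.
        """
        baseline = self.baselines.setdefault(name, ProcessBaseline())
        if not baseline.trained():
            baseline.add(snapshot)
            return []
        alerts = [
            f"{name}: {m}={snapshot[m]} is {z:+.1f} sd from baseline"
            for m, z in baseline.z_scores(snapshot).items() if abs(z) > self.k
        ]
        if not alerts:
            baseline.add(snapshot)
        return alerts


# Constructed training data for a hypothetical host process (placeholder name).
PROCESS = "hostproc.exe"
TRAINING = [
    dict(threads=t, handles=h, memory_mb=mem, cpu_pct=c)
    for t, h, mem, c in [
        (20, 500, 48.0, 1.5), (21, 510, 49.5, 2.0), (19, 495, 50.0, 1.0),
        (20, 505, 51.0, 2.5), (22, 500, 50.5, 1.5), (20, 498, 49.0, 2.0),
        (19, 502, 48.5, 3.0), (21, 507, 50.0, 1.0), (20, 493, 51.5, 2.0),
        (20, 500, 50.0, 1.5), (21, 504, 49.0, 2.5), (19, 496, 50.5, 2.0),
    ]
]
NORMAL = dict(threads=21, handles=503, memory_mb=50.0, cpu_pct=2.0)
# Thread and handle counts far outside the trained range, as a process that
# suddenly hosts code it did not have before might show.
SUSPICIOUS = dict(threads=58, handles=2100, memory_mb=50.0, cpu_pct=2.0)


def run_demo() -> dict:
    """Train on TRAINING, then evaluate the normal and the suspicious snapshot."""
    monitor = PerformanceMonitor(k=4.0)
    for snap in TRAINING:
        monitor.observe(PROCESS, snap)
    return {"normal": monitor.observe(PROCESS, NORMAL),
            "suspicious": monitor.observe(PROCESS, SUSPICIOUS)}


if __name__ == "__main__":
    for label, alerts in run_demo().items():
        print(label, alerts or ["no alert"])
```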

Tune-up

Also called: PC Clean-up

PC Tune-up or Clean-up are names for a set of utilities that some security products offer as a bonus to the standard set of features. Tune-up utilities are intended to speed up the computer using various tricks. The longer the computer is used, the more objects, such as files and registry entries, it works with. The operating system and applications maintain many lists, such as the list of recently opened documents. Some of these lists are not limited in length and hence become longer and longer over time. Similarly, the number of temporary and cache files that are no longer used increases. It can also happen that applications do not uninstall properly and leave their files and registry entries on the computer. Another problem that slows down the system is disk fragmentation.

Tune-up tools are able to find and remove useless or redundant objects, defragment disks, clean up the history and cache of well-known applications, and thus speed up the computer a little. Significant improvements in the computer's performance can be expected only if the system has been used for a very long time without any cleaning. Otherwise, the effects of cleaning up might not be noticeable.

Reports and Logs

Security suites offer adjustable logging that can provide very detailed information about system events and the actions of every one of their components. Reports and logs are useful when a security incident occurs: the user is able to find out what happened and how it was treated. Logs from the firewall component can be used to reveal infected machines on local and remote networks and, for example, to react to their presence by creating new firewall rules. Logs from the behavioral control component can call the user's attention to applications that behave in a way the user does not want them to. However, a good understanding of how each component works internally may be required for the detailed logs to be understandable. Reports tend to be more user friendly than logs and readable by users without advanced knowledge. They summarize the work of the security product over a period of time without providing too many details.

The logging feature is also important for bug reporting. The more detailed the information provided to the vendor, the more easily its developers can locate and fix the bug.

from Matousec
 