Advanced Threat Detection and Remediation Using Microsoft Forefront Endpoint Protection
Jason Conradt, Randy Treit
Microsoft Antimalware Engineering
SIM310
Antimalware Realities
Malware threats used to be relatively simple…
Antimalware Realities
With advances in the Web come increasingly complex threats. The diagram shows the steps:
1. User with a vulnerable computer visits a compromised Web page with an invisible IFrame
2. The IFrame embedded in the page secretly loads another page
3. The page redirects to another page containing an exploit
4. If the exploit succeeds, malware downloads from another server to the victim’s computer
Parties in the diagram: User; Compromised or Malicious Web Server; Redirector; Exploit Server; Malware Server
Antimalware Realities
Malware has grown into a thriving global business
1) “Malware Author” grows a BOTNET and makes it available to “buyers”
2) Access is purchased via a “MarketPlace”
3) BOTNET use granted
4) BOTNET attacks seen at multiple entry points
5) BOTNET also serves to “recruit” additional BOTs
Antimalware Realities
The volume of malware is exploding
Antimalware Engineering Releases
Platform – once yearly
Engine – monthly
Signatures – 3x a day
Dynamic Signatures (DSS) – real time
We’ve been busy…
Zip file detection/remediation
Diagnostic scan
Process/registry/network RTP watchers
Directional scanning
Persisted file cache
Wildcard support for exclusions
Scheduled scan randomization
CPU throttling
Command line scanner
Signature update package chaining
UNC signature distribution
Signature source ordering fallback
Dynamic translation
Kernel inspection
Dynamic signature service
WLSP integration
Network vulnerability shielding (NIS)
Kernel Support Library (KSL) driver
Reboot tracking (remediation)
Directed scanning improvements
Offline scan integration
Service hardening/anti-tampering
State management
Kernel-mode boot-time removal
Live system behavior monitoring
Forefront Protection Stack: Overview
Putting our assets together, we have created a comprehensive protection stack.
Focus: operationalize new protection technologies
Destroying malware’s value prop
Recent investments:
Closing vulnerability and social engineering vectors
Operationalizing protection
Balancing protection vs. performance
Remediation and threat management improvements
Simplifying deployment
Protection stack layers (diagram):
Firewall & Configuration Management
Malware Response “MMPC”
Generics and Heuristics
Antimalware
Behavior Monitoring
Dynamic Signature Service
Anti-Rootkit
Network Vulnerability Shielding
Antimalware Details
Real-time protection provides high-quality reactive detection with optimized performance
Key improvements:
Improved monitoring: Process/Registry/Network watchers
Improved performance scenarios for servers
Performance improvements using advanced caching
Cached files are not rescanned
Cache persists across reboots
New exclusion features (wildcard support)
Scheduled scan flexibility
CPU throttling
Command line scan options
Signature update improvements
Service hardening/anti-tampering
Generics and Heuristics
Industry leading proactive detection based on our Dynamic Translation technology
Dynamic Translation helps us deal with malware volume – many are the same threat, just obfuscated differently
With polymorphic malware, what the code does may be the only common aspect of two samples
Generics/heuristics based on emulated behavior and/or decrypted binary characteristics
Allows a single signature to detect thousands of files
Advanced+ Certification from AV-Comparatives.org on pro-active detection
Generics and Heuristics: Dynamic Translation (DT)
Translate code that accesses unsafe resources into code that accesses safe resources
Execute translated program on the real CPU – very fast

Potential malware (source):

    HANDLE hFile;
    hFile = CreateFile(L"NewVirus.exe", GENERIC_WRITE, 0, NULL, CREATE_NEW,
                       FILE_ATTRIBUTE_HIDDEN, NULL);
    ...

Compiled code, accessing real resources:

    push 40000000h
    push offset string L"NewVirus.exe"
    call dword ptr [__imp__CreateFileW@28]
    cmp  esi,esp
    ...

Safe translation (DT), accessing virtualized resources:

    push 40000000h
    push offset string L"NewVirus.exe"
    call dword ptr [DT_CreateFile]
    cmp  esi,esp
Behavior Monitoring
Live system behavior monitoring identifies new threats
Tracks behavior of unknown processes and known good processes gone bad
Provides live OS anomaly detection
Primary sensors:
Process / File / Registry operations
Network activity – spam and botnets
Kernel modification – “Komoku Inc” integration for Anti-rootkit (AR) protection
Behavior Monitoring “detections” are driven by the engine and trigger a request to the Dynamic Signature Service
New signature support enables AV researchers (MMPC) to rapidly respond to evolving threats
Behavior Monitoring: Notifications
Filesystem: FileCreate, FileOpen, FileModify, FileDelete, FileRename
  Good for detecting droppers and file infectors
Registry: RegistryKeyCreate, RegistrySetValue, RegistryKeyDelete, RegistryValueDelete, RegistryKeyRename
  Good for ASEPs and detecting tampering with software keys and configuration
Network: IRC
  Good for detecting IRC bots
Other: ModuleLoad, ProcessCreate, OpenProcess, ProcessTerminate, DriverLoad, BootSectorChange, RemoteThreadInject, RawWrite
  Good for detecting process infectors and exploits
  Good for detecting rootkit installers
Behavior Monitoring: Example Detection
Upon detection:
Trojan Dropper: a process creates or modifies a file and a traditional signature indicates the new file is malware.
MBR/VBR tampering: a process modifies a Master or Volume Boot Record.
Kernel tampering: the Anti-Rootkit sensor detects tampering in kernel memory.
Emit event and telemetry:
Program the process was running.
Malware it dropped.
Driver the AR sensor found linked to the tampering, if any.
Filter for events:
Ignore if the program the process is running has a clean file reputation (or the driver, in the kernel tampering case).
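The two slides above describe a pipeline: notifications arrive from the sensors, a small set of rules turns some of them into detections, a reputation filter drops detections whose acting program (or, for kernel tampering, the linked driver) is known clean, and what survives is emitted as an event, telemetry and a Dynamic Signature Service request. The following is an added example, not Forefront's own code, that runs a constructed stream of such notifications through exactly those three rules and the filter. The event kinds mirror the notification names on the slide; the signature check, the reputation values and every process, file and driver name are constructed for the example.

```c
/* Toy behaviour-monitoring pipeline (added example, not Forefront's own code).
 * A stream of constructed notifications is run through the slide's three
 * detection rules (Trojan dropper, MBR/VBR tampering, kernel tampering), then
 * through the "clean file reputation" filter; survivors would be emitted as
 * events, telemetry and a DSS lookup. The toy signature check, reputation
 * values and all names below are constructed for this example. */
#include <stdio.h>
#include <string.h>

enum ev_kind { EV_FILE_CREATE, EV_FILE_MODIFY, EV_RAW_WRITE, EV_KERNEL_TAMPER };
enum rep { REP_UNKNOWN, REP_CLEAN, REP_BAD };

struct event {
    enum ev_kind kind;
    const char *process;   /* image the acting process was running */
    const char *target;    /* file created/modified, or driver linked to tampering */
    int raw_sector;        /* EV_RAW_WRITE only: disk sector written (0 = MBR) */
};

struct detection { const char *rule; const char *process; const char *artifact; };

/* Stand-ins for the traditional signature set and the reputation service. */
static int signature_says_malware(const char *path) {
    return path != NULL && strstr(path, "dropped_payload") != NULL;   /* constructed */
}
static enum rep file_reputation(const char *path) {
    if (strcmp(path, "explorer.exe") == 0) return REP_CLEAN;          /* constructed */
    if (strcmp(path, "trusted_driver.sys") == 0) return REP_CLEAN;    /* constructed */
    return REP_UNKNOWN;
}

/* Apply the slide's three example detections to one event.
 * Returns 1 and fills *d when a rule fires. */
static int detect(const struct event *e, struct detection *d) {
    switch (e->kind) {
    case EV_FILE_CREATE: case EV_FILE_MODIFY:
        if (signature_says_malware(e->target)) {
            *d = (struct detection){ "TrojanDropper", e->process, e->target };
            return 1;
        }
        return 0;
    case EV_RAW_WRITE:
        if (e->raw_sector == 0) {                 /* sector 0 = Master Boot Record */
            *d = (struct detection){ "MBR/VBR tampering", e->process, NULL };
            return 1;
        }
        return 0;
    case EV_KERNEL_TAMPER:
        *d = (struct detection){ "Kernel tampering", e->process, e->target };
        return 1;
    }
    return 0;
}

/* Filter: ignore when the acting program (or the linked driver, in the kernel
 * tampering case) has a clean reputation. */
static int should_report(const struct detection *d) {
    const char *subject = (strcmp(d->rule, "Kernel tampering") == 0 && d->artifact)
                        ? d->artifact : d->process;
    return file_reputation(subject) != REP_CLEAN;
}

/* Process a stream. Returns the number of detections that passed the filter
 * and would be emitted as event + telemetry + DSS request. */
static int run_monitor(const struct event *evs, int n, int verbose) {
    int emitted = 0;
    for (int i = 0; i < n; i++) {
        struct detection d;
        if (!detect(&evs[i], &d) || !should_report(&d)) continue;
        emitted++;
        if (verbose)
            printf("[%s] process=%s artifact=%s -> emit event, telemetry, DSS query\n",
                   d.rule, d.process, d.artifact ? d.artifact : "-");
    }
    return emitted;
}

/* Constructed sample stream. */
static const struct event sample_events[] = {
    { EV_FILE_CREATE,   "updater.exe",            "dropped_payload.exe", -1 },
    { EV_FILE_CREATE,   "explorer.exe",           "dropped_payload.tmp", -1 }, /* clean program: filtered */
    { EV_RAW_WRITE,     "bootkit_inst.exe",       NULL,                   0 },
    { EV_RAW_WRITE,     "backup_tool.exe",        NULL,                2048 }, /* not the MBR: no rule fires */
    { EV_KERNEL_TAMPER, "svc_host_lookalike.exe", "trusted_driver.sys",  -1 }, /* clean driver: filtered */
    { EV_KERNEL_TAMPER, "svc_host_lookalike.exe", "rk_hook.sys",         -1 },
};
#define SAMPLE_COUNT ((int)(sizeof sample_events / sizeof sample_events[0]))

int main(void) {
    printf("emitted %d detection(s)\n", run_monitor(sample_events, SAMPLE_COUNT, 1));
    return 0;
}
```

Note that the filter keys on the reputation of the subject that acted, not of the artifact that was dropped: a known-clean program writing a file that a signature flags is suppressed as a likely false positive, while an unknown program doing the same is reported.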
Behavior Monitoring – Zbot variants
Zbot installer signature checked in – 3/1/2011
Looks for created files in appdata with a particular naming pattern
Worm:Win32/Dorkbot found 3/8/2011
IRC backdoor, browser hooking for stealing passwords, blocks certain domains, spreads via USB, downloading and IM clients
Detection released on 3/8/2011
Worm:Win32/Boinberg found 3/9/2011
IRC backdoor, browser hooking for stealing passwords, blocks certain domains, spreads via USB, archive file formats, IM clients
Detection released on 3/9/2011
Dynamic Signature Service (DSS)
Delivers protection for new threats not in the signature set on the endpoint.
Low fidelity: a new class of generics looks for suspicious characteristics as behavior is emulated with Dynamic Translation
Queries the SpyNet telemetry service about ‘interesting’ files
Back-end classifiers use machine learning to identify new malware
If the file is known bad, a new signature is delivered in real time to the client requesting it
Balances signature distribution time/cost with the need for real-time updates
Admins must choose to opt in to at least ‘Basic’ SpyNet to use this feature
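The slide describes a round trip with two sides and an opt-in gate in the middle: a cheap, low-fidelity generic flags a file as interesting, the client asks the back-end only if the administrator has opted in to at least Basic SpyNet, the back-end classifies, and a returned signature is applied immediately and kept locally. The following is an added example, not the Forefront client or SpyNet service code, that models that exchange in one program with a toy weighted classifier standing in for the back-end models. The hash placeholders, the feature fields of `file_report`, the classifier weights and the three sample files are all constructed for the example.

```c
/* Toy model of the Dynamic Signature Service round trip (added example, not
 * the Forefront client or SpyNet service code). The client holds a local
 * signature set plus a low-fidelity generic that flags "interesting" files;
 * an interesting file is reported to the back-end only when the administrator
 * has opted in to at least Basic SpyNet; the back-end runs a toy classifier
 * and, when it knows the file is bad, returns a signature that the client adds
 * to its local set and applies at once. Hashes, feature values and classifier
 * weights are constructed for this example. */
#include <stdio.h>
#include <string.h>

enum spynet_level { SPYNET_OFF, SPYNET_BASIC, SPYNET_ADVANCED };

/* What the engine knows about a file after emulating it under Dynamic Translation. */
struct file_report {
    const char *sha_placeholder;   /* constructed stand-in for a content hash */
    int writes_hidden_exe;
    int modifies_run_key;          /* auto-start extensibility point touched */
    int opens_irc_port;
    int is_signed;
};

/* Local signature set: known-bad hashes. */
#define MAX_SIGS 16
struct client { enum spynet_level opt_in; const char *sigs[MAX_SIGS]; int n_sigs; };

static int client_known_bad(const struct client *c, const char *hash) {
    for (int i = 0; i < c->n_sigs; i++) if (strcmp(c->sigs[i], hash) == 0) return 1;
    return 0;
}

/* Low-fidelity generic: cheap and deliberately broad; not a verdict by itself. */
static int generic_interesting(const struct file_report *r) {
    int score = r->writes_hidden_exe + r->modifies_run_key + r->opens_irc_port - r->is_signed;
    return score >= 1;
}

/* Back-end: toy weighted classifier standing in for the ML models.
 * Returns 1 (known bad) and sets *sig_out, or 0 (nothing to deliver). */
static int backend_classify(const struct file_report *r, const char **sig_out) {
    int weight = 3 * r->writes_hidden_exe + 2 * r->modifies_run_key
               + 2 * r->opens_irc_port - 2 * r->is_signed;
    if (weight >= 4) { *sig_out = r->sha_placeholder; return 1; }
    return 0;
}

/* The DSS round trip. Returns the verdict (1 = blocked, 0 = allowed) and
 * names in *path the branch that decided it. */
static int dss_scan(struct client *c, const struct file_report *r, const char **path) {
    if (client_known_bad(c, r->sha_placeholder)) { *path = "local-signature"; return 1; }
    if (!generic_interesting(r))                 { *path = "not-interesting"; return 0; }
    if (c->opt_in < SPYNET_BASIC)                { *path = "no-opt-in";       return 0; }
    const char *sig;
    if (!backend_classify(r, &sig))              { *path = "backend-unknown"; return 0; }
    if (c->n_sigs < MAX_SIGS) c->sigs[c->n_sigs++] = sig;   /* real-time signature */
    *path = "dss-signature";
    return 1;
}

/* One-shot verdict from a fresh client at the given opt-in level. */
static int verdict_fresh(enum spynet_level lvl, const struct file_report *r) {
    struct client c = { lvl, {0}, 0 };
    const char *p;
    return dss_scan(&c, r, &p);
}

/* Constructed samples. */
static const struct file_report dropper   = { "sha-CONSTRUCTED-0001", 1, 1, 0, 0 };
static const struct file_report ircbot    = { "sha-CONSTRUCTED-0002", 0, 1, 1, 0 };
static const struct file_report installer = { "sha-CONSTRUCTED-0003", 0, 1, 0, 1 }; /* signed, run key only */

int main(void) {
    struct client c = { SPYNET_BASIC, {0}, 0 };
    const char *why;
    printf("dropper:          %d (%s)\n", dss_scan(&c, &dropper, &why), why);
    printf("dropper again:    %d (%s)\n", dss_scan(&c, &dropper, &why), why); /* now local */
    printf("signed installer: %d (%s)\n", dss_scan(&c, &installer, &why), why);
    printf("irc bot, no opt-in: %d\n", verdict_fresh(SPYNET_OFF, &ircbot));
    return 0;
}
```

The second scan of the dropper is decided locally: once the back-end has answered, the client no longer needs the network for that file, which is the trade-off the slide describes between distribution cost and real-time coverage. The `no-opt-in` branch shows why the feature is unavailable without at least Basic SpyNet: the interesting file is never sent, so no signature can come back.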
Demo: Behavior Monitoring & Dynamic Signature Service
Anti-Rootkit
Advanced rootkit scanning and remediation defends against sophisticated threats.
New remediation features:
Reboot Tracking: provides awareness that the system is in the process of rebooting, which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives)
Directed scanning improvements
Offline scan integration
Diagnostic Scan
Anti-Rootkit
Monthly engine releases let us respond to many of the latest advanced rootkit techniques:
KSL (Kernel Support Library): kernel-inspection technology to detect advanced rootkits such as Alureon
kBTR (Kernel-mode boot-time removal): kernel-mode driver that loads early in the boot process to perform remediation actions before the malware starts
DFSP (Direct File System Parsing): raw parsing of the disk to detect hidden rootkits and identify potential new rootkits
However, advanced detection and remediation for rootkits and other sophisticated threats may require new platform features only in FEP:
Diagnostic Scan
Advanced remediation support
Anti-Rootkit: Diagnostic Scan
In FCS, quick scan is very linear:
Scan is static – do x, then y, then z…
All users pay the same ‘tax’
FEP 2010 adds scan intelligence based on context:
If we can determine the kernel integrity has been tampered with, use more aggressive scanning with features like direct file-system parsing (DFSP) or KSL (kernel rootkit detection)
If the computer is clearly at greater risk, the scan should be more aggressive
If RTP has been on the whole time, don’t rescan user-mode ASEPs during quick scan
Users who are “doing everything right” should have a less aggressive scan
Anti-Rootkit: Diagnostic Scan
Quick scan in FEP 2010 = smarter, safer scan
Quick Scan is now context-based. Users with signs of a possible infection will receive a more thorough system check-up than users whose computer appears healthy and hasn’t been exposed to possible infection.
Benefits:
Default scan is faster and less obtrusive on uninfected computers
Default scan is thorough and more aggressive on infected computers
AM Engine dynamically adjusts the depth of the scan based on context information
Scanning behavior learns over time and adjusts
Telemetry from the user base provides a clear picture of real-world scan behavior
Improved detection rates
Demo: Diagnostic Scan
Anti-Rootkit: Advanced Remediation Support
New remediation features:
Reboot Tracking: provides awareness that the system is in the process of rebooting, which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives)
Directed scanning improvements: ensures all parts of a threat are found and removed at once
Offline scan integration: support for an “Offline Scan Required” remediation action that lets administrators know that they need to run Standalone System Sweeper to remove the rootkit.
Network Inspection System
Network Inspection System (NIS) detects and blocks Conficker-style network vulnerability exploits
NIS inspects inbound and outbound network traffic and blocks detected exploits
Only on if users are vulnerable: signatures are enabled individually based on specific patch level
Disabled once the machine is patched
If no signatures are active, NIS turns off traffic interception
Starting small in FEP 2010 – protection for top severity Windows vulnerabilities
Can be extended via engine updates over time
Demo: Vulnerability Shielding: Network Inspection System
Microsoft Malware Protection Center
FEP customer submissions and telemetry are prioritized across the global response team
Ability for enterprise customers to engage virus researchers and analysts 24/7 for high priority submissions
Ability to track submission status online
Detailed information on detections added or modified in a definition set (change log)
RSS feeds to keep our customer base up to date on new encyclopedia write-ups, definition releases, and telemetry
Visit the portal at: www.microsoft.com/mmpc
Forefront Protection Stack: Summary
Anti-Rootkit, Generics and Heuristics, Real-time Protection, Behavior Monitoring, Dynamic Signature Service, Malware Response, Network Vulnerability Shielding
Provide high-quality protection
Cover more attack vectors
Discover new threats
Deliver signatures faster
Forefront Endpoint Protection and VDI
Perform a full scan in the base image before deployment. This will build our MOAC scanning cache and ensure that the scanning we do is pre-optimized.
Update the signatures in the base image before deployment if at all possible. Otherwise clients will need to individually pull down updates. If clients will download signatures, make sure to leave signature update randomization enabled.
Focus on real-time scanning protection:
Disable scheduled scans.
If scheduled scans are required, make sure to leave scan randomization enabled.
Disable Behavior Monitoring
Disable Network Inspection System
Forefront Endpoint Protection 2012 Beta
Convergence of Management and Security
Built on System Center Configuration Manager 2012
Advanced protection with lower impact on productivity
New enhancements:
Simplified hierarchy model
Role Based Access Control
Definition updates and automatic approval rules through ConfigMgr
Improved alert timings
Evaluation options:
FEP 2012 Beta available now: http://www.microsoft.com/fep
Join the Community Evaluation Program (included in ConfigMgr CEP): https://connect.microsoft.com/site1211
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
www.microsoft.com/teched – Sessions On-Demand & Community
www.microsoft.com/learning – Microsoft Certification & Training Resources
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
http://northamerica.msteched.com – Learning. Connect. Share. Discuss.
Complete an evaluation on CommNet and enter to win!
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.