Malicious software prevention
Nick Barron
Photo credit: NIAID, Flickr Creative Commons. https://xkcd.com/1180/ used with permission.
About me (again)
• IT admin and security controller for a mid-sized MOD supplier
• I don’t sell anti-malware, I just use it and shout at it
• DISA IT techie
• Have way too many computers at home
What’s ahead
• What is malicious software
• Types and capabilities of anti-malware
• Cyber Essentials requirements
• Possible problems (things salespeople won’t tell you)
• Summary
What is malware?
• Cyber Essentials definition: https://www.cyberaware.gov.uk/cyberessentials/files/requirements.pdf, page 10
– “Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform unauthorised functions on one or more computers”
• Key points
– “written and distributed deliberately”, so not just buggy software
– “unauthorised functions”, as legitimate software may perform the same function but with proper authorisation (e.g. deleting or encrypting files)
How anti-malware works
• Hooks into the operating system so it can look at files before they run
• Checks files for
– Indicators of known viruses (“signatures”)
– Suspicious characteristics
– Suspicious activity (why is my Word document trying to open a secure shell connection?!)
• Two main types of scanning:
– “On access” scans files when they are accessed (opened, run, etc.)
– “On demand” scans files when asked, e.g. “Scan this USB stick”
Extra features
• Web filtering
– Check web pages for malicious scripts
– Block pages based on a blacklist or on their content
• Device control
– Control access to USB devices (e.g. “non-encrypted USB disks are read only”)
– Prevent network bridging
• Control of non-malware
– Block access to non-malware tools that may be used for bad things (e.g. normal users generally don’t need to run password cracking software)
Cyber Essentials requirements
• Malware protection
– installed on all computers “connected to or capable of connecting to the Internet”
– must be kept up to date, “at least daily”
– configured to scan files automatically on access, and to scan web pages when they are accessed
– configured to perform regular scans of all files
– prevent connections to malicious websites
Installed on all devices
• All devices with access (or potential access) to the Internet
– Some accreditors will allow the use of firewall rules to isolate, e.g., test systems
• Exclusion for devices that have no anti-malware available
– Routers, printers, iPhones…
– But not Linux machines
Kept up to date
• All good anti-malware updates regularly and automatically
• More frequent updates mean a shorter exposure window
– You should expect multiple updates per day
• If you have IT monitoring, make sure they check that updates are working on clients and servers
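One way to do the monitoring check above, as an added example that is not part of the talk: a small Python audit over a constructed console export that flags hosts whose definitions are older than the “at least daily” limit, or that have on-access scanning switched off. The record field names and the sample inventory are assumptions, not any vendor’s format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export from an anti-malware management console
# (hostname, last definition update in UTC, on-access scanning enabled).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "last_update": "2016-06-20T08:15:00Z", "on_access": True},
    {"host": "ws-02", "last_update": "2016-06-18T23:40:00Z", "on_access": True},
    {"host": "dev-03", "last_update": "2016-06-20T07:05:00Z", "on_access": False},
    {"host": "srv-01", "last_update": "", "on_access": True},
]

# Cyber Essentials: definitions kept up to date "at least daily".
MAX_DEFINITION_AGE = timedelta(hours=24)


def parse_utc(timestamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_endpoint(record, now, max_age=MAX_DEFINITION_AGE):
    """Return the list of findings for one endpoint; an empty list means compliant."""
    findings = []
    timestamp = record.get("last_update")
    if not timestamp:
        # A host that never reports an update is the one most easily missed.
        findings.append("no definition update ever reported")
    else:
        age = now - parse_utc(timestamp)
        if age > max_age:
            hours = int(age.total_seconds() // 3600)
            limit = int(max_age.total_seconds() // 3600)
            findings.append(f"definitions {hours}h old (limit {limit}h)")
    if not record.get("on_access", False):
        findings.append("on-access scanning disabled")
    return findings


def audit(inventory, now, max_age=MAX_DEFINITION_AGE):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    results = {}
    for record in inventory:
        findings = check_endpoint(record, now, max_age)
        if findings:
            results[record["host"]] = findings
    return results


if __name__ == "__main__":
    now = datetime(2016, 6, 20, 10, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    for host, findings in audit(SAMPLE_INVENTORY, now).items():
        print(host, "->", "; ".join(findings))
```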
Configured to scan on access
• On-access scanning ensures files are checked before use without any user intervention
• Can have a performance impact, so may be unpopular in software development environments
• Scanning web pages is usually supported; checks for malicious web scripts etc.
Regular full scans
• Full scans are still beneficial even when on-access scanning is in place
• Can catch infected files that slip through
• Runs in the background and can run out of hours, so more thorough checks can be enabled (e.g. zip files, all file types etc.)
Prevent connections to malicious websites
• Can be performed at firewall level but may need discussion with the accreditor
• Most anti-malware packages now include basic web filtering
• Beware of false positive issues
– Sites are often blacklisted due to malicious adverts
– Lookup should be live rather than based on a downloaded list
Things the sales people won’t tell you
• A reasonably skilled attacker will be able to get past your anti-malware product
– Common tools allow the creation of one-off malware variants that will get through
– Often used in penetration tests
– I could show you how to do this in a lunch break…
• So…
– Do not trust anti-malware to protect against targeted attacks
– But it’s still useful to protect against “off the shelf” malware
Things the sales people won’t tell you
• Anti-malware software can introduce new security holes
– Runs on all machines, and needs admin rights, so an attractive target for an attacker
– Track record of not-so-great development practice
– Large, complex software
• Joxean Koret (below) broke Avast, AVG, Avira, BitDefender, ClamAV, Comodo, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. In a year.
https://vimeo.com/108053895
http://joxeankoret.com/download/breaking_av_software_44con.pdf
You know when you’ve been Tavis’d!
• Tavis Ormandy breaks things… https://googleprojectzero.blogspot.co.uk
– June 2016: Symantec
– March 2016: Comodo Antivirus, Trend
– February 2016: MalwareBytes
– December 2015: FireEye, AVG
– October 2015: Avast
– September 2015: Kaspersky
– June 2015: ESET
– August 2011: Sophos
• Google for “Ormandy” and the name of your vendor!
Photo by Alex E. Proimos, http://www.flickr.com/photos/proimos/4199675334/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=22535544
Things the sales people won’t tell you
• Upselling
• You are sold an anti-malware product, then…
– “Buy our new XXX product to protect against the latest threats”
• Ask…
– Why am I being charged more to address issues the product you sold me was supposed to fix?
Summary
• Most commercial anti-malware products can be easily configured to meet Cyber Essentials requirements
– Configuration and monitoring are important
• Important to understand and address the limitations of anti-malware products
– Beware of sales promises
– Don’t be afraid to ask awkward questions
• Make sure technical staff are aware of and up to date with evasion techniques (send them to conferences like 44CON and buy them Joxean’s book!)
• Useful links
– https://www.ncsc.gov.uk/guidance/10-steps-malware-prevention
– https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware
Questions?
Nick Barron
01329 226346
(I checked on Twitter they said gratuitous cat pics are fine!)