KAV 7.0 Overview of technologies Nikolay Grebennikov Department of Innovative Technologies, Deputy Director, [email protected]
Jan 15, 2016
We’ll talk about new protection technologies
Plan of presentation
• New heuristic engine based on an emulator
• Greatly improved Anti-rootkit
• Outbound protection improvements (anti-leak)
• New Privacy Control concept
• Protection against a new type of keylogger
• Improved PDM detection
• Improved self-protection
New heuristic engine (1)
• KAV 3.0, 4.0, 5.0: best detection rate and fastest reaction time: signature-based detection
• KAV 6.0: + Proactive Defense Module (PDM), based on analysis of application behavior
• KAV 7.0: + new heuristic engine based on an emulator
Now KL's 7.0 products contain a full set of the most effective technologies, which give our users a unique level of protection against all types of modern threats.
Triple shield of protection
New heuristic engine (2)
1. The heuristic engine uses the same decision-making logic (set of rules) as the Proactive Defense Module.
2. But the events for the heuristic engine and for PDM are generated by different modules: the emulator and the kernel-mode driver.
[Diagram: two event providers, the Windows kernel-mode drivers (Proactive Defense Module) and the emulator (heuristic engine), feed one shared decision-making logic]
The driver intercepts operations on the real file system and system registry, network activity and other activities of all processes.
The emulator gets the same information during emulation of the execution of an application's program code.
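The shared decision logic with two event providers, as an added example written for this overview (not Kaspersky's code): the event vocabulary, the two behavior rules and both event traces are constructed for illustration, and the same decide() judges a trace whether it came from the kernel-mode driver or from the emulator.

```python
# Added example (not KL code): one rule set judges events from two providers,
# as on the slide. Event vocabulary, rules and both traces are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Event:
    pid: int
    op: str         # file_write | reg_set | driver_load (constructed vocabulary)
    target: str     # file path, registry value path or driver service name
    data: str = ""  # registry data, or image path for driver_load

def rule_autostart_copy(seen: List[Event]) -> Optional[str]:
    """Process drops a file into System32 and points a Run value at it."""
    drops = {e.target.lower() for e in seen if e.op == "file_write" and "\\system32\\" in e.target.lower()}
    for e in seen:
        if (e.op == "reg_set" and "\\currentversion\\run\\" in e.target.lower()
                and e.data.lower() in drops):
            return "Autostart copy (worm-like behaviour)"
    return None

def rule_ads_driver(seen: List[Event]) -> Optional[str]:
    """Driver loaded from an NTFS alternate data stream (Costrat/Unreal pattern)."""
    streams = {e.target.lower() for e in seen if e.op == "file_write" and ":" in e.target.split("\\")[-1]}
    for e in seen:
        if e.op == "driver_load" and e.data.lower() in streams:
            return "Driver hidden in ADS (rootkit-like behaviour)"
    return None

def decide(events: Iterable[Event]) -> Dict[int, str]:
    """Shared decision logic: first verdict reached per process, from any provider."""
    history: Dict[int, List[Event]] = {}
    verdicts: Dict[int, str] = {}
    for ev in events:
        history.setdefault(ev.pid, []).append(ev)
        if ev.pid not in verdicts:
            for rule in (rule_autostart_copy, rule_ads_driver):
                verdict = rule(history[ev.pid])
                if verdict:
                    verdicts[ev.pid] = verdict
                    break
    return verdicts

# Provider 1 (constructed): what the kernel-mode driver reports for a real process.
DRIVER_TRACE = [Event(412, "file_write", "C:\\Windows\\System32:hidden.sys"),
                Event(412, "driver_load", "hiddensvc", "C:\\Windows\\System32:hidden.sys")]
# Provider 2 (constructed): what the emulator reports while running a sample's code.
EMULATOR_TRACE = [Event(1, "file_write", "C:\\Windows\\System32\\sample_copy.exe"),
                  Event(1, "reg_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
                        "C:\\Windows\\System32\\sample_copy.exe")]
```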
New heuristic engine (3)
[Diagram: Real-time protection = signature-based engine + Proactive Defense Module; Scan tasks = signature-based engine + heuristic engine]
Influence on system performance
The new emulator won't increase the system slowdown caused by AV, because KAV 7.0 uses the power of the triple shield:
• With default settings, PDM and the signature engine work in real time,
• The heuristic engine and the signature engine work for scan tasks.
New heuristic engine (5)
Demo: scan of the emul.zip archive with 4 test viruses
1. Heuristic is disabled: no threats detected
New heuristic engine (6)
2. Heuristic is enabled
All threats are detected with 3 different behavior-based verdicts
Greatly improved Anti-rootkit (1)
Anti-rootkit technologies
1. During installation of a rootkit
• Interception of the rootkit's driver and service registration
• Interception of injection of the rootkit's code into trusted processes + self-protection of KAV
2. After installation (New in 7.0!)
• Detection of active rootkits
• Detection of hidden processes in memory
• Active threats disinfection technology
• Detection and removal of hidden files on disk
Greatly improved Anti-rootkit (2)
Detection of hidden files
• The main idea is a cross-scan: get the list of files using the Windows API, get the same list using direct disk access, and compare!
• Rootkit scan
• Direct disk access for all files and NTFS Alternate Data Streams of folders
• Advanced rootkit scan
• The same as the basic scan plus a scan of the ADS of all files (much slower, but necessary in some cases)
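The cross-scan and its two modes (basic: streams on folders only; advanced: streams of every file), as an added example that is not Kaspersky's scanner. Both views are constructed dicts of folder to entry names, with an NTFS alternate data stream written "owner:stream" and a stream on the folder itself as ":stream"; direct disk access is not portable, so the disk view is constructed and the comparison logic is what the example shows.

```python
# Added example (not KL's scanner): the cross-scan from the slide, comparing the
# file list the Windows API returns with the list obtained by direct disk access.
# Both views are constructed dicts (folder -> set of entry names); an NTFS
# alternate data stream is written "owner:stream", a stream on the folder
# itself as ":stream". The disk view is constructed, since reading the volume
# directly is not portable; the comparison logic is what the example shows.
from typing import Dict, List, Set

View = Dict[str, Set[str]]

def is_stream(entry: str) -> bool:
    return ":" in entry

def cross_scan(api: View, disk: View, advanced: bool = False) -> List[str]:
    """Return full paths present in the disk view but missing from the API view.
    advanced=False: basic 'Rootkit scan' (regular files everywhere, streams only on
    folders). advanced=True: 'Advanced rootkit scan', streams of every file too."""
    hidden: List[str] = []
    for folder, disk_entries in disk.items():
        api_entries = api.get(folder, set())
        for entry in sorted(disk_entries):
            if is_stream(entry) and not advanced and not entry.startswith(":"):
                continue  # per-file stream: only the advanced scan checks these
            if entry not in api_entries:
                hidden.append(folder.rstrip("\\") + "\\" + entry)
    return hidden

# Constructed API view: what the Windows API reports while the rootkit is active.
API_VIEW: View = {
    "C:\\": {"Windows", "pagefile.sys"},
    "C:\\Windows\\System32": {"ntoskrnl.exe", "drivers", "notes.txt",
                              "readme.txt", "readme.txt:Zone.Identifier"},
}
# Constructed disk view: the same folders as read from the volume directly.
DISK_VIEW: View = {
    "C:\\": {"Windows", "pagefile.sys", ":unreal_drv.sys"},  # folder stream (Unreal case)
    "C:\\Windows\\System32": {"ntoskrnl.exe", "drivers", "notes.txt", "readme.txt",
                              "readme.txt:Zone.Identifier",  # benign, visible to the API
                              ":hidden_drv.sys",             # folder stream (Costrat case)
                              "notes.txt:extra"},            # per-file stream, hidden
}
```

The basic scan reports the two folder streams; only the advanced scan also reports the hidden per-file stream, which is why it is slower but needed in some cases.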
Greatly improved Anti-rootkit (3)
Materials
• Fighting Rootkits with Kaspersky Internet Security 6.0/Kaspersky Antivirus 6.0 (http://www.kaspersky.com/fighting_rootkits_version_6_products)
• In the near future we'll publish the second part of the article, about the Anti-rootkit in KIS 7.0
• But right now you can make a demo using the 3 rootkits described on the next slides (Costrat, Unreal, Elite Keylogger)
Greatly improved Anti-rootkit (4)
• Costrat (Rustock.B; Spambot) http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
• family of backdoor programs with advanced user- and kernel-mode rootkit capabilities,
• very powerful rootkit, described in VB in August 2006,
• Elite Keylogger http://www.elitekeylogger.com/
• very powerful keylogger and rootkit, uses 3 kernel-mode drivers
• detected by KAV 6.0 during installation; a Rescue CD was needed to remove it.
• Unreal.A by MP_ART & EP_X0FF
• proof-of-concept non-malicious stealth rootkit
• designed to be invisible to all current rootkit detection technologies
Greatly improved Anti-rootkit (5)
Trojan-Clicker.Win32.Costrat.ab (Rustock)
The driver is hidden in an NTFS Alternate Data Stream of the System32 folder
Greatly improved Anti-rootkit (6)
not-a-virus:Monitor.Win32.EliteKeylogger
Greatly improved Anti-rootkit (7)
Exploit.Win32.Unreal.a
1. The driver is hidden in an NTFS Alternate Data Stream of the root C:\ folder
2. This Alternate Data Stream is itself hidden by the rootkit's driver!
Firewall outbound protection improvements (1)
Leaktests failed in KIS 6.0 MP2 (leaktest – technique used):
BITStester – use of the BITS service
Breakout – Windows messages to IE
Breakout2 – changing the ActiveDesktop with a URL
CPILSuite3 – the SetWinEventHook function
DNStester – DnsQuery from Dnsapi.dll
OSfwbypass – ShowHTMLDialog from Mshtml.dll
Surfer – DDE communication with IE
* http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
Firewall outbound protection improvements (2)
Firewall outbound protection improvements (3)
1. BITSAdmin
2. Breakout
Firewall outbound protection improvements (4)
3. Breakout2
4. CPILSuite (3)
Firewall outbound protection improvements (5)
5. Surfer
6. OSFwBypass
Firewall outbound protection improvements (6)
1. KIS 7.0 should improve its result by 650+ (300-600 points; I am not sure about the FPR tests)
• In any case, KIS will surpass ZoneAlarm and SSM in the results table.
We will consider our 3rd place as the best possible result, because we are not going to fight against the specific solutions from Comodo and Jetico (the only difference will be in the default settings; we think that our settings are the best balance for 95% of Internet users).
New Privacy control concept (1)
1. The concept of the Privacy Control component implemented in most Security Suites:
“enter all your private data – PINs, passwords, …” “we will analyze outgoing traffic and if any of your private data is found, it will be replaced by ‘***’”
Cool idea, but it DOES NOT work in the real world.
Why? Because almost all trojans encrypt all the data they send, and the Security Suite will find nothing in such encrypted traffic!
2. So how can we protect the user's private data?
1) we can block access to the password storages of many well-known programs and to the Windows Protected Storage,
2) we can block all attempts to send data in hidden ways (used by most trojans).
New Privacy control concept (2)
Real-life example: Trojan-PSW.Win32.LdPinch
Test sample: a passview utility which tries to get information from the Windows Protected Storage
Protection against new type of keyloggers (1)
Protection against all types of keyloggers
User-mode:
• SetWindowHook (global keyboard hook)
• GetAsyncKeyState/GetKeyState (keyboard polling)
• GetMessage/PeekMessage interception
• Use of the Raw Input model (New in 7.0!)
Kernel-mode:
• Kbdclass driver filter
• Device\KeyboardClass0 driver filter
• Kbdclass dispatch table patch
• KeServiceDescriptorTableShadow patch
Protection against new type of keyloggers (2)
Protection against a new technique for intercepting keyboard input: using the Raw Input model via DirectX functions
Unique!
Improved PDM detection (1)
Protection against a new technique for installing drivers in a hidden way: save/restore of the registry hive for the Services part of the System registry
Unique!
Improved PDM detection (2)
Protection against a new technique for installing drivers in a hidden way: using the kernel function ZwLoadDriver (which can be called by ring-3 applications)
Unique!
Improved self-protection (1)
Self-protection technologies
• Protection of the product's files on disk
• Protection of the product's registry keys
• Protection of the product's processes in memory
• Protection of the product's folders against changes of permissions (New in 7.0!)
• Protection of the product's registry keys against changes of permissions (New in 7.0!)
Improved self-protection (2)
Protection against changes of permissions on KAV folders
Unique!
Improved self-protection (3)
Protection against changes of permissions on KAV registry keys
Unique!
Last point: network performance
Influence on system performance
• Some users complained about decreased network performance after installing KIS 6.0 (eMule, games, …)
• So we've completely rewritten our network driver
• Let's see the result:
Test stand: Windows Vista and XP SP2 32-bit. KIS 7.0 with Firewall and IDS enabled. About 200 rules are added for different network applications. Network throughput is measured using the netcps.exe utility.
           In (MPS)   In (%)   Out (MPS)   Out (%)
w/o KIS    8.00       100      8.03        100
KIS 6.0    3.87       48.38    2.84        35.37
KIS 7.0    7.94       99.25    7.93        98.75
MPS = Mb per second
Thank you!
Questions?