Classify
Blacklisting
- Detect bad objects
- Cannot be perfect, as the problem itself is undecidable
- Signature (reactive mechanism)
- Heuristics: dynamic, static parameters
Whitelisting
- Allow only known-good objects and block the remaining ones
- Can be solved theoretically but is practically challenging
Anti malware engine 2
Whitelisting (on process creation; also on process activity, file read or write)
Design Problems
- Scanning of clean files needs to be fast
- Scanning or disinfecting malware may take a long time
- Where to keep the database while scanning: trade-off between memory and file I/O
Scanning
Static
- Scan/analysis of a file's structure and contents
- Methods: on demand, on access
Dynamic
- Monitoring while the target is executing
- Emulate
Components of AV engine
[Figure: processing pipeline] Malware.zip -> UNARCHIVER -> PE Parser -> Anti malware engine -> verdict: Clean / infected
Scanning Techniques
- String scanning
- Hash scanning
- Virus-specific scanning
- Heuristics
- Emulation (used with other techniques)
String Scanning
- Naive scanning: O(nm)
- Boyer-Moore: O(n)
- Aho-Corasick algorithm
[Figure: Aho-Corasick automaton built over keywords made of the letters a, b, c]
Aho-Corasick
Set Matching Problem
Pattern set to search P = {P1, P2, ..., Pk} in target T = T[1..m], with total pattern length
$n = \sum_{i=1}^{k} |P_i|$
A multiple-string matching algorithm that constructs a finite state machine from the pattern set (a list of keywords), then uses the machine to locate all occurrences of the keywords in a body of text. Running time O(m + n + z), where z is the number of pattern occurrences in T.
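The set matching problem above, worked in code: the following is an added example, not the slide's or any engine's code. It builds the Aho-Corasick automaton (goto, failure and output functions) from a dictionary of byte signatures and reports every occurrence in one pass over the buffer. The signature names, the three-keyword set echoing the a/b/c figure, and the sample buffers are all constructed for the demo.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher. Building the automaton costs O(n) for the
    total pattern length n; scanning a buffer of length m then costs O(m + z),
    z being the number of signature occurrences reported."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]      # state -> {byte value: next state}
        self.fail = [0]       # state -> state of the longest proper suffix
        self.out = [[]]       # state -> indices of patterns that end here
        for idx, pat in enumerate(self.patterns):
            self._insert(pat, idx)
        self._link_failures()

    def _insert(self, pat, idx):
        state = 0
        for b in pat:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(idx)

    def _link_failures(self):
        # Breadth-first over the trie so every fail target is already final.
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A suffix that is itself a keyword must also be reported here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data):
        """Return (offset, pattern index) for every occurrence in data."""
        hits = []
        state = 0
        for pos, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                hits.append((pos - len(self.patterns[idx]) + 1, idx))
        return hits


def scan_signatures(data, signatures):
    """signatures: {name: byte string}. Returns sorted (offset, name) hits."""
    names = list(signatures)
    ac = AhoCorasick(signatures[n] for n in names)
    return sorted((off, names[i]) for off, i in ac.scan(data))


# Constructed keyword set mirroring the slide's a/b/c automaton.
SIGS = {"sig_ab": b"ab", "sig_bab": b"bab", "sig_cab": b"cab"}
SAMPLE = b"xcabab"

# Constructed "file" with two constructed byte signatures embedded in it.
SIGS2 = {"irc_join": b"JOIN #", "hosts_path": b"drivers\\etc\\hosts"}
FILE = (b"MZ\x90\x00" + b"\x00" * 8
        + b"JOIN #botnet\x00C:\\Windows\\System32\\drivers\\etc\\hosts")

if __name__ == "__main__":
    print(scan_signatures(SAMPLE, SIGS))   # overlapping keywords, all reported
    print(scan_signatures(FILE, SIGS2))
```

The scan never backs up in the input: on a mismatch it follows failure links, which is why the cost stays linear in the buffer length regardless of how many signatures the database holds.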
Hash scanning
- Take a hash of the full file
- Cannot work for file infectors
- A single junk byte appended to the malware will defeat detection
- Slow: hashing the whole file takes long and needs a lot of disk access
Start position
- It can be an arbitrary point
- It can be fixed: PE entry point, beginning of the file, beginning of the code section, beginning of an exported function
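To make the two preceding slides concrete, here is an added example (not the deck's code) that compares a whole-file hash record with a record anchored at a fixed start position. The sample "file", its header/code/data layout and the offsets are constructed; a real engine would take the code-section offset or entry point from the PE headers rather than from constants.

```python
import hashlib

# Constructed sample "file": a 16-byte header, a 32-byte code section and a
# data tail. The offsets are simply known here (assumed layout).
HEADER = b"HDR1" + b"\x00" * 12
CODE = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 26
DATA = b"config=evil.example\x00"
SAMPLE = HEADER + CODE + DATA
CODE_START, CODE_LEN = len(HEADER), len(CODE)


def full_file_hash(data: bytes) -> str:
    """Whole-file hash: any change anywhere in the file changes the digest."""
    return hashlib.sha256(data).hexdigest()


def region_hash(data: bytes, start: int, length: int) -> str:
    """Hash of a fixed-size window beginning at a fixed start position."""
    return hashlib.sha256(data[start:start + length]).hexdigest()


# Signature database with two records derived from the known-bad sample:
# 'full' is a whole-file hash, 'code_section' is anchored at the code section.
DB = {
    "full": {"kind": "file", "sha256": full_file_hash(SAMPLE)},
    "code_section": {"kind": "region", "start": CODE_START, "length": CODE_LEN,
                     "sha256": region_hash(SAMPLE, CODE_START, CODE_LEN)},
}


def hash_scan(data: bytes, db=DB):
    """Return the names of every database record that matches `data`."""
    matched = []
    for name, rec in db.items():
        if rec["kind"] == "file":
            digest = full_file_hash(data)
        else:
            if len(data) < rec["start"] + rec["length"]:
                continue                      # too short to contain the region
            digest = region_hash(data, rec["start"], rec["length"])
        if digest == rec["sha256"]:
            matched.append(name)
    return matched


if __name__ == "__main__":
    print(hash_scan(SAMPLE))             # both records match the original
    print(hash_scan(SAMPLE + b"\x00"))   # one appended junk byte: only the region record survives
```

The appended byte illustrates the slide's point about full-file hashes; anchoring at a fixed start position keeps the match, at the cost of reading only that window, which is also what makes the region record cheaper in disk I/O.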
Heuristics
- Enabling a person to discover or learn for themselves
- Relating to a speculative formulation serving as a guide in the investigation or solution of a problem
Heuristic methods
- Strategy: dynamic, static
- Subject of analysis: behavior, structure
- Analysis methods: weights, rules
Weights Based
Activity               Weight
Network server         2
Disable system tools   5
Hidden process         7
Writes to HOSTS file   3
Creating executables   2
No GUI                 1
Sends HTTP             2
Sends IRC              5
Rules Based
1. Small executable AND runs a server
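As an added example (not part of the slides), the weights-based table and the rules-based check above applied to a few constructed process profiles. The weights are the slide's; the suspicion threshold, the size limit for "small executable" and the sample profiles are assumptions made for the demo.

```python
# Weights taken from the slide's table (activity -> weight).
WEIGHTS = {
    "network_server": 2,
    "disable_system_tools": 5,
    "hidden_process": 7,
    "writes_hosts_file": 3,
    "creates_executables": 2,
    "no_gui": 1,
    "sends_http": 2,
    "sends_irc": 5,
}

# Assumed: the slide gives no threshold or size limit; these are demo values.
SUSPICION_THRESHOLD = 10
SMALL_EXE_BYTES = 64 * 1024


def weight_score(activities):
    """Sum the weights of the observed activities (unknown ones count 0)."""
    return sum(WEIGHTS.get(a, 0) for a in activities)


def rule1_small_exe_runs_server(sample):
    return sample["size"] <= SMALL_EXE_BYTES and "network_server" in sample["activities"]


# Rules are named predicates over a sample; the slide shows rule 1 only.
RULES = {"rule1: small executable AND runs a server": rule1_small_exe_runs_server}


def rules_triggered(sample):
    return [name for name, pred in RULES.items() if pred(sample)]


def rate(sample):
    """Combine both analysis methods into one verdict with its reasons."""
    score = weight_score(sample["activities"])
    rules = rules_triggered(sample)
    verdict = "suspicious" if score >= SUSPICION_THRESHOLD or rules else "clean"
    return {"score": score, "rules": rules, "verdict": verdict}


# Constructed process profiles.
IRC_BOT = {"size": 40 * 1024,
           "activities": ["no_gui", "network_server", "sends_irc", "hidden_process"]}
WEB_SERVER = {"size": 5 * 1024 * 1024,
              "activities": ["network_server", "sends_http", "no_gui"]}
INSTALLER = {"size": 30 * 1024,
             "activities": ["creates_executables", "no_gui"]}

if __name__ == "__main__":
    for name, sample in [("irc_bot", IRC_BOT), ("web_server", WEB_SERVER), ("installer", INSTALLER)]:
        print(name, rate(sample))
```

The web server profile shows why a rule combines conditions rather than firing on "runs a server" alone: a large network daemon scores low on weights and misses rule 1, while the small hidden IRC bot is caught by both methods.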
Script malware
- A script host program is generally used to run the scripts, e.g. perl myscript.pl, msiexec.exe myinstall.msi, iexplore.exe mysc.js
- The threat shows up in the process list as the host program
- A behavior-learning approach will generate false positives in this case, since the behavior is attributed to the host
- The simplest solution is to look at the command line
- However, this is not possible in many cases (WINWORD etc.)
Otherwise:
[Figure: script analysis pipeline] Script -> NORMALIZER -> PARSER/Analyzer -> Emulator -> Rating Logic -> verdict: Clean / Malware
Behavior Blocker
- Of course not all provide the same protection
- Commonly known as HIPS = Host Intrusion Prevention System
- HIPS monitors the calls applications make: the sequence of system calls and the parameters passed into each call
Hook Detection
- Legitimate hooking is common (ENSAFE)
- Cannot be a decision point to quarantine, but very important for security
- Not allowed on many Linux systems and on 64-bit Windows
Static Analysis
- A sequence which hooks AND a sequence which manipulates EPROCESS pointers
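The behavior-blocker idea above (a rule over the sequence of system calls and their parameters) as an added example that is not the deck's code. Each rule is an ordered list of steps; a step matches a call by name and a predicate over its parameters, and may capture a value (a handle, a path) that later steps compare against. The syscall trace, the pids and both rules are constructed for the demo.

```python
# Constructed syscall trace: one dict per call, with the parameters a HIPS
# driver would see. pid 4 is the constructed bad process, pid 8 is benign.
TRACE = [
    {"pid": 4, "call": "NtCreateFile", "path": r"C:\Users\x\AppData\Local\Temp\upd.exe",
     "access": "write", "handle": 0x1A},
    {"pid": 4, "call": "NtWriteFile", "handle": 0x1A, "bytes": 51200},
    {"pid": 4, "call": "NtCreateUserProcess", "image": r"C:\Users\x\AppData\Local\Temp\upd.exe"},
    {"pid": 4, "call": "NtOpenFile", "path": r"C:\Windows\System32\drivers\etc\hosts",
     "access": "write", "handle": 0x2C},
    {"pid": 4, "call": "NtWriteFile", "handle": 0x2C, "bytes": 38},
    {"pid": 8, "call": "NtOpenFile", "path": r"C:\Windows\System32\drivers\etc\hosts",
     "access": "read", "handle": 0x30},
    {"pid": 8, "call": "NtReadFile", "handle": 0x30, "bytes": 824},
    {"pid": 8, "call": "NtCreateFile", "path": r"C:\Users\x\notes.txt",
     "access": "write", "handle": 0x31},
    {"pid": 8, "call": "NtWriteFile", "handle": 0x31, "bytes": 12},
]


# Step predicates: return a dict of values to capture on a match, None otherwise.
def opens_hosts_for_write(e, bound):
    if e["path"].lower().endswith(r"\drivers\etc\hosts") and e["access"] == "write":
        return {"handle": e["handle"]}
    return None


def writes_bound_handle(e, bound):
    return {} if e["handle"] == bound.get("handle") else None


def creates_exe(e, bound):
    if e["path"].lower().endswith(".exe") and e["access"] == "write":
        return {"dropped": e["path"]}
    return None


def runs_bound_path(e, bound):
    return {} if e["image"] == bound.get("dropped") else None


# Each rule: ordered (call name, predicate) steps; later events may intervene.
RULES = {
    "hosts_tamper": [("NtOpenFile", opens_hosts_for_write), ("NtWriteFile", writes_bound_handle)],
    "drop_and_run": [("NtCreateFile", creates_exe), ("NtCreateUserProcess", runs_bound_path)],
}


def match_rule(events, steps):
    """Match the steps as an ordered subsequence of one process's events."""
    bound, step = {}, 0
    for e in events:
        call, pred = steps[step]
        if e["call"] != call:
            continue
        captured = pred(e, bound)
        if captured is None:
            continue
        bound.update(captured)
        step += 1
        if step == len(steps):
            return True, bound
    return False, bound


def evaluate(trace, rules=RULES):
    """Report, per pid, which rules that process's call sequence triggered."""
    report = {}
    for pid in sorted({e["pid"] for e in trace}):
        events = [e for e in trace if e["pid"] == pid]
        report[pid] = [name for name, steps in rules.items() if match_rule(events, steps)[0]]
    return report


if __name__ == "__main__":
    print(evaluate(TRACE))   # pid 4 trips both rules, pid 8 trips none
```

Binding the handle or path between steps is what keeps the second step from firing on an unrelated write; without it, any process that both reads the HOSTS file and writes some other file would look like a tamper attempt.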