1 / 49

SIA308 Advanced Threat Detection and Removal with FEP 2010

SIA308 Advanced Threat Detection and Removal with FEP 2010. Randy Treit randyt@microsoft.com Senior Program Manager Antimalware Protection Technologies Microsoft Corporation. Agenda. Quick update on malware trends and the evolving threat landscape

bob
Download Presentation

SIA308 Advanced Threat Detection and Removal with FEP 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SIA308 Advanced Threat Detection and Removal with FEP 2010 Randy Treit randyt@microsoft.com Senior Program Manager Antimalware Protection Technologies Microsoft Corporation

  2. Agenda • Quick update on malware trends and the evolving threat landscape • Overview of protection enhancements in FEP 2010 • Deep dive and demos on several new features

  3. 4 Threat Landscape: Last 10 years Exploits / 3rd Party SW Vuln. Mass Browser Adoption OS & SW Design Abuse Mass Mailers via Office

  4. We’ve been busy… Process/registry/network RTP watchers Directional scanning Persisted file cache Wildcard support for exclusions Scheduled scan randomization CPU throttling Command line scanner Signature update package chaining UNC signature distribution Signature source ordering fallback Dynamic translation Live system behavior monitoring Kernel inspection (Komoku) Dynamic signature service WLSP integration Network vulnerability shielding (NIS) Kernel Support Library (KSL) driver Reboot tracking (remediation) Directed scanning Offline scan integration Diagnostic scan Service hardening/anti-tampering State management Kernel-mode boot-time removal

  5. Goals for Protection in FEP 2010 Samples MMPC Signatures Customer machine Neutralizing active threats Blocking threat infections Known malware: blocked. Some new malware blocked by generics. Remaining new malware samples sent to MMPC for analysis. New signatures delivered to customers and active infections detected and neutralized. GOAL: Continue to provide high-quality protection& cover more attack vectors GOAL: Shrink customer “window of vulnerability” by discovering new threats and delivering signatures faster Real-time Protection Anti-rootkit Generics & Heuristics Behavior Monitoring Browser Protection Dynamic Signature Service Network Vulnerability Shielding Malware Response

  6. Forefront Protection Stack: Overview • Focus • Reduce time and cost to protect • Increase cost to attack, decrease exploit window • Operationalize new protection technologies • Operationalizing protection • Balancing protection vs. performance • Remediation and threat management improvements • Simplifying deployment Firewall & Configuration Management Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  7. Forefront Protection Stack: Details Firewall & Configuration Management • Real-time protection provides high-quality reactive detection with optimized performance • Key improvements • Improved Monitoring: Process/Registry/Network watchers • Improved performance scenarios for servers • Performance improvements using advanced caching • Cached files are not rescanned • Cache persists across reboots • New exclusion features (wildcard support) • Scheduled scan flexibility • CPU throttling • Command line scan options • Service hardening/anti-tampering • Signature update improvements Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  8. Signature update improvements • Support for UNC distribution • Source ordering (fallback) • Package chaining dramatically reduces signature update size • 95% reduction in WSUS traffic

  9. Forefront Protection Stack: Details Firewall & Configuration Management • Industry leading proactive detection based on our Dynamic Translation technology • Generics/heuristics based on emulated behavior and/or decrypted binary characteristics • Allows a single signature to detect thousands of malicious files • Advanced+ Certification from AV-Comparatives.org on pro-active detection • Dynamic Translation helps us deal with malware volume – many are the same threat, just obfuscated differently • With polymorphic malware, what the code does may be the only common aspect of two samples Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  10. Generics and Heuristics: Dynamic Translation (DT) Potential malware Safe translation • DT is our evolution of emulation. • DT translates code that accesses real resources (unsafe) into code that accesses virtualized resources (safe). • DT runs the translated program on the real CPU – very fast. Real Resources Virtualized Resources • HANDLE hFile; • hFile = CreateFile(L"NewVirus.exe", GENERIC_WRITE, 0, NULL, CREATE_NEW, • FILE_ATTRIBUTE_HIDDEN, NULL); • ... • push 40000000h • push offset string L"NewVirus.exe” • call dwordptr [__imp__CreateFileW@28] • cmpesi,esp • ... • push 40000000h • push offset string L"NewVirus.exe” • call dwordptr [DT_CreateFile] • cmpesi,esp DT

  11. Forefront Protection Stack: Details Firewall & Configuration Management • Live system behavior monitoring identifies new threats • Tracks behavior of unknown processes and known good processes gone bad • Provides Live OS anomaly detection • Primary sensors • Process / File / Registry operations • Network Activity – Spam and BotNets • Kernel Modification – “Komoku Inc” Integration for Anti-rootkit (AR) protection • Web Downloads • Behavior Monitoring “detections” driven by the engine and trigger a request to the Dynamic Signature Service • New detections can be added with monthly Engine updates Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  12. Behavior Monitoring 1 2 3 4 5 RTP Notifi -cation Queue BM syscalls Applications call library functions. Some of these library functions call a much smaller set of system calls. RTP logs calls to some of these system calls and enqueues notifications that are consumed by BM. Functions provided by user mode libraries • RTP logs calls, BM makes sense of them. • It takes some practice to map high-level behaviors (1) to low-level notifications (4) when designing new detections.

  13. Behavior Monitoring - Notifications Filesystem FileCreate FileModify FileDelete FileRename FileSeek StreamsOnDirs Registry RegistryKeyCreate RegistrySetValue RegistryKeyDelete RegistryValueDelete RegistryKeyRename Network NetworkConnect NetworkData NetworkListen Other ModuleLoad ProcessCreate OpenProcess ProcessTerminate DriverLoad BootSectorChange Good for bots and spammers. Good for detecting process infectors and exploits Good for detecting droppers and file infectors Good for ASEPS and detecting tampering with software keys and configuration. Good for detecting rootkit installers

  14. Behavior Monitoring - Example Detections Upon detection… Trojan Dropper: A process creates or modifies a file and a traditional signature indicates the new file is malware. IRC Bot: A process sends IRC traffic over the network. MBR/VBRtampering: A process modifies a Master or Volume Boot Record. Kernel tampering: the Anti-Rootkit sensor detects tampering in kernel memory. • Emit Event and Telemetry: • the program the process was running. • the malware it dropped. • the program the process was running. • the program the process was running. • the driver the AR sensor found linked to the tampering, if any. FILTER for EVENTS: Ignore if the program the process is running has a clean file reputation (Or driver in the kernel tampering case.)

  15. Behavior Monitoring Example: New Rootkit Identification SSDT: All entries must point to ntoskrnl code segment. IDT: Register must point to an IDT with entries pointing only to ntoskrnl or HAL. GDT: Register must point to a GDT that does not contain any call gates. SYSENTER: Register must point to ntoskrnl code segment. Explorer.exe CPU IDT Syscall handler SSDT Kernel function IDT, GDT, SYSENTER Predicates IDT, GDT, SYSENTER Predicates IDTR SSDT Predicate Hook Chain following for all predicates More predicates added via monthly engine updates

  16. Forefront Protection Stack: Details Firewall & Configuration Management Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  17. Dynamic Signature Service • SpyNet • Delivers protection for new threats not in signature set on endpoint. • Low Fidelity: New class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation • Queries cloud telemetry service about ‘interesting’ files • Back-end classifiers use machine learning to identify new malware • If the file is known bad, a new signature is delivered in real-time to the client requesting it • Balances signature distribution time/cost with need for real-time updates • Admins must choose to opt-in to use this feature Researchers • Real-Time Signature Delivery • Behavior Classifiers • Reputation Sample Submit Real-time Signature Properties / Behavior Sample Req Client

  18. Behavior Monitoring & Dynamic Signature Service Randy Treit Senior Program Manager Microsoft Antimalware demo

  19. Forefront Protection Stack: Details Firewall & Configuration Management • FEP 2010 tightly integrates with browser download managers (IE, Firefox) to ensure deep scanning of all downloads • Integration and data sharing with Internet Explorer SmartScreen cloud services provides real-time protection from malicious Web sites without additional performance and compatibility costs when running IE • URL reputation • File reputation (recently enabled in IE9) • Telemetry: • Source URLs • URLs improve WLSP/Smartscreen for all IE users • Intelligence for SSIRP events, MS vuln exploitation trends, takedowns Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  20. Forefront Protection Stack: Details Firewall & Configuration Management Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  21. Network Vulnerability Shielding Problem Space 1. Network vulnerabilities are exploitable with no persistent file trace • An attacker can take over a passive computer by sending a maliciously crafted network packet. Example: Conficker • Traditional AM technologies are unable to mitigate these attacks as the attack doesn’t reside in the file system. 2. Exploits reuse the same vulnerability to penetrate and propagate • Different malware exploit the same vulnerability to propagate • Polymorphic malware generates new variants to evade AM detection 3. Vulnerability patching life cycle opens opportunity window between vulnerability announcement to patch deployment • Publically disclosed 0-day vulnerabilities have no immediate patch available • Attackers reverse engineer security updates and use exploits sometimes before the update is deployed.

  22. Forefront Protection Stack: Details Firewall & Configuration Management Network Inspection System (NIS) detects and blocks Conficker-style network vulnerability exploits NIS inspects inbound and outbound network traffic and blocks detected exploits Only on if users are vulnerable: signatures enabled individually based on specific patch level – disabled once the machine is patched If no signatures are active, NIS turns off traffic interception Starting small in FEP 2010 – protection for top severity Windows vulnerabilities – but can be extended via engine updates over time Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  23. Network Vulnerability Shielding • Initial signature set • Optimized for performance: if the system is fully patched, NIS turns off traffic interception. Microsoft Confidential

  24. A Successful Network-Based Attack Attacker Experience The attacker launches the attack A new vulnerability is discovered The exploit is successful

  25. Blocking The Exploit with NIS A new vulnerability is discovered The attacker launches the attack Attack is blocked Attacker Experience NIS blocks the attack: An Event is logged A new NIS signature is released NIS telemetry report is sent Protection Technologies Time to test the update Threat Telemetry Signature is distributed using MU Protection Services

  26. Vulnerability Shielding: Network Inspection System Randy Treit Senior Program Manager Microsoft Antimalware demo

  27. Forefront Protection Stack: Details Firewall & Configuration Management • Advanced rootkit scanning and remediation defends against sophisticated threats. • New remediation features • Reboot Tracking Provides awareness that the system is in the process of rebooting which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives) • Directed scanning • Offline scan integration • Diagnostic Scan Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  28. Anti-rootkit • We try to do as much in the monthly engine releases as possible so that down-level clients such as FCS and MSE v1 still get detection and removal • KSL (Kernel Support Library)Kernel-inspection technology acquired from Komoku Inc that lets us detect advanced rootkits such as TDSS/TDL3 Alureon • kBTR (Kernel-mode boot-time removal)Kernel-mode driver that loads early in the boot process to perform remediation actions before the malware starts • DFSP (Direct File System Parsing)Raw parsing of the disk to detect hidden rootkits and identify potential new rootkits • However advanced detection and remediation for rootkits and other sophisticated threats may require new platform features • Diagnostic Scan • Advanced remediation support

  29. Anti-rootkit - Diagnostic Scan • In FCS quick scan is relatively brain dead: • Scan is static – do x, then y, then z… • All users pay the same tax • What’s missing is the scan context • If RTP has been on the whole time, do we really need to rescan user-mode ASEPs that were scanned by RTP, during quick scan? • If we can determine the kernel integrity has been tampered, doesn’t it make sense to be more aggressive with features like direct file-system parsing (DFSP) or KSL (kernel rootkit detection) • If the computer is clearly at greater risk, the scan should be more aggressive • At the same time, users who are “doing everything right” should have a less aggressive scan • Medical test metaphor: regular doctor visit may find something suspicious and order up some blood work, which may in turn point to the need for an MRI. Healthy patients don’t get exploratory surgery. Microsoft Confidential

  30. Anti-rootkit - Diagnostic Scan • Quick scan in FEP 2010 = Smarter, Safer Scan • Quick Scan is now context-based. Users with signs of a possible infection will receive a more thorough system check-up than users whose computer appears healthy and haven’t been exposed to possible infection. • Benefits • Default scan is faster and less obtrusive on uninfected computers • Default scan is thorough and more aggressive on infected computers • AM Engine dynamically adjusts the depth of the scan based on context information • Scanning behavior learns over time and adjusts • Telemetry from user base provides a clear picture of real-world scan behavior • Improved detection rates Microsoft Confidential

  31. Diagnostic Scan Randy Treit Senior Program Manager Microsoft Antimalware demo

  32. Anti-rootkit – Advanced Remediation Support • New remediation features: • Reboot TrackingProvides awareness that the system is in the process of rebooting which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives) • Directed scanningEnsures all parts of a threat are found and removed at once • Offline scan integrationSupport for “Offline Scan Required” remediation action that lets administrators know that they need to run Standalone System Sweeper to remove the rootkit.

  33. Forefront Protection Stack: Details FEP customer submissions and telemetry are prioritized across the global response team Ability for enterprise customers to engage virus researchers and analysts 24/7 for high priority submissions Ability to track submission status online Detailed information on detections added or modified in a definition set (change log) RSS feeds to keep our customer base up to date on new encyclopedia write ups, definition releases, and telemetry Visit the portal at: www.microsoft.com/mmpc Firewall & Configuration Management Antimalware Dynamic Signature Service Generics and Heuristics Behavior Monitoring Browser Protection Network Vulnerability Shielding Anti-rootkit Malware Response “MMPC”

  34. Forefront Protection Stack: Summary Real-time Protection Provide high-quality protection Generics and Heuristics Browser Protection Cover more attack vectors Network Vulnerability Shielding Anti-rootkit Discovering new threat Behavior Monitoring Dynamic Signature Service Delivering signatures faster Malware Response

  35. Now available! • Forefront Endpoint Protection 2010 Release Candidate is Now Available in the Download Center: • Search for “Forefront RC” or download from: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8b46c3ff-d9a0-4741-8ba5-458c1b3d2257

  36. Q & A

  37. Related Content SIA302 | Forefront Endpoint Protection 2010 Technical Overview SIA 203 | Forefront Protection Server Update SIA309 | Forefront Threat Management Gateway 2010 Service Pack 1 Overview SIA310 | Planning and Deploying Forefront Endpoint Protection 2010 with Microsoft System Center Configuration Manager SIA317 | Securing the Cloud Expert Panel SIA302-IS | Centralized Management of Anti-malware/Anti-Spam using Forefront Protection Server Management Console (FPSMC) SIA303-IS | Forefront Online Protection For Exchange Deep Dive SIA304-IS| Forefront Endpoint Protection 2010-Security Management Pack: Enabling Real Time Monitoring and Optimized Policies for Servers SIA301-LNC | Forefront Endpoint Protection 2010 Overview SIA302-LNC | Centralized Management of Anti-malware/Anti-spam using FPSMC SIA03-HOL | Forefront Endpoint Protection (FEP) 2010 Overview SIA12-HOL | Anti-malware for Messaging and Collaboration SIA13-HOL | Forefront Online Protection for Exchange (FOPE) Administration and Reporting

  38. Session Evaluations Tell us what you think, and you could win! All evaluations submitted are automatically entered into a daily prize draw*  Sign-in to the Schedule Builder at http://europe.msteched.com/topic/list/ * Details of prize draw rules can be obtained from the Information Desk.

  39. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  40. Appendix

  41. Behavior Monitoring + DSS Scenario: Running an Unknown Program User Launches an unknown program Program Starts Result State Threat Warning/Sample Request/None Customer Experience -RTP- Mini-filter Intercepts -Scanning- Loading Signatures Dynamic Translation -Scanning- Checking Against Local Reputation Cache -Performance- Adding to Reputation Cache -BM- Behavior Monitoring Telemetry Protection Technology Protection Services -SpyNet- Reputation Check -SigPipe- Signatures Downloaded -SpyNet- Low-Fidelity Detection -SpyNet- Expensive File -SpyNet- BM Detection -AVSubmit- Sample Submitted • Sample Submission Request • Extended Report • Real-time Signature SpyNet Responses Include:

  42. Anti-rootkit - Diagnostic Scan When the scan runs, the context in which it is running is taken into account when determining the scan behavior Microsoft Confidential

  43. Anti-rootkit - Diagnostic Scan Store of scan context information persists across engines Microsoft Confidential

  44. Anti-rootkit - Diagnostic Scan in FEP 2010 Beta Quick scan with RTP enabled since last scan now takes < 30 seconds Microsoft Confidential

  45. Anti-rootkit - Diagnostic Scan (Generalized View) Microsoft Confidential

  46. Definition Update Scenario (Forefront and MSE) The following diagram illustrates how definition updates flow to clients via MU/ADL 1 Microsoft Update 3 3 Microsoft Security Essentials (V1, V2) Forefront Client (V1, V2, FEP 2010) AM NIS 2 WSUS AM NIS 4 5 Download Center UNC AM NIS AM NIS • Definition Update Scenarios: • Definition updates(AM and NIS) are shipped to Microsoft Update(MU) and Download Center (aka Alternate Download Location). • WSUS syncs with MU on a regular basis and downloads AM and NIS definition updates. • For Torino we are implementing “Package Chaining” which will bring down the Total cost of ownership for WSUS by 70% • Forefront Client (V1, V2 and FEP 2010) and MSE clients (V1, V2) receives definition updates (AM/NIS) from WSUS. • FEP 2010 and MSE V2 consume both AM and NIS updates • FEP 2010, MSE V1 and MSE V2 have code to fallback to Download center in case they fail to receive definition updates from MU • FEP 2010 also has support for distributing signatures using UNC.

  47. Definition Update Packages - Today • We reset the definition updates through a process we call ‘re-base’ – currently once a month as part of the engine release • Today there are 4 types of packages which can be used to update FEP clients • Full (~55MB) • The full signature set (called the base) + any signatures since the last engine release (delta) • Most recent engine • Delta (ranges from ~200KB to ~5MB) • Contains the incremental signatures added since the last engine release (rebase). • Binary Delta Engine (BDE) (ranges from ~2MB to ~15MB) • Binary diff of the previous base and engine with current base and engine plus the current incremental delta of signatures • Binary Delta Delta (BDD) (ranges from ~100KB to ~1MB) • BDD package is different than Delta package since it will offer differential content from the previous release. Hence only new content is offered to the user. • All three package types are available on MU • Only Full packages are available on the Download Center • Internal detection logic allows each client to download the smallest package size available • The more up-to-date the client, the smaller package that client needs to download (see slide #4)

  48. Definition Update Offering Logic (Client) The following diagram illustrates how the smallest applicable package is offered via MU to a Forefront client. Signature Version: 1.42.2000.0 Engine Version: 1.4000.0 Current Definition Updates available on MU 1 2 3 4 First Install Signature Version: 1.41.2000.0 Engine Version: 1.3000.0 Signature Version: 1.42.1500.0 Engine Version: 1.4000.0 Signature Version: 1.42.1700.0 Engine version : 1.4000.0 Forefront Client Definition Update Scenarios Full Package BDE Package Delta Package BDD Package • Forefront Client Definition Update Scenarios: • First Install – No definition updates on the client, so download Full package. • Same if really out of date (>2 engine releases behind) • Older Signatures, old engine – BDE package. • Signature >36hours old, current engine – Delta package. • Signature <36hours old, current engine – BDD package.

More Related