
Protection Against Rootkits “Defense In Depth”

Presentation transcript:

1 Protection Against Rootkits “Defense In Depth”

2 The Symantec technology portfolio offers a multi-layered defense consisting of Network Filtering, Behavior Blocking and Storage Filtering layers. Each layer encompasses a variety of protection technologies that interact and integrate with one another to provide defense-in-depth protection.

3 Rootkit Protection Highlights
Network Filtering
- Vulnerability signatures allow protection prior to exploit knowledge
- Addresses the changing paradigm and the shortening window between vulnerability announcement and exploit discovery
- Provides protection from diskless threats and fast-moving network worms
- Dramatically reduces “time-to-protection” for customers, minimizing disruption
Behavior Blocking technology
- Enumerate processes
- Analyze process behavior
- Score each process
- Automatic protection
Storage Filtering Layer
- Direct Volume Scanning (VxMS) allows our engine to bypass the Windows File System APIs and directly access the raw NTFS volume

4 Network Filtering Network filtering is the first line of defense against attacks. This layer examines incoming traffic and can stop threats before they have an impact on the PC. The network filtering layer includes the Network Intrusion Prevention System and the desktop firewall security technologies. Many of today’s threats, including rootkits, attempt to exploit known OS and application vulnerabilities to execute their code on the PC. The Network IPS engine (using its Generic Exploit Blocking capabilities) can filter out attempts to exploit these vulnerabilities, thus keeping malware from executing.

5 Intrusion Prevention System
Example signature (Snort-like format):
rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM buffer overflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
[Diagram: GEB Signature and IDS Custom Sig Engine feeding per-application signature sets for RPC, SMTP, SSH, HTTP, IM and FTP traffic]
Intrusion Prevention Features
- Deep packet inspection
- IDS engine allows admins to create their own signatures
- Uses signature format similar to SNORT™
- Regex support
- Signatures applied only to vulnerable applications
- Resistant to common and advanced evasion techniques
The Symantec Intrusion Prevention Engine performs deep packet inspection: it reads the entire Ethernet packet and uses all parts of it, including the data portion. The engine supports a high-performance signature definition that can use regular expressions. In addition, the Intrusion Prevention Engine can apply signatures based on which application is sending or receiving the traffic, as different applications require different signatures. This signature library of known vulnerabilities in each application is maintained on Sygate’s online update server and is updated on a regular basis. Using the Sygate Policy Manager, customers can also create their own signatures or modify signatures created by Sygate. Updating all the Agents’ signature files is straightforward: the updated signature files can be downloaded to any Sygate Policy Manager and are then automatically and transparently distributed to every Agent at the next heartbeat, no matter how many Agents are being managed.
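To make the slide's rule format concrete, the following added example (not code from the presentation or from Symantec) parses the rule shown above and applies its content match with Snort-style (offset, depth) semantics to constructed sample payloads. The rule string is the one on the slide; the packet samples and the flag/protocol representation are constructed for the example.

```python
import re

# The rule from the slide, in its Snort-like format.
RULE = ('rule tcp, tcp_flag&ack, daddr=$LOCALHOST, '
        'msg="[182.1] RPC DCOM buffer overflow attempt detected", '
        'content="\\x05\\x00\\x00\\x03\\x10\\x00\\x00\\x00"(0,8)')

def parse_rule(rule: str) -> dict:
    """Extract protocol, required TCP flags, msg, content bytes and (offset, depth)."""
    parts = [p.strip() for p in rule.split(',')]
    proto = parts[0].split()[1]                      # 'rule tcp' -> 'tcp'
    flags = {p[len('tcp_flag&'):] for p in parts if p.startswith('tcp_flag&')}
    msg = re.search(r'msg="([^"]*)"', rule).group(1)
    m = re.search(r'content="([^"]*)"\((\d+),(\d+)\)', rule)
    if not m:
        raise ValueError('rule has no content clause')
    # Turn the \xNN escapes (and any literal characters) into raw bytes.
    content = m.group(1).encode('latin-1').decode('unicode_escape').encode('latin-1')
    return {'proto': proto, 'flags': flags, 'msg': msg,
            'content': content, 'offset': int(m.group(2)), 'depth': int(m.group(3))}

def match(rule: dict, proto: str, flags: set, payload: bytes):
    """Return the rule's msg when a packet matches, else None.

    (offset, depth) restricts the content search to the payload window that
    starts at offset and is depth bytes long, so (0,8) with an 8-byte content
    means the bytes must sit exactly at the start of the payload.
    """
    if proto != rule['proto'] or not rule['flags'] <= flags:
        return None
    window = payload[rule['offset']:rule['offset'] + rule['depth']]
    return rule['msg'] if rule['content'] in window else None

# Constructed sample payloads (not captures from the presentation).
DCERPC_REQUEST = b'\x05\x00\x00\x03\x10\x00\x00\x00' + b'\x00' * 16  # header matches
HTTP_GET = b'GET / HTTP/1.1\r\n'                                      # unrelated traffic
SHIFTED = b'\x00' * 4 + DCERPC_REQUEST  # pattern present, but outside the 8-byte window

if __name__ == '__main__':
    r = parse_rule(RULE)
    for name, pkt in [('dcerpc', DCERPC_REQUEST), ('http', HTTP_GET), ('shifted', SHIFTED)]:
        print(name, match(r, 'tcp', {'ack', 'psh'}, pkt))
```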

6 Generic Exploit Blocking
[Timeline diagram. Stages: Vulnerability Announcement; Vulnerability Exploit; Virus Signature; TruScan™ Proactive Threat Scan technology (Behavior Analysis); Generic Exploit Blocking (Vulnerability-Based Signature, based on the vulnerability’s characteristics). Time marks: 0 Day, <24 Hours, 6-7 Days, ~3 Hours Later]
Number of variants blocked by a single GEB signature:
Variants blocked | Single GEB signature | Threat
814              | MS RPC DCOM BO       | Blaster
426              | MS_RPC_NETDDE_BO     |
394              | MS LSASS BO          | Sasser
250              | RPC_NETAPI32_BO      | W97M.Invert.B
121              | NetBIOS MS NO (TCP)  | W32.Gaobot.AAY

7 Behavior Blocking technology
The second layer of our multilayered protection is the Behavior Blocking technology. This technology monitors the execution activity of code on the PC and attempts to prevent the code from completing its malicious activities. At this layer there are two main proactive technologies: TruScan and Outbound Heuristic (OEH). Both can detect threats (including rootkits) executing on the PC and can automatically take action on them. This protection layer does not rely on specific detection signatures, thus providing zero-day protection against new threats released in the wild.

8 TruScan (Proactive Threat Protection)
- Enumerate processes: enumerate all processes & embedded components
- Analyze process behavior: assess behavior & characteristics of each process
- Score each process: detection routines are weighted & processes are classified
- Automatic protection: malicious code is identified, reported & automatically mitigated
Each engine has two sets of detection modules:
- Pro-valid = evidence of valid application behavior
- Pro-malicious = evidence of malicious application behavior
Each detection module has a weight; the weight indicates the importance of the behavioral trait.
Each process gets 2 scores:
- Valid Score = measure of how valid the process is
- Malicious Score = measure of how malicious the process is
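The scoring model the slide describes (two sets of weighted detection modules producing a valid score and a malicious score per process) is sketched below as an added example; it is not TruScan's code. The trait names, weights, process record fields and the classification threshold are all hypothetical choices made for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class DetectionModule:
    name: str
    weight: int                      # importance of the behavioral trait
    malicious: bool                  # True = pro-malicious module, False = pro-valid
    check: Callable[[dict], bool]    # fires when the trait is observed on a process

# Hypothetical modules; the record fields are what an enumerator might collect.
MODULES = [
    DetectionModule('signed_by_trusted_vendor', 40, False, lambda p: p['signed']),
    DetectionModule('has_visible_window', 15, False, lambda p: p['has_window']),
    DetectionModule('installed_via_known_installer', 25, False, lambda p: p['installer_known']),
    DetectionModule('hidden_from_process_enumeration', 50, True, lambda p: p['hidden_from_enum']),
    DetectionModule('hooks_system_service_table', 45, True, lambda p: p['ssdt_hooks'] > 0),
    DetectionModule('loads_driver_from_temp', 30, True, lambda p: p['driver_from_temp']),
    DetectionModule('autostarts_from_registry', 10, True, lambda p: p['autostart']),
]

def score_process(proc: dict, modules=MODULES) -> tuple:
    """Return (valid_score, malicious_score): the summed weights of the
    pro-valid and pro-malicious modules that fired for this process."""
    valid = sum(m.weight for m in modules if not m.malicious and m.check(proc))
    malicious = sum(m.weight for m in modules if m.malicious and m.check(proc))
    return valid, malicious

def classify(proc: dict, modules=MODULES, threshold=40) -> str:
    """Weigh the two scores against each other; the threshold is a constructed value."""
    valid, malicious = score_process(proc, modules)
    if malicious >= threshold and malicious > valid:
        return 'malicious'
    if valid > malicious:
        return 'valid'
    return 'suspicious'   # neither side of the evidence dominates: report, do not act

# Constructed process records (not real observations).
ROOTKIT_LIKE = dict(signed=False, has_window=False, installer_known=False,
                    hidden_from_enum=True, ssdt_hooks=3, driver_from_temp=True, autostart=True)
SIGNED_SERVICE = dict(signed=True, has_window=False, installer_known=True,
                      hidden_from_enum=False, ssdt_hooks=0, driver_from_temp=False, autostart=True)
UNKNOWN_TOOL = dict(signed=False, has_window=False, installer_known=False,
                    hidden_from_enum=False, ssdt_hooks=0, driver_from_temp=False, autostart=True)

if __name__ == '__main__':
    for name, proc in [('rootkit_like', ROOTKIT_LIKE), ('signed_service', SIGNED_SERVICE),
                       ('unknown_tool', UNKNOWN_TOOL)]:
        print(name, score_process(proc), classify(proc))
```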

9 Storage Filtering Layer
This layer adds the AV engine, the threat remediation engine ERASER (Extendable, Replaceable, Advanced Side-Effects Repair), Direct Volume Scanning (VxMS) and the AutoProtect features. These are traditional signature-based technologies, and they continue to demonstrate their efficacy as the baseline of defense. Signature-based technology has a very low false positive rate and is very efficient at detecting and removing known threats on the PC.

10 Direct Volume Scanning (VxMS)
Our strong results are attributed to the integration of VxMS (Veritas Mapping Service, a Veritas technology) into our Symantec products. This technology allows our engine to bypass the Windows File System APIs and directly access the raw NTFS volume. From a rootkit removal perspective it is important to understand that the Windows File System is designed to have exclusive access to the volume. As such, any direct modification can be unsafe while the system is running. To avoid harming system integrity, Symantec’s native application disables the driver and then reboots the system, allowing removal and clean-up of the rootkit from the system. This method protects against kernel-mode rootkits and operates at the lowest level within the operating system.

11 Improved Detection and Removal
- Repair engine (Eraser) is extensible
- Improvements are ongoing
- Not dependent on new releases
Enhancements in SEP 11
- Lower level rootkit detection
- Admin specified homepage restore
- Surgical cookie cleanup
- Direct Volume Access
[Diagram: ERASER today vs. ERASER with Direct Volume Access. User Mode: MS File System API. Kernel Mode: Windows File System (Rootkit Hook Points), Volume Manager, Physical Disk. Reboot step shown on the Direct Volume Access path]

