threat & virus best practices
DESCRIPTION
Threat & Virus best practices . Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec. Contents. Threat Primer. 1. Threat Landscape. 2. Current Common Threats and Prevention. 3. Submitting Samples. 4. Working with Support. 5. - PowerPoint PPT PresentationTRANSCRIPT
Threat & Virus best practices Denver Security & Compliance User Group
March 17, 2010
Presenter: Chris Sandalcidi, CISSP - Symantec
Working with Support
Submitting Samples
Current Common Threats and Prevention
Threat Landscape
Threat Primer
Contents
1
2
3
4
5
How Symantec Stacks Up6
2
Threat & Virus
best practic
es
1ThreatPrimer
3
Threat & Virus
best practic
es
Virus Spread by infecting good files (hosts)
Worm Spreads by copying itself to other machines
Trojan Horse Does not spread itself.
Definitions of Threats
Info Stealers Steals information
Backdoors Allows unauthorized access
Downloaders Downloads additional threats
Browser Helper Objects Loads into a browser
Rootkits Hides files from user/OS
Risk Any file that is not malicious but could pose a threat to security. (Not listed as a “threat”)
Threat A threat is a circumstance, event, or person with the potential to cause harm to a system
4
Threat & Virus
best practic
es
2ThreatLandscape
5
Threat & Virus
best practic
es
Brave New World
Threats are being re-written, and re-packed at such a fast rate, that the reliance of “reactive technology”, like signature based AntiVirus, alone is no
longer sufficient.
6
Threat & Virus
best practic
es
Escalating Threat Landscape
• 524% increase in threats over the second half of 2007
• More detections were created in 2008, than in all the other years combined.
• In 2003 Symantec released an average 5 definitions a day, in 2007 - 1431 daily
• At the beginning of 2008 Symantec was releasing 7500 definitions daily
Source: Symantec Security Response
• In 2009 we started releasing up to 12,000 new detections a day, and by June had days where over 20,000 new detections were released.
7
Threat & Virus
best practic
es
3Current Common Threats
8
Threat & Virus
best practic
es
Autorun Worms
Autorun worms use the Autorun.inf file to automatically launch and spread across an environment. The Autorun.inf file is used by Windows
to launch executables whenever a drive is mounted, be it USB, local, or a network drive.
Example A: W32.Silly and its variants.The Silly family of threats use Autorun.inf to spread across the environment and then download secondary threats in the form of revenue generating software.
Example B: W32.Sality.AESality is a fast moving, file infecting virus, that is capable of disabling SAV/SEP remotely and the infecting the target machine from the host. There are so many re-packed variants that almost every outbreak include one or more new threats. This is one of the most destructive viruses we have seen in awhile.
9
Threat & Virus
best practic
es
Browser Helper Objects (BHO’s)
BHO’s plug into most browsers, but as a threat they generally target Windows Explorer and Internet Explorer
Example: Trojan.Vundo3rd party research estimates a new Vundo variant is created every 3.5 minutes for the last year or so. Vundo is a revenue generating Trojan that downloads additional threats to the system.They are generally spread through Adobe flash vulns and email and then download new variants of itself to keep it up to date.
10
Threat & Virus
best practic
es
4Finding and Submitting a File
11
Threat & Virus
best practic
es
Finding a Suspect File (ESUG LPDU)
The Enterprise Support Utilities Group Load Point Diagnostic Utility or LPDU is used to collect data on all the common load points for threats on
a machine. Support trains front line engineers to use this utility to find threats quickly.
To access this tool open a Support case and request help with finding a new threat, we will work with you to see if it is right for your case.
We can move much faster with all the data.
12
Threat & Virus
best practic
es
What makes a file suspect?
• Name – Misspelled or “spoofed” names. (Microsofts, SVCH0ST)
• Version – Missing or overly simple version information (1.0.0.1)• Size – Between 50 and 500k• Creation date – within the last two monthsRemember we are looking for Portable Executable files, first.
.EXE .BAT .COM .PIF .SCR
.DLL .VBS .SYS
And then we are looking for these other types:
13
Threat & Virus
best practic
es
Submitting The Suspect File
Submissions should be made to Security Response through the submission website.
BCS customers should submit through https://submit.symantec.com/bcsEssential customers should submit through https://submit.symantec.com/essentialBasic customers should submit through https://submit.symantec.com/basic
Once the file is submitted you will receive:• A tracking email and number within about an hour.
• A closing email with additional information about the files and detections.
Symantec policy states that at no time are Symantec employees, outside of Security Response, permitted to accept suspect or malicious code. Please do not send a sample via email.
You should also consider submitting to Threat Expert for an automated technical description of the threat within a few minutes
14
Threat & Virus
best practic
es
15
Threat & Virus
best practic
es
Submit to Threat Expert• http://www.threatexpert.com/submit.aspx
16
Threat & Virus
best practic
es
5Working with
Support
17
Threat & Virus
best practic
es
In each of these cases it is important to note what services we can offer, and what is
appropriate advice for the circumstances.
Does Symantec know about Virus X?
….and am I protected?
Case Type 1I think I may have a virus
but I cant detect it.
Case Type 2
Standard Types of Virus Cases
I am in a full outbreak and have multiple
machines infected.What do I do?
Case Type 3
18
Threat & Virus
best practic
es
Case Type 1: Does Symantec know about Virus X? and am I protected?
Email-Worm.Win32.Nyxem.e
MyWife.d@MM
W32/MyWife.d@MM!M24
Tearec.A W32/Nyxem-D W32.Blackmal.E@mm
????????
Difficulties:• Virus names differ from vendor to vendor
• Viruses may re-use files names or may use different file names for the same virus variant.Example: Use Google to search for the file name “internat.exe”
• Small difference in variants can make a big difference in detection.Example: Look at the differences between W32.Spybot.AKNO and W32.Spybot.ACYR
• We may add 100s of different variants to each virus family a day. It is impossible to tell if we have detection without a sample
Solutions:• Virus Submission – Best
A virus submission is the only way we can confirm that the threat that the customer is concerned about is one we already detect, or can add detection for.
• URL Investigation – Good If the customer knows a site or link that the suspect file was downloaded from Security Response can get the file and check it. – Don’t check it yourself.
19
Threat & Virus
best practic
es
Case Type 2: “I think I might have a virus but I cant detect it.”
Questions:
1. What is going on that makes you think you have a virus?Behavior can sometimes tell you where you need to start, or at least what you may be dealing with.
2. Are Virus Definitions up to date?Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file
3. Have you ran a scan, with the most up to date defs?Tasks:
1. Start a scan with current virus definitions.
2. Suggest the customer check “Common Load Points”
3. Help the customer check “Common Load Points” (ESUG LPDU or manually)Important Note:
With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode.
Other Important Note:
Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed.
20
Threat & Virus
best practic
es
Case Type 3: “I am in a full outbreak and have multiple machines infected. What do I do?”
Questions:
1. What is going on that makes you think you have an outbreak? (1200 x 1%= 12)
2. Are Virus Definitions up to date? Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file. Note this for all infected systems
3. Have you run a scan, with the most up to date defs? (Do this for 1 or 2 systems, if it works, make this part of your 1st step)
Tasks:
1. Start a scan with current virus definitions.
2. Suggest the customer check “Common Load Points”
3. Help the customer check “Common Load Points” (ESUG LPDU or manually)Important Note:
With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode.
Other Important Note:
Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed.
21
Threat & Virus
best practic
es
6Missed
Detections and
False Positives
22
Threat & Virus
best practic
es
False Positives vs Detection Rates (18 months)
Source: http://www.av-comparatives.org 23
Threat & Virus
best practic
es
0
20000
40000
60000
80000
100000
120000
1 2
2000 Threats:11560
2009 Threats:113698
Missed Detections, 150
Missed Detections, 1478
Missed Detections
Total Threats
If Symantec is detecting 98.7% of the threats, why does it seem like we have MORE Outbreaks recently?If we apply the same detection rate to the amount of new threats as seen each year, the answer becomes more clear.Symantec Detection Rate = 98.7%Missed Detections = 1.3%
24
Threat & Virus
best practic
es
1. Identify The Threat
2. Identify The Machine
3. Quarantine The Machine
4. Clean The Machine
5. Prevent Re-Infection
The 5 Steps to Virus Troubleshooting
During an outbreak it is important that we have a game plan of what to do and in what order to do it.
25
Threat & Virus
best practic
es
There is no Magic Solution
Threat & Virus
best practic
es
26
But proper settings help
Like using real world setting for AV and Truscan
Default settings may have worked when product shipped
27Period
Num
ber o
f si
gnat
ures
SAV 9
SEP 11
SAV 10
Threat & Virus best practices
They don’t provide the best protection now
Threat & Virus
best practic
es
28
SEP AV Security Setting Default Settings High Security PolicyResponse Recommended
Lock settings Some Some AllRemediation – terminate processes No No YesRemediation – terminate services No No YesAP action taken for security risks Quarantine/Log Quarantine/Log Quarantine/DeleteNetwork AutoProtect Disabled Enabled Enabled*Bloodhound Level Default (2) Default (2) Maximum (3)*
Truscan Default SettingsResponse Recommended
Scan Sensitivity 9/Low 100
Action on detection Log Terminate
Scan Frequency 1:00 00:15
Additional Resources
29
Threat & Virus
best practic
es
Helpful links
• Security Response public blog:http://www.symantec.com/business/security_response/weblog/
• Internet Security Threat Report:http://www.symantec.com/business/theme.jsp?themeid=threatreport
• Submission Websitehttps://submit.symantec.com/(TYPE ENTITLMENT HERE)
• Threat Experthttp://www.threatexpert.com/submit.aspx
30
Threat & Virus
best practic
es