Methods of anti-malware protection. Protecting an enterprise network from malware

Everyone knows that to protect against malware you need to use antivirus software. But at the same time, you can often hear about cases of viruses penetrating computers protected by antivirus. In each specific case, the reasons why the antivirus did not cope with its task may be different, for example:

  • The antivirus has been disabled by the user
  • Antivirus databases were too old
  • Weak protection settings were configured
  • The virus used an infection technology against which the antivirus had no means of protection
  • The virus got onto the computer before the antivirus was installed and was able to neutralize the antivirus tool
  • This was a new virus for which anti-virus databases had not yet been released

But in general, we can conclude that simply having an installed antivirus may not be enough for complete protection, and that additional methods need to be used. Well, if an antivirus is not installed on your computer, then you cannot do without additional protection methods.

Looking at the example reasons given above for an antivirus missing a virus, the first three relate to incorrect use of the antivirus, and the next three to shortcomings of the antivirus itself and of the vendor's work. Accordingly, protection methods are divided into two types: organizational and technical.

Organizational methods are aimed primarily at the computer user. Their goal is to change the user's behavior, because it is no secret that malware often gets onto the computer due to the user's rash actions. The simplest example of an organizational method is the development of computer rules that all users must follow.

Technical methods, on the contrary, are aimed at changes in the computer system. Most technical methods consist of using additional protection tools that extend and complement the capabilities of anti-virus programs. Such protection measures may include:

  • Firewalls - programs that protect against attacks over the network
  • Anti-spam tools
  • Fixes (patches) that close holes in the operating system through which viruses can enter

All of the methods listed are discussed in more detail below.

Organizational methods

Rules for working at the computer

As already mentioned, the simplest example of an organizational method of protection against viruses is the development of, and compliance with, certain rules for handling information. These rules can in turn be divided into two categories:

  • Information processing rules
  • Rules for using programs

The first group of rules may include, for example, the following:

  • Do not open email messages from unknown senders
  • Check removable storage devices (floppy disks, CDs, flash drives) for viruses before use
  • Scan files downloaded from the Internet for viruses
  • When working on the Internet, do not agree to unsolicited offers to download a file or install a program.

Two principles are common to all such rules:

  • Use only those programs and files that you trust and whose origin is known
  • All data coming from external sources - from external media or over the network - should be carefully checked

The second group of rules usually includes the following characteristic points:

  • Ensure that security programs are always running and that security functions are activated
  • Regularly update anti-virus databases
  • Regularly install patches for the operating system and frequently used programs
  • Do not change the default settings of programs that provide protection unless necessary and fully understand the nature of the changes

Two general principles can also be traced here:

  • Use the most current versions of security software. Since the methods of penetration and activation of malware are constantly improving, security software developers are constantly adding new protection technologies and expanding their databases of known malware and attacks. Therefore, for the best protection, it is recommended to use the latest versions.
  • Do not prevent antivirus and other security programs from performing their functions. Very often users believe that security programs needlessly slow down the computer and seek to increase performance at the expense of security. As a result, the chances of the computer becoming infected with a virus increase significantly.

Security Policy

On a home computer, the user sets the rules for himself that he considers necessary to follow. As he accumulates knowledge about the operation of a computer and about malware, he can consciously change protection settings or make decisions about the danger of certain files and programs.

In a large organization everything is more complicated. When a team brings together a large number of employees performing different functions and of different specializations, it is difficult to expect everyone to behave sensibly from a security standpoint. Therefore, in every organization the rules for working with a computer must be common to all employees and officially approved. Typically, the document containing these rules is called a user manual. In addition to the basic rules listed above, it must include information about where the user should turn if a situation arises that requires the intervention of a specialist.

At the same time, the user manual in most cases contains only rules that restrict the user's actions. Rules for using programs may be included in the manual only in the most limited form. Since most users are not sufficiently competent in security matters, they should not, and often cannot, change the settings of security tools or otherwise influence their operation.

But if not the users, then someone else must still be responsible for setting up security tools and managing them. Typically, this is a specially designated employee or group of employees who are focused on performing one task - ensuring the secure operation of the network.

Security staff have to install and configure security programs on a large number of computers. If the security settings for each computer are decided anew every time, it is easy to see that different employees, at different times and on different computers, will end up with similar but slightly different settings. In such a situation it will be very difficult to assess how well protected the organization as a whole is, since no one knows all the protection parameters that have been set.

To avoid the described situation in organizations, the choice of protection parameters is carried out not at the discretion of responsible employees, but in accordance with a special document - the security policy. This document describes the dangers of malware and how you need to protect yourself from them. In particular, the security policy should provide answers to the following questions:

  • Which computers should be protected by antiviruses and other programs
  • What objects should be scanned by the antivirus - should it scan archived files, network drives, incoming and outgoing email messages, etc.
  • What actions should the antivirus perform when it detects an infected object - since ordinary users cannot always correctly decide what to do with an infected file, the antivirus should perform actions automatically, without asking the user

Malware evolves along with the Internet. If previously the actions of such programs were destructive, today malware tries to hide the fact of “infection” in order to use the resources of the computer system for its own purposes.

A botnet is a collection of network hosts that have been “infected” with malicious software (hereinafter referred to as malware). Unnoticed by the user, this software contacts the so-called C&C (Command and Control) server to receive commands and send information. Typical uses of botnets include sending spam, carrying out DDoS attacks, and stealing sensitive information (bank accounts, credit card numbers, etc.).

“Infection” of a host occurs in several ways: through an attachment to an e-mail, through a service vulnerability, through a downloaded file, etc. The most common method is drive-by download (downloading malware from a website, which occurs unnoticed by the user). After malware gets onto the host in one way or another, as a rule, attempts to “infect” neighboring stations occur. Thus, in a heterogeneous environment, propagation can occur very quickly.

Corporate networks are no exception; these threats are just as relevant for them as for home PCs.



Tools

The proposed solution is based on the product Check Point Anti-bot Software Blade. Anti-bot Software Blade is included in Check Point Security Gateway software version R75.40 and later.

Installation is also possible in monitoring mode, when traffic is collected from the SPAN port. The second option is convenient to use at the initial stage, when it is necessary to determine the degree of threat in a particular network, for example, the percentage of infected hosts.

Technologies used

The key elements in organizing security are two information structures provided by Check Point: the ThreatCloud Repository and the ThreatSpect Engine.

ThreatCloud is a distributed information storage that is used to identify infected network hosts.

The repository is filled with data received from several sources. First of all, this is an extensive network of sensors that are located around the world. Data is also collected from the Check Point devices themselves, on which the Anti-Bot Software Blade is activated. Additional information is provided by partner companies. Information and IP/DNS/URL reputations are exchanged with them.

Another source of updates is the Check Point division, which is engaged in research (in particular reverse engineering) of malware instances. This unit analyzes the behavior of malware in an isolated environment. The information obtained as a result of the analysis is uploaded to ThreatCloud.

The information contained in ThreatCloud is a set of addresses and DNS names that are used by bots to communicate with C&C. It also contains behavioral signatures of various malware families, and information received from sensors.

ThreatSpect Engine is a distributed multi-level computing system that analyzes network traffic and correlates the received data to detect bot activity, as well as other types of malware.

The analysis is carried out in several directions:

  • Reputation - the reputation of URLs, IP addresses and domain names that hosts inside the organization are trying to reach is analyzed. A search is made for known resources or suspicious activity, such as accessing C&C servers;
  • Signature analysis - the presence of a threat is determined by searching for unique signatures in files or in network activity;
  • Suspicious email activity - detection of infected hosts by analyzing outgoing mail traffic;
  • Behavioral analysis - detection of unique patterns in the behavior of a host that indicate infection, for example a fixed frequency of calls to C&C using a specific protocol.

ThreatSpect and ThreatCloud work together - ThreatSpect receives information for analysis from ThreatCloud, and after analysis and correlation, loads the received data back into distributed storage in the form of signatures and reputation databases.

The main advantage of the technology is the fact that, in essence, we have a global database with information about malware activity, updated in real time. Thus, if a massive infection of hosts occurs in the network of one of the participants in this system, information about the attack via ThreatCloud is sent to other participants. This allows you to limit the rapid spread of malware on the networks of many companies.

Methods used to identify the threat

It should be understood that the functionality of Anti-Bot Software Blade is aimed at identifying already infected stations and minimizing the harm from them. This solution is not intended to prevent infection. For these purposes, other means should be used.

The following methods are used to detect suspicious activity:

  • Identification of C&C addresses and domain names - addresses change constantly, so it is important to keep the list up to date. This is achieved using the Check Point ThreatCloud infrastructure;
  • Identification of patterns used in communication by different malware families - each malware family has its own unique parameters by which it can be identified. Research is carried out on each family in order to form unique signatures;
  • Identification by behavior - detecting an infected station by analyzing its behavior, for example when it participates in a DDoS attack or sends spam.

Incidents recorded by Anti-Bot Software Blade are analyzed using the SmartConsole components SmartView Tracker and SmartEvent. SmartView Tracker provides detailed information about the traffic that triggered the Anti-Bot Blade. SmartEvent contains more detailed information about events: they can be grouped into different categories, and security events can be analyzed over a long period and compiled into reports.

Methods used to prevent the threat

In addition to detecting threats, Anti-Bot Software Blade is able to prevent damage that infected hosts can cause.

The infected host's attempts to contact the C&C and receive instructions from it are blocked. This mode of operation is available only when traffic passes through a gateway with Anti-Bot Software Blade enabled (inline mode).

Two independent blocking methods are used:

  • Blocking traffic that is directed to a known C&C address;
  • DNS Trap is an implementation of the DNS sinkhole technique. Blocking occurs when attempting to resolve a domain name that is used by infected hosts to access C&C. In the DNS server's response, the IP address is replaced with a fictitious one, thus making it impossible for the infected host to send a request to C&C.
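
The DNS sinkhole idea behind DNS Trap, shown as an added example that is not Check Point's code and not from the original article. The resolver-side logic below parses a wire-format A query, and if the queried name is on a blocklist of C&C domains (constructed placeholder names here), it answers with a fictitious address under the defender's control instead of forwarding the query; anything else is left for normal resolution. The blocklist, the sinkhole address and the query builder are assumptions made for the demonstration.

```python
import struct
from typing import Optional, Tuple

# Constructed blocklist of names a bot would resolve to reach its C&C
# (placeholder names, not taken from any real threat feed).
CC_DOMAINS = {"cc-update.example", "beacon.example"}

# Constructed sinkhole address: an internal address the defender controls,
# so "blocked" hosts talk to the sinkhole (where they can be logged) instead of C&C.
SINKHOLE_IP = "10.255.255.1"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal wire-format DNS A/IN query (used here only as test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_qname(msg: bytes, offset: int = 12) -> Tuple[str, int]:
    """Decode the question name starting at `offset`; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:  # a compression pointer never appears in a plain question
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels).lower(), offset


def sinkhole_response(query: bytes) -> Optional[bytes]:
    """Return a forged A answer pointing at SINKHOLE_IP when the queried name is a
    known C&C domain; return None when the query should simply be forwarded."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if qtype != 1 or qclass != 1 or qname not in CC_DOMAINS:
        return None
    # Response header: QR=1, RD=1, RA=1 (0x8180), one question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:end + 4]  # echo the original question section
    # Answer: pointer to the question name (0xC00C), type A, class IN,
    # a short TTL so the lie expires quickly once the host is cleaned, 4-byte address.
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return header + question + answer


def answered_ip(response: bytes) -> str:
    """Read the A record out of a sinkhole response (verification helper)."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for name in ("cc-update.example", "www.example"):
        reply = sinkhole_response(build_query(name))
        print(name, "->", answered_ip(reply) if reply else "forward to upstream")
```

The infected host receives a syntactically valid answer and never learns the real C&C address; the sinkhole address can in turn be watched on the gateway, which is what turns a blocked lookup into a list of hosts to investigate.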

In general, information is obtained from the cache, but if suspicious activity is detected that is not clearly identified by the available signatures, Anti-Bot Software Blade makes requests to ThreatCloud in real time.

Classification and reliability assessment

Security Event Process

Processing of the information collected by the Anti-Bot Software Blade is carried out by two SmartConsole applications, SmartView Tracker and SmartEvent. SmartEvent requires a separate blade (SmartEvent Software Blade) and is highly recommended for analysis.

When analyzing Anti-Bot Software Blade events, you should first of all pay attention to multiple triggers on traffic with the same Source IP and triggers that occur with some frequency.
The picture largely depends on the behavior model of the bot program.
For example, primitive malware types make frequent DNS calls in an attempt to resolve the C&C name. In this case, SmartEvent will have a fairly large number of events of the same type with the same Source IP, and the events will differ from each other only by the DNS name in the request to the server.

You should also pay attention to multiple single detections of the same type of malware for different source IPs. This method of analysis is effective because malware usually tries to spread to other vulnerable hosts on the local network. This is especially true in a corporate environment, where the set of software, including anti-virus software, is often the same on all workstations. The screenshot above shows mass detection of one type of malware. In such a situation it is worth selectively checking a couple of machines from the list.
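
The two triage patterns just described (many same-type events from one Source IP at a fixed frequency, as in the behavioral-analysis bullet earlier, and one malware name appearing on many different hosts) can be checked mechanically. The following is an added example, not SmartEvent's logic and not code from the article: it runs over a constructed list of events (timestamp, source IP, malware name, detail) and flags periodic sources by the spread of their inter-event gaps, and malware families seen on several hosts. The event fields, thresholds and sample data are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    time: datetime
    src_ip: str
    malware: str
    detail: str  # e.g. the DNS name the host tried to resolve


def _t0() -> datetime:
    return datetime(2024, 1, 1, 9, 0, 0)


# Constructed sample events (not real SmartEvent output):
#  - 10.1.1.5 resolves a different C&C name every 60 s (beaconing)
#  - 10.1.1.20 has three irregular hits (too few, too uneven to call periodic)
#  - "BotFamilyA" is seen on four different hosts (likely lateral spread)
SAMPLE_EVENTS: List[Event] = (
    [Event(_t0() + timedelta(seconds=60 * i), "10.1.1.5", "BotFamilyA", f"cc{i}.example")
     for i in range(6)]
    + [Event(_t0() + timedelta(seconds=s), "10.1.1.20", "BotFamilyB", "x.example")
       for s in (5, 900, 1000)]
    + [Event(_t0() + timedelta(minutes=m), ip, "BotFamilyA", "cc9.example")
       for m, ip in ((3, "10.1.1.7"), (8, "10.1.1.9"), (15, "10.1.1.11"))]
)


def periodic_sources(events: List[Event], min_events: int = 5,
                     max_cv: float = 0.2) -> Dict[str, float]:
    """Sources whose consecutive events are spaced at a near-constant interval.
    Returns {src_ip: mean gap in seconds}. The coefficient of variation
    (stdev / mean) of the gaps must not exceed max_cv to count as periodic."""
    times_by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        times_by_src[e.src_ip].append(e.time)
    flagged: Dict[str, float] = {}
    for ip, times in times_by_src.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[ip] = avg
    return flagged


def widespread_families(events: List[Event], min_hosts: int = 3) -> Dict[str, List[str]]:
    """Malware names detected on at least min_hosts distinct source IPs."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        hosts[e.malware].add(e.src_ip)
    return {name: sorted(ips) for name, ips in hosts.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    for ip, gap in periodic_sources(SAMPLE_EVENTS).items():
        print(f"beaconing suspect: {ip} every {gap:.0f}s")
    for name, ips in widespread_families(SAMPLE_EVENTS).items():
        print(f"{name} seen on {len(ips)} hosts: {', '.join(ips)}")
```

The thresholds are deliberately loose; the point is to surface candidates for the manual packet-trace review the article goes on to recommend, not to replace it.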

Although Anti-Bot Software Blade helps detect and block the activity of malware-infected hosts, in most cases additional analysis of the information received is required. Not all types of malware can be easily identified. To handle incidents, qualified specialists are needed to study packet traces and identify malware activity. Anti-Bot Software Blade is a powerful tool for automating the monitoring of malware activity.

Actions after detection

The first step is to use the Threat Wiki provided by Check Point.
If the threat is current, you must use the procedure recommended by the vendor.

Also, to confirm that the host is infected, you should search for malware by name using Google; you will probably be able to find technical details of this malware, which will help to accurately identify it. For example, searching for the name “Juasek” (the name is taken from the Anti-Bot Software Blade event) allows you to find a lot of information about this malware on the Symantec website. It also contains a description of the removal procedure.

If the goal is not to study malware, then you can use one or more malware removal tools. The most popular products are from Malwarebytes, Kaspersky, Microsoft.

Practical results of use

Below are the results of daily traffic monitoring in the organization. The switch mirrored the traffic of one of the user segments going to the DNS servers and to the proxy servers. Reports were obtained using Check Point SmartEvent software.



Antibot practical usage statistics

During the day, the Antibot report included 1,712 events, of which 134 were unique hosts. Results of a random scan of computers.

How to properly organize the defense of computer networks against malware.

The article is addressed to novice system administrators.

By anti-virus protection I mean protection against any malware: viruses, Trojans, root kits, backdoors,...

Step 1 of anti-virus protection: install anti-virus software on each computer on the network and update it at least daily. The correct scheme for anti-virus database updates: one or two servers fetch the updates and distribute them to all computers on the network. Be sure to set a password that is required to disable protection.

Antivirus software has many disadvantages. The main drawback is that they do not catch custom-written viruses that are not widely used. The second drawback is that they load the processor and take up memory on computers, some more (Kaspersky), some less (Eset Nod32), this must be taken into account.

Installing anti-virus software is a mandatory, but insufficient way to protect against virus epidemics; often the virus signature appears in anti-virus databases the next day after it spreads; in 1 day, a virus can paralyze the operation of any computer network.

Typically, system administrators stop at step 1, worse, do not complete it or do not follow updates, and sooner or later infection still occurs. Below I will list other important steps to strengthen antivirus protection.

Step 2. Password policy. Viruses (Trojans) can infect computers on a network by guessing the passwords of standard accounts: root, admin, Administrator, Administrator. Always use strong passwords! For accounts without passwords or with simple passwords, the system administrator should be fired, with a corresponding entry in his employment record. After 10 incorrect password attempts, the account should be locked for 5 minutes to protect against brute force (brute-force password guessing). It is highly advisable to rename and disable the built-in administrator accounts. Passwords need to be changed periodically.
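
The lockout rule from this step, written out as an added example (not from the article, and not any product's implementation) so the edge cases are explicit: failures are counted per account within a sliding window, the tenth failure locks the account for 300 seconds, a correct password during the lockout is still refused so continued guessing gains nothing, and a successful logon clears the counter. The class name, the window length and the return values are assumptions made for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List


class LockoutPolicy:
    """Per-account failed-logon tracking with a temporary lockout.
    Defaults follow the text: 10 failures, then locked for 5 minutes (300 s)."""

    def __init__(self, max_failures: int = 10, lockout_seconds: int = 300,
                 window_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds  # failures older than this no longer count
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt at time `now` (seconds, e.g. time.time()).
        Returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(account, now):
            return "locked"  # refused regardless of the password supplied
        if password_ok:
            self._failures.pop(account, None)  # a successful logon resets the counter
            return "ok"
        # Keep only failures inside the window, then add this one.
        recent = [t for t in self._failures[account] if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for i in range(11):  # eleven wrong passwords one second apart
        print(i, policy.attempt("Administrator", False, float(i)))
    print("correct password during lockout:", policy.attempt("Administrator", True, 20.0))
    print("correct password after lockout:", policy.attempt("Administrator", True, 400.0))
```

Every 'locked' result is worth logging with the source address: a burst of lockouts across many accounts is exactly the network-borne password guessing this step warns about.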

Step 3. Restriction of user rights. A virus (Trojan) spreads across the network on behalf of the user who launched it. If the user has limited rights, with no access to other computers and no administrative rights on his own computer, then even a running virus will not be able to infect anything. There are frequent cases where system administrators themselves become responsible for the spread of a virus: they ran a keygen under an administrator account, and the virus began to infect every computer on the network...

Step 4. Regular installation of security updates. This is difficult work, but it must be done. It is not only the OS that needs updating, but all applications as well: DBMS, mail servers.

Step 5. Limiting the entry routes of viruses. Viruses enter an enterprise’s local network in two ways: through removable media and through other networks (the Internet). By denying access to USB and CD/DVD, you completely block path 1. By limiting access to the Internet, you block path 2. This method is very effective but difficult to implement.

Step 6. Firewalls (also called network screens). They must be installed at the edges of the network. If a computer is connected directly to the Internet, its firewall must be turned on. If the computer is connected only to a local area network (LAN) and accesses the Internet and other networks through servers, then enabling the firewall on that computer is not necessary.

Step 7. Division of the enterprise network into subnets. It is convenient to split the network on the principle: one department in one subnet, another department in another. Subnets can be separated at the physical level (structured cabling), at the data link level (VLANs), or at the network level (non-overlapping IP subnets).

Step 8. Windows has a wonderful tool for managing the security of large groups of computers: Group Policy (GPO). Through GPO, you can configure computers and servers so that infection and the spread of malware become almost impossible.

Step 9. Terminal access. Set up one or two terminal servers on the network through which users will access the Internet, and the likelihood of infecting their personal computers will drop to zero.

Step 10. Monitoring all processes and services running on computers and servers. You can arrange for the system administrator to receive a notification whenever an unknown process (service) starts. Commercial software that can do this costs a lot, but in some cases the cost is justified.


Unfortunately, every computer user has encountered viruses and malware. The consequences hardly need mentioning: at a minimum, all data will be lost and you will have to spend time formatting the disk and reinstalling the system. So, to avoid unnecessary hassle, it is better to prevent it. As they say, prevention is better than cure.

1. Be careful when opening messages on social networks



One rule to remember is that you can greatly improve your chances of avoiding viruses by reviewing your messages before opening them. If something looks suspicious and there are strange files attached to the message, you should not open them at all (or at least scan them with an antivirus).

2. Current antivirus



Antivirus programs offered by Internet service providers are not enough to protect your entire computer system from viruses and spyware. For this reason, it is better to install additional protection against malware.

3. Scan your computer daily


Despite installing anti-virus and anti-malware programs, it is still best to perform a daily scan of your hard drive to ensure that no virus has made its way into the system. In fact, you can catch a whole bunch of viruses every day, so the only way to reduce the damage is to scan your files daily.

4. Free antivirus Avast


The creators of Avast antivirus have simplified working with this program to the maximum. All it takes is just pressing a couple of buttons. At the same time, Avast provides sufficient protection against viruses - both Trojans and worms.

5. SUPERAntiSpyware


SUPERAntiSpyware is an all-inclusive antivirus. It can be used to combat spyware, adware, trojans, worms, keyloggers, rootkits, etc. However, it will not slow down your computer.

6. Firewall


This is a basic rule that all computer users should understand. Although using a firewall is not effective at catching Internet worms, it is still very important to combat potential infections from a user's internal network (for example, an office network).

7. AVG Internet Security


This protection is ideal for home and commercial use, and is notable for the fact that it includes assistance from Internet security experts. It is constantly updated and has advanced features. AVG Internet Security can be used to combat viruses, spyware and Trojans, and can also help prevent identity theft and other web exploits.

8. Avira AntiVir


Avira offers an improved way to remove malware, including virus residuals. However, users should be careful as a fake version of the program is being circulated on the Internet. Avira also features a simplified, intuitive user interface.

9. Kaspersky Internet Security


This antivirus essentially contains everything that a computer user must have to work safely and reliably on the Internet. It can be used to secure transactions while working, processing banking transactions, including online purchases and online games.

10. Ad-Aware and Avast-Free


Ad-Aware provides free antivirus protection. It was created specifically for simultaneous installation with Google Chrome, but can also work with any other browser. It is effective in preventing malware from running automatically on Windows and cleaning up your computer.

11. ESET Online Scanner


As an effective anti-malware solution, ESET Online Scanner offers a premium security package that has literally everything included. It can also clean already infected machines and use an online firewall.

Anti-malware methods

The main method of combating malware, as in medicine, is timely prevention. Computer prevention involves following the rules of “computer hygiene,” which can significantly reduce the likelihood of infection and loss of any data. Understanding and strictly following the basic rules of conduct when using an individual computer and on the network is an important method of protection against computer intruders. There are three basic rules that are true for both individual and corporate users.

  • 1. Mandatory use of anti-virus protection. If you are not an expert in the field of computer security, then it is better to use reliable anti-virus protection and protection against network attacks (firewall) - entrust your security to professionals. Most modern antivirus programs protect against a wide variety of computer threats - viruses, worms, Trojan horses and adware. Integrated security solutions also filter against spam, network attacks, and visits to unwanted and dangerous Internet resources.
  • 2. You should not trust all information coming to your computer - emails, links to websites, messages on Internet pagers. You should absolutely not open files and links coming from an unknown source. The risk of infection is also reduced through organizational measures. Such measures include various restrictions on the work of users, both individual and corporate, for example:
    • ban on the use of Internet pagers;
    • access only to a limited number of web pages;
    • physically disconnecting the enterprise’s internal network from the Internet and using dedicated computers to access the Internet, etc.

Unfortunately, strict restrictive measures may conflict with the wishes of each individual user or with the business processes of the enterprise. In such cases, it is necessary to seek a balance, and in each individual case this balance may be different.

3. Pay enough attention to information from antivirus companies and computer security experts. They usually promptly report new types of Internet fraud, new virus threats, epidemics, etc. Pay closer attention to such information.

Factors that determine the quality of antivirus programs

The quality of an antivirus program is determined by several factors; we list them in order of importance.

  • 1. Reliability and ease of use - no antivirus freezes or other technical problems that require special training from the user.
  • 2. Quality of detection of viruses of all common types, scanning inside document files/tables, packed and archived files. No “false positives”. Possibility of treating infected objects.
  • 3. The existence of antivirus versions for the main popular platforms (DOS, Windows, Linux, etc.).
  • 4. Possibility of on-the-fly scanning.
  • 5. Existence of server versions with the ability to administer the network.
  • 6. Speed of work.