
Page 1: DISA - Nick Barron Cyber Essentials

Malicious software prevention
Nick Barron

Photo credit NIAID, Flickr Creative Commons https://xkcd.com/1180/ Used with permission

Page 2:

About me (again)

• IT admin and security controller for mid-sized MOD supplier
• I don’t sell anti-malware, I just use and shout at it
• DISA IT techie
• Have way too many computers at home

Page 3:

What’s ahead

• What is malicious software
• Types and capabilities of anti-malware
• Cyber Essentials requirements
• Possible problems (things salespeople won’t tell you)
• Summary

Page 4:

What is malware?

• Cyber Essentials definition: https://www.cyberaware.gov.uk/cyberessentials/files/requirements.pdf, page 10
  – “Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform unauthorised functions on one or more computers”
• Key points
  – “written and distributed deliberately”, so not just buggy software.
  – “unauthorised functions”, as legitimate software may perform the same function but with proper authorisation (e.g. deleting or encrypting files)

Page 5:

How antimalware works

• Hooks into the operating system so it can look at files before they run
• Checks files for
  – Indicators of known viruses (“signatures”)
  – Suspicious characteristics
  – Suspicious activity (why is my Word document trying to open a secure shell connection?!)
• Two main types of scanning:
  – “On access” scans files when they are accessed (opened, run, etc)
  – “On demand” scans files when asked, e.g. “Scan this USB stick”.

Page 6:

Extra features

• Web filtering
  – Check web pages for malicious scripts
  – Block pages from blacklist/content
• Device control
  – Control access to USB devices (e.g. “non-encrypted USB disks are read only”)
  – Prevent network bridging
• Control non-malware
  – Block access to non-malware tools that may be used for bad things (e.g. normal users generally don’t need to run password cracking software)

Page 7:

Cyber Essentials requirements

• Malware protection
  – installed on all computers “connected to or capable of connecting to the Internet”
  – must be kept up to date, “at least daily”
  – configured to scan files automatically on access, and scan web pages when being accessed.
  – configured to perform regular scans of all files
  – prevent connections to malicious websites

Page 8:

Installed on all devices

• All devices with access (or potential access) to the Internet
  – Some accreditors will allow the use of firewall rules to isolate, e.g. test systems
• Exclusion for devices that have no available anti-malware
  – Routers, printers, iPhones…
  – But not Linux machines

Page 9:

Kept up to date

• All good anti-malware updates regularly and automatically
• More frequent updates mean shorter exposure
  – You should expect multiple updates per day
• If you have IT monitoring, make sure they check updates are working on clients and servers
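The last point above, checking that definition updates are actually landing on every host, as an added example that is not from the talk: a Python check over a constructed export of update events that flags each inventoried host whose last successful update is older than the “at least daily” requirement, or that has never reported one. Hostnames, the CSV layout and the timestamps are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of hosts that must carry anti-malware (hypothetical names).
INVENTORY = {"ws-01": "client", "ws-02": "client", "ws-03": "client", "srv-file": "server", "srv-mail": "server"}
# Constructed console export of definition-update events as timestamp,host,result
# (the CSV layout is an assumption; real products export differently).
SAMPLE_EVENTS = """\
2020-08-10T06:05:00Z,ws-01,success
2020-08-10T12:10:00Z,ws-01,success
2020-08-10T18:02:00Z,ws-01,success
2020-08-08T23:40:00Z,ws-02,success
2020-08-10T07:00:00Z,srv-file,success
2020-08-10T11:30:00Z,srv-mail,failed
"""
NOW = datetime(2020, 8, 10, 20, 0, tzinfo=timezone.utc)  # fixed clock, repeatable run

def parse_events(text):
    """Return {host: [times of successful updates]}; failed attempts are ignored."""
    times = {}
    for line in text.splitlines():
        stamp, host, result = line.strip().split(",")
        if result == "success":
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            times.setdefault(host, []).append(ts)
    return times

def check_updates(inventory, events_text, now, max_age=timedelta(days=1)):
    """Map host -> (role, status, successes within max_age); status is "ok",
    "stale" (last success older than max_age, so failing "at least daily") or
    "never" (no success seen at all: agent missing, broken or not reporting)."""
    times = parse_events(events_text)
    report = {}
    for host, role in inventory.items():
        stamps = times.get(host, [])
        recent = sum(1 for t in stamps if now - t <= max_age)
        if not stamps:
            status = "never"
        elif now - max(stamps) > max_age:
            status = "stale"
        else:
            status = "ok"
        report[host] = (role, status, recent)
    return report

def run_check():  # the report over the constructed data (used by the demo below)
    return check_updates(INVENTORY, SAMPLE_EVENTS, NOW)

if __name__ == "__main__":
    for host, (role, status, recent) in sorted(run_check().items()):
        print(f"{host:9} {role:7} {status:6} updates/24h={recent}")
```

A host that is “ok” but shows only one update in 24 hours is worth a look too, given the slide’s expectation of multiple updates per day.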

Page 10:

Configured to scan on access

• On access scanning ensures files are checked before use without any user intervention
• Can have a performance impact, so may be unpopular in software development environments
• Scanning web pages usually supported, checks for malicious web scripts etc

Page 11:

Regular full scans

• Full scans still beneficial even when on-access scanning in place
• Can catch infected files that slip through
• Runs in background and can run out of hours, so more thorough checks can be enabled (e.g. zip files, all file types etc)

Page 12:

Prevent connections to malicious websites

• Can be performed at firewall level but may need discussion with accreditor
• Most anti-malware packages now include basic web filtering
• Beware of false positive issues
  – Sites often blacklisted due to malicious adverts
  – Lookup should be live rather than based on downloaded list

Page 13:

Things the sales people won’t tell you

• A reasonably skilled attacker will be able to get past your antimalware product
  – Common tools allow the creation of one-off malware variants that will get through
  – Often used in penetration tests
  – I could show you how to do this in a lunch break…
• So…
  – Do not trust antimalware to protect against targeted attacks
  – But it’s still useful to protect against “off the shelf” malware

Page 14:

Things the sales people won’t tell you

• Antimalware software can introduce new security holes
  – Runs on all machines, and needs admin rights, so an attractive target for an attacker
  – Track record of not so great development practice
  – Large, complex software
• Joxean Koret broke Avast, AVG, Avira, BitDefender, ClamAV, Comodo, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. In a year.
  https://vimeo.com/108053895, http://joxeankoret.com/download/breaking_av_software_44con.pdf

Page 15:

You know when you’ve been Tavis’d!

• Tavis Ormandy breaks things… https://googleprojectzero.blogspot.co.uk
  – June 2016 Symantec
  – March 2016 Comodo Antivirus, Trend
  – February 2016 MalwareBytes
  – December 2015 FireEye, AVG
  – October 2015 Avast
  – September 2015 Kaspersky
  – June 2015 ESET
  – August 2011 Sophos
• Google for “Ormandy” and the name of your vendor!

Photo by Alex E. Proimos, http://www.flickr.com/photos/proimos/4199675334/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=22535544

Page 16:

Things the sales people won’t tell you

• Upselling
• You are sold an anti-malware product, then…
  – “Buy our new XXX product to protect against the latest threats”
• Ask…
  – Why am I being charged more to address issues the product you sold me was supposed to fix?

Page 17:

Summary

• Most commercial antimalware products can be easily configured to meet Cyber Essentials requirements
  – Configuration and monitoring are important
• Important to understand and address the limitations of antimalware products
  – Beware of sales promises
  – Don’t be afraid to ask awkward questions
• Make sure technical staff are aware and up to date with evasion techniques (send them to conferences like 44CON and buy them Joxean’s book!)
• Useful links
  – https://www.ncsc.gov.uk/guidance/10-steps-malware-prevention
  – https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

Page 18:

Questions?

Nick Barron
[email protected]
01329 226346

(I checked on Twitter they said gratuitous cat pics are fine!)