Endpoint Security Solutions
• USB Pratirodh
• Browser JS Guard
• AppSamvid
• Malware Nivarak
• Malware Resist
• Application and Device Control
• Workflow Analyser
USB Pratirodh
Protects from unauthorized usage of USB devices
Highlights of USB Pratirodh
Blocking and unblocking of USB mass storage devices such as cameras, pen drives, mobiles, printers, external hard disks, etc.
Encryption and decryption of files and folders.
Virus detection and Autorun protection
User Authentication (only registered devices can be authenticated)
Verified and Certified by STQC
Supports Windows (XP SP3, Vista, 7, 8)
Sold licenses to IRISET, ISRO, ECIL, Heavy Water Plant, Headquarters 9 Corps and C-DAC Mumbai.
Deployed at Navy, DRDO, CERT-In, C-DAC Bengaluru.
Salient Features and Benefits
Whitelisting of USB Devices
User Authentication for accessing USB Devices
Malware Detection in USB storage Devices
Data Encryption for USB Storage Devices
List of Attacks Addressed
Protect Against misuse of USB Devices
Protect against malware executing from USB Devices
Encryption protects data in case the device is lost
Hardware and Software Requirements
Microsoft Windows XP(SP3) and above.
Recommended 100 MB of Hard disk space.
Snapshots
Potential user agencies / organizations
Any computer user or organization
Browser JS Guard
Add-on for browsers to protect from JavaScript-based malware
Highlights of the Product
Detected malware that had not been detected by any other anti-malware solution.
Validated and certified by CERT-In
Real-time code injection detection and prevention in web pages
Everything we capture is happening in the wild (there is no theory)
Collects little data, and the data reported is of high value
Early warning and prevention
Automatic product updates via the Internet
Designed as a browser extension and available in popular web browser repositories
Consumption of minimal resources
Salient Features
Content/heuristic-based JS & HTML malware protection
Alerts the User on visiting Malicious Web pages
Provides detailed analysis of webpage threats
Ease of installation
Compatible Web Browsers
Web Browser Name      Compatible with Version   Supported OS
Firefox               >= 14.0                   Windows & Linux
Google Chrome         >= 14.0                   Windows & Linux
Iceweasel             >= 21.0                   Windows & Linux
Opera                 >= 11.0                   Windows & Linux
Internet Explorer     = 9.0                     Windows
Value of the Product
Detects
– Client-side redirections
– Redirections through DOM-changing functions
– Runtime JavaScript code injections
Malicious Web Page Analysis and Detection through Browser JS Guard
Malicious Redirection Attack Vectors
Possible vectors are
– Hidden Activities
– Obfuscated JavaScript code
– Unauthorized Redirections
Detection of Hidden Activities
Exploits Through “brenz.pl”
www.brenz.pl is an exploit site pre-loaded with an exploit kit called Eleonore. It is a dangerous domain specially created to propagate rogue programs, Trojan horses and browser hijackers, and it can lead to system freezes.
It may even cause identity theft, financial loss and permanent file deletion.
The main Indian site of Moneycontrol.com was compromised and injected with malicious code on November 6, 2010. The injected code redirected users to the exploit website “brenz.pl”.
Example URL: http://www.tradersbay.in/login.php
Browser JS Guard - Detection of brenz.pl based attacks
Exploits Through “xanjan.cn”
www.xanjan.cn collects passwords from the site when a user logs into their account.
– Example infected URL:
• http://compass.co.in/achieve2003-2004.php
• Infection present in this website (screenshot)
Browser JS Guard - Detection of xanjan.cn based attacks
Detection of Obfuscated JavaScript Code based Attacks
Drive-by Download Attack
http://feeds.feedburner.com/bileblog is an infected URL.
It drops a JavaScript Trojan. This URL performs the following redirection chain:
▪ Intermediate redirection: hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1
▪ Final redirection: hxxp://fukbb.com/
Analysis – Obfuscated Code
Analysis – De-obfuscated Code
Analysis
The de-obfuscated code loads an iframe into the victim’s browser, which redirects the user to ‘hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1’, which in turn redirects to ‘hxxp://fukbb.com/’.
The source code hosted at the intermediate site is a simple redirect.
Final Redirected Page
Browser JS Guard - Detection of Obfuscated JavaScript Code
Detection of Unauthorized Redirection Attacks
Infected URL
foto.kku.in is the infected URL. It refers to malicious cross-domain sites and attacks the user.
Browser JS Guard - Detection of Unauthorized Redirections
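The three detection classes discussed above (hidden activities, obfuscated code, unauthorized redirections) can be illustrated with a small set of heuristics. The block below is an added example and not Browser JS Guard code; the event records, placeholder hosts and thresholds are constructed for the illustration.

```javascript
// Added example, not Browser JS Guard code: three heuristics matching the
// detection list above (hidden cross-domain iframes, unauthorized cross-domain
// redirections, obfuscated scripts), applied to constructed observations.
const DANGEROUS_SINKS = /\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(/;
// Twelve or more consecutive %XX, \xXX or \uXXXX escapes: typical of encoded payloads.
const ENCODED_RUN = /(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){12,}/;

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch (e) { return null; }
}

// A frame is "hidden" when the user cannot see it.
function isHidden(frame) {
  const style = (frame.style || "").replace(/\s+/g, "").toLowerCase();
  return frame.width <= 1 || frame.height <= 1 ||
    style.includes("display:none") || style.includes("visibility:hidden");
}

// events: what an in-browser guard observed (iframe insertions, location
// changes, injected script text); allowedHosts: legitimate cross-domain targets.
function analyzeEvents(pageUrl, events, allowedHosts = []) {
  const pageHost = hostOf(pageUrl);
  const alerts = [];
  for (const ev of events) {
    if (ev.kind === "iframe") {
      const host = hostOf(ev.src, pageUrl);
      if (host && host !== pageHost && isHidden(ev)) {
        alerts.push({ rule: "hidden-cross-domain-iframe", host });
      }
    } else if (ev.kind === "redirect") {
      const host = hostOf(ev.target, pageUrl);
      if (host && host !== pageHost && !allowedHosts.includes(host)) {
        alerts.push({ rule: "unauthorized-redirection", host });
      }
    } else if (ev.kind === "script" && DANGEROUS_SINKS.test(ev.code) && ENCODED_RUN.test(ev.code)) {
      alerts.push({ rule: "obfuscated-script", host: pageHost });
    }
  }
  return alerts;
}

// Constructed sample (placeholder hosts, not the domains named in the slides).
const SAMPLE_EVENTS = [
  { kind: "iframe", src: "https://exploit-kit.example/d/404.php?go=1", width: 0, height: 0 },
  { kind: "iframe", src: "/widgets/news", width: 300, height: 250 },
  { kind: "redirect", target: "https://cdn.site.example/login" },
  { kind: "redirect", target: "https://landing.example/" },
  { kind: "script", code: 'eval(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a"))' },
];
```

Running `analyzeEvents("https://www.site.example/index.html", SAMPLE_EVENTS, ["cdn.site.example"])` yields three alerts: the zero-size cross-domain iframe, the redirection to the unlisted host, and the escape-encoded `eval` string; the same-origin widget frame and the allow-listed CDN redirect are not reported.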
Detection Rate
Potential user agencies / organizations
Any end system user
Downloadable Links
– For Firefox web browser: https://addons.mozilla.org/en-US/firefox/addon/browser-jsguard/
– For Google chrome web browser: https://chrome.google.com/webstore/detail/browserjsguard/ncpkigeklafkopcelcegambndlhkcbhb
AppSamvid
Application Whitelisting Solution
Features
Whitelists .exe, .dll, .sys, .war, .jar and .class files
Automatic whitelisting of Windows Updates
Identification of potential updater file(s) for third-party software
Installation mode – supports installation of new software
– To allow updating of applications
Folder scan option to add applications to database
Password based access to GUI
Password based uninstallation
1/23/2015 C-DAC 39
List of Attacks Addressed
Protects against
– Zero day attacks
– Trojans
Technical Architecture
Hardware and Software Requirements
No extra hardware required
Works with Microsoft Windows
– XP SP3 onwards
– Requires approximately 5 MB to 25 MB of free hard disk space
Requires mini-filter driver support by Microsoft Windows
Snapshot – Home screen
Snapshot – Edit screen
Snapshot – Settings screen
Snapshot – Logs screen
Potential user agencies
Industrial Control Systems
ATMs (Automated Teller Machines)
Point of Sale systems
Small Business Users
Malware Nivarak
Application Behaviour Whitelisting
Objectives
Detects deviations at runtime from normal behaviour of modelled applications
Features
Ability to prevent Zero-day attacks on modelled applications via
– File access Monitor
– Registry access Monitor
Co-exists with other Anti-virus solutions
Integrates Malware Resist
Technical Architecture
(Diagram labels: Generate Model; Verify Model; Dynamic Policy Enforcement; GUI (Threat Alert); Verification Policies; Application Behavioural Heuristic Policies; Running Processes; Dynamic Model Enforcement; Execution; Trusted Models; success / Failure; Untrusted Application)
Software Requirements
Microsoft Windows XP(SP3) and above.
Recommended 100 MB of Hard disk space.
Bundled Application Models with installer
By default, Malware Nivarak is bundled with
– Adobe Acrobat Reader (8 and 10)
– MS Office 2007
  – MS Excel
  – MS Word
  – MS PowerPoint
Supports model generation for other applications
– One can generate models and enforce them at runtime.
Other Software Measurements
Memory footprint: ~50 MB
Hard disk space: ~10 MB (depends on the application model files)
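The generate-model / verify-model flow described for Malware Nivarak, as an added example written for this page (not Malware Nivarak code): the file and registry access traces, the application name and the normalization rules are assumptions for the illustration.

```javascript
// Added example, not Malware Nivarak code: a minimal generate-model /
// verify-model pair for file and registry access. Traces are constructed.

// Collapse an access target to its directory (or registry key) so the model
// generalizes across file names, value names and user profiles.
function normalizeTarget(target) {
  return target.toLowerCase()
    .replace(/^c:\\users\\[^\\]+\\/, "c:\\users\\<user>\\")
    .replace(/\\[^\\]*$/, "\\");
}

// Learning phase: record every (type, operation, location) an application used
// while it was observed behaving normally.
function generateModel(traces) {
  const model = {};
  for (const t of traces) {
    const app = t.app.toLowerCase();
    (model[app] = model[app] || new Set())
      .add(`${t.type}:${t.op}:${normalizeTarget(t.target)}`);
  }
  return model;
}

// Enforcement phase: an access is allowed only if it was modelled; applications
// without a model are reported as untrusted rather than silently allowed.
function verifyAccess(model, access) {
  const app = access.app.toLowerCase();
  if (!model[app]) return { verdict: "untrusted-application", app };
  const key = `${access.type}:${access.op}:${normalizeTarget(access.target)}`;
  return model[app].has(key)
    ? { verdict: "allowed", app, key }
    : { verdict: "deviation", app, key };
}

// Constructed trace of a PDF reader working normally for user "alice".
const READER_MODEL = generateModel([
  { app: "reader.exe", type: "file", op: "read", target: "C:\\Users\\alice\\Documents\\report.pdf" },
  { app: "reader.exe", type: "file", op: "write", target: "C:\\Users\\alice\\AppData\\Local\\Reader\\cache.bin" },
  { app: "reader.exe", type: "registry", op: "read", target: "HKCU\\Software\\Reader\\Settings\\Zoom" },
]);
```

With this model, the same reader opening another user's PDF is allowed, while a write into System32 or to a registry Run key is reported as a deviation, and an unmodelled executable is reported as untrusted.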
Malware Resist
Process Execution Control
Details
Detects malicious processes at runtime
Salient Features and Benefits
– Able to detect malware with its unique heuristic technology
– Capability to detect unknown malware
– Protects from malware before it does any harm to your system
– Easy to use
– Even if your antivirus hasn’t detected a suspicious process, you can quarantine it
Malware Resist
• Classifies (and monitors) processes in the system as
– Untrusted processes
– User-trusted processes
• Malicious behaviours which may cause damage to the system
– 46 critical behaviours are monitored
Some of the behaviors monitored
Code injection attempts
Packed executables
Changing security rights
Attempts to disable system tools
Installing a hidden service
Hidden processes
Specifications
Processor - Pentium IV Processor onwards
RAM - 256 MB (recommended)
Hard Disk - 20 MB
OS - Windows XP SP2, SP3, Windows Vista
Application and Device Control
Manage Applications and USB Mass Storage Devices in Your Domain Network
Introduction
ADC is a centralized management console for managing client components in a Windows Active Directory domain network.
Integrates the following components:
– AppSamvid functionality as Application Control
– Binary Heuristic Analysis
– Rootkit Detection Engine
– Browser JSGuard
– Malware Nivarak functionality as MPS
– USB Pratirodh functionality as Device Control
Features
SSL enabled Web based management console
Remote Deployment of client components – requires domain administrator privileges
Supports Batch Installation of remote clients
Centralized Logging – using MSMQ (Microsoft Message Queuing)
Graphical Log Analysis
Additional Features
Supports verifying application hashes with VirusTotal
Analysis of applications during scanning with heuristic application analyser
Supports Import/Export of whitelists
Remote registration of USB devices
Supports USB printers and scanners
Rootkit detection on Windows XP SP 2 and SP3 systems
Technical Architecture
(Diagram labels: Application Control Server; Application Sandbox for Unknown Applications; Active Directory Environment; Client System; Remote Installation of Agent; Client-Server Communication: scan notification, submit application details, logs etc.; Database (Whitelists/Policies): 1. Application whitelists, 2. Device control policies; Enforcement of Policies; Application Control Agent; Device Control Agent; Device Control Server)
Minimum Hardware and Software Requirements
Server
– Windows Server 2008
– Active Directory Environment
– PostgreSQL 9.2
– Apache Web Server 2.2.x with PHP 5
– Minimum 500 MB hard disk space (1 GB recommended)
Client
– Microsoft Windows Vista and above
– Configured to use Active Directory
– Recommended 100 MB of hard disk space
Snapshots – Application Control
Snapshots – Device Control
Snapshots – Deploy components
Potential user agencies / organizations
Small to medium sized Enterprise networks
SCADA Environments
Workflow Analyzer
• Acts as an interceptor between the web server and the web client.
• Analyzes state-deviation attacks at runtime during web application execution.
• Targeted attacks
– Authentication bypass
– Authorization bypass
– Sequence bypass
• Works in 2 phases
– Learning Phase
– Detection Phase
Workflow Analyzer
(Diagram: Learning Phase; Detection Phase)
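The two phases above, as an added example that is not Workflow Analyzer code: the learning phase builds a per-role request-transition model from benign sessions, and the detection phase classifies a session's unseen transitions as sequence, authentication or authorization bypass. Roles, paths and sessions are constructed.

```javascript
// Added example, not Workflow Analyzer code: the learning phase records which
// request follows which, per role, across benign sessions; the detection phase
// replays a session against that model. Sessions are constructed.
const START = "<start>";

function learnModel(sessions) {
  const model = { transitions: new Set(), states: new Set(), reach: new Map() };
  for (const s of sessions) {
    let prev = START;
    for (const path of s.requests) {
      model.transitions.add(`${s.role}|${prev}>${path}`);
      model.states.add(path);
      if (!model.reach.has(s.role)) model.reach.set(s.role, new Set());
      model.reach.get(s.role).add(path);   // pages this role legitimately reaches
      prev = path;
    }
  }
  return model;
}

// Classify each unseen transition by what the model knows about its target.
function detectSession(model, session) {
  const findings = [];
  const reachable = model.reach.get(session.role) || new Set();
  let prev = START;
  for (const path of session.requests) {
    if (!model.transitions.has(`${session.role}|${prev}>${path}`)) {
      let kind = "unknown-request";
      if (reachable.has(path)) kind = "sequence-bypass";  // legitimate page, wrong step
      else if (model.states.has(path)) {
        // page exists but was never reached by this role: before login it is an
        // authentication bypass, for a logged-in role an authorization bypass
        kind = session.role === "anonymous" ? "authentication-bypass" : "authorization-bypass";
      }
      findings.push({ kind, from: prev, to: path });
    }
    prev = path;
  }
  return findings;
}

// Constructed benign sessions: the role is the one the session ran under.
const MODEL = learnModel([
  { role: "anonymous", requests: ["/login"] },
  { role: "user", requests: ["/login", "/account", "/cart", "/checkout"] },
  { role: "admin", requests: ["/login", "/admin", "/admin/users/delete"] },
]);
```

Against this model a user jumping from /login straight to /checkout is a sequence bypass, an anonymous request for /account is an authentication bypass, and a user reaching /admin/users/delete is an authorization bypass.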
Thank You