7/31/2019 Inside Av Engine
1/19
Anti malware* Engine
Information Sharing Talk (IST)
* Should we avoid using the term "virus" as a catch-all term for malware?
* Why not run two antivirus (anti malware) products on one system?
-
Classify
  Blacklisting
    Detect bad objects
    Cannot be perfect, since the underlying problem is undecidable
    Signature (reactive mechanism)
    Heuristics
      Dynamic
      Static parameters
  Whitelisting
    Allow only good objects and block the remaining ones
    Can be solved theoretically, but is practically challenging
Anti malware engine 2
-
Basic Activity: how an anti malware works
  Scanning* is split across three engines, each backed by its own database:
    Behavior Based Engine (on process activities): behaviors database
    Anti Virus Scanning (on file content): malware signature database
    White listing (on process creation): known applications database
  * Process activity: file read or write
-
Design Problems
  Scanning a clean file needs to be fast
  Scanning or disinfecting malware may take a long time
  Where to keep the database while scanning
    Tradeoff between memory and file IO
  Engines differ for desktop and mobiles
  Preprocessing helps, but will make booting slower
-
Scanning
  Static
    Scan/analysis of a file's structure and contents
    Methods
      On demand
      On access
  Dynamic
    Monitoring while the target is executing
    Emulate
-
Components of AV engine (pipeline figure)
  Malware.zip -> UNARCHIVER -> Malware.exe -> File type recognizer -> PE Parser -> Unpacker -> Signature scanning and heuristics -> verdict: Clean / Infected
-
Scanning Techniques
  String scanning
  Hash scanning
  Virus specific scanning
  Heuristics
  Emulation
    Used with other techniques
-
String Scanning
  Naive scanning O(nm)
  Boyer Moore O(n)
  Aho Corasick Algorithm
  Figure: pattern "a b c" searched in text "a b a b a b c a b a"; m and n label the pattern and text lengths
-
Aho-Corasick
  Set Matching Problem
  A multiple string matching algorithm that constructs a finite state machine from a pattern set (a list of keywords),
  then uses the machine to locate all occurrences of the keywords in a body of text.
  Pattern set to search P = {P_1, P_2, ..., P_k} in a target text T of length m (positions 1, ..., m)
  n = \sum_{i=1}^{k} |P_i|
  Running time O(m + n + z), where z is the number of pattern occurrences in T
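Added example, not from the talk: a minimal Aho-Corasick matcher in Python that builds the goto/failure automaton from a set of constructed signature fragments and reports every occurrence with its offset in a single pass over the buffer. The signature names and sample buffer are constructed for the demo.

```python
from collections import deque

def build_automaton(patterns):
    """Build the Aho-Corasick automaton for a list of byte patterns.
    Returns goto (trie transitions), fail (failure links) and out
    (indexes of the patterns that end at each state)."""
    goto, out = [{}], [set()]
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:                      # insert the pattern into the trie
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({})
                out.append(set())
            s = goto[s][b]
        out[s].add(idx)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())        # depth-1 states fail to the root
    while queue:                           # BFS: failure links by depth
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]         # inherit matches of the suffix state
    return goto, fail, out

def scan(data, signatures):
    """Return sorted (signature name, offset) pairs for every hit in data.
    signatures: dict name -> bytes. One pass over data: O(m + n + z)."""
    names = list(signatures)
    patterns = [signatures[n] for n in names]
    goto, fail, out = build_automaton(patterns)
    hits, s = [], 0
    for i, b in enumerate(data):
        while s and b not in goto[s]:      # follow failure links on mismatch
            s = fail[s]
        s = goto[s].get(b, 0)
        for idx in out[s]:
            hits.append((names[idx], i - len(patterns[idx]) + 1))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed signature fragments and buffer (the talk's "abc" example).
    SIGS = {"sig_abc": b"abc", "sig_bab": b"bab", "sig_ca": b"ca"}
    print(scan(b"abababcaba", SIGS))
```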
-
Hash scanning
  Take a hash of the full file
    Cannot work for file infectors
    Slow
    A single junk byte appended to the malware will defeat detection
  Use a (start, length) pair for calculating the hash
    If the length is short: false positives
    If the length is long: a lot of disk access
-
Start position
  It can be an arbitrary point
  It can be fixed
    PE entry point
    Beginning of the file
    Beginning of the code section
    Beginning of an exported function
  There can be many unique (start, length) pairs
    Makes the scan slower
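Added example, not from the talk, covering the hash-scanning trade-offs of slides 10 and 11 in Python: a full-file hash versus a (start, length) region hash, run on constructed byte strings that stand in for a malicious and a clean file. The "MZ" stub, the region offsets and the junk-byte append are assumptions made for the demo.

```python
import hashlib

# Constructed stand-ins for file contents (no real malware): a shared header
# stub followed by distinct bodies. Offsets below are chosen for the demo only.
STUB = b"MZ\x90\x00" + b"\x00" * 12
MALWARE = STUB + b"evil-body-0123456789-constructed"
CLEAN = STUB + b"benign-body-abcdefghij-constructed"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_region_sig(data, start, length):
    """A signature as a (start, length, digest) triple over one file region."""
    return (start, length, sha256(data[start:start + length]))

def region_matches(data, sig):
    start, length, digest = sig
    if start + length > len(data):
        return False                       # region lies outside the file
    return sha256(data[start:start + length]) == digest

def full_hash_matches(data, digest):
    return sha256(data) == digest

def demo():
    """Compare both schemes on the original, a junk-appended copy and a clean file."""
    full_digest = sha256(MALWARE)
    good_sig = make_region_sig(MALWARE, start=len(STUB), length=12)  # distinctive bytes
    short_sig = make_region_sig(MALWARE, start=0, length=4)          # only the stub
    appended = MALWARE + b"\x00"                                     # one junk byte
    return {
        "full_hash_on_original": full_hash_matches(MALWARE, full_digest),  # True
        "full_hash_after_junk": full_hash_matches(appended, full_digest),  # False
        "region_after_junk": region_matches(appended, good_sig),           # True
        "short_region_on_clean": region_matches(CLEAN, short_sig),         # True: FP
        "good_region_on_clean": region_matches(CLEAN, good_sig),           # False
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```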
-
Heuristics
  Enabling a person to discover or learn for themselves
  Relating to a speculative formulation serving as a guide in the investigation or solution of a problem
-
Heuristics methods
  Strategy             Dynamic     Static
  Subject of Analysis  Behavior    Structure
  Analysis Methods     Weights     Rules
-
Weights Based
  Activity                 Weight
  Network server           2
  Disable system tools     5
  Hidden process           7
  Writes to HOSTS file     3
  Creating executables     2
  No GUI                   1
  Sends HTTP               2
  Sends IRC                5
Rules Based
  1. Small executable AND runs a server
  2. Kills AV process AND contains a decryption loop
  3. Packed executable AND deletes itself
  4. Suspicious double extension (e.g. amazingshoots.jpeg.exe)
  5. Program runs from Temp directory AND creates a new executable in Windows
  6.
  7.
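Added example, not from the talk: a Python rating routine that applies the weights table and rules 1 to 5 above to a record of observed facts, so the two analysis methods can be compared on the same sample. The score threshold, the "small executable" size limit, the fact-record layout and both sample records are assumptions made for the demo.

```python
# Activity weights from the talk's table; the threshold, size limit and the
# fact-record layout are assumptions made for this example.
WEIGHTS = {
    "network_server": 2, "disable_system_tools": 5, "hidden_process": 7,
    "writes_hosts_file": 3, "creates_executables": 2, "no_gui": 1,
    "sends_http": 2, "sends_irc": 5,
}
SCORE_THRESHOLD = 8        # assumed: total weight at or above this is suspicious
SMALL_EXE_BYTES = 50_000   # assumed cut-off for "small executable"

def weight_score(activities):
    """Weights-based rating: add the weight of every observed activity."""
    return sum(WEIGHTS.get(a, 0) for a in activities)

def has_double_extension(name):
    """Rule 4: data-looking extension in front of an executable one (x.jpeg.exe)."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3 and parts[2] in {"exe", "scr", "com"}
            and parts[1] in {"jpeg", "jpg", "pdf", "doc", "txt"})

# Rules-based rating: each rule is a conjunction over the observed facts.
RULES = {
    "small_exe_and_server": lambda f: f["size"] < SMALL_EXE_BYTES and "network_server" in f["acts"],
    "kills_av_and_decryption_loop": lambda f: "kill_av_process" in f["acts"] and f["decryption_loop"],
    "packed_and_self_delete": lambda f: f["packed"] and "deleted_self" in f["acts"],
    "double_extension": lambda f: has_double_extension(f["name"]),
    "temp_run_and_exe_in_windows": lambda f: "\\temp\\" in f["path"].lower() and "creates_exe_in_windows" in f["acts"],
}

def rate(facts):
    """Return (weight score, fired rule names, verdict) for one observed sample."""
    score = weight_score(facts["acts"])
    fired = [name for name, rule in RULES.items() if rule(facts)]
    verdict = "suspicious" if score >= SCORE_THRESHOLD or fired else "clean"
    return score, fired, verdict

# Constructed observations for two samples (no real files involved).
SUSPECT = {"name": "amazingshoots.jpeg.exe", "size": 20_000, "packed": True,
           "path": r"C:\Users\u\AppData\Local\Temp\amazingshoots.jpeg.exe",
           "decryption_loop": False,
           "acts": {"network_server", "hidden_process", "no_gui",
                    "creates_executables", "creates_exe_in_windows"}}
BENIGN = {"name": "notepad.exe", "size": 200_000, "packed": False,
          "path": r"C:\Windows\System32\notepad.exe", "decryption_loop": False,
          "acts": set()}

if __name__ == "__main__":
    print(rate(SUSPECT))
    print(rate(BENIGN))
```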
-
Script malware
  A script host program is generally used to run the scripts:
    Perl myscript.pl
    msiexec.exe myinstall.msi
    iexplore.exe mysc.js
  The threat will be shown as the running host process
  A behavior-learning approach will generate false positives in this case
  The simplest solution is to look at the command line
    However, this is not possible in many cases (WINWORD etc.)
-
Otherwise (script analysis pipeline figure)
  Script -> NORMALIZER -> PARSER/Analyzer -> Emulator -> Rating Logic -> verdict: Clean / Malware
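Added example, not from the talk: the normalizer and rating stages of the pipeline above in Python, applied to two constructed script snippets. The normalizer handles JavaScript comment syntax only and does not parse strings; the indicator list, its weights and the threshold are assumptions for the demo.

```python
import re

def normalize_script(src):
    """Normalize JavaScript-like script text before signature matching:
    drop comments, join split string literals, fold case and whitespace.
    Toy normalizer: JavaScript comment syntax only, no string-aware parsing."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)     # /* block comments */
    src = re.sub(r"//[^\n]*", " ", src)                  # // line comments
    src = re.sub(r'"\s*\+\s*"', "", src)                 # "WScr" + "ipt" -> "WScript"
    src = src.lower()
    return re.sub(r"\s+", " ", src).strip()

# Indicator strings matched against the normalized text; the weights and the
# threshold are assumptions for this example.
INDICATORS = {"wscript.shell": 3, "activexobject": 1, "eval(": 2}
THRESHOLD = 3

def rate_script(src):
    """Rating logic: sum the weights of indicators found in the normalized script."""
    text = normalize_script(src)
    found = [ind for ind in INDICATORS if ind in text]
    score = sum(INDICATORS[i] for i in found)
    return text, found, "Malware" if score >= THRESHOLD else "Clean"

# Constructed samples: one splits a string and carries a comment, one is a plain helper.
SPLIT_SAMPLE = 'var s = "WScr" + "ipt" + ".Shell"; // run\nvar o = new ActiveXObject(s);'
PLAIN_SAMPLE = 'function add(a, b) { /* helper */ return a + b; }'

if __name__ == "__main__":
    print(rate_script(SPLIT_SAMPLE))
    print(rate_script(PLAIN_SAMPLE))
```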
-
Behavior Blocker
  Of course not all provide the same protection
  Commonly known as HIPS = Host Intrusion Prevention System
  HIPS monitors the sequence of system calls an application makes
    and the parameters passed into each call
  HIPS Decision Logic
    Ask the user to decide
    Use heuristic methods
    Use both
-
Root kit Detection
  Cross View Diff
    We use a variant of it
    Low FP rate
  Hook Detection
    Good hooking is common (ENSAFE)
    Cannot be a decision point to quarantine
    But very important for security
    Not allowed on many Linux systems and 64-bit Windows
  Static Analysis
    Sequence which hooks AND sequence which manipulates EPROCESS pointers
  Hooking behavior is monitored
    Can take a decision from the user