KAV 7.0 Overview of technologies Nikolay Grebennikov Department of Innovative Technologies, Deputy Director, Nikolay.Grebennikov@kaspersky.com
Plan of presentation

We'll talk about new protection technologies:
• New heuristic engine based on an emulator
• Greatly improved Anti-rootkit
• Outbound protection improvements (anti-leak)
• New Privacy Control concept
• Protection against a new type of keylogger
• Improved PDM detection
• Improved self-protection
New heuristic engine (1)

• KAV 3.0, 4.0, 5.0: best detection rate and fastest reaction time: signature-based detection
• KAV 6.0: + Proactive Defense Module (PDM), based on analysis of application behavior
• KAV 7.0: + new heuristic engine based on an emulator

Now KL's 7.0 products contain a full set of the most effective technologies, which gives our users a unique level of protection against all types of modern threats: a triple shield of protection.
New heuristic engine (2)

The heuristic engine uses the same decision-making logic (set of rules) as the Proactive Defense Module. But the events for the heuristic engine and for PDM are generated by different modules: the emulator and the kernel-mode driver.

Diagram: the Proactive Defense Module and the heuristic engine share one "Decision-making logic" block; beneath it sit the two event providers, "Windows kernel-mode drivers" and "Emulator".
• The driver intercepts operations on the real file system and system registry, network and other activities of all processes.
• The emulator obtains the same information during emulation of the execution of the application's program code.
New heuristic engine (3)

Influence on system performance: the new emulator won't increase the system slowdown caused by AV, because KAV 7.0 uses the power of the triple shield:
• With default settings, PDM and the signature engine work in real time,
• The heuristic engine and the signature engine work in scan tasks.

                    Real-time protection       Scan tasks
Behavior-based      Proactive Defense Module   Heuristic engine
Signature-based     Signature-based engine     Signature-based engine
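The architecture on these two slides, one rule set fed by two event providers, as an added example. This is illustration code written for this page, not Kaspersky Lab code: the event kinds, the three rules and their verdict names, the "pid|kind|target" trace format and the API-to-event mapping of the toy emulator are all assumptions. The point it makes is the slide's: the rootkit sample yields the same verdict whether its events come from the driver trace of a running process or from emulating the file without running it.

```python
"""Added example (not Kaspersky Lab code): one decision-making logic fed by
two event providers, as the slide describes for KAV 7.0.  The event kinds,
the rules, the verdict names, the trace format and the API-to-event mapping
are all assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Event:
    kind: str     # assumed kinds: reg_set, file_write, hook, net_send, inject
    target: str   # registry value path, file path, hook type, peer, process
    pid: int      # process the event is attributed to (0 = emulated sample)


def _has(events: list[Event], kind: str, pred=lambda e: True) -> bool:
    return any(e.kind == kind and pred(e) for e in events)


def _is_ads(path: str) -> bool:
    """True when the last path component names an NTFS alternate data stream."""
    return ":" in path.rsplit("\\", 1)[-1]


# Shared decision-making logic: the same rules serve both providers.
RULES: list[tuple[str, Callable[[list[Event]], bool]]] = [
    ("Rootkit.Generic (kernel driver registered, image written into an ADS)",
     lambda ev: _has(ev, "reg_set", lambda e: "\\services\\" in e.target.lower()
                     and e.target.lower().endswith("\\imagepath"))
     and _has(ev, "file_write", lambda e: _is_ads(e.target))),
    ("Monitor.Generic (global keyboard hook followed by a network send)",
     lambda ev: _has(ev, "hook", lambda e: e.target in ("WH_KEYBOARD", "WH_KEYBOARD_LL"))
     and _has(ev, "net_send")),
    ("Trojan.Generic (Run-key persistence plus injection into another process)",
     lambda ev: _has(ev, "reg_set", lambda e: "\\currentversion\\run\\" in e.target.lower())
     and _has(ev, "inject")),
]


def decide(events: list[Event]) -> list[str]:
    """Verdicts for one subject; independent of which provider produced the events."""
    return [name for name, check in RULES if check(events)]


# Provider 1 (PDM): kernel-mode driver trace of a really running process.
# Constructed trace in an assumed "pid|kind|target" line format.
DRIVER_TRACE = r"""4120|file_write|C:\Windows\System32:drv.sys
4120|reg_set|HKLM\SYSTEM\CurrentControlSet\Services\drv\ImagePath
4120|reg_set|HKLM\SYSTEM\CurrentControlSet\Services\drv\Start
"""


def events_from_driver_trace(trace: str) -> list[Event]:
    events = []
    for line in trace.splitlines():
        pid, kind, target = line.split("|", 2)
        events.append(Event(kind, target, int(pid)))
    return events


# Provider 2 (heuristic engine): emulator.  The "program" is the sequence of
# API calls reached while emulating the sample; nothing really executes.
API_TO_EVENT = {
    "RegSetValueExW": "reg_set",
    "CreateFileW": "file_write",
    "SetWindowsHookExW": "hook",
    "send": "net_send",
    "WriteProcessMemory": "inject",
}
HOOK_IDS = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL"}   # idHook values


def emulate(program: list[tuple[str, str]], pid: int = 0) -> list[Event]:
    events = []
    for api, arg in program:
        kind = API_TO_EVENT.get(api)
        if kind is None:
            continue                       # API not relevant to any rule
        if api == "SetWindowsHookExW":
            arg = HOOK_IDS.get(int(arg), arg)
        events.append(Event(kind, arg, pid))
    return events


# Constructed samples (assumed names and paths).
ROOTKIT_PROGRAM = [
    ("CreateFileW", r"C:\Windows\System32:drv.sys"),
    ("RegSetValueExW", r"HKLM\SYSTEM\CurrentControlSet\Services\drv\ImagePath"),
]
KEYLOGGER_PROGRAM = [
    ("GetModuleHandleW", "0"),
    ("SetWindowsHookExW", "13"),            # WH_KEYBOARD_LL
    ("CreateFileW", r"C:\Users\u\AppData\Local\keys.log"),
    ("send", "198.51.100.7:80"),
]

if __name__ == "__main__":
    print("driver  :", decide(events_from_driver_trace(DRIVER_TRACE)))
    print("emulator:", decide(emulate(ROOTKIT_PROGRAM)))
    print("emulator:", decide(emulate(KEYLOGGER_PROGRAM)))
```

The rules look only at the event list, never at who produced it, which is what makes a rule written against driver events immediately usable against the emulator. The real cost difference is in the providers, not the logic: the emulator has to reach the interesting API calls itself, which is why the slide puts it in scan tasks rather than on the real-time path.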
New heuristic engine (5)

Demo: scan of the emul.zip archive with 4 test viruses
1. Heuristic is disabled: no threats detected

New heuristic engine (6)

2. Heuristic is enabled: all threats are detected, with 3 different behavior-based verdicts
Greatly improved Anti-rootkit (1)

Anti-rootkit technologies
• During installation of a rootkit
  • Interception of rootkit driver and service registration
  • Interception of injection of rootkit code into trusted processes, plus self-protection of KAV
• Detection of active rootkits
  • Detection of hidden processes in memory
  • Active threat disinfection technology
  • Detection and removal of hidden files on disk (New in 7.0!)
Greatly improved Anti-rootkit (2)

Detection of hidden files
• Main idea is a cross-scan: get the list of files using the Windows API, get the same list using direct disk access, and compare!
• Rootkit scan: direct disk access for all files and for the NTFS Alternate Data Streams of folders
• Advanced rootkit scan: the same as the basic scan plus a scan of the ADS of all files (much slower, but necessary in some cases)
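The cross-scan on this slide, as an added example that is not Kaspersky Lab code. Two listings of one volume are compared: the one the Windows API returns (which an active rootkit can filter) and the one a scanner builds by parsing the raw volume itself. Both listings here are constructed text in an assumed one-entry-per-line format, and the file and stream names (drv.sys, rk.sys, payload) are assumptions; the two hidden-stream cases mirror the Unreal.A (ADS of the root folder) and Costrat (ADS of the System32 folder) demos later on this page. The `advanced` flag reproduces the difference between the basic scan (ADS of folders only) and the advanced scan (ADS of every file).

```python
"""Added example (not Kaspersky Lab code): the cross-scan described on the
slide.  A listing taken through the Windows API (which a rootkit can filter)
is compared with a listing built from direct disk access (the scanner's own
parsing of the raw volume).  Both listings here are constructed text; the
file and stream names in them are assumptions."""
from __future__ import annotations

# Listing format (assumed for this example), one entry per line:
#   C:\dir\              folder (trailing backslash)
#   C:\dir\file.ext      file
#   C:\dir\file.ext:name NTFS alternate data stream of a file
#   C:\dir:name          NTFS alternate data stream of a folder
#   C:\:name             NTFS alternate data stream of the volume root


def split_stream(entry: str) -> tuple[str, str | None]:
    """Split 'path:stream' into (path, stream); the drive colon is skipped."""
    base, sep, stream = entry[2:].partition(":")
    return entry[:2] + base, (stream if sep else None)


def parse_listing(text: str):
    files, folders, streams = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = line.lower()               # NTFS names are case-insensitive
        path, stream = split_stream(entry)
        if stream is not None:
            streams.add((path.rstrip("\\"), stream))
        elif entry.endswith("\\"):
            folders.add(entry.rstrip("\\"))
        else:
            files.add(entry)
    return files, folders, streams


def cross_scan(api_listing: str, disk_listing: str, advanced: bool = False):
    """Return (hidden_objects, hidden_streams).

    Basic rootkit scan: every file and folder, plus the ADS of folders.
    Advanced rootkit scan: additionally the ADS of every file (slower).
    """
    api_files, api_folders, api_streams = parse_listing(api_listing)
    disk_files, disk_folders, disk_streams = parse_listing(disk_listing)

    hidden_objects = sorted((disk_files | disk_folders) - (api_files | api_folders))
    checked = disk_streams if advanced else {s for s in disk_streams if s[0] in disk_folders}
    hidden_streams = sorted(checked - api_streams)
    return hidden_objects, hidden_streams


# What the Windows API returns on the infected machine (constructed).
API_VIEW = r"""
C:\
C:\Windows\
C:\Windows\System32\
C:\Windows\System32\drivers\
C:\Windows\System32\kernel32.dll
C:\Users\u\report.docx
C:\Users\u\report.docx:Zone.Identifier
"""

# What direct disk access finds on the same volume (constructed).
DISK_VIEW = API_VIEW + r"""
# ADS of the root folder, as with Unreal.A; the rootkit hides the stream too
C:\:drv.sys
# ADS of the System32 folder, as with Costrat
C:\Windows\System32:rk.sys
# a file filtered out of API directory listings
C:\Windows\System32\drivers\rk.sys
# ADS of a user file: only the advanced scan looks here
C:\Users\u\report.docx:payload
"""

if __name__ == "__main__":
    for advanced in (False, True):
        objects, streams = cross_scan(API_VIEW, DISK_VIEW, advanced)
        print("advanced" if advanced else "basic   ", objects, streams)
```

The comparison is the easy half; the detection stands or falls on the disk view really bypassing the rootkit, which means reading the volume below the file-system filter stack with the scanner's own NTFS parser rather than through any API the rootkit can hook. A legitimate stream such as Zone.Identifier shows up in both views and is therefore never reported.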
Greatly improved Anti-rootkit (3)

Materials
• Fighting Rootkits with Kaspersky Internet Security 6.0/Kaspersky Antivirus 6.0 (http://www.kaspersky.com/fighting_rootkits_version_6_products)
• In the near future we'll publish the second part of the article, about Anti-rootkit in KIS 7.0
• But right now you can make a demo using the 3 rootkits described on the next slides (Costrat, Unreal, Elite Keylogger)
Greatly improved Anti-rootkit (4)

• Costrat (Rustock.B; Spambot) http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
  • family of backdoor programs with advanced user-mode and kernel-mode rootkit capabilities
  • very powerful rootkit, described in VB in August 2006
• Elite Keylogger http://www.elitekeylogger.com/
  • very powerful keylogger and rootkit, uses 3 kernel-mode drivers
  • detected by KAV 6.0 during installation; the Rescue CD was needed to remove it
• Unreal.A by MP_ART & EP_X0FF
  • proof-of-concept non-malicious stealth rootkit
  • designed to be invisible to all current rootkit detection technologies
Greatly improved Anti-rootkit (5)

Trojan-Clicker.Win32.Costrat.ab (Rustock): the driver is hidden in an NTFS Alternate Data Stream of the System32 folder

Greatly improved Anti-rootkit (6)

not-a-virus:Monitor.Win32.EliteKeylogger

Greatly improved Anti-rootkit (7)

Exploit.Win32.Unreal.a
1. The driver is hidden in an NTFS Alternate Data Stream of the root C:\ folder
2. This Alternate Data Stream is itself hidden by the rootkit's driver!
Firewall outbound protection improvements (1)

Leak tests failed by KIS 6.0 MP2*
• BITStester: use of the BITS service
• Breakout: Windows messages to IE
• Breakout2: changing the Active Desktop with a URL
• CPILSuite3: SetWinEventHook function
• DNStester: DnsQuery from Dnsapi.dll
• OSfwbypass: ShowHTMLDialog from Mshtml.dll
• Surfer: DDE communication with IE

* http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
Firewall outbound protection improvements (3) 1. BITSAdmin 2. Breakout
Firewall outbound protection improvements (4) 3. Breakout2 4. CPILSuite (3)
Firewall outbound protection improvements (5) 5. Surfer 6. OSFwBypass
Firewall outbound protection improvements (6)

• KIS 7.0 should improve its result by 650+ (300-600 points; I am not sure about the FPR tests)
• In any case KIS will surpass ZoneAlarm and SSM in the result table. We will consider our third place as the best possible result, because we are not going to fight against the specific solutions from Comodo and Jetico (the only difference will be in the default settings; we think that our settings are the best balance for 95% of Internet users).
New Privacy control concept (1)

• The concept of the Privacy Control component implemented in most Security Suites:
  • "enter all your private data: PINs, passwords, ..."
  • "we will analyze outgoing traffic, and if some of your private data is found, it will be replaced by ***"
• Cool idea, but it DOES NOT work in the real world.
• Why? Because almost all trojans encrypt everything they send, and the Security Suite will find nothing in such encrypted traffic!
• So how can we protect the user's private data?
  • we can block access to the password stores of many well-known programs and to the Windows Protected Storage,
  • we can block all attempts to send data in hidden ways (used by most trojans).

New Privacy control concept (2)

• Real-life example: Trojan-PSW.Win32.LdPinch
• Test sample: a passview utility, which tries to get information from the Windows Protected Storage
Protection against new type of keyloggers (1)

Protection against all types of keyloggers
• User-mode
  • SetWindowsHookEx (global keyboard hook)
  • GetAsyncKeyState/GetKeyState (keyboard polling)
  • GetMessage/PeekMessage interception
  • Use of the Raw Input model (New in 7.0!)
• Kernel-mode
  • Kbdclass driver filter
  • \Device\KeyboardClass0 driver filter
  • Kbdclass dispatch table patch
  • KeServiceDescriptorTableShadow patch
Protection against new type of keyloggers (2)

Unique! Protection against a new technique to intercept keyboard input: using the Raw Input model via DirectX functions

Improved PDM detection (1)

Unique! Protection against a new technique to install drivers in a hidden way: save/restore of the registry hive for the Services part of the system registry

Improved PDM detection (2)

Unique! Protection against a new technique to install drivers in a hidden way: using the kernel function ZwLoadDriver (which can be used by ring-3 applications)
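An added example serving both the kernel-mode keylogger list above (the "Kbdclass driver filter" entry) and the two hidden driver-installation techniques on the PDM slides; it is illustration code written for this page, not Kaspersky Lab code. It audits a .reg export for the two registry install points involved: the UpperFilters list of the keyboard device class, where a Kbdclass filter driver registers, and kernel-driver services whose image lives in an NTFS alternate data stream (as in the Costrat demo) or outside System32\drivers. A driver brought in through a restored Services hive or through NtLoadDriver (the ntdll export of ZwLoadDriver) still needs such a service key, so the key is what is left to find. The export below is constructed; the service names klog and upd, their paths and the one-entry baseline for UpperFilters are assumptions.

```python
"""Added example (not Kaspersky Lab code): auditing, from a .reg export, the
keyboard-class UpperFilters list and the kernel-driver service keys.  The
export, the service names klog/upd and the baseline are assumptions."""
from __future__ import annotations
import re

KEYBOARD_CLASS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                  r"\{4D36E96B-E325-11CE-BFC1-08002BE10318}")   # keyboard class GUID
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
BASELINE_KEYBOARD_FILTERS = {"kbdclass"}   # assumed baseline: the inbox class driver only
SERVICE_KERNEL_DRIVER = 0x1                 # Type value of a kernel-mode driver service

# Constructed export: kbdclass plus an extra keyboard filter "klog" whose
# image sits in an ADS of System32, and a driver "upd" loaded from a user folder.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"Class"="Keyboard"
"UpperFilters"=hex(7):6b,00,62,00,64,00,63,00,6c,00,61,00,73,00,73,00,00,00,6b,\
  00,6c,00,6f,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\System32\\drivers\\kbdclass.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klog]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\Windows\\System32:klog.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upd]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\Users\\Public\\upd.sys"
"""


def decode_value(value: str):
    """Decode the right-hand side of a .reg 'name=value' line."""
    if value.startswith('"'):                          # REG_SZ in text form
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):                     # REG_DWORD
        return int(value[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)     # hex, hex(2), hex(7), ...
    if not m:
        return value
    kind = int(m.group(1) or 3)                        # plain hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 7:                                      # REG_MULTI_SZ: UTF-16LE, NUL-separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind in (1, 2):                                 # REG_SZ / REG_EXPAND_SZ as hex
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    keys: dict[str, dict[str, object]] = {}
    current = None
    text = re.sub(r",\\\r?\n\s*", ",", text)           # join continued hex lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = decode_value(value)
    return keys


def audit(keys: dict[str, dict[str, object]]) -> list[str]:
    findings = []
    for drv in keys.get(KEYBOARD_CLASS, {}).get("UpperFilters", []):
        if drv.lower() not in BASELINE_KEYBOARD_FILTERS:
            findings.append(f"keyboard class UpperFilters: unexpected filter driver {drv}")
    for key, values in keys.items():
        if not key.startswith(SERVICES + "\\") or values.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        name = key.rsplit("\\", 1)[1]
        image = str(values.get("ImagePath", "")).lower()
        if ":" in image.rsplit("\\", 1)[-1]:           # stream name after the last component
            findings.append(f"driver service {name}: image is an NTFS alternate data stream ({image})")
        elif "\\system32\\drivers\\" not in image:
            findings.append(f"driver service {name}: image outside System32\\drivers ({image})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(REG_EXPORT)):
        print(finding)
```

Against a real machine, export the keys with `reg export` and decode the file as UTF-16 before passing it to `parse_reg`. Both checks are leads rather than verdicts: some legitimate keyboard utilities register a filter driver, and third-party drivers are sometimes installed outside System32\drivers, so the baseline set should be built from a known-clean image of the same Windows build. The ADS check has no such ambiguity; no legitimate installer puts a driver image in a stream.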
Improved self-protection (1)

Self-protection technologies
• Protection of the product's files on disk
• Protection of the product's registry keys
• Protection of the product's processes in memory
• Protection of the product's folders against changes of permissions (New in 7.0!)
• Protection of the product's registry keys against changes of permissions (New in 7.0!)

Improved self-protection (2)

Unique! Protection against changes of permissions on KAV folders

Improved self-protection (3)

Unique! Protection against changes of permissions on KAV registry keys
Last point: network performance

Influence on system performance
• Some users complained about decreased network performance after installing KIS 6.0 (eMule, games, ...)
• So we completely rewrote our network driver
• Let's see the result:

             In (MPS)   Out (MPS)   In (%)   Out (%)
w/o KIS      8.00       8.03        100      100
KIS 6.0      3.87       2.84        48.38    35.37
KIS 7.0      7.94       7.93        99.25    98.75

Test stand: Windows Vista and XP SP2 32-bit. KIS 7.0 with Firewall and IDS enabled. About 200 rules are added for different network applications. Network throughput is measured using the netcps.exe utility. MPS = Mb per second.
Thank you! Questions?