1 / 30

Threat & Virus best practices

Threat & Virus best practices . Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec. Contents. Threat Primer. 1. Threat Landscape. 2. Current Common Threats and Prevention. 3. Submitting Samples. 4. Working with Support. 5.

yul
Download Presentation

Threat & Virus best practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Threat & Virus best practices Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec

  2. Contents Threat Primer 1 Threat Landscape 2 Current Common Threats and Prevention 3 Submitting Samples 4 Working with Support 5 How Symantec Stacks Up 6 Threat & Virus best practices

  3. ThreatPrimer 1 Threat & Virus best practices

  4. Definitions of Threats Threat A threat is a circumstance, event, or person with the potential to cause harm to a system Virus Spread by infecting good files (hosts) Worm Spreads by copying itself to other machines Trojan Horse Does not spread itself. Info Stealers Steals information Backdoors Allows unauthorized access Downloaders Downloads additional threats Browser Helper Objects Loads into a browser Rootkits Hides files from user/OS Risk Any file that is not malicious but could pose a threat to security. (Not listed as a “threat”) Threat & Virus best practices

  5. ThreatLandscape 2 Threat & Virus best practices

  6. Brave New World Threats are being re-written, and re-packed at such a fast rate, that the reliance of “reactive technology”, like signature based AntiVirus, alone is no longer sufficient. Threat & Virus best practices

  7. Escalating Threat Landscape • 524% increase in threats over the second half of 2007 • More detections were created in 2008, than in all the other years combined. • In 2003 Symantec released an average 5 definitions a day, in 2007 - 1431 daily • At the beginning of 2008 Symantec was releasing 7500 definitions daily • In 2009 we started releasing up to 12,000 new detections a day, and by June had days where over 20,000 new detections were released. Source: Symantec Security Response Threat & Virus best practices

  8. Current Common Threats 3 Threat & Virus best practices

  9. Autorun Worms Autorun worms use the Autorun.inf file to automatically launch and spread across an environment. The Autorun.inf file is used by Windows to launch executables whenever a drive is mounted, be it USB, local, or a network drive. Example A: W32.Silly and its variants. The Silly family of threats use Autorun.inf to spread across the environment and then download secondary threats in the form of revenue generating software. Example B: W32.Sality.AE Sality is a fast moving, file infecting virus, that is capable of disabling SAV/SEP remotely and the infecting the target machine from the host. There are so many re-packed variants that almost every outbreak include one or more new threats. This is one of the most destructive viruses we have seen in awhile. Threat & Virus best practices

  10. Browser Helper Objects (BHO’s) BHO’s plug into most browsers, but as a threat they generally target Windows Explorer and Internet Explorer Example: Trojan.Vundo 3rd party research estimates a new Vundo variant is created every 3.5 minutes for the last year or so. Vundo is a revenue generating Trojan that downloads additional threats to the system. They are generally spread through Adobe flash vulns and email and then download new variants of itself to keep it up to date. Threat & Virus best practices

  11. Finding and Submitting a File 4 Threat & Virus best practices

  12. Finding a Suspect File (ESUG LPDU) The Enterprise Support Utilities Group Load Point Diagnostic Utility or LPDU is used to collect data on all the common load points for threats on a machine. Support trains front line engineers to use this utility to find threats quickly. To access this tool open a Support case and request help with finding a new threat, we will work with you to see if it is right for your case. We can move much faster with all the data. Threat & Virus best practices

  13. What makes a file suspect? • Name – Misspelled or “spoofed” names. (Microsofts, SVCH0ST) • Version – Missing or overly simple version information (1.0.0.1) • Size – Between 50 and 500k • Creation date – within the last two months Remember we are looking for Portable Executable files, first. .BAT .SCR .EXE .PIF .COM And then we are looking for these other types: .SYS .VBS .DLL Threat & Virus best practices

  14. Submitting The Suspect File Submissions should be made to Security Response through the submission website. BCS customers should submit through https://submit.symantec.com/bcs Essential customers should submit through https://submit.symantec.com/essential Basic customers should submit through https://submit.symantec.com/basic You should also consider submitting to Threat Expert for an automated technical description of the threat within a few minutes Symantec policy states that at no time are Symantec employees, outside of Security Response, permitted to accept suspect or malicious code. Please do not send a sample via email. • Once the file is submitted you will receive: • A tracking email and number within about an hour. • A closing email with additional information about the files and detections. Threat & Virus best practices

  15. Threat & Virus best practices

  16. Submit to Threat Expert • http://www.threatexpert.com/submit.aspx Threat & Virus best practices

  17. Working with Support 5 Threat & Virus best practices

  18. Case Type 1 Does Symantec know about Virus X? ….and am I protected? Case Type 2 I think I may have a virus but I cant detect it. Case Type 3 I am in a full outbreak and have multiple machines infected. What do I do? Standard Types of Virus Cases In each of these cases it is important to note what services we can offer, and what is appropriate advice for the circumstances. Threat & Virus best practices

  19. W32/Nyxem-D Tearec.A Email-Worm. Win32.Nyxem.e MyWife.d@MM ???????? W32.Blackmal.E@mm W32/MyWife.d@MM!M24 Case Type 1: Does Symantec know about Virus X? and am I protected? Difficulties: • Virus names differ from vendor to vendor • Viruses may re-use files names or may use different file names for the same virus variant.Example: Use Google to search for the file name “internat.exe” • Small difference in variants can make a big difference in detection.Example: Look at the differences between W32.Spybot.AKNO and W32.Spybot.ACYR • We may add 100s of different variants to each virus family a day. It is impossible to tell if we have detection without a sample • Solutions: • Virus Submission – Best A virus submission is the only way we can confirm that the threat that the customer is concerned about is one we already detect, or can add detection for. • URL Investigation – Good If the customer knows a site or link that the suspect file was downloaded from Security Response can get the file and check it. – Don’t check it yourself. Threat & Virus best practices

  20. Case Type 2: “I think I might have a virus but I cant detect it.” Questions: • What is going on that makes you think you have a virus?Behavior can sometimes tell you where you need to start, or at least what you may be dealing with. • Are Virus Definitions up to date?Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file • Have you ran a scan, with the most up to date defs? • Tasks: • Start a scan with current virus definitions. • Suggest the customer check “Common Load Points” • Help the customer check “Common Load Points” (ESUG LPDU or manually) Other Important Note: Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed. Important Note: With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode. Threat & Virus best practices

  21. Case Type 3: “I am in a full outbreak and have multiple machines infected. What do I do?” Questions: • What is going on that makes you think you have an outbreak? (1200 x 1%= 12) • Are Virus Definitions up to date? Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file. Note this for all infected systems • Have you run a scan, with the most up to date defs? (Do this for 1 or 2 systems, if it works, make this part of your 1st step) • Tasks: • Start a scan with current virus definitions. • Suggest the customer check “Common Load Points” • Help the customer check “Common Load Points” (ESUG LPDU or manually) Other Important Note: Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed. Important Note: With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode. Threat & Virus best practices

  22. Missed Detections and False Positives 6 Threat & Virus best practices

  23. False Positives vs Detection Rates (18 months) Source: http://www.av-comparatives.org Threat & Virus best practices

  24. If Symantec is detecting 98.7% of the threats, why does it seem like we have MORE Outbreaks recently? If we apply the same detection rate to the amount of new threats as seen each year, the answer becomes more clear. Symantec Detection Rate = 98.7% Missed Detections = 1.3% Threat & Virus best practices

  25. The 5 Steps to Virus Troubleshooting During an outbreak it is important that we have a game plan of what to do and in what order to do it. 1. Identify The Threat2.Identify The Machine3.Quarantine The Machine4. Clean The Machine5. Prevent Re-Infection Threat & Virus best practices

  26. There is no Magic Solution But proper settings help Like using real world setting for AV and Truscan Threat & Virus best practices

  27. Default settings may have worked when product shipped Number of signatures SEP 11 SAV 10 SAV 9 Period Threat & Virus best practices

  28. They don’t provide the best protection now Threat & Virus best practices

  29. Additional Resources Threat & Virus best practices

  30. Helpful links • Security Response public blog:http://www.symantec.com/business/security_response/weblog/ • Internet Security Threat Report:http://www.symantec.com/business/theme.jsp?themeid=threatreport • Submission Websitehttps://submit.symantec.com/(TYPE ENTITLMENT HERE) • Threat Experthttp://www.threatexpert.com/submit.aspx Threat & Virus best practices

More Related