Different classes of security software

From CastleCopsWiki

Caution: The article below is currently in beta and has not been reviewed for factual errors.


This article discusses the different classes of security software: signature-based scanners, heuristics, behavioral blockers, sandboxing and virtualization. Examples of real-world products are provided under each category.




Signature based scanners:-

Description: Broadly speaking, signatures are a blacklisting or fingerprinting technology: known threats are identified and a signature is created for each so that it can be detected. The most common security software using signatures is the antivirus program. A malware sample is analyzed and a signature is created for it by tagging portions of the code or file that are unique to that malware.

Technical note

Blacklisting is a broader concept and is not restricted to antivirus signatures. By definition, any system based on enumerating badness is blacklisting. Hosts files, restricted zones and anti-phishing services like McAfee's SiteAdvisor blacklist domains, SpywareBlaster blacklists ActiveX controls by CLSID, while ad blockers, proxy filters and firewalls can blacklist IP addresses or content based on strings or other properties.

The other major security strategy is whitelisting, which lists only known-good entries and denies everything else.


Pros: Signature-based scanners are very accurate compared to other technologies and have few false positives (a false positive occurs when the security product flags a file as dangerous when it is actually harmless). They can also identify the exact type of malware and clean the system if it is already infected. Hence they are easy to use for people without much technical ability.


Cons: Signature-based scanners can only detect malware for which a signature already exists. With thousands of new malware samples produced daily, security vendors have a hard time keeping up. Existing malware can also be modified to evade signature scanners using techniques as simple as hex editing or the use of a packer the scanner does not support, up to more complicated techniques that change the 'signature' of the file. Custom-made malware, of course, will not be detected at first without needing any of these tricks. The approach is also reactive rather than proactive: you must wait for the vendor to react to a new threat by producing a signature before you are protected. In today's environment, where worms can spread around the world in a couple of hours, this may be too slow.


Examples: Most antiviruses, including Norton AntiVirus, AVG Anti-Virus etc. See Lists_of_freeware_antivirus, Lists_of_freeware_antispyware and Lists_of_freeware_antitrojan for more.
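As an added illustration (example code written for this page, not taken from any antivirus product named here), the Python script below implements the two signature styles described above, a whole-file hash and a tagged byte pattern, and shows the evasions mentioned under Cons: a one-byte hex edit and a toy packer. The sample bytes, the signature database and the packer format are all constructed for the example; the "malware" is an inert string.

```python
"""Toy signature-based scanner. Example code for this page, not from any product.
The sample, the signatures and the packer are constructed; nothing here is live malware."""
import hashlib

# Constructed sample. An analyst picks a byte sequence that is unique to this file.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 20 + b"hello from EvilWorm v1.0" + b"\xcc" * 16

# Two signature styles: a whole-file hash (exact match only) and a byte pattern
# that is matched anywhere in the file (survives small changes elsewhere).
HASH_SIGNATURES = {hashlib.sha256(SAMPLE).hexdigest(): "Worm.Evil.A (exact hash)"}
PATTERN_SIGNATURES = {"Worm.Evil.A": b"EvilWorm v1.0"}


def scan(data):
    """Return the names of all signatures that match `data` (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def hex_edit(data, offset, value):
    """The simplest evasion: open the file in a hex editor and change one byte."""
    edited = bytearray(data)
    edited[offset] = value
    return bytes(edited)


def xor_pack(data, key=0x5A):
    """Toy packer: hide the payload behind a stub by XORing every byte with `key`.
    None of the original bytes appear in the packed file, so a scanner without
    support for this packer cannot match the pattern; it must unpack (or emulate) first."""
    return b"STUB:" + bytes([key]) + bytes(b ^ key for b in data)


def xor_unpack(packed):
    """What a scanner that supports this packer does before matching signatures."""
    if not packed.startswith(b"STUB:"):
        raise ValueError("not packed with the toy packer")
    key = packed[5]
    return bytes(b ^ key for b in packed[6:])


if __name__ == "__main__":
    print("original:", scan(SAMPLE))
    # Editing a padding byte changes the hash but leaves the tagged pattern intact.
    print("padding byte edited:", scan(hex_edit(SAMPLE, 10, 0x41)))
    # Editing a byte inside the tagged pattern ('1' -> '2' in the version) defeats both.
    print("pattern byte edited:", scan(hex_edit(SAMPLE, SAMPLE.index(b"v1.0") + 1, ord("2"))))
    packed = xor_pack(SAMPLE)
    print("packed:", scan(packed), "after unpacking:", scan(xor_unpack(packed)))
```

Editing a padding byte defeats only the hash signature while the pattern still fires, which is why vendors tag a fragment of the file rather than hashing the whole thing; editing a byte inside the tagged fragment, or packing the file, defeats both until the scanner can unpack it, which is what packer support or emulation provides.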

Heuristics:-

Description: A heuristic broadly refers to a rule of thumb or algorithm for decision making. In security software, heuristics generally supplement signature-based scanners by scanning code for generic suspicious instructions that are likely to be malicious. Again, the most common and familiar type of security software to use this is the antivirus. Heuristics embody some (crude) form of intelligence. Fuzzy matching and statistical methods are used to detect closely related malware, such as 'families' of worms, and generic code structures that might indicate malicious behavior are used to detect totally unknown malware. These methods are known as passive (or static) heuristics. Some antiviruses also use active (or dynamic) heuristics: all or part of the code is emulated in a virtual environment, which tricks polymorphic or encrypted/packed malware into unpacking itself so that it can be examined.


Though the term heuristics can be construed very broadly to cover almost everything, in this document it refers specifically to techniques applied before the potentially malicious process is run (this includes emulation and virtualization techniques, which do not run the code on the real machine). Methods that monitor processes after they are run (fully or partially) to see whether their actions are malicious, so-called behavioral analysis or monitoring, are considered the province of behavior blockers (see next section).

Technical note

According to Kurt Wismer of anti-virus rants, heuristics are also a form of blacklist, as "heuristics compares properties (like the presence of certain familiar routines) of the program being scanned to a list of properties known to be used in bad programs and so also represents a type of blacklist"[1]. Not everyone agrees.


Pros: Heuristics can provide protection against future threats by detecting malware not catalogued by signatures: future variants of closely related worms (so-called generic signatures) or brand-new malware (with lower accuracy), without a signature update. Heuristics also help detect polymorphic and metamorphic malware.


Cons: Heuristics are not as reliable as true signatures and can trigger false positives, causing unnecessary anxiety when a clean file is wrongly tagged as infected. The effectiveness of heuristics in detecting unknown malware is also uncertain. It is generally measured with retrospective tests, where a scanner with a one-month-old signature database is used to scan malware found in the wild since then. If you are infected by malware that is detected only heuristically, cleaning is usually not possible, for the obvious reason that the scanner does not know exactly what it is dealing with.


Examples: Most antiviruses have at least passive heuristics. Others, like NOD32's Advanced Heuristics, BitDefender's HIVE and Norman SandBox, offer active heuristics.


Many generic anti-rootkit scanners attempt to catch rootkits in a lie when they hide themselves, which lets them detect hidden processes or files. These rootkit scanners also look for generic modifications to the kernel, hooks in the SSDT (System Service Descriptor Table) and so on, the typical changes made by rootkits. They can be considered heuristic since they are not targeted at any specific rootkit. Such generic rootkit detectors generally cannot identify the specific rootkit used, but in the right hands can detect rootkits that are hidden from conventional malware detectors.
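The scoring approach behind passive heuristics, as an added Python example (illustration written for this page, not the code of NOD32, BitDefender or any other product named here): a small rule set weights generic properties such as process-injection imports, autostart keys and high entropy, and the constructed samples show a true positive, a false positive of the kind described under Cons, and two ways the method misses. The rules, weights, threshold and sample bytes are assumptions made for the example.

```python
"""Toy passive (static) heuristic scanner. Example code for this page, not from any product.
Samples, rules, weights and the threshold are constructed for illustration."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte, 0..8. Compressed or encrypted (packed) data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# (description, weight, predicate over the raw file bytes). Weights are illustrative.
RULES = [
    ("imports process-injection APIs", 3,
     lambda d: b"WriteProcessMemory" in d and b"CreateRemoteThread" in d),
    ("references an autostart registry key", 2,
     lambda d: b"CurrentVersion\\Run" in d),
    ("references the hosts file", 2,
     lambda d: b"drivers\\etc\\hosts" in d),
    ("embeds a download URL", 1,
     lambda d: b"http://" in d),
    ("high entropy: probably packed or encrypted", 2,
     lambda d: shannon_entropy(d) > 7.2),
]
THRESHOLD = 4


def score(data):
    """Total weight of all rules that fire, plus the reasons (for the alert text)."""
    fired = [(desc, w) for desc, w, pred in RULES if pred(data)]
    return sum(w for _, w in fired), [desc for desc, _ in fired]


def classify(data):
    return "suspicious" if score(data)[0] >= THRESHOLD else "clean"


# --- constructed samples (inert byte strings, not real files) -----------------
HEADER = b"MZ\x90\x00" + b"\x00" * 32
TROJAN = (HEADER + b"kernel32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"C:\\Windows\\System32\\drivers\\etc\\hosts\x00"
          + b"http://update.example.invalid/stage2.bin\x00")
# A debugger legitimately writes into other processes, and its tray helper registers
# itself to autostart: the same properties with benign intent, i.e. a false positive.
DEBUGGER = (HEADER + b"WriteProcessMemory\x00CreateRemoteThread\x00"
            + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00Debugger Tray Helper\x00")
# Evasion: the trojan with every byte XORed. The strings are gone, and a single-byte
# XOR merely permutes byte values, so the entropy rule does not fire either.
XORED_TROJAN = bytes(b ^ 0x5A for b in TROJAN)
# A packed unknown: 4 KiB of seeded pseudo-random bytes (deterministic for the example).
_rng = random.Random(1)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, sample in (("trojan", TROJAN), ("debugger", DEBUGGER),
                         ("xored trojan", XORED_TROJAN), ("packed blob", PACKED_BLOB)):
        total, reasons = score(sample)
        print(f"{name:13} {classify(sample):10} score={total} {reasons}")
```

The XORed sample scores zero even though it is the same trojan, which is the gap that active heuristics (emulating the unpacking stub) and behavior blockers exist to close; the packed blob only trips the entropy rule, and raising that rule's weight enough to catch it would also flag every legitimately packed installer.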


Behavioral blockers:-

Description: Unlike signature-based scanners, which mostly focus on code, behavioral blockers focus on detecting and blocking generic malicious behavior and events as they happen. Behavior blockers are also commonly referred to as HIPS (Host Intrusion Prevention Systems), sometimes as system firewalls, and also as IDS/IPS (Intrusion Detection/Prevention Systems).


Technical note

The term HIPS (Host Intrusion Prevention System) is becoming very popular but is a source of great confusion, as definitions differ. It can refer narrowly to behavior blockers; more broadly to behavior blockers and sandboxes (excluding antivirus-like technology); or, most broadly, to any security software that runs on the host computer as opposed to on servers. Refer to the HIPS FAQ.


A sample of monitored behavior includes:

  • modification of the hosts file
  • modification of browser settings
  • installation of a Layered Service Provider (LSP) (possible spyware/adware filtering of Winsock traffic to redirect the user's internet activity)
  • DLL injection, process modification or termination (rootkit/trojan behavior)
  • registering to autostart (almost all malware), as well as starting of unauthorized processes
  • an unknown (non-whitelisted) executable starting
  • starting of scripts locally (unlikely for most home users)


Many of these changes affect the registry, so some of these products are essentially registry guards.


Pros: Compared to antiviruses using traditional blacklisting technology, they are proactive in that they can detect a wide range of malware without the need for signatures. In theory, while there are infinite ways to write code and evade signatures, the range of malicious behavior is finite.


Cons: Behavior blockers tend to rely heavily on the expertise of the user. Much of the behavior monitored is also exhibited by legitimate software, so it is up to the user to decide whether an alert is really dangerous. This is a heavy burden for most users, particularly when some of the monitored behaviors are highly technical, and deciding whether to allow or deny becomes pretty much a guessing game.


Behavior blockers are also often very noisy, producing many prompts for the user to answer and leading to popup fatigue. This can be mitigated in various ways, including a whitelist of legitimate applications.


The nature of behavior blockers also means that the malware must execute before its malicious behavior can be detected, so some damage may already be done despite the blocker. This happens either because the security app is too late (polling of the registry, for example, is done only once every few seconds) or because it catches only the later part of the malicious behavior (you might be warned that some malware is trying to set an autostart registry key but miss all the malicious behavior before that).


Lastly, most of these products are built on Windows NT-style system restrictions or use kernel hooking methods specific to those systems, so most of them work only on XP and 2000 but not on Windows 98/ME etc. Also, the upcoming Windows Vista (on its 64-bit editions, through Kernel Patch Protection) disallows many of the kernel modification methods typically used by these products, so most of them (again with certain exceptions) will not work on Windows Vista as it stands without a major rewrite.


Examples: There are generally two kinds of behavior blockers. The most common kind merely reports on single behaviors that might be dangerous and leaves the decision to allow or deny in the hands of the user. These are the so-called policy-based behavior blockers.

Many antispyware real-time monitors fall into this group, as well as standalone programs such as System_Safety_Monitor, AntiHook, ProcessGuard, ProSecurity and WinPatrol, to name a few. Some call this kind of software system firewalls. Since 2006 there has been an explosion of products in this area, but they are still relatively unknown to the public (though mass-market antivirus and firewall products have slowly begun adding such capabilities). Anti-keyloggers that detect hook-based actions as a generic way to detect keyloggers (as opposed to signatures for specific keyloggers) are also a kind of limited behavior blocker.

A second group of behavior blockers (which some insist are the REAL behavior blockers) employs a heuristic, rule-based expert system (or signatures, if you prefer) to decide whether to block the behavior (or prompt the user), using a combination of several criteria to detect suspicious processes and thus lifting the burden from the user. They may, for example, study the process in context and alert only if a certain combination of actions occurs together, or when a certain number of rules of a certain severity are broken.


In other words these behavior blockers are "smart": they don't alert on just any behavior, which reduces unnecessary prompts, so they may be more suitable for less skilled users. Examples are Cyberhawk (now ThreatFire) and Norton AntiBot. They can be viewed as similar to antiviruses with signatures, except that they try to detect malware from the observed behavior of the process rather than by scanning its code (emulation is a grey area). Another advantage over the "dumb" behavior blockers is that many of the smart blockers can actually remove malware, as opposed to just blocking it, by tracking the changes made and reversing them.


These are also sometimes known as intrusion detection/prevention systems (IDS/IPS), but are distinct from purely network-based IDS, which detect anomalous network behavior and are typically used by corporations. The disadvantage of this approach is that an attacker can work around it by targeting weaknesses in the rules: behavior the rules do not score is invisible to the blocker. Software like StarForce's SafenSec, Panda's TruPrevent and a-squared's Intrusion Detection System falls into this category. How effective and sophisticated their rules are is a matter of debate, and they often require updates to their rules (signatures). Obviously, the line between these two types of behavior blockers is somewhat thin.


Technical note

The smart behavior blockers could be classified as blacklisting software: they create blacklists of behavior (like conventional antiviruses, except that behavior rather than code is blacklisted) and alert only when those specific behaviors occur. The dumb behavior blockers, which alert on everything not already allowed, in effect make their users build whitelists of behavior.
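A simulation of the two kinds of behavior blocker described in this section, added as an example (illustration written for this page, not the logic of ThreatFire, ProcessGuard or any other product named here). Both consume the same constructed event trace, which stands in for what a kernel-level monitor would report: the policy-based kind prompts on every single monitored action and leaves the decision to the user, while the expert-system kind charges severities to a process tree, alerts once the total crosses a threshold, and keeps a journal of the changes it let through so they can be reversed. The action names, rules, severities and threshold are assumptions made for the example.

```python
"""Two behavior-blocker designs over one constructed event trace. Example code for
this page, not from any product. Rules, severities and the trace are illustrative."""
from collections import defaultdict

# Constructed trace: a legitimate updater, a trojan dropper with its child, a text editor.
TRACE = [
    ("updater.exe", "write_file", r"C:\Program Files\App\app.exe"),
    ("updater.exe", "set_autostart", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\App"),
    ("dropper.exe", "write_file", r"C:\Users\x\AppData\Local\Temp\svch0st.exe"),
    ("dropper.exe", "exec", r"C:\Users\x\AppData\Local\Temp\svch0st.exe"),
    ("svch0st.exe", "write_file", r"C:\Windows\System32\drivers\etc\hosts"),
    ("svch0st.exe", "set_autostart", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
    ("svch0st.exe", "inject_dll", "explorer.exe"),
    ("notepad.exe", "write_file", r"C:\Users\x\notes.txt"),
]

# Monitored behaviors: (severity, text shown to the user). Severities are illustrative.
RULES = {
    "write_hosts":    (3, "modifies the hosts file"),
    "set_autostart":  (2, "registers to autostart"),
    "inject_dll":     (4, "injects a DLL into another process"),
    "exec_from_temp": (2, "launches an executable from Temp"),
    "write_exe_temp": (1, "drops an executable into Temp"),
}
ALERT_AT = 5


def classify_event(event):
    """Map a raw event to a monitored behavior, or None if it is not monitored."""
    _proc, action, target = event
    t = target.lower()
    if action == "write_file" and t.endswith("\\drivers\\etc\\hosts"):
        return "write_hosts"
    if action == "write_file" and "\\temp\\" in t and t.endswith(".exe"):
        return "write_exe_temp"
    if action == "exec" and "\\temp\\" in t:
        return "exec_from_temp"
    if action in ("set_autostart", "inject_dll"):
        return action
    return None


def policy_blocker(trace, whitelist, decide):
    """Kind 1 (policy based): prompt on every single monitored action from a
    non-whitelisted process; `decide(event) -> bool` stands in for the user's answer."""
    prompts, denied = [], []
    for event in trace:
        if event[0] in whitelist or classify_event(event) is None:
            continue
        prompts.append(event)
        if not decide(event):
            denied.append(event)
    return prompts, denied


def smart_blocker(trace, alert_at=ALERT_AT):
    """Kind 2 (expert system): accumulate severity per process tree (a child is charged
    to the process that launched it) and alert only once the total reaches `alert_at`;
    from then on the whole tree is blocked. Changes that were allowed through are
    journaled so the blocker can reverse them after an alert."""
    parent, scores = {}, defaultdict(int)
    reasons, journal = defaultdict(list), defaultdict(list)
    blocked, alerts, denied = set(), [], []

    def root(proc):
        while proc in parent:
            proc = parent[proc]
        return proc

    for event in trace:
        proc, action, target = event
        child = target.rsplit("\\", 1)[-1]
        if action == "exec" and child != proc:
            parent[child] = proc
        tree = root(proc)
        rule = classify_event(event)
        if rule is not None and tree not in blocked:
            severity, text = RULES[rule]
            scores[tree] += severity
            reasons[tree].append(text)
            if scores[tree] >= alert_at:
                blocked.add(tree)
                alerts.append((tree, scores[tree], list(reasons[tree])))
        if tree in blocked:
            denied.append(event)
        elif action in ("write_file", "set_autostart"):
            journal[tree].append(event)  # allowed through; remembered for rollback
    return alerts, denied, dict(journal)


if __name__ == "__main__":
    prompts, _ = policy_blocker(TRACE, set(), lambda e: e[0] == "updater.exe")
    print("policy blocker prompted", len(prompts), "times")
    alerts, denied, journal = smart_blocker(TRACE)
    print("smart blocker alerts:", alerts)
    print("denied:", denied)
    print("to undo for dropper.exe:", journal.get("dropper.exe"))
```

On this trace the policy blocker raises six prompts, including one for the legitimate updater's autostart entry, while the smart blocker stays silent on the updater and alerts once, on the hosts-file write, after the dropper's tree has already dropped and launched an executable; the earlier dropped file is in the journal, which is what lets such a product remove what it allowed before it decided. Note also that the dropped file was written and executed before the alert, the "damage already done" limitation described above.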


Selected listing (both free and paid)

Though HIPS mostly incorporate behavior blocking, most also use a blend of other technologies, including blacklisting, whitelisting of legitimate apps, sandboxing and virtualization. For lists of free software only, see Lists_of_freeware_behavior_blockers and Lists_of_freeware_antikeyloggers.


Behavior blocking


Behavior blocking plus Sandboxing


Behavior blocking plus Blacklisting (antivirus module or built-in blacklists)

  • Cyberhawk (now ThreatFire): liteware (built-in lists used for specific identification; also includes an optional AV module)
  • DriveSentry: freeware (built-in lists, including AV/antispyware/HIPS/whitelist)
  • Online Armor: liteware (built-in lists; also includes an optional AV module)
  • Prevx Community Protection: liteware (built-in lists)
  • Safe n Sec (includes an optional AV module)


Smart, expert-system based behavior blocking


Process Filters, whitelist only


Integrity checker


Light HIPS


Anti-keyloggers blocking using generic methods


Other popular security products normally classed as antivirus, antispyware, firewall or anti-keylogger but with some behavior-blocking features (paid products unless otherwise indicated)


Sandboxing:-

Description: A sandbox is a virtual container in which untrusted programs can be run safely. The technique limits the damage dubious software can do by restricting the privileges available to it. What is restricted depends on the sandbox policy, but typically, since the aim is to protect the integrity of the system, critical system files, folders and processes cannot be overwritten or affected. Sandboxes also block behaviors such as installing drivers and services to gain system privileges, since these could let the software bypass the sandbox restrictions. Depending on the product, the sandboxed process may also have limited read or write access to other files and folders, which may be configurable by the user. More rarely, keylogging hooks and network access may also be blocked inside the sandbox; refer to the product manual for details.


As you can see, sandboxing is somewhat similar to behavior blocking in that both restrict behavior. Behavior blockers generally monitor the whole system for malicious behavior (though you can grant programs privileges), while sandboxes restrict behavior only for a subset of dangerous or untrusted programs.


The line between behavior blocking and sandboxing is thin. Sandboxing often also requires behavior monitoring and blocking, but in general a pure classic behavior blocker does not let you set up file or folder restrictions per process. A pure sandbox also does not prompt you when a rule is violated; it just denies the request.


Another category of such programs (DropMyRights etc.) uses the native Windows XP user account and privilege model. It lets you run dubious or easily exploited software, like browsers, with lower (limited user) rights, which automatically limits the damage the software can do compared with running it with full administrative rights.


The best sandboxes are flexible enough to keep track not only of processes but also of files created by sandboxed programs, and ensure that those are sandboxed as well (so an executable dropped by a sandboxed program runs inside the sandbox too).


Many sandboxes also add file and registry virtualization; see below.


Technical note

Besides the already mentioned blacklisting and whitelisting, Kurt Wismer of anti-virus rants considers sandboxing the last of the three preventative paradigms [2].


Pros: Similar to those of behavior blockers. In addition, sandboxing tends to be less noisy, since you focus only on handling suspect programs instead of every program on your computer.


Cons: Sandboxing can be too restrictive, and sandboxed programs may fail to run because of policy restrictions. Sandboxes can also spring leaks: they might erroneously allow a behavior that seems innocent on the surface but actually lets the program break out of the sandbox and cause damage.

Examples: Sandboxie, DefenseWall, BufferZone, GeSWall


Selected listing (both free and paid)

Many products also use virtualization technology to increase compatibility while reducing damage. See also Lists_of_freeware_sandboxes.


Sandboxing with no file system virtualization


Sandboxing with file system virtualization


Restriction of privileges

Virtualisation:-

Description: Virtualization is often used together with sandboxing. It gives the user the freedom to let untrusted applications make bigger changes than would otherwise be acceptable, because all changes to the file system and registry are virtualized: they do not really affect the underlying system, and can easily be reversed or cleared. In the general sense, virtualization is a framework for dividing the resources of a computer into multiple execution environments, using one or more techniques such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service and many others. In the narrower sense used by security products, it can also be done simply by keeping track of the changes made by the virtualized application so that they can be reversed later (i.e. virtualization of the file system).

Note: There are actually several different kinds of virtualization.


  • Hardware or real virtualization: this type literally simulates hardware, so you have a second computer inside the host machine. This is what many people mean when they say most HIPS are not 'real' virtualization. The most famous example is VMware. Because VMware simulates a completely new machine, you need to install a separate operating system and build your virtual machine from the ground up. This, however, gives you the most flexibility, almost as good as having a second machine: you can run practically any type of program, even those that install drivers, in your virtual machine. Note: there are ways for a program to determine that it is running in a virtual machine and refuse to run. On the flip side, hardware virtualization tends to be memory intensive and requires a lot of storage space, because you need to install a separate operating system.


  • File system level virtualization: in this case the virtualized program still runs on your normal host machine; there is no attempt to simulate another machine. However, any changes made by the virtualized program are separated from the real file system (and sometimes the registry). These products are not 'real virtual machines' as described above. Most merely filter operating system functions to control how applications handle files on the disk: they intercept file and registry reads and writes so that changes are 'virtualized'. This is less secure but much less resource intensive, and you do not need to install a separate operating system.

The most famous examples are Sandboxie and BufferZone. DefenseWall virtualizes only (part of) the registry, though it does track, and allows reverting of, file changes made by sandboxed programs.


  • Partition virtualization/snapshots: intermediate in complexity and flexibility between the first two. The entire disk partition (including the operating system) is virtualized, so you can easily revert to an earlier snapshot of the partition. This lets you install and run software that will not run under file-level virtualization alone.

Examples include ShadowUser and FirstDefense-ISR.


Most HIPS out there are of the second type, with file system and registry level virtualization.

Technical note

Even this discussion of virtualization can be disputed, because many products, like DeepFreeze, arguably do not use any form of virtualization except in the loose sense of the word. Instead we are dealing with a kind of quick snapshot/image restore. Still, arguably the effect is the same as if partition virtualization were used, so the difference is ignored here.


Pros: You can allow untrusted applications to make changes, and if those changes turn out to be malicious, they can be cleared easily, restoring you to a clean state.


Cons: Technically complicated and memory heavy (depending on implementation). Virtualization is similar to a form of backup, but some malware can hurt you even if it is removed later. For example, a keylogger that ran (if not blocked by sandbox policy restrictions) and stole your password has still hurt you, even if every change it made is later reversed by virtualization; restriction of privileges is required to prevent this. Hence sandboxing is still necessary together with virtualization.


Examples: BufferZone, GreenBorder, or full-disk versions like VMware, ShadowUser, DeepFreeze, FirstDefense (the latter two are closer to backups).
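The interplay between sandbox policy and file-system virtualization, as an added Python simulation (illustration written for this page, not the implementation of Sandboxie, BufferZone, DefenseWall or any other product named here). It serves both the Sandboxing and Virtualisation sections: writes by sandboxed programs go to a private copy-on-write layer that the host never sees, reads consult that layer first, a program dropped by a sandboxed program stays inside the sandbox, privileged actions that could escape are denied, and reads of a secret are denied by policy because, as the Cons note, discarding the layer afterwards cannot un-leak a stolen password. The in-memory "disk", the paths, the policy sets and the scenario are constructed for the example.

```python
"""Sandbox with file-system virtualization, simulated in memory. Example code for this
page, not from any product. Paths, policy and the 'disk' dict are constructed."""


class Denied(Exception):
    """Sandbox policy refused the operation."""


PRIVILEGED = {"install_driver", "install_service", "set_global_hook"}  # escape routes
SECRETS = {r"c:\users\x\documents\passwords.txt"}  # rollback cannot un-leak these


class Sandbox:
    def __init__(self, host_fs):
        self.host = host_fs     # lower-case path -> bytes; stands in for the real disk
        self.store = {}         # copy-on-write layer holding every sandboxed write
        self.deleted = set()    # paths deleted inside the sandbox (host copy untouched)
        self.members = set()    # processes running inside the sandbox

    def run(self, program):
        self.members.add(program)

    def _check(self, proc):
        if proc not in self.members:
            raise ValueError(proc + " is not sandboxed")

    def read(self, proc, path):
        """Sandboxed reads see the sandbox's own changes first, then the host."""
        self._check(proc)
        p = path.lower()
        if p in SECRETS:
            raise Denied(proc + " may not read " + path)
        if p in self.deleted:
            raise FileNotFoundError(path)
        return self.store[p] if p in self.store else self.host[p]

    def write(self, proc, path, data):
        """Every write is redirected to the store; the host copy is never touched."""
        self._check(proc)
        p = path.lower()
        self.deleted.discard(p)
        self.store[p] = data

    def delete(self, proc, path):
        self._check(proc)
        p = path.lower()
        self.store.pop(p, None)
        self.deleted.add(p)

    def exec(self, proc, path):
        """Run a file (possibly one that exists only in the store); the new process
        is sandboxed too, so a dropped payload cannot escape by being launched."""
        self._check(proc)
        p = path.lower()
        if p in self.deleted or (p not in self.store and p not in self.host):
            raise FileNotFoundError(path)
        child = p.rsplit("\\", 1)[-1]
        self.members.add(child)
        return child

    def privileged(self, proc, action):
        """Driver/service installs and global hooks would let code out of the sandbox."""
        self._check(proc)
        if action in PRIVILEGED:
            raise Denied(proc + " may not " + action)

    def discard(self):
        """Rollback: drop the virtual layer. Nothing on the host ever changed."""
        self.store.clear()
        self.deleted.clear()


HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
PASSWORDS = r"C:\Users\x\Documents\passwords.txt"
DROPPED = r"C:\Users\x\AppData\Local\Temp\evil.exe"


def demo():
    """Constructed scenario: a downloaded installer run inside the sandbox."""
    host = {HOSTS.lower(): b"127.0.0.1 localhost\n", PASSWORDS.lower(): b"hunter2\n"}
    sb = Sandbox(host)
    sb.run("setup.exe")
    sb.write("setup.exe", HOSTS, b"203.0.113.5 bank.example\n")  # hosts-file hijack
    result = {"installer_sees": sb.read("setup.exe", HOSTS),     # its own poisoned copy
              "host_sees": host[HOSTS.lower()]}                   # still the original
    sb.write("setup.exe", DROPPED, b"MZ-payload")
    child = sb.exec("setup.exe", DROPPED)
    result["child_sandboxed"] = child in sb.members
    for name, op in (("install_driver", lambda: sb.privileged(child, "install_driver")),
                     ("read_secret", lambda: sb.read(child, PASSWORDS))):
        try:
            op()
            result[name] = "allowed"
        except Denied:
            result[name] = "denied"
    sb.discard()
    result["after_rollback"] = sb.read("setup.exe", HOSTS)
    result["store_empty"] = not sb.store
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The installer believes its hosts-file hijack succeeded, because reads are served from the store, while the host copy is unchanged throughout; after discard() the sandboxed view snaps back to the host copy. The two Denied outcomes are the policy half that virtualization alone does not give you: a driver install is refused because it would bypass the redirection, and the password file is refused because rolling back the store later would not recover data already read.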

Selected listing (both free and paid)

See also Lists_of_freeware_virtualization.


Virtualization + Sandboxing


Partition virtualization (also known as operating system virtualization + rollback)


Full hardware virtualization

Misc:-

The categories above are by no means 100% comprehensive, though they cover the major methods used. Many other security tools that do not fall into these categories are mostly blacklisting technologies mixed with something else. For example, anti-phishing tools generally consist of blacklists of domain names augmented by heuristics based on URL characteristics (no proper domain name, similarity of the domain name to well-known domains like eBay etc.) and/or characteristics of the website.
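An added example of the URL heuristics just mentioned (illustration written for this page, not the logic of SiteAdvisor or any other anti-phishing product): a constructed domain blacklist is consulted first, and otherwise the URL itself is scored for a raw IP address as host, a user@ prefix that hides the real host, a registered domain within a small edit distance of a well-known brand, the brand used only as a subdomain, and an unusually deep subdomain chain. The blacklist, brand list, weights and threshold are assumptions; the public-suffix handling is deliberately simplified, as the comment notes.

```python
"""Toy anti-phishing URL heuristics. Example code for this page, not from any product.
Blacklist, brands, weights and threshold are constructed for illustration."""
from urllib.parse import urlsplit
import ipaddress

BLACKLIST = {"phish.example.invalid"}     # constructed known-bad domains
BRANDS = ("ebay", "paypal", "microsoft")  # brands a phisher would imitate
PHISHING_AT = 3                           # score at which we warn


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_label(host):
    """'paypal' for 'login.paypal.com'. Ignores two-part public suffixes such as
    co.uk; a real product would consult a public-suffix list (assumption for the demo)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def score_url(url):
    """Return (score, reasons). A blacklist hit is decisive; otherwise heuristics add up."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host in BLACKLIST:
        return 100, ["blacklisted domain"]
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append(("host is a raw IP address", 3))
    except ValueError:
        pass
    if u.username is not None:  # http://ebay.com@203.0.113.9/ : the host is after the @
        reasons.append(("'user@' prefix hides the real host", 3))
    label = registered_label(host)
    for brand in BRANDS:
        if label == brand:
            continue  # the brand's own registered domain
        if edit_distance(label, brand) <= 2:
            reasons.append(("domain imitates " + brand, 3))
        elif brand in host:
            reasons.append((brand + " appears only as a subdomain", 2))
    if host.count(".") >= 4:
        reasons.append(("unusually deep subdomain chain", 1))
    return sum(w for _, w in reasons), [text for text, _ in reasons]


def verdict(url):
    return "phishing" if score_url(url)[0] >= PHISHING_AT else "ok"


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin", "http://www.paypa1.com/login",
                "http://paypal.com.secure-login.example.invalid/", "http://192.0.2.10/ebay/",
                "http://ebay.com@198.51.100.7/", "https://phish.example.invalid/login"):
        print(f"{verdict(url):8} {score_url(url)}  {url}")
```

The lookalike and subdomain checks are where the false positives of any heuristic live: a legitimate "ebay-community" site or a short label that happens to sit within two edits of a brand will score too, which is why such products combine the URL score with website characteristics and a blacklist rather than relying on the URL alone.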

A recent trend is also towards a community, peer-to-peer approach, where security products constantly update themselves and share information based on feedback from users. For example, if a thousand users allow a given process, it is likely to be safe (though many users allow everything without thinking!).

Hardening tools generally reduce your attack surface by disabling features that you don't use or that have traditionally been prone to exploitation.

Selected listing (both free and paid)

See also Lists_of_freeware_antiphishing, Lists_of_freeware_hardening_tools and Lists_of_freeware_blocklists.

References

  1. Kurt Wismer, "three preventative paradigms", anti-virus rants (July 2007), http://anti-virus-rants.blogspot.com/2007/07/three-preventative-paradigms.html
  2. Ibid.