KAV 7.0: Overview of technologies
Nikolay Grebennikov, Deputy Director, Department of Innovative Technologies, Nikolay.Grebennikov@kaspersky.com
Plan of presentation: we'll talk about the new protection technologies
New heuristic engine based on an emulator
Greatly improved Anti-rootkit
Outbound protection improvements (anti-leak)
New Privacy Control concept
Protection against a new type of keylogger
Improved PDM detection
Improved self-protection
New heuristic engine (1)
KAV 3.0, 4.0, 5.0: signature-based detection, with the best detection rate and the fastest reaction time.
KAV 6.0: + Proactive Defense Module (PDM), based on analysis of application behavior.
KAV 7.0: + new heuristic engine based on an emulator.
Now KL's 7.0 products contain a full set of the most effective technologies, giving our users a unique level of protection against all types of modern threats: a triple shield of protection.
New heuristic engine (2)
1. The heuristic engine uses the same decision-making logic (set of rules) as the Proactive Defense Module.
2. But the events for the heuristic engine and for PDM are generated by different modules: the emulator and the kernel-mode driver.
Event providers feeding one decision-making logic:
Windows kernel-mode drivers -> Proactive Defense Module: the driver intercepts operations on the real file system and system registry, network and other activities of all processes.
Emulator -> heuristic engine: the emulator gets the same information during emulation of the execution of the application's program code.
New heuristic engine (3)
Influence on system performance: the new emulator won't increase the system slowdown caused by AV, because KAV 7.0 uses the power of the triple shield. With default settings the PDM and the signature-based engine work in real time, while the heuristic engine and the signature-based engine work in scan tasks.
Real-time protection: signature-based engine + Proactive Defense Module
Scan tasks: signature-based engine + heuristic engine
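The split the slides describe, one rule set and two event providers, as an added example. This is illustration code written for this transcript, not Kaspersky's engine: the event types, the rule names, the rules themselves (one of them, the hive-restore rule, anticipates the "Improved PDM detection" slide later in the talk) and the driver log-line format are all assumptions, and the emulator trace and driver log are constructed.

```python
"""Added example (not Kaspersky code): one rule set, two event providers.

A provider turns its own source (an emulated execution trace, or records an
interception driver might log for real processes) into a common Event, and a
single set of behavioral rules is applied to either stream unchanged.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

@dataclass(frozen=True)
class Event:
    pid: int
    op: str      # assumed event names: file_write, reg_set, reg_restore, inject
    target: str  # file path, registry path or target process

# --- Event providers -------------------------------------------------------

def emulator_events(trace: Iterable[tuple]) -> Iterator[Event]:
    """Emulator provider: the emulator already yields structured
    (pid, op, target) tuples while executing the sample's code."""
    for pid, op, target in trace:
        yield Event(pid, op, target)

_LOG_RE = re.compile(r"pid=(\d+)\s+op=(\w+)\s+target=(.+)$")

def driver_events(lines: Iterable[str]) -> Iterator[Event]:
    """Kernel-driver provider: parses text records in a constructed format
    that an interception driver could emit for real processes."""
    for line in lines:
        m = _LOG_RE.search(line.strip())
        if m:
            yield Event(int(m.group(1)), m.group(2), m.group(3))

# --- Shared decision logic (assumed rules, per-process event history) -------

RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
SERVICES_KEY = r"hklm\system\currentcontrolset\services"
SYSTEM32 = r"c:\windows\system32"

def _rule_autostart_and_drop(evs: List[Event]) -> Optional[str]:
    dropped = any(e.op == "file_write" and e.target.lower().startswith(SYSTEM32)
                  for e in evs)
    autorun = any(e.op == "reg_set" and e.target.lower().startswith(RUN_KEY)
                  for e in evs)
    return "Worm-like self-installation" if dropped and autorun else None

def _rule_hidden_driver(evs: List[Event]) -> Optional[str]:
    # A driver registered by restoring a prepared hive never appears as an
    # ordinary key creation under Services, so the hive restore itself is the signal.
    restored = any(e.op == "reg_restore" and e.target.lower().startswith(SERVICES_KEY)
                   for e in evs)
    return "Hidden driver installation" if restored else None

def _rule_injection(evs: List[Event]) -> Optional[str]:
    return "Code injection into trusted process" if any(e.op == "inject" for e in evs) else None

RULES = [_rule_autostart_and_drop, _rule_hidden_driver, _rule_injection]

def verdicts(events: Iterable[Event]) -> Dict[int, List[str]]:
    """Group events per process and run every rule over that process's history.
    Returns {pid: sorted verdict names}; processes without a verdict are omitted."""
    history: Dict[int, List[Event]] = {}
    for e in events:
        history.setdefault(e.pid, []).append(e)
    out: Dict[int, List[str]] = {}
    for pid, evs in history.items():
        hits = sorted(v for v in (rule(evs) for rule in RULES) if v)
        if hits:
            out[pid] = hits
    return out

# --- Constructed input: the same behaviour seen through both providers -----
EMULATED_TRACE = [
    (1, "file_write", r"C:\Windows\System32\svchost32.exe"),
    (1, "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    (1, "reg_restore", r"HKLM\System\CurrentControlSet\Services"),
]
DRIVER_LOG = [
    "pid=4242 op=file_write target=C:\\Windows\\System32\\svchost32.exe",
    "pid=4242 op=reg_set target=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32",
    "pid=4242 op=reg_restore target=HKLM\\System\\CurrentControlSet\\Services",
    "pid=900 op=file_write target=C:\\Users\\alice\\notes.txt",  # benign activity
]

if __name__ == "__main__":
    print("emulator view:", verdicts(emulator_events(EMULATED_TRACE)))
    print("driver view:  ", verdicts(driver_events(DRIVER_LOG)))
```

The point of the layout is the one the slide makes: the rules know nothing about where an event came from, so a verdict reached on the emulated trace is the same verdict the driver-fed PDM would reach on the real process, and a new rule protects both paths at once.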
New heuristic engine (5) Demo: scan of the emul.zip archive with 4 test viruses. 1. Heuristic engine disabled: no threats detected.
New heuristic engine (6) 2. Heuristic engine enabled: all threats are detected, with 3 different behavior-based verdicts.
Greatly improved Anti-rootkit (1)
Anti-rootkit technologies
1. During installation of a rootkit: interception of the registration of the rootkit's drivers and services; interception of injection of the rootkit's code into trusted processes (+ self-protection of KAV).
2. Detection of active rootkits: detection of hidden processes in memory; active-threat disinfection technology; detection and removal of hidden files on disk (new in 7.0!).
Greatly improved Anti-rootkit (2)
Detection of hidden files. The main idea is a cross-scan: get the list of files using the Windows API, get the same list using direct disk access, and compare!
Rootkit scan: direct disk access for all files and for the NTFS Alternate Data Streams of folders.
Advanced rootkit scan: the same as the basic scan plus a scan of the ADS of all files (much slower, but necessary in some cases).
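The comparison step of the cross-scan, as an added example that is not Kaspersky's code. Reading the NTFS structures from the raw volume is the expensive part and is not shown: both views are constructed Python data here, so the block only demonstrates how the two listings are normalized and compared, and how the basic scan (files plus folder ADS) differs from the advanced scan (file ADS too). The paths and stream names are assumptions modelled on the Costrat and Unreal.A slides, where the driver lives in an ADS of a folder.

```python
"""Added example (not Kaspersky code): cross-view detection of hidden files
and Alternate Data Streams.  The API view is what FindFirstFile/os.scandir
would return; the disk view is what a raw NTFS parse would return.  Both are
constructed here."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Entry:
    path: str           # full path of the file or folder
    stream: str = ""    # "" for the unnamed $DATA stream, otherwise the ADS name
    is_dir: bool = False

def _norm(path: str) -> str:
    # NTFS names are case-insensitive; drop a trailing backslash except on a root
    p = path.replace("/", "\\").lower()
    if len(p) > 3 and p.endswith("\\"):
        p = p[:-1]
    return p

def _key(e: Entry) -> Tuple[str, str]:
    return (_norm(e.path), e.stream.lower())

def cross_scan(api_view: Iterable[Entry], disk_view: Iterable[Entry],
               advanced: bool = False) -> List[Entry]:
    """Return the disk-view entries that the API view does not show.

    Basic scan: every file and folder plus the ADS of folders.
    Advanced scan: additionally the ADS of every file, which on a real volume
    means reading the stream list of each file and is therefore much slower.
    """
    seen: Set[Tuple[str, str]] = {_key(e) for e in api_view}
    hidden: List[Entry] = []
    for e in disk_view:
        if e.stream and not e.is_dir and not advanced:
            continue  # file ADS are only compared in the advanced scan
        if _key(e) not in seen:
            hidden.append(e)
    return hidden

# Constructed views.  The "rootkit" hides one driver file, one ADS of a folder
# (as Costrat does under System32) and one ADS of a file; the API view lacks all three.
API_VIEW = [
    Entry("C:\\", is_dir=True),
    Entry("C:\\Windows\\System32", is_dir=True),
    Entry("C:\\Windows\\System32\\drivers", is_dir=True),
    Entry("C:\\Windows\\System32\\ntdll.dll"),
    Entry("C:\\Users\\alice\\report.doc"),
]
DISK_VIEW = API_VIEW + [
    Entry("C:\\Windows\\System32", stream="18467", is_dir=True),   # folder ADS (assumed name)
    Entry("C:\\Windows\\System32\\drivers\\rkhide.sys"),           # hidden file (assumed name)
    Entry("C:\\Users\\alice\\report.doc", stream="payload"),       # file ADS (assumed name)
]

if __name__ == "__main__":
    for mode in (False, True):
        print("advanced" if mode else "basic", "scan:")
        for e in cross_scan(API_VIEW, DISK_VIEW, advanced=mode):
            print("  hidden:", e.path + (":" + e.stream if e.stream else ""))
```

Two details matter in practice and are the reason for `_norm`: the API and the raw parser produce different spellings of the same name (case, trailing separator), and a naive comparison would report every file on the volume as hidden. Whatever is left after normalization is the real discrepancy, and a folder ADS shows up even in the basic scan because that is exactly where the Costrat driver sits.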
Greatly improved Anti-rootkit (3)
Materials: Fighting Rootkits with Kaspersky Internet Security 6.0/Kaspersky Anti-Virus 6.0 (http://www.kaspersky.com/fighting_rootkits_version_6_products). In the near future we'll publish the second part of the article, about the Anti-rootkit in KIS 7.0. But right now you can make a demo using the 3 rootkits described on the next slides (Costrat, Unreal, Elite Keylogger).
Greatly improved Anti-rootkit (4)
Costrat (Rustock.B; Spambot), http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2 : a family of backdoor programs with advanced user-mode and kernel-mode rootkit capabilities; a very powerful rootkit, described in VB in August 2006.
Elite Keylogger, http://www.elitekeylogger.com/ : a very powerful keylogger and rootkit that uses 3 kernel-mode drivers; detected by KAV 6.0 during installation, but the Rescue CD was needed to remove it.
Unreal.A by MP_ART & EP_X0FF: a proof-of-concept, non-malicious stealth rootkit designed to be invisible to all current rootkit detection technologies.
Greatly improved Anti-rootkit (5) Trojan-Clicker.Win32.Costrat.ab (Rustock): the driver is hidden in an NTFS Alternate Data Stream of the System32 folder.
Greatly improved Anti-rootkit (7) Exploit.Win32.Unreal.a: 1. The driver is hidden in an NTFS Alternate Data Stream of the root folder C:\. 2. This Alternate Data Stream is itself hidden by the rootkit's driver!
Firewall outbound protection improvements (1)
Leak tests failed by KIS 6.0 MP2*:
BITStester: use of the BITS service
Breakout: Windows messages to IE
Breakout2: changing the Active Desktop with a URL
CPILSuite3: SetWinEventHook function
DNStester: DnsQuery from Dnsapi.dll
OSfwbypass: ShowHTMLDialog from Mshtml.dll
Surfer: DDE communication with IE
* http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
Firewall outbound protection improvements (6)
1. KIS 7.0 should improve its result by 650+ points (300-600 points; I am not sure about the FPR tests). In any case KIS will surpass ZoneAlarm and SSM in the result table. We will consider our 3rd place the best possible result, because we are not going to fight against the specific solutions from Comodo and Jetico (the only difference will be in the default settings; we think our settings are the best balance for 95% of Internet users).
New Privacy Control concept (1)
1. The Privacy Control concept implemented in most security suites: "enter all your private data: PINs, passwords, ..."; "we will analyze outgoing traffic, and if some of your private data is found, it will be replaced by ***". A cool idea, but it DOES NOT work in the real world. Why? Because almost all trojans encrypt everything they send, and the security suite will find nothing in such encrypted traffic!
2. So how can we protect the user's private data?
1) We can block access to the password storages of many well-known programs and to the Windows Protected Storage.
2) We can block all attempts to send data in hidden ways (the ways used by most trojans).
New Privacy Control concept (2) Real-life example: Trojan-PSW.Win32.LdPinch. Test sample: a passview utility which tries to read information from the Windows Protected Storage.
Protection against new type of keyloggers (1)
Protection against all types of keyloggers
User mode:
SetWindowsHookEx (global keyboard hook)
GetAsyncKeyState/GetKeyState (keyboard polling)
GetMessage/PeekMessage interception
Use of the Raw Input model (new in 7.0!)
Kernel mode:
Kbdclass driver filter
\Device\KeyboardClass0 driver filter
Kbdclass dispatch table patch
KeServiceDescriptorTableShadow patch
Protection against new type of keyloggers (2) Protection against a new technique for intercepting keyboard input: using the Raw Input model via DirectX functions. Unique!
Improved PDM detection (1) Protection against a new technique for installing drivers in a hidden way: saving and restoring the registry hive for the Services part of the System registry, so that the driver's service key is written by a hive restore rather than by an ordinary key creation and the usual interception of service registration does not see it. Unique!
Improved PDM detection (2) Protection against a new technique for installing drivers in a hidden way: calling the kernel function ZwLoadDriver directly (it can also be used by ring-3 applications, bypassing the Service Control Manager). Unique!
Improved self-protection (1)
Self-protection technologies
Protection of the product's files on disk
Protection of the product's registry keys
Protection of the product's processes in memory
Protection of the product's folders against changes of permissions (new in 7.0!)
Protection of the product's registry keys against changes of permissions (new in 7.0!)
Improved self-protection (2) Protection against changes of permissions on KAV folders. Unique!
Improved self-protection (3) Protection against changes of permissions on KAV registry keys. Unique!
Last point: network performance
Influence on system performance. Some users complained about decreased network performance after installing KIS 6.0 (eMule, games, ...), and we have completely rewritten our network driver. Let's see the result.
Test stand: Windows Vista and XP SP2 32-bit. KIS 7.0 with Firewall and IDS enabled; about 200 rules added for different network applications. Network throughput is measured with the netcps.exe utility.
Configuration | Out (MPS) | Out (%) | In (MPS) | In (%)
w/o KIS | 8.00 | 100 | 8.03 | 100
KIS 6.0 | 3.87 | 48.38 | 2.84 | 35.37
KIS 7.0 | 7.94 | 99.25 | 7.93 | 98.75
MPS = Mb per second