Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat & Virus best practices Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec.

Published byCordelia Bradley Modified over 8 years ago

Similar presentations

Presentation on theme: "Threat & Virus best practices Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec."— Presentation transcript:

1 Threat & Virus best practices Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec

2 Working with Support Submitting Samples Current Common Threats and Prevention Threat Landscape Threat Primer Contents 1 2 3 4 5 How Symantec Stacks Up 6 2Threat & Virus best practices

3 1 Threat Primer 3Threat & Virus best practices

4 Virus Spread by infecting good files (hosts) WormSpreads by copying itself to other machines Trojan HorseDoes not spread itself. Definitions of Threats Info StealersSteals information BackdoorsAllows unauthorized access DownloadersDownloads additional threats Browser Helper ObjectsLoads into a browser RootkitsHides files from user/OS Risk Any file that is not malicious but could pose a threat to security. (Not listed as a “threat”) ThreatA threat is a circumstance, event, or person with the potential to cause harm to a system 4Threat & Virus best practices

5 2 Threat Landscape 5Threat & Virus best practices

6 Brave New World Threats are being re-written, and re-packed at such a fast rate, that the reliance of “reactive technology”, like signature based AntiVirus, alone is no longer sufficient. 6Threat & Virus best practices

7 Escalating Threat Landscape 524% increase in threats over the second half of 2007 More detections were created in 2008, than in all the other years combined. In 2003 Symantec released an average 5 definitions a day, in 2007 - 1431 daily At the beginning of 2008 Symantec was releasing 7500 definitions daily Source: Symantec Security Response In 2009 we started releasing up to 12,000 new detections a day, and by June had days where over 20,000 new detections were released. 7Threat & Virus best practices

8 3 Current Common Threats 8Threat & Virus best practices

9 Autorun Worms Autorun worms use the Autorun.inf file to automatically launch and spread across an environment. The Autorun.inf file is used by Windows to launch executables whenever a drive is mounted, be it USB, local, or a network drive. Example A: W32.Silly and its variants. The Silly family of threats use Autorun.inf to spread across the environment and then download secondary threats in the form of revenue generating software. Example B: W32.Sality.AE Sality is a fast moving, file infecting virus, that is capable of disabling SAV/SEP remotely and the infecting the target machine from the host. There are so many re-packed variants that almost every outbreak include one or more new threats. This is one of the most destructive viruses we have seen in awhile. 9Threat & Virus best practices

10 Browser Helper Objects (BHO’s) BHO’s plug into most browsers, but as a threat they generally target Windows Explorer and Internet Explorer Example: Trojan.Vundo 3 rd party research estimates a new Vundo variant is created every 3.5 minutes for the last year or so. Vundo is a revenue generating Trojan that downloads additional threats to the system. They are generally spread through Adobe flash vulns and email and then download new variants of itself to keep it up to date. 10Threat & Virus best practices

11 4 Finding and Submitting a File 11Threat & Virus best practices

12 Finding a Suspect File (ESUG LPDU) The Enterprise Support Utilities Group Load Point Diagnostic Utility or LPDU is used to collect data on all the common load points for threats on a machine. Support trains front line engineers to use this utility to find threats quickly. To access this tool open a Support case and request help with finding a new threat, we will work with you to see if it is right for your case. We can move much faster with all the data. 12Threat & Virus best practices

13 What makes a file suspect? Name – Misspelled or “spoofed” names. (Microsofts, SVCH0ST) Version – Missing or overly simple version information (1.0.0.1) Size – Between 50 and 500k Creation date – within the last two months Remember we are looking for Portable Executable files, first..EXE.BAT.COM.PIF.SCR.DLL.VBS.SYS And then we are looking for these other types: 13Threat & Virus best practices

14 Submitting The Suspect File Submissions should be made to Security Response through the submission website. BCS customers should submit through https://submit.symantec.com/bcshttps://submit.symantec.com/bcs Essential customers should submit through https://submit.symantec.com/essentialhttps://submit.symantec.com/essential Basic customers should submit through https://submit.symantec.com/basichttps://submit.symantec.com/basic Once the file is submitted you will receive: A tracking email and number within about an hour. A closing email with additional information about the files and detections. Symantec policy states that at no time are Symantec employees, outside of Security Response, permitted to accept suspect or malicious code. Please do not send a sample via email. You should also consider submitting to Threat Expert for an automated technical description of the threat within a few minutes 14Threat & Virus best practices

15 15Threat & Virus best practices

16 Submit to Threat Expert http://www.threatexpert.com/submit.aspx 16Threat & Virus best practices

17 5 Working with Support 17Threat & Virus best practices

18 In each of these cases it is important to note what services we can offer, and what is appropriate advice for the circumstances. Does Symantec know about Virus X? ….and am I protected? Case Type 1 I think I may have a virus but I cant detect it. Case Type 2 Standard Types of Virus Cases I am in a full outbreak and have multiple machines infected. What do I do? Case Type 3 18Threat & Virus best practices

19 Case Type 1: Does Symantec know about Virus X? and am I protected? Email-Worm. Win32.Nyxem.e MyWife.d@MM W32/MyWife.d@MM!M24 Tearec.A W32/Nyxem-D W32.Blackmal.E@mm ???????? Difficulties: Virus names differ from vendor to vendor Viruses may re-use files names or may use different file names for the same virus variant. Example: Use Google to search for the file name “internat.exe” Small difference in variants can make a big difference in detection. Example: Look at the differences between W32.Spybot.AKNO and W32.Spybot.ACYR We may add 100s of different variants to each virus family a day. It is impossible to tell if we have detection without a sample Solutions: Virus Submission – Best A virus submission is the only way we can confirm that the threat that the customer is concerned about is one we already detect, or can add detection for. URL Investigation – Good If the customer knows a site or link that the suspect file was downloaded from Security Response can get the file and check it. – Don’t check it yourself. 19Threat & Virus best practices

20 Case Type 2: “I think I might have a virus but I cant detect it.” Questions: 1.What is going on that makes you think you have a virus? Behavior can sometimes tell you where you need to start, or at least what you may be dealing with. 2.Are Virus Definitions up to date? Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file 3.Have you ran a scan, with the most up to date defs? Tasks: 1.Start a scan with current virus definitions. 2.Suggest the customer check “Common Load Points” 3.Help the customer check “Common Load Points” (ESUG LPDU or manually) Important Note: With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode. Other Important Note: Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed. 20Threat & Virus best practices

21 Case Type 3: “ I am in a full outbreak and have multiple machines infected. What do I do? ” Questions: 1.What is going on that makes you think you have an outbreak? (1200 x 1%= 12) 2.Are Virus Definitions up to date? Note: “Up to date” does not mean “today’s defs”. Ask for date and version. Or check the definfo.dat file. Note this for all infected systems 3.Have you run a scan, with the most up to date defs? (Do this for 1 or 2 systems, if it works, make this part of your 1 st step) Tasks: 1.Start a scan with current virus definitions. 2.Suggest the customer check “Common Load Points” 3.Help the customer check “Common Load Points” (ESUG LPDU or manually) Important Note: With some minor exceptions, all versions of SAV detect equally well. Therefore it is not important to have the newest version of SAV. It is important to have the newest defs. Also, for detection of a threat, a Safemode scan is NOT necessary. Safemode should only be used to remove threats that can’t be removed in regular mode. Other Important Note: Because Auto-Protect is disabled in an upgrade, don’t upgrade unless you can remove the machine from the network. Never upgrade during a virus emergency if it is not needed. 21Threat & Virus best practices

22 6 Missed Detections and False Positives 22Threat & Virus best practices

23 False Positives vs Detection Rates (18 months) Source: http://www.av-comparatives.org 23Threat & Virus best practices

24 If Symantec is detecting 98.7% of the threats, why does it seem like we have MORE Outbreaks recently? If we apply the same detection rate to the amount of new threats as seen each year, the answer becomes more clear. Symantec Detection Rate = 98.7% Missed Detections = 1.3% 24Threat & Virus best practices

25 1. Identify The Threat 2. Identify The Machine 3. Quarantine The Machine 4. Clean The Machine 5. Prevent Re-Infection The 5 Steps to Virus Troubleshooting During an outbreak it is important that we have a game plan of what to do and in what order to do it. 25Threat & Virus best practices

26 There is no Magic Solution Threat & Virus best practices26 But proper settings help Like using real world setting for AV and Truscan

27 Default settings may have worked when product shipped 27 Period Number of signatures SAV 9 SEP 11 SAV 10 Threat & Virus best practices

28 They don’t provide the best protection now Threat & Virus best practices28

29 Additional Resources 29Threat & Virus best practices

30 Helpful links Security Response public blog: http://www.symantec.com/business/security_response/weblog / http://www.symantec.com/business/security_response/weblog / Internet Security Threat Report: http://www.symantec.com/business/theme.jsp?themeid=threat report http://www.symantec.com/business/theme.jsp?themeid=threat report Submission Website https://submit.symantec.com/(TYPE ENTITLMENT HERE) https://submit.symantec.com/(TYPE Threat Expert http://www.threatexpert.com/submit.aspx http://www.threatexpert.com/submit.aspx 30Threat & Virus best practices

Download ppt "Threat & Virus best practices Denver Security & Compliance User Group March 17, 2010 Presenter: Chris Sandalcidi, CISSP - Symantec."

Similar presentations

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.

Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Using Anti-virus Software A SeniorNet Workshop SeniorNet is a service program of the Lutheran Service Society of Western Pennsylvania.

Using Anti-virus Software A SeniorNet Workshop SeniorNet is a service program of the Lutheran Service Society of Western Pennsylvania.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Information Security Information Technology and Computing Services Information Technology and Computing Services

Information Security Information Technology and Computing Services Information Technology and Computing Services
R. FRANK NIMS MIDDLE SCHOOL A BRIEF INTRODUCTION TO VIRUSES.

R. FRANK NIMS MIDDLE SCHOOL A BRIEF INTRODUCTION TO VIRUSES.
Contents  Viruses Viruses  Computer Worms Computer Worms  Trojans Trojans  Spyware Spyware  Adware Adware  Spam Spam  Hoaxes and Scams Hoaxes and.

Contents  Viruses Viruses  Computer Worms Computer Worms  Trojans Trojans  Spyware Spyware  Adware Adware  Spam Spam  Hoaxes and Scams Hoaxes and.
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
About Us Inception in 2001, Bitdefender has continued to raise the bar to set new standards in proactive threat prevention and virus removal. Offices.

About Us Inception in 2001, Bitdefender has continued to raise the bar to set new standards in proactive threat prevention and virus removal. Offices.

Similar presentations

Ads by Google