Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intercept X Early Access Program Sophos Tester

Published byEllen Lucas Modified over 6 years ago

Similar presentations

Presentation on theme: "Intercept X Early Access Program Sophos Tester"— Presentation transcript:

1 Intercept X Early Access Program Sophos Tester
Karl Ackerman Principal Product Manager – Endpoint Security Group July 2017

2 Agenda Overview FAQ Tests described Platform Results

3 Overview FAQ What is Sophos Tester? Is this safe to use?
Demonstration of attack techniques from exploits and ransomware to atom bombing Is this safe to use? Sophos tester will not harm your PC It performs the techniques for multiple attack methods but does not deliver malware, communicate with command and control servers, or encrypt your documents NOTE running the tool with Intercept X will create detection events and they will show in Sophos Central so if that console is monitored by another team, they may wonder what the heck you are doing. Can I run Sophos Tester on a machine with a competitors AV? The tool is not intended for competitive comparisons, and was built to confirm detection methods available in Intercept X Some AV Vendors block the tool as malicious, or unknown, others may block some of the techniques of the attack as well  What platforms does the tool run on? Sophos tester was built for Windows 7 32bit and should run on Windows XP, 7, 8, 10 for 32 and 64 bit systems Some issues with OS’s other than windows 7 32bit are known with tests failing to run correctly

4 Overview FAQ (continued)
Does the test tool have a test for ALL the mitigations in Intercept X No this tool does not validate all exploit methods, just the most common ones Why don’t I see any tests for Disk-Wiping, Credential Theft of Process Protection? For these tests the test tool needs to be run as administrator Right click on the Sophos Tester.exe and select “Run as Administrator” When run with Intercept X, do detections generate events in the console? Yes, when run with Intercept X, the admin console will show the detection events and an Root Cause Analysis may also be generated Will Sophos Clean remove the test tool on detection? No Sophos Clean will allow sophos tester to remain after detections Ransomware detections by Intercept will identify the target application and block similar attacks until a reboot or sufficient time has elapsed for Intercept to unblock the application.

5 Agenda Overview FAQ Tests described Platform Results

6 Attack Targets Target We look for common infection vectors (Applications) used by malware on the machine and display these as target applications Using a target application will launch the application to perform the attack tecnique Dummy (Default) This is the sophos tester executable itself and can be used to demonstrate attacks Note some attacks on a protected system will identify the Sophos tester or target application and lock its use for a period of time A good way to avoid having to reboot is to try each ransomware test with a different target application

7 Category Attack Techniques Run Sophos Tester as Administrator
Code exploits Attacks that take advantage of vulnerabilities in the software being used Memory exploits Attacks that manipulate process and system memory to execute their code Logic Flaws Preventing malicious behaviors even when the application is ‘allowed’ to perform them Safe Browsing Detect man in the browser activity that present one view to the user and another to the site Ransomware Malicious rapid file encryption Often the application target is now blocked from similar activity, reboot to clear this state on Intercept protected devices See Settings for additional configurations Disk-wiping Attacks on the master boot record Credential Theft Attacks that steal authentication credentials Process Protection Newer exploits using Asynchronous Procedure Calls (Wanacry, eternal blue, double pulsar) Run Sophos Tester as Administrator

8 Agenda Overview FAQ Tests described Platform Results

9 Platform tests (Target Dummy-Default)
Category Attack Intercept X Policy Control Win 7 32bit (No AV) Win 7 32bit (Intercept X EAP) Win 8 64bit (No AV) Code Exploit StackPivot1 Exploit Success Blocked StackPivot2 VirtualProtect ROP VirtualProtect ROP via legit call Succeeded (Test passed, legitimate) NtProtectVirtualMemory ROP WinExec Rop IAF VirtualProtect Via Legit Call Memory Exploit Nop Sled Heap Spray

10 Platform tests (Target Dummy-Default)
Category Attack Intercept X Policy Control Win 7 32bit (No AV) Win 7 32bit (Intercept X EAP) Win 8 64bit (No AV) Memory Exploit Polymorphic Nop Sled Heap Spray Success Blocked Date Execution Prevention Logic Flaws Create, Execute Create, Execute elevated Blocked (Note MS warnings) Create, Rename, Execute Create, Execute via WMI Safe Browsing WinINet hijack Must run with a target browser. (Detected) Ransomware* CryptoLocker Crypto Guard Blocked1 1 – After an attack the target application(Sophos Tester) is temporarily blocked from similar activity, reboot may be required

11 Platform tests (Target Dummy-Default)
Category Attack Intercept X Policy Control Win 7 32bit (No AV) Win 7 32bit (Intercept X EAP) Win 8 64bit (No AV) Ransomware* CTB-Locker Crypto Guard Success Blocked1 TorrentLocker CryptoWall 3 Locky HydraCrypt Cerber 3 Dharma Dharma Alternative CryptoShield Disk-wiping Master Boot Record Disk and Boot Protection Blocked 1 – After an attack the target application(Sophos Tester) is temporarily blocked from similar activity, reboot may be required

12 Platform tests (Target Dummy-Default)
Category Attack Intercept X Policy Control Win 7 32bit (No AV) Win 7 32bit (Intercept X EAP) Win 8 64bit (No AV) Credential Theft Read LSASS memory Member of EAP protected devices Success Blocked2 Blocked3 Open SAM registry Blocked Process protection APC Exploit (Atom Bombing) APC Exploit (Start shellcode) Know Issues – we have had some reported issues with Sophos Tester not executing the tests correctly on some X64 devices we are investigating Support on Servers and MAC – With the exception of crypto-guard, is not yet available for Windows Servers or MAC OS Supported Operating Systems – Supported on Windows XP and above, NOT available for MAC OS 2 – This attack is shown as ‘unsuccessful’ in the Sophos Tester, but no notification is presented to the user, well fix it 3 – Windows 8 64 bit protected the LSASS memory from non-authorized processes

13 Notifications on the desktop
Detections from Sophos Tester will generate notifications on the device A Clean scan will be run and the Sophos Tester will remain on the device Events will be registered in Sophos Central and in a few minutes an Root Cause Analysis report will be available for review When running ransomware tests the target application is identified and Intercept will block the detected behavior from that application until a reboot

14 Notifications in Sophos Central
Sophos test results in a notification to the end user and in Sophos Central

15 Sophos Central – Root Cause Analysis
Root Cause Analysis reports should be generated for most detection events

16

Download ppt "Intercept X Early Access Program Sophos Tester"

Similar presentations

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
Security for Today’s Threat Landscape Kat Pelak 1.

Security for Today’s Threat Landscape Kat Pelak 1.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Norman Endpoint Protection Advanced security made easy.

Norman Endpoint Protection Advanced security made easy.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.

A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:

November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:
Malicious Software.

Malicious Software.
Wireless and Mobile Security

Wireless and Mobile Security
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.

Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
W elcome to our Presentation. Presentation Topic Virus.

W elcome to our Presentation. Presentation Topic Virus.
1 #UPAugusta2016. 2 3 Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.

1 #UPAugusta Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

Similar presentations

Ads by Google