Inside Av Engine

  • 7/31/2019 Inside Av Engine

    Slide 1: Anti-malware* Engine

    Information Sharing Talk (IST)

    * Should we avoid using the term "virus" as a catch-all term for malware?

    * Why not run two antivirus (anti-malware) products on one system?

  • Slide 2: Classify

    Blacklisting: detect bad objects. Cannot be perfect, as the problem itself is undecidable.

    Blacklisting methods: signature (reactive mechanism); heuristics (dynamic, or based on static parameters).

    Whitelisting: allow only known-good objects and block the remaining ones. Can be solved theoretically but is practically challenging.

    Anti malware engine 2

  • Slide 3: Basic Activity: Scanning * (how an anti-malware works)

    Behavior-based engine (on process activities *), backed by a behaviors database

    Antivirus scanning (on file content), backed by a malware signature database

    Whitelisting (on process creation), backed by a known-applications database

    * Process activity: file read or write

  • Slide 4: Design Problems

    Scanning a clean file needs to be fast; scanning or disinfecting malware may take long.

    Where to keep the database while scanning: a tradeoff between memory and file IO.

    Engines differ for desktop and mobile.

    Preprocessing helps, but will make booting slower.

  • Slide 5: Scanning

    Static: scan/analysis of a file's structure and contents. Methods: on demand, on access.

    Dynamic: monitoring while the target is executing, or emulating it.

  • Slide 6: Components of an AV engine

    Malware.zip -> Unarchiver -> Malware.exe -> File type recognizer -> PE parser -> Unpacker -> Signature scanning and heuristics -> verdict: Clean or Infected

  • Slide 7: Scanning Techniques

    String scanning

    Hash scanning

    Virus-specific scanning

    Heuristics

    Emulation (used with other techniques)

  • Slide 8: String Scanning

    Naive scanning: O(nm)

    Boyer-Moore: O(n)

    Aho-Corasick algorithm

    (diagram: pattern "a b c" of length m slid across the text "a b a b a b c a b a" of length n)

  • Slide 9: Aho-Corasick

    Set matching problem: a multiple-string matching algorithm that constructs a finite state machine from a pattern set (a list of keywords), then uses the machine to locate all occurrences of the keywords in a body of text.

    Patterns to search: P = \{P_1, P_2, \ldots, P_k\} in the target T = t_1 \ldots t_m, with n = \sum_{i=1}^{k} |P_i|.

    Running time O(m + n + z), where z is the number of pattern occurrences in T.
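Added example, not from the talk: a minimal Aho-Corasick matcher in Python, built over a constructed set of byte "signatures" and run on the text from slide 8. The signature names and the second pattern set in the comments are my own, not real malware signatures.

```python
from collections import deque

class AhoCorasick:
    """Multi-pattern matcher: build the automaton once, then scan each buffer in O(len + hits)."""

    def __init__(self, patterns):
        # goto: per-state dict byte -> next state; fail: fallback state; out: (name, length) pairs
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for name, pat in patterns.items():
            self._add(name, pat)
        self._build_fail_links()

    def _add(self, name, pat):
        state = 0
        for b in pat:                      # iterating a bytes object yields ints
            if b not in self.goto[state]:
                self.goto[state][b] = len(self.goto)
                self.goto.append({}); self.fail.append(0); self.out.append([])
            state = self.goto[state][b]
        self.out[state].append((name, len(pat)))

    def _build_fail_links(self):
        queue = deque(self.goto[0].values())   # depth-1 states already fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s].extend(self.out[self.fail[s]])  # inherit shorter suffix matches

    def scan(self, data):
        """Return (signature name, start offset) for every occurrence, in scan order."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name, length in self.out[state]:
                hits.append((name, i - length + 1))
        return hits

# Constructed signature set (not real signatures) and the text shown on slide 8.
SIGNATURES = {"sig-ab": b"ab", "sig-abc": b"abc", "sig-bca": b"bca"}

def scan_sample():
    return AhoCorasick(SIGNATURES).scan(b"abababcaba")
```

Overlapping signatures ("ab" inside "abc", "bca" starting inside "abc") are all reported in one pass, which is the z term in O(m + n + z).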

  • Slide 10: Hash scanning

    Take a hash of the full file: cannot work for file infectors, is slow, and a single junk byte appended to the malware will defeat detection.

    Instead use a (start, length) pair for calculating the hash. If the length is short: false positives. If it is long: a lot of disk access.

  • Slide 11: Start position

    It can be an arbitrary point, or it can be fixed: the PE entry point, the beginning of the file, the beginning of the code section, the beginning of an exported function.

    There can be many unique pairs, which makes the scan slower.
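Added example, not from the talk: a Python sketch of the (start, length) hashing from slides 10 and 11, run over two constructed byte strings standing in for a malware sample and a benign program. The samples, signature names and window offsets are my own; a real engine would take the start from the PE entry point or a section header rather than a hard-coded offset.

```python
import hashlib

# Constructed stand-ins for a malware sample and a benign program (not real files).
# Both start with the same 2-byte "MZ" marker and 14 filler bytes; the code differs from offset 16.
MALWARE = b"MZ" + b"\x90" * 14 + b"evil-payload-stub" + b"\x00" * 5
BENIGN = b"MZ" + b"\x90" * 14 + b"hello-world-prog" + b"\x00" * 6

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def region_hash(data, start, length):
    """Hash of data[start:start+length]; None when the window does not fit inside the file."""
    if start < 0 or length <= 0 or start + length > len(data):
        return None
    return sha256_hex(data[start:start + length])

def build_signature(name, sample, start, length):
    """Signature record: (name, start, length, hash of that window in the known sample)."""
    return (name, start, length, region_hash(sample, start, length))

def match_signatures(data, signatures):
    """Names of every signature whose (start, length) window in data hashes to the stored value."""
    return [name for name, start, length, digest in signatures
            if region_hash(data, start, length) == digest]

FULL_FILE_HASH = sha256_hex(MALWARE)                               # whole-file hash
SHORT_SIG = build_signature("short-prefix", MALWARE, 0, 2)        # too short: only the "MZ" marker
CODE_SIG = build_signature("code-window", MALWARE, 16, 17)        # window over the distinctive code

def demo():
    """Compare whole-file hashing with (start, length) hashing on the constructed samples."""
    appended = MALWARE + b"\x00"   # a single junk byte appended to the sample
    return {
        "full_hash_matches_original": sha256_hex(MALWARE) == FULL_FILE_HASH,
        "full_hash_matches_appended": sha256_hex(appended) == FULL_FILE_HASH,  # one byte defeats it
        "window_sig_on_appended": match_signatures(appended, [CODE_SIG]),      # still detected
        "short_sig_on_benign": match_signatures(BENIGN, [SHORT_SIG]),          # false positive
        "code_sig_on_benign": match_signatures(BENIGN, [CODE_SIG]),            # no match
    }
```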

  • Slide 12: Heuristics

    Enabling a person to discover or learn for themselves.

    Relating to a speculative formulation serving as a guide in the investigation or solution of a problem.


  • Slide 14: Heuristics methods

    Strategy              Dynamic     Static
    Subject of Analysis   Behavior    Structure
    Analysis Methods      Weights     Rules

  • Slide 15: Weights Based / Rules Based

    Weights based: each observed activity carries a weight

    Activity                  Weight
    Network server            2
    Disable system tools      5
    Hidden process            7
    Writes to HOSTS file      3
    Creating executables      2
    No GUI                    1
    Sends HTTP                2
    Sends IRC                 5

    Rules based: a sample is flagged when all conditions of a rule hold

    1. Small executable AND runs a server
    2. Kills AV process AND contains decryption loop
    3. Packed executable AND deletes itself
    4. Suspicious double extension (e.g. amazingshoots.jpeg.exe)
    5. Program runs from Temp directory AND creates new executable in Windows
    6.
    7.
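Added example, not from the talk: the weights table and rules 1 to 5 from this slide as Python, evaluated over a constructed description of a sample. The score threshold, the size cut-off for "small executable", the extension lists and the fact names are my assumptions; the slide gives the weights and rule wording only.

```python
# Weights as given on the slide; the threshold is an assumption (the slide states none).
ACTIVITY_WEIGHTS = {
    "network_server": 2, "disable_system_tools": 5, "hidden_process": 7,
    "writes_hosts_file": 3, "creates_executables": 2, "no_gui": 1,
    "sends_http": 2, "sends_irc": 5,
}
THRESHOLD = 10

def weight_score(activities):
    """Sum the weights of the distinct observed activities; unknown names count 0."""
    return sum(ACTIVITY_WEIGHTS.get(a, 0) for a in set(activities))

def weight_verdict(activities):
    return "suspicious" if weight_score(activities) >= THRESHOLD else "clean"

# Rule 4 helper: "name.<decoy>.<executable>" such as amazingshoots.jpeg.exe (lists are assumptions).
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}
DECOY_EXT = {"jpeg", "jpg", "png", "pdf", "doc", "docx", "txt", "xls"}

def has_double_extension(filename):
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXT and parts[1] in DECOY_EXT

SMALL_EXE = 64 * 1024   # assumed cut-off for "small executable"

# Rules 1-5 from the slide: each is an AND of facts about the sample.
RULES = {
    "small-exe-runs-server": lambda f: f["size"] < SMALL_EXE and "network_server" in f["activities"],
    "kills-av-and-decrypts": lambda f: "kills_av_process" in f["activities"] and f["decryption_loop"],
    "packed-and-self-delete": lambda f: f["packed"] and "deletes_self" in f["activities"],
    "double-extension": lambda f: has_double_extension(f["name"]),
    "temp-run-writes-windows": lambda f: f["runs_from_temp"] and f["creates_exe_in_windows"],
}

def rules_fired(facts):
    """Names of the rules whose every condition holds for this sample."""
    return [name for name, rule in RULES.items() if rule(facts)]

# Constructed sample description (not a real file): facts a dynamic run would have recorded.
SAMPLE = {
    "name": "amazingshoots.jpeg.exe", "size": 40 * 1024, "packed": True,
    "decryption_loop": False, "runs_from_temp": True, "creates_exe_in_windows": False,
    "activities": ["network_server", "hidden_process", "sends_irc", "deletes_self"],
}
```

Note that "deletes_self" contributes to a rule but carries no weight, and "hidden_process" carries a weight but appears in no rule: the two methods on the slide score different evidence.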

  • Slide 16: Script malware

    A script host program is generally used to run the scripts:

    Perl myscript.pl
    msiexec.exe myinstall.msi
    iexplore.exe mysc.js

    The threat therefore shows up in the running-process list as the host program.

    The behavior-learning approach will generate false positives in this case.

    The simplest solution is to look at the command line. However, this is not possible in many cases (WINWORD etc.).

  • Slide 17: Otherwise (script analysis pipeline)

    Script -> Normalizer -> Parser/Analyzer -> Emulator -> Rating logic -> verdict: Clean or Malware

  • Slide 18: Behavior Blocker

    Commonly known as HIPS (Host Intrusion Prevention System). Of course, not all provide the same protection.

    HIPS monitors the sequence of system calls an application makes, and the parameters passed into each call.

    HIPS decision logic: ask the user to decide, use heuristic methods, or use both.

  • Slide 19: Rootkit Detection

    Cross-view diff: we use a variant of it; low FP rate.

    Hook detection: good (legitimate) hooking is common (ENSAFE), so it cannot be a decision point to quarantine, but it is very important for security. Not allowed on many Linux systems and on 64-bit Windows.

    Static analysis: a sequence which hooks AND a sequence which manipulates EPROCESS pointers.

    Hooking behavior is monitored; a decision can be taken from the user.
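Added example, not from the talk: a cross-view diff for hidden processes in Python, comparing a high-level view (the /proc directory listing) against a low-level view (probing every PID with signal 0) and intersecting several passes so a process that exits or starts between two enumerations is not reported. The pass count and PID range are assumptions, and the two live views are Linux-only.

```python
import os
import sys

def diff_views(high_level, low_level):
    """Cross-view diff: PIDs the low-level view sees but the high-level view does not."""
    return sorted(set(low_level) - set(high_level))

def stable_hidden(passes):
    """Intersect the hidden sets of several (high, low) passes: a process that merely came or
    went between two enumerations is missing in one pass only; a hidden one is missing in all."""
    hidden = None
    for high, low in passes:
        current = set(diff_views(high, low))
        hidden = current if hidden is None else hidden & current
    return sorted(hidden or [])

def procfs_view():
    """High-level view: what a directory listing of /proc reports (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_view(max_pid=32768):
    """Low-level view: probe each candidate PID with signal 0 (Linux only).
    Success and EPERM both mean the PID exists; ESRCH means it does not.
    32768 is the classic pid_max; /proc/sys/kernel/pid_max holds the real limit."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def live_hidden_pids(passes=3, max_pid=32768):
    """Run the cross-view diff on the local system; refuses to run off Linux,
    where os.kill with signal 0 does not mean 'probe'."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("the /proc and signal-0 views are Linux-specific")
    return stable_hidden([(procfs_view(), probe_view(max_pid)) for _ in range(passes)])
```

A PID that survives the intersection is evidence, not a verdict: as the slide says for hooking, the result feeds a decision rather than an automatic quarantine.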