APAC RTL Clean Tool v5.0 Solution

Reuel A. Morales (Sr. Security Analyst, APAC-RTL)
04.29.2008



Challenges We Are Facing…

• As the volume of malware variants increases as foreseen, the following were found to be the top challenges in APAC…
  – Long malware case solution cycle time (SCT)
  – Undetection and cleanup issues
  – Security issues in the customer environment

• APAC customers tend to use third-party/competitor tools for immediate mitigation while waiting for the Trend Micro solution. The reasons behind this…
  – Process Issues
    • Customers feel that the current process is too tedious
    • Customer environment limitations
    • Long process flow
  – Product/Tool Effectiveness Issues
    • Customers perceive the competitor to be much better in most cases
    • The product cannot remove the malware and/or restore the system completely
    • Customers need to use third-party tools to comply with the current process


What is ARTLClean Tool?

• ARTLClean is a support tool developed by the Trend Micro APAC RTL team that does the following:
  – Assess the system for:
    • Possible infection by undetected malware
    • Possible system security holes that might lead to malware attack/infection
    • Possible infection vectors that malware has used as a channel for infection
  – Collect detailed system information for malware infection forensic analysis
  – Collect undetected and/or detected suspicious/malicious files found on the system
  – Upload suspicious/malicious samples to Trend Micro RTL or to a specified FTP server
  – Detect and clean up malware using the Trend Micro CPR pattern and/or the Trend Micro RTL bandage small pattern for detection


ARTLClean Tool Objectives

• Help shorten the SCT of low-priority malware cases
  – Collect samples from the customer's infected machine in just one click
  – Provide automated feedback to customers
  – Deploy a small pattern for immediate detection (bandage solution) to leverage DCT generic clean for immediate cleanup
• Provide early detection of in-the-wild malware
  – The small pattern includes detection of all malicious files coming from…
    • All APAC customers
    • APAC RTL proactive sourcing
• Give customers no reason to use third-party or competitor tools by providing them just ‘one tool’ to handle everything from malware retrieval to removal
• Act as a displacement tool to promote Trend Micro technology and gain more customers in return


Improvements from v3.50 to v5.00 (GUI)

[Screenshot of the two GUIs; the rectangle marks the improvements of ARTLClean v5.0 over v3.50]


New Features of ARTLClean for v5.0

• Tool Integrity Check
  – This ensures that all components are intact before execution
  – If any of the components has been modified, ARTLClean will not execute
• System Infection Check and Security Assessments
  – Using a special DCT called the “assessment pattern”, ARTLClean can determine whether the system is currently infected by checking several infection test points on the machine.
  – It can determine possible channels of infection and system security holes, and provide information on how the malware was able to infect the system
• Logs and Messages
  – Improved status messages and debug logs (ARTLCLEAN.LOG)
  – Show the suspect list in the tool dialog window
  – Show the system infection assessment result in the tool dialog window and generate an assessment log (ASSESS.LOG)
• Inclusion of Rootkit Buster
  – Rootkit Buster helps the tool search for hidden objects
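The Tool Integrity Check above amounts to a release-time manifest of component digests that is re-verified at startup, with execution refused on any mismatch. The following is an added example of that check, not ARTLClean's own code; component names and contents are constructed, and the manifest is assumed to be protected by the launcher (embedded or signed).

```python
import hashlib
import hmac
from typing import Dict, List

# Added example, not the ARTLClean code: a tool integrity check as described
# above (check every component before execution; refuse to run if any was
# modified). Component names and contents are constructed for illustration.

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a component's bytes."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(components: Dict[str, bytes]) -> Dict[str, str]:
    """Record the expected digest of each component at release time. The
    manifest itself must be protected (embedded in the launcher or signed),
    otherwise a tamperer could simply regenerate it."""
    return {name: sha256_hex(data) for name, data in components.items()}

def verify_components(manifest: Dict[str, str],
                      components: Dict[str, bytes]) -> List[str]:
    """Return the integrity problems found; an empty list means all intact.
    Every expected component is checked, so missing and modified files are
    both reported, and files that were not part of the release are flagged."""
    problems = []
    for name, expected in manifest.items():
        data = components.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(data), expected):
            problems.append(f"modified: {name}")
    for name in components:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems

def should_execute(manifest: Dict[str, str],
                   components: Dict[str, bytes]) -> bool:
    """The tool runs only when the integrity check finds nothing wrong."""
    return not verify_components(manifest, components)

if __name__ == "__main__":
    # Constructed sample release: launcher, scan engine and small pattern.
    release = {"ARTLCLEAN.EXE": b"launcher v5.0", "ENGINE.DLL": b"engine",
               "SMALL.PTN": b"pattern data"}
    manifest = build_manifest(release)
    tampered = {**release, "SMALL.PTN": b"pattern data + extra rule"}
    print("clean release runs:", should_execute(manifest, release))      # True
    print("tampered release runs:", should_execute(manifest, tampered))  # False
```

On a real installation the component dictionary would be filled by reading each file in binary mode from the tool's directory before calling verify_components.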


New Features of ARTLClean for v5.0

• Improved SOS
  – SOS has an improved copy mechanism that is able to filter files digitally signed by trusted signers
  – With SOS integrated with RCM, it will have no difficulty retrieving locked and hidden files
• Small Pattern Download
  – This enables the user to update the small pattern in just one click or automatically
• Trend Micro Latest CPR Download in just one click
  – This gives the user the option to use the latest CPR for Scan/Clean together with the small pattern
  – CPR is helpful in scanning and cleaning computers with no Trend Micro product installed
• HiJackThis Tool
  – This gives the user the option to use the HiJackThis tool
• Help Button and EULA
  – This gives the user complete instructions on, and an understanding of, the usage of the tool.


APAC RTL Feedback Loop

• ARTLClean provides an option for users to send suspicious files to APAC RTL via FTP.
• To do so, users just have to enter the FTP credentials provided by APAC-RTL via Trend Micro support and also enter their email address.
• After the suspicious files are sent, they are verified in the APAC RTL backend system (taking only several minutes) and the result is sent to the email address entered before the sending process.
• The email from the APAC RTL backend contains the analysis of the files, stating which ones are malicious or not, and includes the small pattern that was created to detect the identified malicious files.
• Note: Users can go to their nearest Trend Micro support to get the proper FTP credentials from APAC RTL


APAC RTL Email Feedback

[Screenshot of the feedback email: the ARTL Dallas analysis result attachment, and the small pattern that can be used to detect and remove verified malicious samples]


APAC RTL Dallas Analysis

[Screenshot of the analysis report: Result Summary and Detailed Analysis]


ARTLClean Tool Benchmark Test (1)

[Chart: ARTLClean can identify more malware files than other known collector tools]


ARTLClean Tool Benchmark Test (2)

[Chart: ARTLClean can identify more grayware files than other known collector tools]


ARTLClean Tool Scope and Limitations

• Detection Scope
  – The APAC-RTL endpoint small pattern is only meant to detect malicious Win32 (PE-type) binary executable files (trojans and worms)
  – A pattern will only be created for undetected MALICIOUS binary files, as tagged by the Dallas System
• Detection Limitation
  – The APAC-RTL small pattern does NOT detect malicious non-binary files such as script and macro malware (except in some instances)
  – The pattern is limited to one-whole-file detection and does not address detection of file infectors such as PE viruses
• Cleanup Scope and Limitation
  – This depends only on what DCT GenClean can do


Where to get the latest ARTLClean Tool?

ftp://rtl:[email protected]/solutions/tools/rtlclean