查看: 6205|回复: 22
收起左侧

[一般话题] MMPC阐述:Microsoft Cloud Protection相关细节

[复制链接]
驭龙
发表于 2014-9-23 18:59:34 | 显示全部楼层 |阅读模式
MMPC终于发一点有意思的内容了,全文如下:
​Microsoft is using cloud protection to help keep our customers safe. In fact, nearly any detection made by Microsoft security products could be the result of cloud protection. Software developers often ask us how this cloud protection works and how they can improve our cloud’s impression of their software.

How our cloud protection works

When our antimalware products encounter anything unusual, they can send a small packet of information about the event or file to our server. The server then sends back a reply telling the antimalware software whether to block it or not. It can also request a sample for further analysis.

There are three situations that highlight the benefits of cloud protection:
•If a file is known to be malware by our servers but not by the local antimalware product, the cloud protection module can tell the local product to block or remove it.
•If a file is known to be clean by our servers, but the local antimalware product detects the file as malware (an incorrect detection situation), the cloud protection module can tell the local antimalware to not detect it, and the incorrect detection does not affect the user.
•If a local antimalware product encounters a file that we don’t know about, our server can make a determination based on probabilities, and tell the local antimalware software to block it, even without having seen a copy of the file.

It’s this third point that I would like to discuss further.

Improving your software’s cloud impression

We are often asked by software vendors if we have a way for them to pre-whitelist their software. However, our backend processing actually works better if we see your software as it’s naturally distributed. I will outline a few methods to improve our cloud’s impression of your software below:
•Digitally sign your software using a method accepted by Microsoft. This is the fastest way to get a good cloud reputation because the reputation of a good file can be distributed to all files signed by the same key.
•Once you have digitally signed your software, be careful that malware isn’t also signed by your key. This will negate any good reputation. You can help avoid this situation by:


◦Making sure you protect your key from being stolen by malware authors.
◦Ensuring your development process prevents a parasitic file-infecting virus from being inadvertently signed by your key.
◦Reading more about the best practices for signing software.



•If you can’t digitally sign your software, be aware that every minor version of your product will have to build reputation from scratch. This affects vendors who provide a different file on every single download. It doesn’t mean you can’t make bug-fix versions, different languages, etc.
•Make sure your software doesn’t install malware:
◦Take care to avoid security vulnerabilities. Even if you don’t intend to install malware, a security vulnerability could be detected as your product installing malware.
◦If you download executables off the internet, have your software check a digital signature or cryptographic hash, to ensure it has the correct file you intended it to download. We have seen one case where a popular installer had some URLs distributing malware and we had to detect every one of their installers in case it was downloading one of the malware URLs.

•Make sure your software isn’t installed by malware:
◦Proactively check your affiliates and companies who bundle your software.
◦Fill out the metadata information such as the information about the author and company in the file resources. If this and the digital signature isn’t enough, consider adding contact information, or a pointer to find contact information on the web. This contact information should direct to the right contact to report a security vulnerability, or work with to fix or prevent a incorrect detection.

•If you use a runtime packer or obfuscator, you need to be aware that the majority of malware is packed or obfuscated, and this does affect how your software is seen at the back end.
•Consider how your software is seen and whether it’s installed on the machines of users who really want it. We have honeypots, web crawlers, and automatic software testing. We can look at whether users chose to continue the download after the warning that a program isn’t commonly downloaded. We can also see whether users chose to ignore or remove software if our antimalware detects it. Bad behavior can quickly ruin a good software reputation.
•There are some behaviors that, while not enough to warrant a detection on their own, do attract the suspicion of human and automated systems. They could be used for legitimate reasons, but are often closely associated with malware behavior. This includes:
◦Installing outside the commonly accepted folders for the type of software.
◦Modifying or adding a sensitive registry key.
◦Process or thread injection.
◦Autonomous internet activity.


If you believe we have made an incorrect detection for your product you can submit a developer contact form. Making a slight change and pushing it out to your software won’t necessarily address any incorrect bad reputation applied to the code signing key you used for the file that was incorrectly detected. Our cloud protection might also note the similarity between the file that it still believes was correctly detected as malware, and the new version.


大谷歌机器翻译:
微软正在利用云防护,以帮助确保客户安全。事实上,几乎所有的检测由微软的安全产品做可能是云保护的结果。软件开发人员经常会问我们如何保护云的作品,以及他们如何能提高他们的软件我们的云的印象。

如何我们的云防护工程

当我们的反恶意软件产品遇到什么不寻常的,他们可以发送有关事件或文件到我们的服务器信息的小包。然后,服务器发回的答复告诉了反恶意软件是否阻止与否。它也可以要求进一步分析的样品。

有迹象表明,突出的云保护的好处三种情况:
•如果一个文件被称为是恶意软件,我们的服务器,而不是由当地的反恶意软件产品,云保护模块可以告诉当地的产品,以阻止或删除它。
•如果一个文件被称为我们的服务器是干净的,但当地的反恶意软件产品检测到的文件为恶意软件(不正确的检测情况而定),云保护模块可以告诉当地的反恶意软件检测不出它,不正确的检测不影响用户。
•如果本地的反恶意软件产品遇到我们不知道有关文件,我们的服务器可以基于概率的判断,并告诉当地的反恶意软件来阻止它,即使没有看过该文件的副本。

这是第三点,我想进一步讨论。

提高软件的云印象

我们经常被软件供应商询问我们是否有办法为他们预先列入白名单的软件。然而,我们的后端处理的实际工作更好,如果我们看到你的软件,因为它的自然分布。我将概述一些方法来提高你的下面的软件我们的云的印象:
•使用由微软认可的方法进行数字签名的软件。这是获得良好口碑的云,因为一个好的文件的信誉可以分布到由相同的密钥签名的所有文件的最快方式。
•一旦数字签名的软件,小心恶意软件是不是也用你的密钥签名。这将导致没有任何良好的口碑。你可以帮助避免这种情况:


◦Making一定要保护你的密钥被窃取恶意软件作者。
◦Ensuring您的开发过程中防止寄生文件感染病毒被无意中密钥签名。
◦Reading更多关于签署软件的最佳实践。



•如果您无法数字签名的软件,要知道,你的产品的每个小版本将不得不从头开始建立声誉。这会影响厂商谁提供的每一个下载不同的文件。这并不意味着你不能让错误修复版本,不同的语言,等等。
•确保您的软件没有安装恶意软件:
◦Take注意避免安全漏洞。即使你不打算安装恶意软件,安全漏洞可能被检测为您的产品上安装恶意软件。
◦If你下载的可执行文件从互联网上,有你的软件来检查数字签名或加密哈希,以确保它具有您预期它来下载正确的文件。我们已经看到了一个案例,其中一个受欢迎的安装程序有一些网址散播恶意软件,我们必须检测每个人的安装,以防它被下载的恶意软件URL之一。

•确保您的软件不会被安装恶意软件:
◦Proactively检查您的分支机构和谁捆绑的软件公司。
◦Fill了元数据信息,如有关作者和公司的文件资源中的信息。如果和数字签名是不够的,考虑添加联系人信息,或指向找到联系信息在网络上。此联系人的信息应该直接到正确的接触报告的安全漏洞,或工作,以修复或防止不正确的检测。

•如果您使用的是运行时包装商或混淆,你需要知道,大多数恶意软件的包装或混淆了,这确实会影响你的软件被认为是在后端。
•考虑一下你的软件被认为是和无论是安装在用户谁真正想要的机器。我们的mi-guan,网络爬虫和自动软件测试。我们可以看看用户是否选择了继续的节目是不常用下载的警告后下载。我们还可以看到用户是否选择忽略或删除软件,如果我们的反恶意软件检测到它。不良行为可以迅速毁掉一个良好的软件信誉。
•有一些行为,虽然并不足以支持自己的检测,做到吸引人类和自动化系统的怀疑。它们可以用于正当的理由,但往往与恶意软件的行为有关。这包括:
对于软件的类型的普遍接受的文件夹以外◦Installing。
◦Modifying或添加一个敏感的注册表项。
◦Process或线程注入。
◦Autonomous互联网活动。


如果您认为我们已经取得了不正确的检测你的产品,你可以提交一个开发者的联系表格。制作一个细微的变化,将其推到您的软件并不一定会解决应用到您使用的是不正确的检测到文件的代码签名密钥的任何不正确的坏名声。我们的云保护可能也注意到,它仍然被认为正确检测为恶意软件的文件,而新版本之间的相似性。

评分

参与人数 1人气 +3 收起 理由
HEMM + 3 3kiss

查看全部评分

HEMM
发表于 2014-9-23 19:06:45 | 显示全部楼层
本帖最后由 HEMM 于 2014-9-23 19:09 编辑

网络不好就只有愁的份~特征库都很难更新,别说云带来的安全体验了
= =我把必应输入法都卸载了,偶素X版用户还提交了反馈.......
明月丶舞白衣
发表于 2014-9-23 19:13:18 | 显示全部楼层
网络不好就只有愁的份~特征库都很难更新,别说云带来的安全体验了
驭龙
 楼主| 发表于 2014-9-23 19:17:16 | 显示全部楼层
HEMM 发表于 2014-9-23 19:06
网络不好就只有愁的份~特征库都很难更新,别说云带来的安全体验了
= =我把必应输入法都卸载了,偶素X版用 ...

已经不错了,起码MA还有强健的本地特征库,瞧瞧隔壁的NS 22,一旦网络不畅通,就基本上废了一大半
mfj0613
发表于 2014-9-23 19:17:42 | 显示全部楼层
是微软的云查杀吗?
HEMM
发表于 2014-9-23 19:24:33 | 显示全部楼层
驭龙 发表于 2014-9-23 19:17
已经不错了,起码MA还有强健的本地特征库,瞧瞧隔壁的NS 22,一旦网络不畅通,就基本上废了一大半

别忘记我还素X版啊,有BUG~报错报错还是报错~双双叠加我就只有崩了~
wudiwusuowei
头像被屏蔽
发表于 2014-9-23 19:30:11 | 显示全部楼层
驭龙 发表于 2014-9-23 19:17
已经不错了,起码MA还有强健的本地特征库,瞧瞧隔壁的NS 22,一旦网络不畅通,就基本上废了一大半

我想问下win8.1下的WD没有右键扫描,会不会影响安全性,毕竟有的东西感觉还是有右键扫描一下感觉放心点。
驭龙
 楼主| 发表于 2014-9-23 19:32:59 | 显示全部楼层
wudiwusuowei 发表于 2014-9-23 19:30
我想问下win8.1下的WD没有右键扫描,会不会影响安全性,毕竟有的东西感觉还是有右键扫描一下感觉放心点。

不会有安全影响,WD的监控还可以的
wudiwusuowei
头像被屏蔽
发表于 2014-9-23 19:39:05 | 显示全部楼层
驭龙 发表于 2014-9-23 19:17
已经不错了,起码MA还有强健的本地特征库,瞧瞧隔壁的NS 22,一旦网络不畅通,就基本上废了一大半

诺顿2015完全变成一款云杀软了?如果没有联网的话,那防护力度会不会大大下降?
诺顿不是有sonar吗?断网下的能力如何?
ELOHIM
发表于 2014-9-23 19:51:16 | 显示全部楼层
HEMM 发表于 2014-9-23 19:24
别忘记我还素X版啊,有BUG~报错报错还是报错~双双叠加我就只有崩了~

MM ,你是什么系统的盗版?
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-1-27 22:07 , Processed in 0.128582 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表