[Software] Decoding the newest feature of the Microsoft AntiMalware platform [the legendary real-time network behavior monitoring feature]

驭龙
Posted on 2013-6-25 16:55:44
This post was last edited by 驭龙 on 2013-9-28 11:57

So, the legendary real-time network behavior monitoring feature is a new feature built on top of the Network Inspection System (NIS) and Behavior Monitoring (BM) features: network real-time inspection (NRI). For the details, see the official introduction below.

PS: I'm downloading and extracting the client right now; everyone can wait for the good news in the Overseas section.

Behavior Monitoring, spotting suspicious malware since 2010

Behavior Monitoring (BM) has been a vital part of finding new malware through our telemetry and sample collection processes since 2010. It’s also a protection feature, which I’ll discuss below. Our recent antimalware platform update has introduced network real-time inspection (NRI) to BM, giving much-needed network behavior coverage. NRI uses the same components as another feature in the platform, Network Inspection System (NIS), but does so in a significantly different way.

Introducing network real-time inspection, this is not your Father's NIS!

NRI works as another BM sensor, working in concert with file, process, registry, boot record, and other events to detect suspicious activity. BM triggers both telemetry and sample submissions on suspicious files for us to analyze. This threat intelligence results in a better protected ecosystem for our users. While BM itself does not actively block, its telemetry can trigger real-time signatures from the Microsoft Antimalware Protection Service (MAPS) backend, delivered to the client, resulting in a removal of the threat. NRI has a low impact on system resources: instead of holding the connection and blocking, NRI makes a copy of the packet as it crosses the network and performs an asynchronous inspection. We’ve put this feature through rigorous scrutiny in our own labs, looking at network throughput and latency as well as CPU and memory utilization. This feature has already shipped in Microsoft Security Essentials in the October 2012 update, and is running on over 100 million machines. The results show that network inspection technology is suitable for a very wide range of machines, running a broad array of applications and services, without adversely affecting their performance.

Network Inspection System, stopping zero-day exploits in their tracks

NIS is our zero-day vulnerability shielding feature that can block network traffic matching known exploits against unpatched vulnerabilities. As you might imagine, this synchronous inspection carries a higher cost. Since network traffic must be held and analyzed for these exploits, it introduces latency, reduces throughput, and consumes additional memory and CPU cycles. NIS is not suitable for machines in high network intensive server roles such as IIS, Exchange, and SQL. Because of this, we provide a configuration option for administrators to adjust when the level of protection may be outweighed by the performance cost. By default, all server policies in our managed products have NIS disabled.

When a new zero-day unpatched vulnerability is widely found that affects Microsoft products, we can release a NIS signature to block that exploit on any machine with NIS enabled. This activates NIS to do synchronous inspection. After the vulnerability is patched, we can de-activate the signature, which ensures deterministic exploit coverage and performance control without leaving administrators and users wondering whether they are protected.

What does all this mean, how do I configure these features?

If you read this far, good for you! I promise to wrap up soon. Some of our customers have used an activated NIS service (nissvc.exe) as an indicator of unpatched vulnerabilities. Because NRI relies on the NIS service, it is now expected behavior to always observe it running, and it’s no longer a sign that something is unpatched. A running NIS service means that NIS has an active zero-day signature loaded (rare), or NRI BM has an active signature targeting suspicious activities at the network layer (common). At the time of this posting, there are 24 active NRI BM signatures and no active NIS zero-day signatures. Any machine with BM enabled should see the NIS service running.

By providing two distinct configuration features, we hope all machines will have NRI enabled, while still providing the option to enable NIS according to your performance requirements.
• Disable Network Inspection System – this will prevent all zero-day vulnerability shielding signatures from loading on the machine
• Disable Behavior Monitoring – this will prevent all NRI BM signatures from being loaded on the machine



Bing machine translation: [the OP's Chinese machine translation of the English text above; it repeats the same content and is not reproduced here]
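An added example, not code from the post or from Microsoft: it reads the two toggles the post describes (NIS and Behavior Monitoring) and the state of the NIS service they both rely on, so that a running service is interpreted the way the post says it should be. It assumes a Defender-based platform exposing the Defender cmdlets (Windows 8 and later); the property names and the service name NisSrv are assumptions for that later platform, not details from the 2013 post.

```powershell
# Added example, not code from the post or from Microsoft. Assumes a Defender-based
# platform that exposes the Defender cmdlets (Windows 8 and later); the post itself
# discusses the 2013 MSE/SCEP update, so the property names here are an assumption.
function Get-NetworkInspectionState {
    $pref = Get-MpPreference
    # The NIS service name is assumed to be 'NisSrv'; the post refers to nissvc.exe.
    $svc  = Get-Service -Name NisSrv -ErrorAction SilentlyContinue

    $nisOn = -not $pref.DisableIntrusionPreventionSystem  # NIS: synchronous zero-day shielding
    $bmOn  = -not $pref.DisableBehaviorMonitoring         # BM: async sensors, including NRI

    [pscustomobject]@{
        NisEnabled         = $nisOn
        BehaviorMonitoring = $bmOn
        NisServiceStatus   = $(if ($svc) { $svc.Status.ToString() } else { 'NotFound' })
        # Per the post, a running service is expected whenever BM (NRI) or NIS is on,
        # so on its own it is not evidence that an unpatched vulnerability is being shielded.
        ServiceRunExpected = ($bmOn -or $nisOn)
    }
}

# The split the post recommends for network-intensive server roles (IIS, Exchange, SQL):
# keep BM/NRI telemetry, turn off synchronous NIS. Requires an elevated prompt.
function Set-ServerRoleInspection {
    Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableBehaviorMonitoring $false
}

Get-NetworkInspectionState | Format-List
```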


bluewormlee
Posted on 2013-6-25 19:10:23
Waiting for Win X
烟花雨
Posted on 2013-6-25 19:33:29
This is not your father's NIS
It's your nis
驭龙
(OP) Posted on 2013-6-25 19:35:04
烟花雨 posted on 2013-6-25 19:33
This is not your father's NIS
It's your nis

Nothing to be done, machine translation is always like this; it's too long and I really don't want to translate it by hand, haha
烟花雨
Posted on 2013-6-25 19:38:44
驭龙 posted on 2013-6-25 19:35
Nothing to be done, machine translation is always like this; it's too long and I really don't want to translate it by hand, haha

Uh, the great Google's translation:
Introducing network real-time detection, this is-or-isn't your father'NIS!
驭龙
(OP) Posted on 2013-6-25 19:42:46
烟花雨 posted on 2013-6-25 19:38
Uh, the great Google's translation:
Introducing network real-time detection, this is-or-isn't your father'NIS!

In my experience Google is sometimes worse than Bing; Bing only gets individual sentences wrong, unlike Google, where the meaning is completely off.
飞霜流华
Posted on 2013-6-26 01:49:23
Read it carefully; it seems to use BM to detect behavior but does not block. Instead it checks against the cloud to trigger a dynamic signature, and then removes the threat. I'd call it a feature enhancement.

Machine translation is truly... unbearable to look at
LLJ杰
Posted on 2013-6-26 02:58:02
The OP is already an honorary member of the planning group...
驭龙
(OP) Posted on 2013-6-26 07:31:06
飞霜流华 posted on 2013-6-26 01:49
Read it carefully; it seems to use BM to detect behavior but does not block. Instead it checks against the cloud to trigger a dynamic signature, and then removes the threat. I'd call it ...

Yeah, it really still isn't blocking. It looks like the kind of coordination Norton has: just an NRI added between BM and NIS so they work together. I'm a little disappointed by this, ha