This post was last edited by 欧阳宣 on 2015-11-24 13:50.
3. More about DeepGuard
Put simply, DeepGuard observes an application’s behavior and prevents any potentially harmful action from successfully completing. The apparently simple nature of this task belies its importance however, as this proactive, on-the-fly monitoring and interception serves as the final and most critical line of defense against new threats, even those targeting previously unknown vulnerabilities.
Put simply, DG observes a program's behavior and prevents any potentially harmful action from taking place. The task itself sounds quite natural, but as a proactive, real-time monitoring technique, and as the last checkpoint in the whole system against new, unknown threats, its importance is self-evident.
Behavior-based analysis addresses the Achilles’ heel of signature-based scanning: the need for analysts to have an actual sample of the malware in order to create the signature to identify it. Given the huge numbers of malware constantly being created and distributed, new threats will often be able to successfully infect at least one victim in the wild before most antivirus labs are able to acquire a sample, analyze it and issue a detection.
Behavior-based analysis mainly makes up for the Achilles' heel of signature detection: an analyst needs the sample itself in order to write a targeted signature. Given that huge numbers of samples are produced and distributed every day, each new sample is usually lucky enough to infect one or two users before it is captured, and only then is it analyzed and the corresponding detection released.
Behavior-based detection covers that crucial gap between the first appearance of new malware and the first signature detection being issued for the threat. By moving the focus from unique physical characteristics to patterns of malicious behavior, DeepGuard can identify and block programs performing harmful actions, even before an actual sample has been acquired and examined.
Behavior detection mainly closes the critical time gap between a new virus appearing and its first detection by the signature database. By shifting attention to detecting the characteristics of malicious behavior, DeepGuard can identify and block a program's harmful actions, even before the corresponding sample has been obtained and analyzed.
For example, out of all Zeus crimeware infection attempts reported in April 2013, 80% involved previously unseen variants. In those cases, DeepGuard successfully prevented infection by recognizing the file’s malicious behavior and blocking the attack. Subsequently, signature databases were updated to identify these samples, but for users facing new threats, DeepGuard’s proactive analysis provides immediate protection against infection.
For example, of all the confirmed Zeus-family attacks in April 2013, 80% of the samples had never been seen before. In those cases, DG successfully prevented infection by recognizing the malicious behavior and blocking the attack. The signature database was subsequently updated to add detection for these samples, but for the user, DG's forward-looking analysis provided protection in advance.
In 2011, an entirely rewritten DeepGuard engine was introduced that included (among numerous other improvements) a switch from using hard-coded scanning logic to an updateable detections database. Response Labs analysts constantly monitor the threat landscape and analyze the latest threats in order to determine the best way to identify malicious behavior. Being able to update the scanning engine with the results of this research keeps DeepGuard consistently effective against the latest threats.
In 2011, DG's engine was completely rewritten, moving from the original hard-coded detection logic to a constantly updated detection database. Response Labs analysts continuously watch threat trends and analyze the latest samples, and decide on the best way to detect malicious program behavior. The result of this research is that the scanning engine's content is continuously updated, so that its effectiveness against the latest threats is sustained.
Given the short-lived nature of most malware variants, signature detections tend to have narrow windows of effectiveness before the malware they detect ‘expires’. In contrast, DeepGuard detections can effectively identify malware over a much longer time period, as malware behavior is much less mutable. For example, on 12 July 2012, DeepGuard was updated with one new detection, while the signature database received 600 new additions. Nine months on in March 2013, tests run using the same database set against a random collection of more recent malicious samples showed the DeepGuard detection blocking 12 times more infections of the newer malware than the ‘aged’ set of signature detections.
Most virus variants today do not last long, and signature detection generally hopes to achieve sufficient detection efficiency before such samples expire. DG, by contrast, can keep detecting malware for a considerable time, because malware behavior rarely changes much. For example, on 12 June 2012, DG was updated with one new detection definition while the signature database was updated with 600. Nine months later, in July 2013, the same old databases were used against the newest prevalent samples of the time, and the result showed that DG, even without updates, detected 12 times more of the prevalent samples than the un-updated signature database.
The proactiveness and longevity of DeepGuard detections is illustrated in Chart 2 (above), which is based on detection statistics from F-Secure’s internal systems for Urausy ransomware variants. The DeepGuard detection was able to identify variants (and therefore block attempted infections) earlier and continued to do so for longer, while the equivalent signature detection peaked and then declined rapidly, as newer Urausy variants appeared. (The reason for the signature detection’s higher peak is due to it being a previous defense layer to DeepGuard. Had those signature detections been missed, it would have been DeepGuard with the high peak.)
The forward-looking nature and persistence of DG detections are fully shown in the chart above, which is based on F-Secure's internal detection statistics for the Urausy ransomware family. DG was able to detect variants of the samples early and continuously and block their malicious behavior, while the corresponding signature detection first rose sharply and then fell sharply once new variants appeared. (The reason the signature detection rate spikes each time is that it is a layer earlier than DG in the defense system; whenever those signatures stop working, DG's detection rate rises.)
DeepGuard’s updateable detection logic is especially useful in countering attacks that exploit vulnerabilities in installed programs in order to run malware on a machine. In such cases, the dropped malware itself can be spotted and blocked by signature or behavior-based scanning. To halt the attack at an even earlier stage however - that is, at the point of exploitation - Response Labs analysts examine the exploit mechanism for tell-tale actions or behavior patterns, and then incorporate the research results into DeepGuard’s scanning engine. It is then able to pinpoint and block suspicious actions that bear the hallmarks of a vulnerability exploit attempt, preventing malware from being dropped on the machine at all.
DG's updateable detection mechanism is especially effective against vulnerability-based attacks. In such cases, the dropped malware will be killed by the signature database or blocked by behavioral analysis. But to go a step further in stopping this kind of attack, for instance at the moment the vulnerability is first exploited, response analysts need to analyze the form and characteristics of the exploit, then incorporate the research results into DG's scanning engine. DG can then pick out and block actions that match the exploit criteria, and at the same time stop the payload from being dropped onto the machine.
By taking into account characteristic exploitation mechanisms as well as the features and behavior of malware being dropped on the system, DeepGuard can effectively identify and block threats on the fly, even when faced with totally new malware targeting zero-day vulnerabilities.
By taking into account the mechanisms of exploits with fixed characteristics and the way malware is dropped, DG can identify and block threats in real time, even when faced with completely new threats targeting zero-day vulnerabilities.
4. How DeepGuard works
DeepGuard’s behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running.
DG's behavioral analysis is triggered in two ways. When a program is launched for the first time, DG starts analyzing it to decide whether it is safe. DG also keeps monitoring the program continuously while it runs.
4.1 Pre-launch analysis
When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:
When a program runs for the first time, however it is launched (run directly, via an e-mail attachment, or called by another program), DG suspends its execution and performs the following checks:
File reputation check
If an Internet connection is available, DeepGuard sends a query to the Security Cloud (see page 4) to check for the latest information on the program’s reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by Response Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.
If a network connection is available, DG sends a request to the Security Cloud to look up the program's reputation information in the whitelist database. The database contains the latest security evaluations for a vast catalog of common software, and is maintained by analysts all along. Programs classified as clean are allowed to skip the other checks and launch immediately, while known dangerous files are blocked.
For the user, the clean file cloud lookup functionality offers a number of advantages. Being able to use the security verdict for a known file from the clean file database not only removes the burden of identifying unknown or unfamiliar programs as legitimate or malicious from the user, it also means unnecessary security checks on clean files can be avoided. At the same time, by reducing to a manageable level the volume of software that needs to be individually evaluated, the ability to still white- or black-list selected programs becomes more meaningful. And finally, even when the product’s signature databases are outdated or rarely updated, DeepGuard can still use the most up-to-date file reputation information to fine-tune its analysis.
For the user, the clean-file lookup has many benefits. By comparing against the database of known clean files, the user no longer needs to identify unknown or unfamiliar programs themselves, and the security checks that clean files do not need are also skipped. At the same time, since the number of programs that must be judged individually is reduced to a reasonable range, whitelisting or blacklisting a program also becomes more meaningful. And finally, even when the signature database is not the latest or is rarely updated, DG can still use the latest file reputation database to adjust its analysis of a program.
Behavioral analysis
If the program is flagged as suspicious during the file reputation check, or if Internet access is unavailable, DeepGuard executes it in a virtual environment and observes its behavior for malicious actions, such as attempting to self-replicate, edit or delete critical system files, and so on.
If the program is judged suspicious by the file reputation check, or the network is unavailable, DG runs the program in a virtual environment and observes whether it shows malicious behavior, such as attempting to replicate itself, or editing or deleting critical system files.
Response Labs analysts continually research and update DeepGuard’s scanning logic with detections for the most effective behavior patterns needed to spot malware. These detections may identify specific malware families (which typically share similar features or behavior) or they may more generally identify suspect actions, such as attempting to hide from process enumeration programs, which are indicative of malicious intent. The analyst’s ability to tweak DeepGuard’s engine in this manner permits an element of human discretion and flexibility, to provide a more fine-grained and ultimately more accurate analysis.
Response Labs analysts are constantly researching and updating DG's scanning logic, making sure DG contains the most efficient detections for malware. These detections can identify specific virus families (which usually share similar characteristics or behavior), or identify broader malicious behavior, such as evading process enumeration software, which is a common sign of malicious intent. The analysts keep tuning DG's engine so that it achieves the meticulousness and adaptability of a human analyst, providing a more complete and precise analysis.
Prevalence rate check
DeepGuard includes a module that focuses on a file’s prevalence rate. Clean files typically have thousands or millions of users, making them highly prevalent. In contrast, malware samples are comparatively rare. According to statistics generated from F-Secure’s internal systems monitoring known threats, in a random sample of malicious programs found in the first four months of 2013, 99.7% of the threats were rarely seen in our user base. Rare or new files are automatically considered more suspect and subjected to greater scrutiny during the subsequent process monitoring stage.
DG also includes a module that checks a file's prevalence rate. Clean files usually have a large number of users, which makes their prevalence very high. Malicious samples are the opposite and appear rare. According to F-Secure's statistics from monitoring known threats, among random malicious samples from the first four months of 2013, 99.7% of the threats were rarely seen among our users. Rare or new files are automatically treated as more suspicious and receive greater attention during the subsequent process monitoring.
Judgement on execution
Based on the file’s reputation and behavior during emulation, DeepGuard makes one of four possible judgements:
Based on the file's reputation and the result of emulated execution, DG makes one of the following four judgements:
a) The file is malicious and blocked
b) The user is given the option to allow or deny the launch
c) The file is clean and allowed to execute
d) The file’s status as clean or malicious is still unknown
If the file is blocked from launching, a notification message is displayed (see Image 1, previous page) providing additional details and an option to whitelist the program, if so desired.
If a program is blocked from running, a notification is displayed. The notification gives details of the blocking action and an option to add the program to the whitelist.
If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.
If the file's status is still unknown, DG allows the file to run but keeps monitoring the process during the subsequent execution.
4.2 During application execution
Even after a program has successfully passed pre-launch analysis and is executed, DeepGuard continues to monitor its behavior as a precaution against delayed malicious routines, a common tactic used by malware to circumvent runtime checks. This form of quiet vigilance also allows DeepGuard to provide constant protection for the user without visibly intruding on their experience by displaying excessive prompts.
Even if a program gets through pre-launch analysis and starts running, DG continues to check its behavior, to guard against the delayed tactics often used by malware. This quiet but vigilant approach also lets DG ensure continuous protection without disturbing the user experience with excessive pop-ups.
Process monitoring
Applications are monitored for a number of suspicious actions, including (but not limited to):
Process monitoring watches for suspicious behavior including, but not limited to, the following:
• Modifying the Windows registry
• Editing files in certain critical system directories
• Injecting code in another process’s space
• Attempting to hide processes or replicate themselves
As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.
Since safe programs also perform such operations repeatedly, DG does not raise an alarm on a program based on a single action. Only once suspicious activity exceeds a critical threshold does DG stop the program from continuing.
If available, file reputation and prevalence rating information from the Security Cloud is taken into account to determine this critical threshold. For example, DeepGuard treats files with a low-prevalence rating more aggressively by lowering the critical threshold of suspicious actions that can be performed before the file is blocked.
If possible, the results of the file reputation and prevalence checks are both factored into determining this critical threshold. For example, for a file with low prevalence, DG lowers the threshold before blocking it.
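As an added illustration of the two stages described in 4.1 and 4.2 (this is example code, not F-Secure's engine), the model below gives a pre-launch verdict from a cloud reputation lookup and then counts suspicious actions at runtime, with the blocking threshold lowered for low-prevalence files. The reputation table, action names and threshold values are all constructed assumptions.

```python
# Added example, not F-Secure's code: a toy model of the two DeepGuard stages
# described above. Names, thresholds and sample data are all assumptions.

# Constructed stand-in for the Security Cloud: verdict and prevalence (user count).
CLOUD_REPUTATION = {
    "notepad.exe": ("clean", 1_000_000),
    "dropper.exe": ("malicious", 3),
    "newtool.exe": ("unknown", 2),        # rare: gets a lower runtime threshold
    "updater.exe": ("unknown", 50_000),   # common but unrated: normal threshold
}

# Action classes the post lists as suspicious during process monitoring.
SUSPICIOUS_ACTIONS = {
    "registry_write", "system_dir_write", "code_injection",
    "process_hide", "self_replicate",
}
BASE_THRESHOLD = 3      # suspicious actions tolerated before blocking (assumed)
LOW_PREVALENCE = 100    # below this many users a file counts as rare (assumed)


def lookup(name):
    """Cloud verdict and prevalence; files never seen are unknown and rare."""
    return CLOUD_REPUTATION.get(name, ("unknown", 0))


def prelaunch_verdict(name, online=True):
    """Pre-launch stage: 'allow' known-clean, 'block' known-bad, else 'monitor'.
    Without Internet access there is no reputation verdict, so monitoring is
    the only option."""
    if not online:
        return "monitor"
    verdict, _ = lookup(name)
    return {"clean": "allow", "malicious": "block"}.get(verdict, "monitor")


def critical_threshold(name):
    """Low-prevalence files are treated more aggressively: lower threshold."""
    _, prevalence = lookup(name)
    return BASE_THRESHOLD - 1 if prevalence < LOW_PREVALENCE else BASE_THRESHOLD


def monitor_process(name, actions):
    """Runtime stage: count suspicious actions over the whole trace (so a
    delayed malicious routine is still caught) and block at the threshold.
    Returns (decision, suspicious_count, threshold)."""
    threshold = critical_threshold(name)
    count = 0
    for action in actions:
        if action in SUSPICIOUS_ACTIONS:
            count += 1
            if count >= threshold:
                return ("block", count, threshold)
    return ("allow", count, threshold)
```

With the same two-action trace, the common unrated file is allowed while the rare one is blocked, which is the prevalence-adjusted threshold the text describes.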