关于R100之后版本的监控体系

显示全部楼层 · 发表于 2023-5-17 22:38:36

本帖最后由 hansyu 于 2023-5-26 20:50 编辑

众所周知，咖啡的监控相较于友商是比较特立独行的，不用传统的实时读写扫描，而是执行时扫描。
本文是在此基础上更加深入的介绍即将推出新版的监控机制。希望能够解答部分用户关于咖啡监控的一些疑问。

另外，关于新版咖啡的neo引擎，原来库的名字叫yara。在一次搜索有关msi文件结构时发现一个名为yara-scanner的开源项目，
是VT（VirusTotal）开发的用来检测恶意软件的工具，有兴趣的可以看看。咖啡的这个neo引擎应该就是这个。
GitHub - VirusTotal/yara: The pattern matching swiss knife

根据在样本区的测试和日志，以及dll的内的字符串，目前可以知道咖啡监控分为下面几类，日志里称为sensor。
1、section execute
最主要的监控方式，即执行时扫描。执行或加载任何PE文件时都会扫描，文件扩展名并不影响监控判断PE文件。
此外，扩展名为BAT的批处理文件被分在此类，执行监控可以直接阻止已入库的BAT脚本文件运行。
2、process create
这个目前从测试样本观察的结果来看，是RealProtect的命令行规则检测，主要用来检查使用可疑命令行调用安全的系统应用。
3、IAntiMalware
通常所说的AMSI，使用Windows提供的AMSI接口扫描vbs、js脚本及其他文档。最常见是浏览器（edge、chrome）下载文件完成时以及使用系统自带解压器解压zip压缩包会使用AMSI接口扫描。
4、IOfficeAntivirus
使用微软office反病毒接口扫描word文档和其他office文档。
5、interpreter scan
运行msi文件时会触发这个，咖啡不会阻止带毒msi初始化，但是会检查msi在初始化过程中释放或者执行的文件。比如双击magniber的msi，咖啡不会干涉初始化，但是会在msiexec.exe释放带毒dll并加载的时候阻止。
6、RealProtect Dynamic
云主防

以上是在测试样本区样本中可以看到发挥作用的监控机制。从dll字符串来看还有一些并没见过，如下图中黑框框出来的。

RealProtect一些内置的命令行检测规则

显示全部楼层 · 发表于 2023-5-18 01:38:53

强啊，虽说看不太懂

显示全部楼层 · 发表于 2023-5-18 17:16:56

新架构很轻巧了，要是能把实时监控加回来就好了

显示全部楼层 · 发表于 2023-5-18 18:17:30

刚刚重新装上，是107，更新不上108，另外一台是108.
装上后安装kart华为汉化那个，报毒隔离了，关监控后安装并重启，再次进入kart文件夹（未双击kart），发现咖啡再次隔离了kart，并且同时隔离了另外一个b站大佬破解的华为助手安装文件夹下一个dll文件，进目录查看应该是破解的这个文件，就有点迷惑了，难道咖啡新版的实时监控回来了？
后来仔细想了下，应该是这个dll文件是被加载的，所以会被扫，至于未运行kart为啥会被隔离（再次重复进入文件夹并刷新发现不会重现），估计与同时安装的kart有关，也就是说kart在扫描这个文件，可能被读的时候咖啡也介入扫描了，那么也就是说咖啡虽然是执行监控，但是貌似还是有一定的读写监控能力

显示全部楼层 · 发表于 2023-5-18 18:43:11

ikochina1 发表于 2023-5-18 18:17
刚刚重新装上，是107，更新不上108，另外一台是108.
装上后安装kart华为汉化那个，报毒隔离了，关监控后安 ...

你看一下detection.log就知道哪个sensor杀的了。

显示全部楼层 · 发表于 2023-5-18 18:49:10

本帖最后由 ikochina1 于 2023-5-18 19:03 编辑

hansyu 发表于 2023-5-18 18:43
你看一下detection.log就知道哪个sensor杀的了。

找到日志看了下，全是sensor报的啊，包括扫描时报的也是这个报法

{"timestamp":"2023-05-18T09:50:52.378Z","target_name":"\\\\?\\D:\\常用软件\\杀毒软件\\KART_for_Business_6.2.0.135 cn.exe","initiator_name":"\\\\?\\C:\\Windows\\explorer.exe","sensor":"section execute","target_hash":"ebebd46e1dc28cfe3db9f002180c54fcc802c7aa","target_url":"","detection_name":"GenericRXTO-OP!56F062642096","final_result":"infection quarantined","all":[{"final_detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":1,"url_rep":0}]}

{"timestamp":"2023-05-18T10:01:30.435Z","target_name":"\\\\?\\D:\\常用软件\\杀毒软件\\KART_for_Home_6.2.0.135 cn.exe","initiator_name":"\\\\?\\C:\\Windows\\explorer.exe","sensor":"section execute","target_hash":"c9e655328cb7a3f2b27198a36081b9ba01ac5c5e","target_url":"","detection_name":"ti!2F8C1C8B9C1A","final_result":"infection quarantined","all":[{"final_detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":50,"url_rep":0}]}

{"timestamp":"2023-05-18T10:01:42.435Z","target_name":"\\\\?\\D:\\常用软件\\杀毒软件\\KART_for_Business_6.2.0.135 cn.exe","initiator_name":"\\\\?\\C:\\Windows\\explorer.exe","sensor":"section execute","target_hash":"ebebd46e1dc28cfe3db9f002180c54fcc802c7aa","target_url":"","detection_name":"GenericRXTO-OP!56F062642096","final_result":"infection quarantined","all":[{"final_detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":1,"url_rep":0}]}

{"timestamp":"2023-05-18T10:02:09.109Z","target_name":"\\\\?\\C:\\Program Files\\Huawei\\PCManager\\huawei_secure_c.dll","initiator_name":"\\\\?\\C:\\Windows\\explorer.exe","sensor":"section execute","target_hash":"db327c714fdf5ae051c1e2908fb62d2fcbb68a5b","target_url":"","detection_name":"hti!4bccab38","final_result":"unable to quarantine","all":[{"final_detection_source":"hti","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":8,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"rp-s","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":50,"url_rep":0}]}

{"timestamp":"2023-05-18T10:02:10.237Z","target_name":"\\\\?\\D:\\常用软件\\杀毒软件\\KART_for_Business_6.2.0.135 cn.exe","initiator_name":"","sensor":"ods","target_hash":"ebebd46e1dc28cfe3db9f002180c54fcc802c7aa","target_url":"","scan_id":"{B80BEA1D-AD16-4C10-84DF-663C7A91E1B8}","detection_name":"GenericRXTO-OP!56F062642096","final_result":"infection quarantined","all":[{"final_detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":1,"url_rep":0}]}

{"timestamp":"2023-05-18T10:02:13.078Z","target_name":"\\\\?\\D:\\常用软件\\杀毒软件\\KART_for_Home_6.2.0.135 cn.exe","initiator_name":"","sensor":"ods","target_hash":"c9e655328cb7a3f2b27198a36081b9ba01ac5c5e","target_url":"","scan_id":"{B80BEA1D-AD16-4C10-84DF-663C7A91E1B8}","detection_name":"GenericRXTO-OP!914544C4B014","final_result":"infection quarantined","all":[{"final_detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":1,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":50,"url_rep":0}]}

{"timestamp":"2023-05-18T10:07:14.730Z","target_name":"\\\\?\\D:\\电子教材.exe","initiator_name":"","sensor":"ods","target_hash":"c2ffb6d2c3a11f89abdfaed1cda88e329266f326","target_url":"","scan_id":"67ec3f83-0760-4556-bf73-03edb19965eb","detection_name":"hti!3cffbd90","final_result":"infection quarantined","all":[{"final_detection_source":"hti","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":8,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"rp-s","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":50,"url_rep":0}]}

{"timestamp":"2023-05-18T10:07:14.747Z","target_name":"\\\\?\\D:\\学思教师用书专用平台-黄冈360试卷.exe","initiator_name":"","sensor":"ods","target_hash":"13e5fabac6d8317119b59b4036be5c18c2206256","target_url":"","scan_id":"67ec3f83-0760-4556-bf73-03edb19965eb","detection_name":"ti!54CEC8C07417","final_result":"infection quarantined","all":[{"final_detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":50,"url_rep":0}]}

{"timestamp":"2023-05-18T10:07:14.797Z","target_name":"\\\\?\\D:\\学思试卷下载1.2.exe","initiator_name":"","sensor":"ods","target_hash":"1394cf8d13f0a3d05671eeb63df7762e9767ca65","target_url":"","scan_id":"67ec3f83-0760-4556-bf73-03edb19965eb","detection_name":"Real Protect-LS!b1982aa6b926","final_result":"infection quarantined","all":[{"final_detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":4,"jcm_rep":50,"url_rep":0},{"detection_source":"rp-s","file_rep":4,"jcm_rep":1,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":1,"url_rep":0}]}

{"timestamp":"2023-05-18T10:42:20.037Z","target_name":"\\\\?\\C:\\Program Files\\Huawei\\Hiview\\huawei_secure_c.dll","initiator_name":"\\\\?\\C:\\Program Files\\Huawei\\Hiview\\HiviewService.exe","sensor":"section execute","target_hash":"db327c714fdf5ae051c1e2908fb62d2fcbb68a5b","target_url":"","detection_name":"hti!4bccab38","final_result":"infection quarantined","all":[{"final_detection_source":"hti","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"cache","file_rep":0,"jcm_rep":0,"url_rep":0},{"detection_source":"signature","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"trust-dat","file_rep":8,"jcm_rep":50,"url_rep":0},{"detection_source":"hti","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"rp-s","file_rep":8,"jcm_rep":1,"url_rep":0},{"detection_source":"av","file_rep":0,"jcm_rep":50,"url_rep":0},{"detection_source":"neo","file_rep":0,"jcm_rep":50,"url_rep":0}]}

显示全部楼层 · 发表于 2023-5-18 19:19:32

ikochina1 发表于 2023-5-18 18:49
找到日志看了下，全是sensor报的啊，包括扫描时报的也是这个报法

kart除了一个手动扫描报的，其他都是执行扫描杀的呀。

显示全部楼层 · 发表于 2023-5-18 19:26:11

hansyu 发表于 2023-5-18 19:19
kart除了一个手动扫描报的，其他都是执行扫描杀的呀。

奇怪了，只执行安装了一次啊

显示全部楼层 · 发表于 2023-5-19 19:03:49

108也快一个月了，不知道啥时候109

显示全部楼层 · 发表于 2023-5-19 21:06:23

本帖最后由 hansyu 于 2023-5-19 21:07 编辑

真小读者发表于 2023-5-19 19:03
108也快一个月了，不知道啥时候109

有篇介绍R109的新功能文档已经上线，R109的arm安装包也上线了（猜地址大法版本号1.9.112，但尚未能从改arm方式获得，所以应该安装不出R109），但估计最快下周就能看到R109。

[讨论] 关于R100之后版本的监控体系

本帖子中包含更多资源

评分

评分