Views: 4853 | Replies: 7

About F-Secure's DeepGuard (HIPS)

andyangela
Posted on 2007-6-21 16:32:22
I came across this article by chance. It is about F-Secure's DeepGuard, i.e. the HIPS behind System Control; take a look if you are interested. I believe that after reading it you will understand F-Secure's HIPS better, heh!

Closing the ring of fire

Host-based Intrusion Prevention System, or HIPS as it is known, is a relatively new weapon in F-Secure's toolbox against malware intrusion. HIPS is a behaviour blocker, effectively acting as a firewall between the operating system and applications. So if an application gets through the other defenses and tries to do something potentially harmful to a computer, HIPS will react and isolate the problem.
Aside from its industry acronym, F-Secure has named its own HIPS concept F-Secure DeepGuard™. In F-Secure Internet Security 2007, DeepGuard™ functionality can be accessed through "System Control", a feature that has been visible in F-Secure Internet Security 2006's graphical user interface for a year already. However, the old System Control has been completely revised since its first appearance to implement the F-Secure DeepGuard™ concept, offering even more effective and accurate intrusion prevention in F-Secure Internet Security 2007.

The need for intrusion prevention

Virus researchers are fighting a constant battle against viruses which are created or modified to bypass existing antivirus definitions. While each virus signature is identified and neutralized, the real problem is the reactive nature of the definition-based protection model.

Indeed, antivirus as a defense is almost wholly dependent on user awareness: unless users recognize infections, virus labs are unable to receive virus samples, which impedes the whole process of virus definition building. This is further compounded by the fact that a large amount of malware today relies on rootkits and similar techniques to hide from the user and remain undetected for as long as possible. Furthermore, very few users have the necessary knowledge to recognize when an infection is in progress, which lowers the chances of virus labs receiving a virus sample even further.

Timing is also critical: the more time elapses between the moment malware is released and the moment virus labs receive samples of it, the larger the number of infected computers will be.

For its part, F-Secure has combined several protection mechanisms with the conventional definition-based scanning system, including system monitoring, blocking of code injections, heuristic scanning, rootkit scanning and control of code manipulation. But in a scenario in which zero-day malware and targeted attacks are the everyday reality, all of this is becoming insufficient.

The failing of antivirus is therefore its inability to provide protection against new and unknown threats. Its success is of course its ability to identify and neutralize the large body of malware floating in the Internet ready to latch on to unprotected machines. Also, definition-based antivirus is very precise, easy to understand, and not prone to false positives.

F-Secure DeepGuard™ - The perfect complement to antivirus

Host-based Intrusion Prevention offers an important complement to antivirus software in response to a modern malware trend. As antivirus software has evolved, criminally motivated malware authors have also adapted by using targeted attacks as the weapon of choice. Specifically, there are numerous variants of backdoors and bots built to penetrate a system. Some of these variants are only sent to a single organization or, in some cases, even to a single user. In these cases the attack includes social engineering tricks (targeted emails etc.) that make it more likely for the malware to get installed. And the attack you cannot predict is not one you can defend against, unless you have HIPS software in place. Together, antivirus and HIPS complement each other perfectly to create a solid defence against malware.

Behaviour blocker software nevertheless does have its own problems, specifically 'noise': the fact that many harmless applications show the same behavioural patterns as malware, causing them to be blocked in the same manner as a piece of malware. For example, a trojan downloader installed on a machine connects to the Internet and downloads executable files onto the host, which is exactly what any installer does to load legitimate software.

F-Secure DeepGuard™ has significantly reduced the noise problem of legitimate installer software by using advanced heuristics to differentiate accurately between malware and harmless applications. In addition, the DeepGuard™ concept is designed to be very easy to use and to work in tandem with the whole F-Secure battery of checks and guards to minimize zero-day threats.

The last line of protection

F-Secure DeepGuard™ is a unique blend of advanced heuristics and behaviour blocking. It is designed to be the last line of protection on your computer. It prevents system compromise by blocking the danger posed by the intruder even if the malware remains undetected by the antivirus. DeepGuard™ monitors potentially dangerous activities on the computer. If an application performs a potentially dangerous activity, it is checked for trust. Trusted applications are allowed to operate, while actions by untrusted applications are blocked and then reported to the user.

Users can submit samples of reported suspected malware to F-Secure, where they are analyzed at F-Secure's security labs and antivirus detection is added to the database. This effectively ensures that only very few users actually see the DeepGuard™ alert; once the sample is defused, subsequent users that encounter the malware will only see an antivirus alert.

F-Secure DeepGuard™ features three different user control levels to satisfy the needs of different users:
Expert mode - where users have the power to decide which applications can be trusted and which applications are monitored for dangerous behaviour and blocked if they jeopardize user security.

Normal mode - where users are asked only when DeepGuard™ cannot automatically calculate the trustworthiness of an application. Most applications are automatically allowed to operate after being recognized as harmless by DeepGuard™'s advanced heuristic engine.

Automatic mode - where DeepGuard™'s heuristic engine automatically allows or blocks applications, without the need for user intervention.
F-Secure DeepGuard™ is launched every time the computer is booted and starts monitoring operating system processes. Each program needs to go through it and receive its approval, or the approval of the user, to reach the operating system and perform the desired actions.

In detail, F-Secure DeepGuard™ monitors those sections of the operating system that malicious programs may use to perform potentially dangerous operations. F-Secure DeepGuard™ activates and analyzes the program when it attempts to execute any monitored code.

When a program attracts the attention of F-Secure DeepGuard™, advanced artificial intelligence checks whether the offending program is malicious and acts accordingly. Any decisions the user makes about applications are remembered.

This minimizes the number of analyses that F-Secure DeepGuard™ needs to perform and results in a transparent computing experience for the user.

If there is no previous user decision for the program and F-Secure DeepGuard™ does not recognize the program, the artificial intelligence first runs a scan using the Gemini heuristic scanning engine and the Pegasus sandbox and then interprets the results. The Gemini heuristic scanning engine performs an in-depth analysis of the target program, looking for anomalies and signs of dangerous intent in the scanned program. The Pegasus engine, on the other hand, is a sandbox-based heuristic antivirus engine.

Based on the results of the heuristic scanning, the advanced artificial intelligence classifies the target program into one of four categories according to its danger level:
Malware - clearly malicious. The user will be presented with an antivirus alert.
Red - programs that are clearly trying to perform dangerous operations are automatically blocked to ensure the safety of the user.
Yellow - for programs that are not clearly malicious or clearly legitimate, F-Secure DeepGuard™ requires a one-time user intervention to decide what action to take.
Green - all legitimate programs that are automatically allowed to perform their operations.
The powerful artificial intelligence combined with an advanced heuristic engine and user intervention allows F-Secure DeepGuard™ to protect the user even against unknown malware and zero-day exploits. In addition, most components of F-Secure DeepGuard™, including the artificial intelligence and the Gemini scanning engine, are completely updatable, thus ensuring that users will always have the latest configuration to tackle whatever hackers can invent to intrude into a computer.

F-Secure DeepGuard™ is an updatable, artificial-intelligence-driven behaviour blocker. It is a very complex software system and it is designed to be the state-of-the-art solution among host-based intrusion prevention systems.
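The decision pipeline the article describes (remembered user decisions first, then the definition-based scanner, then heuristic classification into four colour categories, then the policy of the three modes) and the installer-versus-downloader "noise" problem can be modelled in a small policy engine. The Python below is an added illustration written for this page; it is not F-Secure's code and says nothing about how DeepGuard actually works internally. The monitored operations, their risk weights, the thresholds, the publisher-trust rule, the exact meaning of each mode and the sample programs are all assumptions made for the example.

```python
"""Toy behaviour-blocker policy engine in the spirit of the DeepGuard write-up.

Constructed illustration only: risk weights, thresholds, the publisher-trust
rule, the mode semantics and the sample programs are assumptions, not
F-Secure's actual rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Monitored operations and assumed risk weights (hypothetical values).
RISK: Dict[str, int] = {
    "download_executable": 1,
    "execute_downloaded": 1,
    "write_own_directory": 0,
    "write_autorun_key": 3,
    "inject_into_process": 4,
    "install_driver": 4,
    "disable_security_service": 5,
}

GREEN, YELLOW, RED, MALWARE = "green", "yellow", "red", "malware"


@dataclass
class ProcessInfo:
    name: str
    signed_by: Optional[str]                 # code-signing publisher, None if unsigned
    actions: List[str] = field(default_factory=list)   # monitored operations observed
    known_signature: bool = False            # True if the definition scanner already matched it


class BehaviourBlocker:
    """Pipeline: remembered verdict -> AV match -> heuristic class -> mode policy."""

    def __init__(self, mode: str = "normal", trusted_publishers=()):
        assert mode in ("expert", "normal", "automatic")
        self.mode = mode
        self.trusted = set(trusted_publishers)
        self.decisions: Dict[str, str] = {}  # per-program verdicts remembered across runs

    def risk_score(self, p: ProcessInfo) -> int:
        return sum(RISK.get(a, 0) for a in p.actions)

    def classify(self, p: ProcessInfo) -> str:
        """Map a program to malware / red / yellow / green (thresholds are assumptions)."""
        if p.known_signature:
            return MALWARE
        score = self.risk_score(p)
        if score >= 5:
            return RED
        if score >= 2:
            # Same behaviour as a trojan downloader (download + execute); a trusted
            # signer resolves the ambiguity, an unsigned binary stays ambiguous.
            return GREEN if p.signed_by in self.trusted else YELLOW
        return GREEN

    def handle(self, p: ProcessInfo, user_allows: Optional[bool] = None) -> str:
        """Return 'allow', 'block', 'ask_user' or 'av_alert' and remember the decision.

        Assumed mode semantics: expert asks for every unknown program, normal asks
        only for yellow ones, automatic never asks and blocks yellow.
        """
        if p.name in self.decisions:
            return self.decisions[p.name]
        verdict = self.classify(p)
        if verdict == MALWARE:
            return "av_alert"  # handed to the antivirus, not a behaviour-blocker decision
        needs_user = self.mode == "expert" or (self.mode == "normal" and verdict == YELLOW)
        if needs_user:
            if user_allows is None:
                return "ask_user"  # one-time prompt; nothing is remembered yet
            action = "allow" if user_allows else "block"
        else:
            action = "allow" if verdict == GREEN else "block"
        self.decisions[p.name] = action
        return action


# Constructed sample programs (names and behaviours invented for the example).
SAMPLES = {
    "trojan_downloader": ProcessInfo("dl.exe", None,
        ["download_executable", "execute_downloaded", "write_autorun_key", "inject_into_process"]),
    "signed_installer": ProcessInfo("setup.exe", "Example Software Oy",
        ["download_executable", "execute_downloaded", "write_own_directory"]),
    "unsigned_installer": ProcessInfo("setup_unsigned.exe", None,
        ["download_executable", "execute_downloaded", "write_own_directory"]),
    "known_worm": ProcessInfo("worm.exe", None, ["write_autorun_key"], known_signature=True),
    "notepad": ProcessInfo("notepad.exe", "Example OS Vendor", ["read_user_docs"]),
}


def run_demo(mode: str = "normal") -> Dict[str, str]:
    """Run every sample through a fresh blocker; a prompted user answers 'allow' once."""
    blocker = BehaviourBlocker(mode, trusted_publishers={"Example Software Oy"})
    results: Dict[str, str] = {}
    for key, p in SAMPLES.items():
        result = blocker.handle(p)
        if result == "ask_user":
            result = blocker.handle(p, user_allows=True)
        results[key] = result
    return results


if __name__ == "__main__":
    for m in ("expert", "normal", "automatic"):
        print(m, run_demo(m))
```

The point to take from it is the one the article makes about noise: the signed and unsigned installers perform identical monitored operations, so behaviour alone puts both in the yellow band, and only additional context (here a trusted publisher, in a real product whatever the heuristic engines know) moves one of them to green. The remembered-decision cache is also why a second run of the same program never prompts again, which is the "transparent computer experience" the article refers to.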
gbz55
Posted on 2007-6-21 18:33:14
English? Can't read it, just here to show support!
ykz1991
Posted on 2007-6-21 21:10:15
Completely lost.
benjaminyu
Posted on 2007-6-22 09:24:50
I already read this article a few months ago.
jlennon
Posted on 2007-6-22 19:12:25
It would be best to list the detailed rules. System Control reports normal programs just the same; it would be nice if it could combine the strengths of Panda's TP.

[ This post was last edited by jlennon on 2007-6-22 19:13 ]
laooldk
Posted on 2007-7-2 16:40:10
Could someone with good English translate it? Just dumping it here like this is too intimidating......
jick117
Posted on 2007-7-2 18:41:17
Originally posted by jlennon on 2007-6-22 19:12:
It would be best to list the detailed rules. System Control reports normal programs just the same; it would be nice if it could combine the strengths of Panda's TP.

FS's System Control is better than Panda's TP.
kelhq
Posted on 2007-7-5 13:14:08
If the detailed rules were listed, other vendors could easily copy them, couldn't they?
Copyright © KaFan KaFan.cn All Rights Reserved.