- Advanced malware protection (AMP)
- Spero
- ThreatGrid
- File trajectory
- Device trajectory
- Tetra
- ClamAV
- Ethos
- Exploit prevention
- IOC
- Device flow correlation (DFC)
- Policy
- Exclusion set
Advanced malware protection (AMP)
- calculates SHA256 of the file contents except filename
- file type is determined by scanning the header, not extension
- HTTPS for connection to Cloud (public or private ≡ appliance)
- disposition
  - malware: may be set as a result of local analysis
  - clean: set only by AMP Cloud
  - unknown
  - unreachable
- cache timeout = 12h
- connectors: Windows, MacOS, Linux, Android, iOS (= Clarity)
- private cloud: proxy to public or local copy
- kernel modules
  - immunet protect driver: intercept I/O
  - immunet network driver: match between traffic contents and source application
  - immunet self-protection driver
- sfc.exe – cloud communication
- client identification on AMP Connector ID (GUID)
- SHA dispositions are updated every 5 minutes within the cloud
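As an added illustration of the points above (hash of the contents only, file type taken from the header rather than the extension, and a 12h disposition cache with the four dispositions listed), here is example code written for these notes; it is not Cisco's connector code. The `cloud_lookup` callable, the magic-byte table and the handling of an unreachable cloud are assumptions made for the example.

```python
import hashlib
import time

# Dispositions named in the notes above.
MALWARE, CLEAN, UNKNOWN, UNREACHABLE = "malware", "clean", "unknown", "unreachable"
CACHE_TTL_SECONDS = 12 * 60 * 60  # 12h cache timeout

# Header magic bytes for a few types (illustrative subset chosen for this example).
MAGIC = {b"MZ": "pe-exe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def file_type(data: bytes) -> str:
    """Classify by the first bytes of the content; the filename/extension is never consulted."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def content_sha256(data: bytes) -> str:
    """SHA256 of the file contents only, so a rename cannot change the lookup key."""
    return hashlib.sha256(data).hexdigest()


class DispositionCache:
    """Per-SHA256 disposition cache modelled on the 12h timeout from the notes.

    cloud_lookup is a hypothetical callable sha256 -> disposition that raises
    ConnectionError when the AMP Cloud (public or private) cannot be reached.
    """

    def __init__(self, cloud_lookup, ttl=CACHE_TTL_SECONDS, now=time.time):
        self._cloud, self._ttl, self._now = cloud_lookup, ttl, now
        self._entries = {}  # sha256 -> (disposition, expires_at)

    def lookup(self, data: bytes) -> str:
        sha = content_sha256(data)
        cached = self._entries.get(sha)
        if cached and cached[1] > self._now():
            return cached[0]  # fresh cache hit: no cloud round trip
        try:
            disposition = self._cloud(sha)
        except ConnectionError:
            return UNREACHABLE  # not cached, so the next access retries the cloud
        self._entries[sha] = (disposition, self._now() + self._ttl)
        return disposition
```

Feeding the same bytes under two different filenames gives one hash and one type, which is why renaming a sample does not change its disposition.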
Spero
- .exe files only
- analyzes headers and metadata of executable files to detect 0-day attack
- heuristic analysis with ML
- cannot be called manually
- part of AMP Cloud
ThreatGrid
- sandbox
- returns threat score for unknown disposition and IoCs
- form-factor: cloud, appliance
- file types: PDF, MS Office, EXE, archives, compressed files
- cycle length: 10-15 minutes
- files can be submitted with API or through portal
- analysis workarounds:
  - detect sandbox
    - uses unusual software for the endpoint (debugger, sysmon)
    - MAC address: OUI = VM vendor
    - domain resolution from capture analysis by Wireshark may tip off threat actor
    - no mouse movement
    - lower screen resolution
    - count
      - opened files
      - desktop items
      - active windows
      - CPU cores, RAM
  - attack delay (e.g. 12-14 days – sandboxes do not run that long)
    - modified sleep() and NtDelayExecution() required
- sandbox methods
  - external kernel monitor
  - dynamic disk analysis: attacks on MBR
  - user interaction monitor
  - video capture
  - process information
  - artifacts
  - network sniffing
- archive
  - up to 100 files, up to 25MB each
- interfaces:
  - clean:
    - webUI, API
    - TCP 443, 8443, 9443
    - must have access to rash.threatgrid.com:19143
  - admin:
    - setup, update, backup, logging
    - TCP 443, 8443
  - dirty: for sandbox
Glovebox
- interaction with sample in sandbox
File trajectory
- hosts that file was located on
- 30 days telemetry data
Device trajectory
- actions that file performed on the host
- retrospective security in AMP4e
Tetra
- offline AV engine, includes remediation
- Windows only
- 1GB storage required
- conflicts with other AV
ClamAV
- offline AV engine, includes remediation
- MacOS, Linux
Ethos
- fuzzy fingerprinting engine
- detect malware family
- analyzes code structures, programming language, libraries, compilation features
- AMP4e only
- analysis
  - on copy/move – in separate thread
  - on execute/scan – synchronously
Exploit prevention
- memory spoof:
  - moves data and application to another memory region
  - tracks old memory region: if something accesses old region – marked as malicious
IOC
- OpenIOC framework for description
- manual scan
Device flow correlation (DFC)
- filtering on IP reputation, can be overridden by whitelist
- dropper detection
  - software that delivers malware in its body and unpacks it on the victim
Policy
- Cloud dashboard management, group-based
- components
  - conviction mode
  - engines
  - exclusions: files
  - custom detection list: files
  - app control list: applications
  - network allow/block list: in DFC
- stored locally in policy.xml
Exclusion set
- avoids conflicts with AV or performance hits (e.g. as a result of DB files scan)
- types:
  - threat
  - extension
  - wildcard
  - path