AMP

  1. Advanced malware protection (AMP)
  2. Spero
  3. ThreatGrid
    1. Glovebox
  4. File trajectory
  5. Device trajectory
  6. Tetra
  7. ClamAV
  8. Ethos
  9. Exploit prevention
  10. IOC
  11. Device flow correlation (DFC)
  12. Policy
  13. Exclusion set

Advanced malware protection (AMP)

  • calculates SHA256 over the file contents only (the filename is not part of the hash)
  • file type is determined by scanning the header, not extension
  • HTTPS for connection to Cloud (public or private ≡ appliance)
  • disposition
    • malware: may be set as a result of local analysis
    • clean: set only by AMP Cloud
    • unknown
    • unreachable
  • cache timeout = 12h
  • connectors: Windows, MacOS, Linux, Android, iOS (= Clarity)
  • private cloud: proxy to public or local copy
  • kernel modules
    • immunet protect driver: intercept I/O
    • immunet network driver: match between traffic contents and source application
    • immunet self-protection driver
  • sfc.exe – cloud communication
  • client identified by AMP Connector ID (GUID)
  • SHA dispositions are updated every 5 minutes within the cloud
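A small illustration of the first two bullets, added here and not part of Cisco's AMP code: the lookup key is the SHA256 of the contents plus a header-derived type, so renaming a file changes neither. The magic-byte table and the sample bytes are constructed for the example.

```python
# Added example (not Cisco's code): content-based SHA256 and header-based
# file-type determination, showing that the filename/extension is irrelevant.
import hashlib

# Leading header bytes -> type label. Constructed, minimal table for illustration.
MAGIC = {
    b"MZ": "exe",          # DOS/PE executable header
    b"%PDF": "pdf",
    b"PK\x03\x04": "archive",
}


def file_sha256(data: bytes) -> str:
    """SHA256 over the file contents only; the filename is never hashed."""
    return hashlib.sha256(data).hexdigest()


def file_type(data: bytes) -> str:
    """Derive the type from the header bytes, ignoring whatever extension the file has."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def lookup_key(name: str, data: bytes) -> dict:
    """What a connector would send for a cloud disposition lookup: hash plus header type."""
    return {"name": name, "sha256": file_sha256(data), "type": file_type(data)}


# Constructed sample: a PE-style header stub that will be "disguised" as a text file.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

if __name__ == "__main__":
    disguised = lookup_key("report.txt", SAMPLE_PE)
    honest = lookup_key("report.exe", SAMPLE_PE)
    # Same contents -> same hash and same header-derived type, regardless of name.
    print(disguised["sha256"] == honest["sha256"], disguised["type"], honest["type"])
```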

Spero

  • .exe files only
  • analyzes headers and metadata of executable files to detect 0-day attack
  • heuristic analysis with ML
  • cannot be called manually
  • part of AMP Cloud

ThreatGrid

  • sandbox
  • returns a threat score and IoCs for files with unknown disposition
  • form-factor: cloud, appliance
  • file types: PDF, MS Office, EXE, archives, compressed files
  • cycle length: 10-15 minutes
  • files can be submitted with API or through portal
  • analysis workarounds:
    • detect sandbox
      • software unusual for an endpoint is present (debugger, Sysmon)
      • MAC address: OUI = VM vendor
      • name resolution triggered by Wireshark capture analysis may tip off the threat actor
      • no mouse movement
      • lower screen resolution
      • count
        • opened files
        • desktop items
        • active windows
        • CPU cores, RAM
    • attack delay (e.g. 12-14 days – sandboxes do not run that long)
      • countered by a sandbox with modified sleep() and NtDelayExecution()
  • sandbox methods
    • external kernel monitor
    • dynamic disk analysis: attacks on MBR
    • user interaction monitor
    • video capture
    • process information
    • artifacts
    • network sniffing
  • archive
    • up to 100 files, up to 25MB each
  • interfaces:
    • clean:
      • webUI, API
      • TCP 443, 8443, 9443
      • must have access to rash.threatgrid.com:19143
    • admin:
      • setup, update, backup, logging
      • TCP 443, 8443
    • dirty: for sandbox

Glovebox

  • interaction with sample in sandbox

File trajectory

  • hosts that file was located on
  • 30 days telemetry data

Device trajectory

  • actions that file performed on the host
  • retrospective security in AMP4e

Tetra

  • offline AV engine, includes remediation
  • Windows only
  • 1GB storage required
  • conflicts with other AV

ClamAV

  • offline AV engine, includes remediation
  • MacOS, Linux

Ethos

  • fuzzy fingerprinting engine
  • detect malware family
  • analyzes code structures, programming language, libraries, compilation features
  • AMP4e only
  • analysis
    • on copy/move – in separate thread
    • on execute/scan – synchronously

Exploit prevention

  • memory spoof:
    • moves data and application to another memory region
    • keeps tracking the old memory region: anything that accesses it is marked as malicious

IOC

  • OpenIOC framework for description
  • manual scan

Device flow correlation (DFC)

  • filtering on IP reputation, can be overridden by whitelist
  • dropper detection
    • software that delivers malware in its body and unpacks it on the victim

Policy

  • Cloud dashboard management, group-based
  • components
    1. conviction mode
    2. engines
    3. exclusions: files
    4. custom detection list: files
    5. app control list: applications
    6. network allow/block list: in DFC
  • stored locally in policy.xml

Exclusion set

  • avoids conflicts with AV or performance hits (e.g. as a result of DB files scan)
  • types:
    • threat
    • extension
    • wildcard
    • path