Features of Modern Security Suites – Part 1

Published: 2012/08/28

Today's desktop security products for Windows are very complex applications. For end-users, the number of offered proprietary features can be confusing. Each software vendor may use its own original names for the very same features that are available in other products under different names. The confusion might increase when we realize that it is not uncommon to see two different features having the same name in products of two different vendors.

This series of articles is intended to clarify the basics and the real functionality of the most common features of today's Windows desktop security suites. We are going to describe what you can expect from a product that, for example, implements Anti-Malware, Safe Web, or Intrusion Prevention. Using the information in this series you should be able to compare the feature sets offered by products of different vendors and better understand how security suites work.

In the first part of the series we will discuss the two most common components – the Anti-Virus Engine and the Firewall.


Anti-virus Engine

Also called: Real Time Malware Protection, Real Time Protection, File Monitoring, Anti-Malware, Anti-virus Guard, Real Time Guard

The Anti-virus Engine is a basic component included in most of the security suites on the market. Its role is to scan data storage and data flows inside the computer in order to detect and remove malware. Malicious code can be stored in files on hard disks, removable storage, network drives, computer memory, or the disk boot sector, or it can arrive as part of the network traffic.

Detection Methods

The anti-virus engine uses a variety of strategies to reveal malware. Anti-virus software maintains a database of signatures (or patterns) of malware that it looks for during scanning. Each signature can either identify a specific piece of malware code or be more general and describe a whole family of malware. A characteristic of signature-based detection is that it can detect known malicious samples and samples derived from them, but it may fail to detect new malware that does not match any known pattern.

Heuristic-based detection attempts to detect malicious samples for which there are no specific signatures in the anti-virus database yet. There are many different heuristics that anti-virus engines implement. The general principle is to identify pieces of code or data that are unlikely to be present in legitimate programs. This approach is inaccurate, however, and it may cause false positive alerts. A good heuristic is well balanced, so that the number of false positives is kept low while a high number of malware samples is detected. The sensitivity of the heuristics may be configurable.
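To make the two methods above concrete, here is a toy scanner added for illustration (it is not code from this article or from any vendor's engine). It supports an exact signature, a "family" signature in which `??` matches any byte so variants still match, and a weighted heuristic score whose threshold plays the role of the configurable sensitivity. All signatures, indicator strings and weights are constructed for the example.

```python
import re

# Constructed signature database (hex bytes, ?? = single-byte wildcard).
# "Sample.A" matches one exact sample; "Family.B" matches a whole family,
# because the four bytes after the call opcode may differ between variants.
SIGNATURES = {
    "Sample.A": "4d 5a 90 00 de ad be ef",
    "Family.B": "e8 ?? ?? ?? ?? 5d 81 ed",
}

# Constructed heuristic indicators: strings unlikely in benign software, each
# with a weight. A real engine uses far richer features than string presence.
INDICATORS = {
    b"CreateRemoteThread": 2,
    b"WriteProcessMemory": 2,
    b"IsDebuggerPresent": 1,
    b"UPX!": 1,
}

def compile_signature(hex_pattern):
    """Turn 'e8 ?? 5d' into a bytes regex; ?? becomes a one-byte wildcard."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def signature_scan(data):
    """Return the names of all signatures found anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def heuristic_score(data):
    """Sum the weights of all suspicious indicators present in data."""
    return sum(w for ind, w in INDICATORS.items() if ind in data)

def scan(data, sensitivity=3):
    """Signatures first; otherwise flag the sample when its heuristic score
    reaches the sensitivity threshold. A lower threshold catches more unknown
    samples but also raises more false positives, as the text describes."""
    hits = signature_scan(data)
    if hits:
        return ("malware", hits)
    score = heuristic_score(data)
    if score >= sensitivity:
        return ("suspicious", ["Heur.Score%d" % score])
    return ("clean", [])
```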

Virtualization and sandboxing are more advanced methods of detection. For a limited time the samples are executed in a virtual machine or another secured environment that the scanned sample cannot escape from and from which the sample cannot harm the real system. The behavior of the sample inside the sandbox is monitored and analyzed. This method comes in handy with malware that is packed with an unknown algorithm (a common method used by malware to avoid detection) that the anti-virus engine cannot unpack using other methods. Inside the virtual environment such malware unpacks itself as it would have done on the real system, and so the anti-virus engine is able to scan its unpacked code and data.

One of the newest approaches implemented in anti-virus engines is scanning in the cloud. This method is based on the fact that desktop machines are limited in their resources while anti-virus vendors have no problem building large systems with great performance. Computing power is required for running complex heuristics or analyses using virtual machines. The vendors' servers can also work with much larger databases of signatures and other data than a desktop machine can process in real time. In the case of cloud scanning, the only requirement on the client's desktop system is a fast and reliable Internet connection. When the client's system is about to scan a file, it simply sends it to the vendor's cloud over the network and waits for the answer. In the meantime, the client's system can also perform its own scan.

Scan Types and Settings

From the user's point of view, there are several types of anti-virus scans, depending on the event that triggers the scanning process:

Most products allow their users to configure the settings of each type of scan separately. Here are some of the most common settings related to anti-virus scans:

Many of these options affect the scanning speed. A set of automatic rules for a quick but still effective scan is sometimes called Smart scan or Quick scan. The opposite is called Full scan (or Deep Scan). We can also see Removable media scan, intended to check files on optical disks, floppy disks, USB memory sticks, flash cards, and similar devices. A Custom scan may also be available, which stands for a fully customizable scan.

Specialized Scans

Rootkit scan (or Anti-rootkit component) is a feature that some anti-virus vendors introduced in their products after rootkits became popular during the last decade. A rootkit is a special type of malware that implements tricky methods to become invisible to users and to common methods of detection. It exploits internal mechanisms of the operating system to hide itself. Fighting rootkits requires security researchers to develop special detection techniques. A rootkit scan attempts to find discrepancies in the system's behavior that might prove the presence of a rootkit. Some implementations of anti-rootkit features rely on permanent monitoring of the system while others can be run on demand.

Microsoft Office scan (or Macro-virus scan) is a feature that protects users against malicious code inside Office documents. The internal principles of the scan are similar to common scanning methods; they are just specialized in detecting malicious code inside macros. This scanning feature may be implemented as a Microsoft Office plug-in.

The anti-virus engine is usually closely linked to other components of the security suite. Some products present additional features as an integral part of the anti-virus engine, others display them separately. The Web Control feature is a typical representative of this group. We will discuss these features separately.


Firewall

Also called: Personal Firewall, Network Control, Advanced Firewall, Two-way Firewall

The main role of the Firewall component is to control access from outside networks to the computer over the available network interfaces, also known as the inbound traffic, and vice versa – from the inside out, also known as the outbound traffic.

Filtering of the network traffic can happen on several levels (see the layers in the TCP/IP model on Wikipedia). Most firewalls in desktop security suites define rules on at least two layers – the low-level Internet layer, controlled by IP rules, and the high-level Application layer, for which the product maintains a list of rules that allow or deny a particular application access to the network. Terms such as Network Rules, Expert Rules, or IP Rule Setting are used for the rules on the lower level. On the higher level we see terms such as Program Control or Application Rules.

Networks

Many modern products allow users to configure a level of trust for every network their computer is connected to. Even if there is only one physical network interface, a computer can be logically connected to more than one network – a common case is a computer connected to a local area network (LAN) which lets the user access the Internet through a gateway. The security product will manage the traffic that goes to other computers in the LAN separately from the Internet traffic. Each of the detected networks can be either trusted or untrusted, and various system services, such as file or printer sharing, can be allowed or disallowed. By default, only computers from trusted networks can access the protected computer. Connections established from machines on untrusted networks are blocked unless a specific rule permits the access. This is why the Internet connection is usually marked as untrusted. Some products, however, do not distinguish between networks on a single network interface, and trusted or untrusted profiles can be set only per interface. The term Network Zone, or just Zone, is sometimes used instead of a logical network.

For untrusted networks it may be possible to put the machine into stealth mode. This changes the behavior of the system to act as if its address were unavailable on the network, which may mislead attackers who try to find live computers on the network before they attempt to attack them. The default behavior of the system is to respond properly to all messages, even if they are sent to ports that are closed. Stealth mode (also known as the stealth ports feature) prevents revealing that the machine is alive when it is scanned.

Intrusion Detection/Prevention

Also called: Attack Detection, Intrusion Detection System, IP Blocking, Malware ports

Although not all the mentioned terms are equivalent, they refer to a set of features that are responsible for preventing or detecting special kinds of attacks from remote computers. They include features such as detection of port scanning, detection of IP address spoofing, and blocking access to well-known malware ports used by RATs, trojan horses, or botnet clients; some include mechanisms to protect against ARP Spoofing attacks (this particular feature can be called ARP protection, ARP Spoofing Defense, ARP Cache protection, etc.). A common ability of this kind of protection is automatic blocking of the attacker's machine. This can be directly connected with the following feature.

IP Blacklist

Also called: IP Blocklist

Using this simple feature, the product maintains a list of network addresses of machines that are forbidden to communicate with the protected computer. This list can either be filled in manually by the user, as a reaction to a detected malicious behavior (see the Intrusion Detection/Prevention feature), or by security vendors that maintain worldwide lists of computer systems and networks misused for malicious attacks.
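The link between the two preceding features, port-scan detection and the IP Blacklist it feeds, as an added example (not code from the article or any product): a detector that flags a source touching many distinct ports within a short window, and an automatic block with an expiry. The connection attempts, addresses, window and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed log of inbound connection attempts: (time_s, source_ip, dest_port).
# 198.51.100.7 sweeps six ports in half a second; 192.168.1.20 is a LAN host
# retrying SMB and NetBIOS over several seconds.
ATTEMPTS = [
    (0.0, "198.51.100.7", 22), (0.1, "198.51.100.7", 23), (0.2, "198.51.100.7", 80),
    (0.3, "198.51.100.7", 443), (0.4, "198.51.100.7", 445), (0.5, "198.51.100.7", 3389),
    (1.0, "192.168.1.20", 445), (5.0, "192.168.1.20", 445), (9.0, "192.168.1.20", 139),
]

def detect_port_scans(attempts, window_s=2.0, min_ports=5):
    """Flag every source that touches at least min_ports distinct ports within
    any window_s-second sliding window. Returns {source_ip: (start, ports)}."""
    by_src = defaultdict(list)
    for t, src, port in attempts:
        by_src[src].append((t, port))
    offenders = {}
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:                      # window starting at each event
            ports = {p for t, p in events if t0 <= t <= t0 + window_s}
            if len(ports) >= min_ports:
                offenders[src] = (t0, sorted(ports))
                break
    return offenders

def auto_block(attempts, blacklist=None, block_s=600.0):
    """The IP Blacklist reaction: each detected scanner is added to the list
    with an expiry time, so a transient offender is not blocked forever."""
    blacklist = dict(blacklist or {})
    for src, (t0, _) in detect_port_scans(attempts).items():
        blacklist[src] = max(blacklist.get(src, 0.0), t0 + block_s)
    return blacklist

def is_blocked(blacklist, ip, now):
    """True while the address is on the list and its block has not expired."""
    return blacklist.get(ip, -1.0) > now
```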

Block All Traffic

In case of a sudden malware infection of the system, some products offer to pull the emergency brake – to block all network traffic in both directions. This option may be available through a big red button, as part of the firewall policy settings, or through the product's taskbar icon. It is assumed that this feature is used when the user recognizes that the computer is infected and wants to prevent malware from misusing the machine, stealing personal information, and downloading more malware from the Internet. The block of the network traffic can be combined with termination of all unknown processes in the system. This feature, if available, should be used with caution.

Program Control

Also called: Application Control, Application Inspector

Filtering network traffic on the application layer allows security products to separately control the network access of each program on the computer. The product maintains a database of application rules that control which applications can access the network and which cannot. These rules distinguish between client programs that initiate connections from the local computer to remote servers (the outbound direction) and server programs that can listen on a network port and accept connections from remote computers (the inbound direction). Modern products allow the user to define complex rules for each application.

The overall behavior of the Program Control feature is determined by the Firewall Policy settings, which offer the following modes of operation:

Program Control usually contains settings that help the product resolve unclear situations regardless of the mode it operates in. This is sometimes known as Automatic rule creation. A typical setting in this context is an option to allow all actions of digitally signed applications of trusted vendors even if there is no corresponding rule in the rules database. This can be extended by an option that allows all known and trusted applications even if they are not digitally signed, as long as they are recognized by the product.
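The two-layer evaluation described in this section (Internet-layer rules, then Program Control rules, then the zone defaults and Firewall Policy mode), with the stealth-mode distinction between a silent drop and an active reject, as an added example that is not code from the article or any product. The zones, addresses, program names and rules are constructed; the trusted-vendor set stands in for the "digitally signed by a trusted vendor" check.

```python
from ipaddress import ip_address, ip_network

# Everything below (zones, addresses, programs, rules) is constructed for the example.
ZONES = [("lan", "192.168.1.0/24", True), ("internet", "0.0.0.0/0", False)]  # most specific first
STEALTH = True                       # untrusted zones: inbound probes are dropped, not rejected
IP_BLACKLIST = ["203.0.113.0/24"]    # Internet-layer rule, applies in both directions
TRUSTED_SIGNED = {"browser.exe"}     # "Automatic rule creation": signed by a trusted vendor
# Application-layer rules: (program, direction, port or None for any, action)
APP_RULES = [
    ("browser.exe", "out", 443, "allow"),
    ("httpd.exe", "in", 80, "allow"),
    ("updater.exe", "out", None, "deny"),
]

def zone_of(ip):
    """Return (name, trusted) of the first zone whose network contains ip."""
    for name, net, trusted in ZONES:
        if ip_address(ip) in ip_network(net):
            return name, trusted
    raise ValueError("no zone for %s" % ip)

def refuse(direction, trusted):
    """Stealth mode: inbound traffic from untrusted networks is silently dropped,
    so a scanner sees no reply; everything else is actively rejected."""
    if direction == "in" and not trusted and STEALTH:
        return "drop"
    return "reject"

def decide(direction, remote_ip, port, program, mode="deny_unknown"):
    """Internet layer (blacklist) first, then Application layer (program rules),
    then the zone default and the Firewall Policy mode for unknown programs.
    port is the local port for inbound and the remote port for outbound traffic."""
    _, trusted = zone_of(remote_ip)
    if any(ip_address(remote_ip) in ip_network(n) for n in IP_BLACKLIST):
        return refuse(direction, trusted)
    for prog, d, p, action in APP_RULES:
        if prog == program and d == direction and p in (None, port):
            return "allow" if action == "allow" else refuse(direction, trusted)
    # No explicit rule for this program and direction.
    if direction == "in" and not trusted:
        return refuse(direction, trusted)        # untrusted inbound is blocked by default
    if program in TRUSTED_SIGNED or mode == "allow_unknown":
        return "allow"
    return refuse(direction, trusted)            # deny_unknown mode
```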

The Program Control feature is usually very closely related to other features that we will cover later – especially to the Behavior Control feature.


Continue to Features of Modern Security Suites – Part 2