Features of Modern Security Suites – Part 1
Today's desktop security products for Windows are very complex applications. For end-users, the number of offered proprietary features can be confusing. Each software vendor may use its own original names for the very same features that are available in other products under different names. The confusion might increase when we realize that it is not uncommon to see two different features having the same name in products of two different vendors.
This series of articles is intended to clarify the basics and the real functionality of the most common features of today's Windows desktop security suites. We are going to describe what you can expect from a product that, for example,
In the first part of the series we will discuss the two most common components – the Anti-Virus Engine and the Firewall.
Anti-virus Engine
Also called: Real Time Malware Protection, Real Time Protection, File Monitoring, Anti-Malware, Anti-virus Guard, Real Time Guard
Anti-virus Engine is a basic component included in most of the security suites on the market. Its role is to scan data storage and data flows inside the computer in order to detect and remove malware. Malicious code can be stored in files on hard disks, removable storage, network drives, computer memory, disk boot sector, or come as a part of the network traffic.
The anti-virus engine uses a variety of strategies to reveal malware. Anti-virus software maintains a database of signatures (or patterns) of malware that it looks for during the scan. Each signature can either identify one specific piece of malicious code, or it can be more general and describe a whole family of malware. A common property of signature-based detection is that it detects known malicious samples and samples derived from them, but it may fail to detect new malware that does not match any known pattern.
Heuristic-based detection attempts to detect malicious samples for which there are no specific signatures in the anti-virus database yet. There are many different heuristics that anti-virus engines implement. The general principle is to identify pieces of code or data that are unlikely to be present in legitimate programs. This approach is inexact, however, and it may cause false positive alerts. A good heuristic is well balanced, so that the number of false positives is kept low while a high number of malware samples is detected. The sensitivity of the heuristics is often configurable.
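The two preceding paragraphs describe signature-based and heuristic detection in the abstract. The following toy scanner is an added illustration written for this article, not code from the article or from any vendor's engine: it shows an exact signature, a family signature whose wildcards cover the bytes that vary between variants, and a heuristic score whose threshold (the "sensitivity" the text mentions) decides how aggressive the engine is. All signatures, heuristic rules and sample bytes are constructed for the example.

```python
import math
import re

# Everything below is a constructed illustration, not a real engine's database.
# Exact signatures: a byte pattern that identifies one specific sample.
EXACT_SIGNATURES = {
    "Constructed.Sample.A": b"CONSTRUCTED-SIG-0001",
}

# Family signatures: wildcards cover the bytes that vary between members
# of a family, so one entry matches every variant derived from it.
FAMILY_SIGNATURES = {
    "Constructed.Dropper.Family": re.compile(rb"DROP\x00.{2}\x00PAYLOAD", re.DOTALL),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def heuristic_score(data: bytes) -> int:
    """Each rule adds points for something unlikely in a legitimate program.
    No single rule is conclusive; the sum is compared against a threshold."""
    score = 0
    if shannon_entropy(data) > 7.0:            # packed or encrypted body
        score += 40
    if b"SeDebugPrivilege" in data:            # wants to touch other processes
        score += 25
    if re.search(rb"cmd\.exe /c", data):       # spawns a command shell
        score += 20
    return score

def scan(data: bytes, sensitivity: int = 50) -> dict:
    """Signatures decide first; heuristics only speak when no signature matched.
    `sensitivity` is the score threshold: lower means more aggressive and
    more false positives, which is the trade-off the text describes."""
    for name, sig in EXACT_SIGNATURES.items():
        if sig in data:
            return {"verdict": "malware", "name": name, "method": "signature"}
    for name, pattern in FAMILY_SIGNATURES.items():
        if pattern.search(data):
            return {"verdict": "malware", "name": name, "method": "family-signature"}
    score = heuristic_score(data)
    if score >= sensitivity:
        return {"verdict": "suspicious", "name": "Heur.Score.%d" % score, "method": "heuristic"}
    return {"verdict": "clean", "name": None, "method": None}
```

A body of uniformly distributed bytes scores 40 on the entropy rule alone, which is below the default threshold of 50 but above a threshold of 30: the same file is "clean" at one sensitivity and "suspicious" at another, which is exactly why the setting exists.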
Virtualization and sandboxing are more advanced methods of detection. For a limited time the sample is executed in a virtual machine or another secured environment that it cannot escape from and from which it cannot harm the real system. The behavior of the sample inside the sandbox is monitored and analyzed. This method is handy in the case of malware packed with an unknown algorithm (a common way for malware to avoid detection) that the anti-virus engine cannot unpack using other methods. Inside the virtual environment such malware unpacks itself as it would on the real system, and so the anti-virus engine is able to scan its unpacked code and data.
One of the newest approaches implemented in anti-virus engines is scanning in the cloud. This method is based on the fact that desktop machines are limited in their resources while anti-virus vendors have no difficulty building large systems with great performance. Computing power is required for running complex heuristics or analyses using virtual machines. Vendors' servers can also work with much larger databases of signatures and other data than a desktop machine can process in real time. In the case of cloud scanning, the only requirement on the client's desktop system is a fast and reliable Internet connection. When the client's system is about to scan a file, it simply sends it to the vendor's cloud over the network and waits for the answer. In the meantime, the client's system can also perform its own scan.
Scan Types and Settings
From the user's point of view, there exist several types of anti-virus scans depending on the events that trigger the scanning process:
- On access scan is a scan that occurs when a resource is accessed. For example, when a file is copied to the hard drive, or when an executable is launched (the scan triggered by this particular event is sometimes called On execution scan). Only the resource being accessed and objects closely related to it are checked during this scan.
- On demand scan is initiated by the user – for example, when the user clicks the appropriate context menu item in Windows Explorer. This scan is also called Manual scan. The selected folders or drives are scanned during this operation.
- Scheduled scan is usually a repeated task that should ensure regular check of the system for malware. The user is able to set up the scanning time and the frequency of the scan. This scan is usually intended to scan the whole system.
- Startup scan is initiated by the anti-virus software after the computer has started. This scan is fast and may check startup locations, running processes, system memory, system services, and/or the boot sector.
Most products allow their users to configure the settings of each type of scan separately. Here are some of the most common settings related to anti-virus scans:
- File extensions to scan – whether to scan all files or just those having specific extensions, such as executable extensions (.exe, .dll, .vbs, .cmd etc.).
- File size limit – files larger than the limit are not scanned.
- Scan files within archives – whether or not to scan files within file archives, such as .zip, .rar, .7z etc.
- Using heuristics – whether or not to use heuristics and possibly set up their sensitivity.
- Which types of programs to alert about – there exist many programs that cannot be clearly classified as malicious. Some vendors use terms such as Potentially unwanted programs, Riskware, or Low risk items.
- Types of drives to scan – whether or not to scan files on network drives or removable storage.
- Action to take when an infection is found – this can be set to attempt to disinfect (cure) the sample if possible and, if that is not possible, to delete the sample, put it into quarantine (a special folder for storing infected files from which programs cannot be run but can be examined further or sent to the vendor's server for analysis), block access to it, or ask the user for a decision.
Many of these options affect the scanning speed. A set of automatic rules for a quick but still effective scan is sometimes called Smart scan or Quick scan. The opposite is called Full scan (or Deep Scan). We can also see Removable media scan, intended to check files on optical disks, floppy disks, USB memory sticks, flash cards, and similar devices. Custom scan can also be available, which stands for a fully customizable scan.
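The settings listed above are easier to reason about when you see them applied to a real directory. The following on-demand scanner is an added example written for this article, not code from the article or any product: it honours an extension filter, a size limit, an archive switch and the action taken on detection (quarantine, delete, ask). The sample files and the marker string standing in for a signature database are constructed for the illustration, and the quarantine folder is assumed to live outside the scanned tree.

```python
import os
import shutil
import zipfile
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a signature database (not a real signature).
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"
ARCHIVE_EXTENSIONS = {".zip"}

@dataclass
class ScanSettings:
    extensions: Optional[set] = None        # None = scan every file
    size_limit: int = 10 * 1024 * 1024      # bytes; larger objects are skipped
    scan_archives: bool = True
    action: str = "quarantine"              # "quarantine", "delete" or "ask"
    quarantine_dir: str = "quarantine"      # assumed to be outside the scanned tree

def is_infected(data: bytes) -> bool:
    return SIGNATURE in data

def quarantine(path: str, settings: ScanSettings) -> str:
    """Move the file where nothing will run it: new extension, read-only."""
    os.makedirs(settings.quarantine_dir, exist_ok=True)
    dest = os.path.join(settings.quarantine_dir,
                        os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return dest

def take_action(path: str, settings: ScanSettings) -> str:
    if settings.action == "delete":
        os.remove(path)
        return "deleted"
    if settings.action == "quarantine":
        return "quarantined:" + quarantine(path, settings)
    return "ask"          # a real product would prompt the user here

def scan_archive(path: str, settings: ScanSettings, report: dict) -> bool:
    """Scan members in memory. The size check uses the *uncompressed* size,
    which is what protects against decompression bombs."""
    hit = False
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            member = path + "!" + info.filename
            mext = os.path.splitext(info.filename)[1].lower()
            if info.file_size > settings.size_limit:
                report["skipped"].append((member, "size limit"))
                continue
            if settings.extensions is not None and mext not in settings.extensions:
                report["skipped"].append((member, "extension"))
                continue
            report["scanned"].append(member)
            if is_infected(zf.read(info)):
                hit = True
    return hit

def scan_tree(root: str, settings: ScanSettings) -> dict:
    """On-demand scan of `root`; returns what was scanned, skipped and why."""
    report = {"scanned": [], "skipped": [], "infected": [], "actions": {}}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if os.path.getsize(path) > settings.size_limit:
                report["skipped"].append((path, "size limit"))
                continue
            if ext in ARCHIVE_EXTENSIONS:
                if not settings.scan_archives:
                    report["skipped"].append((path, "archive"))
                    continue
                hit = scan_archive(path, settings, report)
            else:
                if settings.extensions is not None and ext not in settings.extensions:
                    report["skipped"].append((path, "extension"))
                    continue
                with open(path, "rb") as f:
                    hit = is_infected(f.read())
                report["scanned"].append(path)
            if hit:
                report["infected"].append(path)
                report["actions"][path] = take_action(path, settings)
    return report

def build_sample_tree(root: str) -> None:
    """Constructed test data: clean and infected executables, an infected
    text file, an oversized file, and a zip containing an infected DLL."""
    files = {
        "clean.exe": b"MZ clean program",
        "bad.exe": b"MZ " + SIGNATURE,
        "notes.txt": SIGNATURE,                 # infected, but not an executable
        "huge.bin": b"\0" * (2 * 1024 * 1024),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(root, "pack.zip"), "w") as zf:
        zf.writestr("inner.dll", b"MZ " + SIGNATURE)
        zf.writestr("readme.txt", b"hello")
```

Note the trade-off the settings imply: with an executable-only extension list, the infected notes.txt is never opened, and with archive scanning switched off a malicious DLL inside pack.zip is not seen until it is extracted, at which point an on-access scan would catch it.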
Rootkit scan (or Anti-rootkit component) is a feature that some anti-virus vendors introduced in their products after rootkits became popular during the last decade. A rootkit is a special type of malware that implements tricky methods to become invisible to users and to common methods of detection. It exploits internal mechanisms of the operating system to hide itself. Fighting rootkits requires security researchers to develop special detection techniques. Rootkit scan attempts to find discrepancies in the system behavior that might prove the presence of a rootkit. Some implementations of anti-rootkit features rely on permanent monitoring of the system while others can be run on demand.
Microsoft Office scan (or Macro-virus scan) is a feature that protects users against malicious code inside Office documents. The internal principles of the scan are similar to common scanning methods; they are just specialized in detecting malicious code inside macros. This scanning feature may be implemented as a Microsoft Office plug-in.
Additional Related Features
The anti-virus engine is usually closely linked to other components of the security suite. Some of the products present additional features as an integral part of the anti-virus engine, others display them separately. The Web Control feature is a typical representative of this group. We will discuss these features separately.
Firewall
Also called: Personal Firewall, Network Control, Advanced Firewall, Two-way Firewall
The main role of the Firewall component is to control access from outside networks to the computer over available network interfaces, also known as the inbound traffic, and vice-versa – from the inside out, also known as the outbound traffic.
Filtering of the network traffic can happen on several levels (see layers in the TCP/IP model on Wikipedia). Most firewalls in desktop security suites define rules on at least two layers – the low level Internet layer controlled by IP rules and the high level Application layer for which the product maintains a list of rules that allow or deny a particular application access to the network. Terms such as Network Rules, Expert Rules, or IP Rule Setting are used for the rules on the lower level. On the higher level we can see terms such as Program Control or Application Rules.
Many modern products allow users to configure a level of trust for all networks their computer is connected to. Even if there is only one physical network interface, a computer can be logically connected to more than one network – a common case is that the computer is connected to a local area network (LAN) which allows the user to access the Internet through a gateway. The security product will manage separately the traffic that goes to other computers in the LAN and the Internet traffic. Each of the detected networks can either be trusted or untrusted, and various system services, such as file or printer sharing, can be allowed or disallowed. Only the computers from trusted networks can access the protected computer by default. Connections established from machines in untrusted networks are blocked unless a specific rule permits the access. This is why the Internet connection is usually marked as untrusted. Some products, however, do not distinguish between networks on a single network interface, and trusted or untrusted profiles can be set only per interface. The term Network Zone or just Zone is sometimes used instead of a logical network.
For untrusted networks it may be possible to put the machine into stealth mode. This changes the behavior of the system so that it acts as if its address were unused on the network, which may mislead attackers who try to find live computers on the network before they attempt to attack them. The default behavior of the system is to respond properly to all messages, even if they are sent to ports that are closed. The stealth mode (also known as the stealth ports feature) prevents revealing that the machine is alive when it is scanned.
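To make the last three paragraphs concrete, here is an added example (written for this article; not code from the article or from any firewall product) of a minimal IP-layer packet filter: network zones carry a trust level and the most specific zone wins, explicit IP rules are evaluated in order before the zone default applies, and stealth mode decides whether a packet that is refused or that hits a closed port gets a "closed" reply or no reply at all. The zones, rules, listening ports and addresses are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network
    trusted: bool

@dataclass(frozen=True)
class IpRule:
    direction: str                          # "in" or "out"
    remote: ipaddress.IPv4Network
    proto: str                              # "tcp", "udp" or "any"
    port: Optional[int]                     # local port for "in"; None = any
    action: str                             # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str
    proto: str
    port: int

# Constructed zones: one logical LAN on the interface, the Internet behind the gateway.
ZONES = [
    Zone("LAN", ipaddress.ip_network("192.168.1.0/24"), trusted=True),
    Zone("Internet", ipaddress.ip_network("0.0.0.0/0"), trusted=False),
]

# Constructed IP rules, checked in order; the first match wins.
RULES = [
    # an explicit permit so one untrusted network may still reach one service
    IpRule("in", ipaddress.ip_network("203.0.113.0/24"), "tcp", 443, "allow"),
    IpRule("out", ipaddress.ip_network("0.0.0.0/0"), "any", None, "allow"),
]

LISTENING_PORTS = {("tcp", 443), ("tcp", 445)}   # services the host actually runs

def zone_for(ip: str) -> Zone:
    """Longest prefix wins, so the LAN zone beats the catch-all Internet zone."""
    addr = ipaddress.ip_address(ip)
    matching = [z for z in ZONES if addr in z.network]
    return max(matching, key=lambda z: z.network.prefixlen)

def rule_matches(rule: IpRule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(pkt.remote_ip) in rule.remote
            and rule.proto in ("any", pkt.proto)
            and rule.port in (None, pkt.port))

def filter_packet(pkt: Packet, stealth: bool = False) -> str:
    """Returns 'allow', 'reject' (the host answers that the port is closed)
    or 'drop' (no answer at all). Explicit rules first, then the zone default."""
    zone = zone_for(pkt.remote_ip)
    decision = None
    for rule in RULES:
        if rule_matches(rule, pkt):
            decision = rule.action
            break
    if decision is None:        # zone default: trusted => allow, untrusted => deny inbound
        decision = "allow" if (zone.trusted or pkt.direction == "out") else "deny"
    hide = stealth and not zone.trusted      # stealth only applies to untrusted zones
    if decision == "allow":
        if pkt.direction == "in" and (pkt.proto, pkt.port) not in LISTENING_PORTS:
            # Nothing listens here: a normal host replies RST / ICMP unreachable.
            return "drop" if hide else "reject"
        return "allow"
    return "drop" if hide else "reject"
```

The difference between "reject" and "drop" is the whole of stealth mode: both outcomes keep the connection from succeeding, but only "drop" leaves a scanner unable to tell whether an address is in use at all.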
Intrusion Detection/Prevention
Also called: Attack Detection, Intrusion Detection System, IP Blocking, Malware ports
Although not all the mentioned terms are equivalent, they refer to a set of features that are all responsible for preventing or detecting special kinds of attacks from remote computers. They include features such as detection of port scanning, detection of IP address spoofing, and blocking access to well-known malware ports used by RATs, trojan horses, or botnet clients; some include mechanisms to protect against ARP Spoofing attacks (this particular feature can be called ARP protection, ARP Spoofing Defense, ARP Cache protection etc.). A common ability of this kind of protection is automatic blocking of the attacker's machine. This can be directly connected with the following feature.
Also called: IP Blocklist
Using this simple feature, the product maintains a list of network addresses of machines that are forbidden to communicate with the protected computer. This list can either be filled in manually by the user, as a reaction to a detected malicious behavior (see the Intrusion Detection/Prevention feature), or by security vendors that maintain worldwide lists of computer systems and networks misused for malicious attacks.
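The two features just described fit together: the intrusion-detection part raises an alert, and the blocklist is where the automatic block lands. The example below, added for this article and not taken from it or from any product, shows the simplest port-scan detector (one source touching many distinct ports inside a short window), the automatic blocking the text mentions, and a blocklist that is seeded with manual or vendor-supplied entries and consulted before anything else. The connection log lines and addresses are constructed.

```python
from collections import defaultdict, deque

SCAN_PORT_THRESHOLD = 10      # distinct ports from one source ...
SCAN_WINDOW_SECONDS = 5       # ... within this many seconds counts as a scan

class IntrusionDetector:
    def __init__(self, blocklist=None):
        # Manually entered or vendor-supplied entries; grows automatically.
        self.blocklist = set(blocklist or [])
        self.recent = defaultdict(deque)      # src -> deque of (timestamp, port)
        self.alerts = []                      # (timestamp, src, ports seen)

    def observe(self, ts: float, src: str, dst_port: int) -> str:
        """Classify one inbound connection attempt:
        'blocked' (source is on the list), 'scan-detected' or 'ok'."""
        if src in self.blocklist:
            return "blocked"
        window = self.recent[src]
        window.append((ts, dst_port))
        while window and ts - window[0][0] > SCAN_WINDOW_SECONDS:
            window.popleft()                  # slide the time window forward
        distinct = {port for _, port in window}
        if len(distinct) >= SCAN_PORT_THRESHOLD:
            self.blocklist.add(src)           # automatic blocking of the scanner
            self.alerts.append((ts, src, sorted(distinct)))
            window.clear()
            return "scan-detected"
        return "ok"

# Constructed connection log: "<timestamp> <source address> <destination port>".
# 198.51.100.7 sweeps ten ports in under a second; 192.0.2.66 is pre-listed.
SAMPLE_LOG = """\
1000.0 192.168.1.20 445
1000.5 192.168.1.20 445
1001.0 198.51.100.7 21
1001.1 198.51.100.7 22
1001.2 198.51.100.7 23
1001.3 198.51.100.7 25
1001.4 198.51.100.7 80
1001.5 198.51.100.7 110
1001.6 198.51.100.7 135
1001.7 198.51.100.7 139
1001.8 198.51.100.7 443
1001.9 198.51.100.7 445
1020.0 198.51.100.7 80
1021.0 192.0.2.66 22
1022.0 203.0.113.9 80
"""

def replay(log: str, blocklist=None):
    """Feed a log through the detector; returns (detector, per-line results)."""
    det = IntrusionDetector(blocklist)
    results = []
    for line in log.strip().splitlines():
        ts, src, port = line.split()
        results.append((src, port, det.observe(float(ts), src, int(port))))
    return det, results
```

A machine on the LAN that repeatedly reaches the same file-sharing port is never flagged, because the detector counts distinct ports, not connection volume; the threshold and window are the knobs a product exposes to tune false positives.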
Block All Traffic
In case of a sudden malware infection of the system, some products offer to pull the emergency brake – to block all network traffic in both directions. This option may be available through a big red button, as a part of the firewall policy settings, or through the product's taskbar icon. It is assumed that this feature is used when the user recognizes the computer is infected and wants to prevent the malware from misusing the machine, stealing personal information, and downloading more malware from the Internet. The block of the network traffic can be combined with termination of all unknown processes in the system. This feature, if available, should be used with caution.
Program Control
Also called: Application Control, Application Inspector
Filtering network traffic on the application layer allows security products to separately control network access of each program on the computer. The product maintains a database of application rules that control which application can access the network and which cannot. These rules distinguish between client programs that initiate connections from the local computer to remote servers (the outbound direction) and server programs that can listen on a network port and accept connections from remote computers (the inbound direction). Modern products allow the user to define complex rules for each application.
The overall behavior of the Program Control feature is determined by the Firewall Policy settings that offer the following modes of operation:
- Silent mode (Automatic mode) works without any interaction with the user. All decisions to be made are made automatically using the database of rules the product maintains. If there is no explicit rule for a program that wants to access the network, it can either be always allowed (which is also known as Allow All mode or Allow Most mode), or always blocked (known as Block All mode or Block Most mode), or special heuristics can be run to determine whether or not the program should be allowed to access the network. The decision algorithm may be very complex and depend on additional features, such as a community network whose members share their product settings. Some products, however, use the terms Allow All mode and Block All mode for settings that ignore the existing database rules completely and simply allow or block network access of any application in the system.
- Advanced mode (Custom mode, Interactive mode) is intended for advanced and expert users who want to have everything under their own control. In this mode the product handles automatically only those situations for which there are explicit rules in the rules database. In all other cases the user is asked to make a decision. Some products offer to set what policy should be applied when the conditions do not allow the user to be asked – for example, this can happen when the computer is starting or shutting down and the graphical interface of the product is not running, or when the system is operating under a special condition, such as when a full screen game is running and the user does not want to be interrupted (this is sometimes called Gaming mode). Usually two options are available for such conditions – Allow All (Allow Most) or Block All (Block Most) – in which all actions without defined rules are allowed or blocked respectively.
- Normal mode (Safe mode) allows the product to handle most situations itself. Even if there is no explicit rule in the rules database, an action of a program can be allowed if the product considers the program to be safe. Similarly to the Silent mode, the decision can rely on various heuristics. In case the product is not able to decide whether the application is safe, it alerts the user just as in the Advanced mode.
- Learning mode (Training mode, Installation mode) is commonly used just after the product's installation or in case the user installs new software on the computer. In this mode the product is told to allow all actions for which there are no rules in its rules database and to add new rules that would allow such actions in the future after the policy mode is changed. Using the Learning mode can thus significantly reduce the number of alerts the user sees after the new software is installed.
Program Control usually contains settings that help the product decide unclear situations regardless of the mode it operates in. This is sometimes known as Automatic rule creation. A typical setting in this context is an option to allow all actions of digitally signed applications of trusted vendors even if there is no corresponding rule in the rules database. This can be extended by an option that allows all known and trusted applications even if they are not digitally signed but are recognized by the product.
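The four policy modes and the automatic rule creation described above can be expressed as one small decision procedure. The following engine is an added example written for this article, not code from the article or from any product: application rules are keyed by program path and direction (a client "connect" rule does not cover the same program "listen"ing), Silent mode never asks, Advanced mode asks for everything without an explicit rule, Normal mode auto-allows programs the product considers safe and asks otherwise, Learning mode allows and records, and a fallback policy applies whenever the user cannot be asked (the Gaming-mode situation). The vendor name, the known-safe list and the program paths are constructed; the `signer` field plays the role of a verified code-signing publisher.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class AppRule:
    path: str
    direction: str            # "connect" (client) or "listen" (server)
    port: Optional[int]       # None = any port
    action: str               # "allow" or "block"

@dataclass(frozen=True)
class NetRequest:
    path: str
    direction: str
    port: int
    signer: Optional[str]     # verified code-signing publisher, or None if unsigned

# Constructed for the example: a trusted publisher and a vendor-recognized program.
TRUSTED_VENDORS = {"Constructed Vendor Inc."}
KNOWN_SAFE = {r"C:\Program Files\Example\updater.exe"}

class ProgramControl:
    def __init__(self, mode: str = "normal", fallback: str = "block",
                 ask: Optional[Callable[[NetRequest], str]] = None):
        self.mode = mode            # "silent", "advanced", "normal" or "learning"
        self.fallback = fallback    # Allow All / Block All when the user cannot be asked
        self.ask = ask              # callable returning "allow"/"block"; None = cannot ask
        self.rules: List[AppRule] = []
        self.log = []               # (path, direction, port, action, how decided)

    def _explicit(self, req: NetRequest) -> Optional[str]:
        for r in self.rules:
            if (r.path == req.path and r.direction == req.direction
                    and r.port in (None, req.port)):
                return r.action
        return None

    def _looks_safe(self, req: NetRequest) -> bool:
        """Automatic rule creation: trusted signer, or a recognized known program."""
        return req.signer in TRUSTED_VENDORS or req.path in KNOWN_SAFE

    def _learn(self, req: NetRequest, action: str) -> None:
        self.rules.append(AppRule(req.path, req.direction, req.port, action))

    def decide(self, req: NetRequest) -> str:
        action, how = self._explicit(req), "rule"
        if action is None:
            if self.mode == "learning":
                action, how = "allow", "learned"
                self._learn(req, action)
            elif self.mode in ("silent", "normal") and self._looks_safe(req):
                action, how = "allow", "auto-rule"
                self._learn(req, action)
            elif self.mode == "silent" or self.ask is None:
                action, how = self.fallback, "fallback"
            else:                                   # normal or advanced: ask the user
                action, how = self.ask(req), "user"
                self._learn(req, action)
        self.log.append((req.path, req.direction, req.port, action, how))
        return action
```

Two details are worth noticing. Rules learned in Learning mode keep working after the mode is changed, which is the whole point of running it right after installing new software. And a rule is never created from a fallback decision, so a program blocked only because a full-screen game was running is asked about the next time the user is available.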
The Program Control feature is usually very closely related to other features that we will cover later – especially to the Behavior Control feature.
Continue to Features of Modern Security Suites – Part 2