![Page 1: KAV 7.0 Overview of technologies Nikolay Grebennikov Department of Innovative Technologies, Deputy Director, Nikolay.Grebennikov@kaspersky.com](https://reader033.vdocuments.mx/reader033/viewer/2022051401/56649ccb5503460f94994332/html5/thumbnails/1.jpg)
KAV 7.0
Overview of technologies
Nikolay Grebennikov
Department of Innovative Technologies, Deputy Director, Nikolay.Grebennikov@kaspersky.com
We'll talk about new protection technologies
Plan of presentation
• New heuristic engine based on an emulator
• Greatly improved Anti-rootkit
• Outbound protection improvements (anti-leak)
• New Privacy Control concept
• Protection against a new type of keylogger
• Improved PDM (Proactive Defense Module) detection
• Improved self-protection
New heuristic engine (1)
• KAV 3.0, 4.0, 5.0: best detection rate and fastest reaction time: signature-based detection
• KAV 6.0: + Proactive Defense Module (PDM), based on analysis of application behavior
• KAV 7.0: + new heuristic engine based on an emulator
Now KL's 7.0 products contain a full set of the most effective technologies, which give our users a unique level of protection against all types of modern threats.
Triple shield of protection
New heuristic engine (2)
1. The heuristic engine uses the same decision-making logic (set of rules) as the Proactive Defense Module.
2. But the events for the heuristic engine and for the PDM are generated by different modules: the emulator and a kernel-mode driver.
[Diagram: two event providers (Windows kernel-mode drivers feeding the Proactive Defense Module, the emulator feeding the heuristic engine) share one decision-making logic]
The driver intercepts operations on the real file system and system registry, network activity and other activities of all processes.
The emulator obtains the same information while emulating the execution of the application's program code.
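The architecture on this slide, one rule set fed by two event providers, as an added example that is not Kaspersky's code. The event kinds, the hook and API names, the verdict names and the constructed sample program are all assumptions chosen for illustration; the point is that a kernel-mode hook log and an emulated API trace are normalised to the same record shape, so the same rules produce the same verdicts from either source.

```python
"""Shared decision logic fed by two event providers (added example; not
Kaspersky's code). Event kinds, hook names, API names, verdict names and
the sample "program" are assumptions chosen to illustrate the slide."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    """Normalised behaviour event: both providers must emit exactly this shape."""
    kind: str    # file_write | reg_set | net_connect | proc_inject
    target: str  # file path, registry value path, host:port or target process


# --- Decision-making logic (one rule set, shared by PDM and heuristic engine)
def _has(events: List[Event], kind: str, needle: str = "") -> bool:
    return any(e.kind == kind and needle in e.target.lower() for e in events)


# Verdict names are illustrative, not Kaspersky's. Each rule needs a
# combination of behaviours, so a single benign event never triggers one.
RULES: List[Tuple[str, Callable[[List[Event]], bool]]] = [
    ("Worm.generic", lambda ev: _has(ev, "file_write", "\\windows\\system32\\")
                                and _has(ev, "reg_set", "\\currentversion\\run")),
    ("Trojan-Spy.generic", lambda ev: _has(ev, "proc_inject")
                                      and _has(ev, "net_connect")),
    ("Backdoor.generic", lambda ev: _has(ev, "reg_set", "\\currentversion\\run")
                                    and _has(ev, "net_connect")),
]


def decide(events: Iterable[Event]) -> List[str]:
    """Apply every rule to the whole event history and return the verdicts hit."""
    ev = list(events)
    return [name for name, pred in RULES if pred(ev)]


# --- Provider 1: kernel-mode driver (what the PDM consumes) ------------------
# A real driver sees IRPs and registry/TDI callbacks for live processes. Here
# a constructed hook log of (hook, argument) pairs stands in for that stream.
DRIVER_HOOK_TO_KIND: Dict[str, str] = {
    "IRP_MJ_WRITE": "file_write",
    "CmRegistryCallback.SetValue": "reg_set",
    "TDI_CONNECT": "net_connect",
    "NtWriteVirtualMemory": "proc_inject",
}


def driver_events(hook_log: Iterable[Tuple[str, str]]) -> List[Event]:
    return [Event(DRIVER_HOOK_TO_KIND[h], arg)
            for h, arg in hook_log if h in DRIVER_HOOK_TO_KIND]


# --- Provider 2: emulator (what the heuristic engine consumes) ---------------
# A real emulator executes the sample's x86 code in a sandboxed CPU model and
# watches the Win32 APIs it reaches. This toy "CPU" just steps through a list
# of (api, argument) calls, which is all the event provider needs to observe.
API_TO_KIND: Dict[str, str] = {
    "WriteFile": "file_write",
    "RegSetValueExW": "reg_set",
    "connect": "net_connect",
    "WriteProcessMemory": "proc_inject",
}


def emulate(program: Iterable[Tuple[str, str]]) -> List[Event]:
    events: List[Event] = []
    for api, arg in program:
        kind = API_TO_KIND.get(api)
        if kind:  # other APIs are executed but are not security-relevant
            events.append(Event(kind, arg))
    return events


# Constructed sample: an "invoice.exe" that copies itself into System32,
# registers an autorun value and dials out. The emulator sees its API calls;
# the driver would see the equivalent kernel-level operations if it ran live.
SAMPLE_PROGRAM = [
    ("GetModuleFileNameW", "C:\\Users\\u\\Downloads\\invoice.exe"),
    ("WriteFile", "C:\\Windows\\System32\\svchost32.exe"),
    ("RegSetValueExW", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"),
    ("connect", "198.51.100.7:6667"),
]
SAMPLE_HOOK_LOG = [
    ("IRP_MJ_CREATE", "C:\\Users\\u\\Downloads\\invoice.exe"),
    ("IRP_MJ_WRITE", "C:\\Windows\\System32\\svchost32.exe"),
    ("CmRegistryCallback.SetValue", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"),
    ("TDI_CONNECT", "198.51.100.7:6667"),
]

if __name__ == "__main__":
    print("heuristic (emulator):", decide(emulate(SAMPLE_PROGRAM)))
    print("PDM (driver):        ", decide(driver_events(SAMPLE_HOOK_LOG)))
```

Because the rules only see `Event` records, the emulator can be swapped for a different code model, or the driver for a user-mode hook library, without touching the decision logic; that decoupling is what lets the same rules run in real time and in scan tasks.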
New heuristic engine (3)
[Diagram: real-time protection = signature-based engine + Proactive Defense Module; scan tasks = signature-based engine + heuristic engine]
Influence on system performance
The new emulator won't increase the system slowdown caused by AV, because KAV 7.0 uses the power of the triple shield:
• With default settings the PDM and the signature engine work in real time,
• The heuristic engine and the signature engine work for scan tasks.
New heuristic engine (5)
Demo: scan of the emul.zip archive with 4 test viruses
1. Heuristic is disabled: no threats detected
New heuristic engine (6)
2. Heuristic is enabled
All threats are detected, with 3 different behavior-based verdicts
Greatly improved Anti-rootkit (1)
Anti-rootkit technologies
1. During installation of the rootkit:
• Interception of the registration of the rootkit's drivers and services
• Interception of the injection of the rootkit's code into trusted processes, plus self-protection of KAV
2. When the rootkit is already active:
• Detection of active rootkits
• Detection of hidden processes in memory
• Active threats disinfection technology
• Detection and removal of hidden files on disk (New in 7.0!)
Greatly improved Anti-rootkit (2)
Detection of hidden files
• Main idea is a cross-scan: get the list of files using the Windows API, get the same list using direct disk access, and compare!
• Rootkit scan: direct disk access for all files and for the NTFS Alternate Data Streams of folders
• Advanced rootkit scan: the same as the basic scan, plus a scan of the ADS of all files (much slower, but necessary in some cases)
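The cross-scan described above, as an added example that is not Kaspersky's code. Both directory listings are constructed strings: the "API view" stands for what a hooked FindFirstFile/FindNextFile returns, the "disk view" for what a scanner reading the NTFS structures directly would see. A real implementation would build the second list from the MFT; the comparison and the basic/advanced distinction (folder ADS only versus ADS of every file) are what the example shows. The placements mirror the two cases on the following slides: a driver in an ADS of the System32 folder and a driver in an ADS of the volume root. That second one is only found because the disk view bypasses the rootkit's filter, which hides the stream from the API.

```python
"""Cross-scan for hidden files and NTFS Alternate Data Streams (added
example; not Kaspersky's code). Both directory listings are constructed
strings: a real scanner would obtain the second one by reading the NTFS
structures directly rather than through the (hookable) Windows API."""
from typing import Iterable, List, NamedTuple, Set


class Entry(NamedTuple):
    path: str    # lower-cased, since NTFS paths are case-insensitive
    stream: str  # "" for the default data stream, otherwise the ADS name


def parse(listing: Iterable[str]) -> Set[Entry]:
    """Turn 'C:\\dir\\file:stream[:$DATA]' strings into Entry records."""
    out: Set[Entry] = set()
    for raw in listing:
        drive, _, rest = raw.partition(":\\")      # "C" and "dir\\file:stream"
        path, _, stream = rest.partition(":")      # ADS separator, if present
        stream = stream.partition(":")[0]          # drop a trailing ":$DATA"
        out.add(Entry((drive + ":\\" + path).lower(), stream.lower()))
    return out


def is_folder(path: str, entries: Set[Entry]) -> bool:
    """A path is a folder if anything in the listing lives underneath it."""
    prefix = path.rstrip("\\") + "\\"
    return any(e.path != path and e.path.startswith(prefix) for e in entries)


def cross_scan(api_listing: Iterable[str], disk_listing: Iterable[str],
               advanced: bool = False) -> List[str]:
    """Report what direct disk access sees but the Windows API does not.

    Basic scan: all files plus ADS attached to folders (cheap; catches a
    driver parked in an ADS of System32 or of the volume root).
    Advanced scan: also ADS attached to every file, much slower on a real
    volume because every file's stream list has to be walked."""
    api, disk = parse(api_listing), parse(disk_listing)
    findings: List[str] = []
    for e in sorted(disk - api):
        if e.stream == "":
            findings.append(f"hidden file: {e.path}")
        elif is_folder(e.path, disk):
            findings.append(f"hidden ADS on folder: {e.path}:{e.stream}")
        elif advanced:
            findings.append(f"hidden ADS on file: {e.path}:{e.stream}")
    return findings


# Constructed listings. Names such as hidden.sys, drv.sys, rk.sys and
# payload.bin are made up for the example.
API_VIEW = [
    "C:\\Windows\\System32\\ntoskrnl.exe",
    "C:\\Windows\\System32\\drivers\\kbdclass.sys",
    "C:\\Users\\u\\notes.txt",
    "C:\\Users\\u\\notes.txt:Zone.Identifier",    # legitimate, visible ADS
]
DISK_VIEW = API_VIEW + [
    "C:\\Windows\\System32:hidden.sys:$DATA",     # driver in an ADS of a folder
    "C:\\:drv.sys",                               # driver in an ADS of the root
    "C:\\Windows\\System32\\drivers\\rk.sys",     # plain hidden file
    "C:\\Users\\u\\notes.txt:payload.bin",        # ADS of a file: advanced only
]

if __name__ == "__main__":
    for line in cross_scan(API_VIEW, DISK_VIEW, advanced=True):
        print(line)
```

The visible Zone.Identifier stream is present in both views and so is never reported; only entries that exist on disk but are missing from the API view count as hidden, which is what keeps the cross-scan free of false positives on ordinary volumes.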
Greatly improved Anti-rootkit (3)
Materials
• Fighting Rootkits with Kaspersky Internet Security 6.0/Kaspersky Antivirus 6.0 (http://www.kaspersky.com/fighting_rootkits_version_6_products)
• In the near future we'll publish the second part of the article, about the Anti-rootkit in KIS 7.0
• But right now you can make a demo using the 3 rootkits described on the next slides (Costrat, Unreal, Elite Keylogger)
Greatly improved Anti-rootkit (4)
• Costrat (Rustock.B; Spambot) http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
  • family of backdoor programs with advanced user-mode and kernel-mode rootkit capabilities,
  • very powerful rootkit, described in Virus Bulletin (VB) in August 2006,
• Elite Keylogger http://www.elitekeylogger.com/
  • very powerful keylogger and rootkit, uses 3 kernel-mode drivers
  • detected by KAV 6.0 during installation; the Rescue CD was needed to remove it.
• Unreal.A by MP_ART & EP_X0FF
  • proof-of-concept non-malicious stealth rootkit
  • designed to be invisible to all current rootkit detection technologies
Greatly improved Anti-rootkit (5)
Trojan-Clicker.Win32.Costrat.ab (Rustock)
The driver is hidden in an NTFS Alternate Data Stream of the System32 folder
Greatly improved Anti-rootkit (6)
not-a-virus:Monitor.Win32.EliteKeylogger
Greatly improved Anti-rootkit (7)
Exploit.Win32.Unreal.a
1. The driver is hidden in an NTFS Alternate Data Stream of the root C:\ folder
2. This Alternate Data Stream is itself hidden by the rootkit's driver!
Firewall outbound protection improvements (1)
Leaktests failed in KIS 6.0 MP2*

| Leaktest | Bypass technique |
|---|---|
| BITStester | Use of the BITS service |
| Breakout | Windows messages to IE |
| Breakout2 | Changing the Active Desktop with a URL |
| CPILSuite3 | SetWinEventHook function |
| DNStester | DnsQuery from Dnsapi.dll |
| OSfwbypass | ShowHTMLDialog from Mshtml.dll |
| Surfer | DDE communication with IE |

* http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
Firewall outbound protection improvements (2)
Firewall outbound protection improvements (3)
1. BITSAdmin
2. Breakout
Firewall outbound protection improvements (4)
3. Breakout2
4. CPILSuite (3)
Firewall outbound protection improvements (5)
5. Surfer
6. OSFwBypass
Firewall outbound protection improvements (6)
1. KIS 7.0 should improve its result by 650+ points (300-600 points; I am not sure about the FPR tests)
• In any case KIS will surpass ZoneAlarm and SSM in the result table.
We will consider our 3rd place as the best possible result, because we are not going to fight against the specific solutions from Comodo and Jetico (the only difference will be in the default settings; we think that our settings are the best balance for 95% of Internet users).
New Privacy control concept (1)
1. Concept of the Privacy Control component implemented in most security suites:
"enter all your private data – PINs, passwords, …" "we will analyze outgoing traffic, and if some of your private data is found, it will be replaced by '***'"
Cool idea, but it DOES NOT work in the real world.
Why? Because almost all trojans encrypt all the data they send, and the security suite will find nothing in such encrypted traffic!
2. So how can we protect the user's private data?
1) we can block access to the password storages of many well-known programs and to the Windows Protected Storage,
2) we can block all attempts to send data in hidden ways (used by most trojans).
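The failure mode argued above, as an added example that is not Kaspersky's code. The registered secrets, the login request, the trojan's key and the XOR "cipher" are all constructed stand-ins; the example shows that a content filter which masks known secrets works on a plaintext post and finds nothing in the same bytes once a trojan has encrypted them, while the receiving side still recovers everything.

```python
"""Why a traffic-scanning Privacy Control fails against encrypted exfiltration
(added example; not Kaspersky's code). Secrets, the HTTP request, the trojan's
key and the XOR "cipher" are constructed stand-ins for illustration."""
import re
from typing import List, Tuple


def mask_secrets(payload: bytes, secrets: List[bytes]) -> Tuple[bytes, int]:
    """Content filter of the kind the slide describes: replace every registered
    secret in an outgoing payload with '***'. Returns (filtered, hit count)."""
    hits = 0
    for secret in sorted(secrets, key=len, reverse=True):  # longest first
        payload, n = re.subn(re.escape(secret), b"***", payload)
        hits += n
    return payload, hits


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for whatever a trojan uses; any cipher defeats byte matching."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SECRETS = [b"hunter2", b"1234"]            # what the user "registered"
C2_KEY = b"\x5a\xa3\x17"                   # shared with the trojan's server
PLAIN_REQUEST = (b"POST /login HTTP/1.1\r\n\r\n"
                 b"user=alice&pass=hunter2&pin=1234")


def honest_client() -> Tuple[bytes, int]:
    """Plaintext post: the filter sees and masks both secrets."""
    return mask_secrets(PLAIN_REQUEST, SECRETS)


def trojan_exfil() -> Tuple[int, bool]:
    """Same data under a trivial cipher: zero hits, and the C2 side recovers
    every byte because the filter passed the payload through unchanged."""
    wire = xor_stream(PLAIN_REQUEST, C2_KEY)
    filtered, hits = mask_secrets(wire, SECRETS)
    return hits, xor_stream(filtered, C2_KEY) == PLAIN_REQUEST


if __name__ == "__main__":
    print("honest client:", honest_client())
    print("trojan:", trojan_exfil())
```

The filter's only hits come from the legitimate client, which is exactly the traffic that did not need protecting; that is why the slide moves the control from the wire to the source, blocking the read of the password store and the covert send itself.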
New Privacy control concept (2)
Real-life example: Trojan-PSW.Win32.LdPinch
Test sample: a passview utility that tries to get information from the Windows Protected Storage
Protection against new type of keyloggers (1)
Protection against all types of keyloggers
User-mode:
• SetWindowsHookEx (global keyboard hook)
• GetAsyncKeyState/GetKeyState (keyboard polling)
• GetMessage/PeekMessage interception
• Use of the Raw Input model (New in 7.0!)
Kernel-mode:
• Kbdclass driver filter
• \Device\KeyboardClass0 driver filter
• Kbdclass's dispatch table patch
• KeServiceDescriptorTableShadow patch
Protection against new type of keyloggers (2)
Protection against a new technique for intercepting keyboard input: using the Raw Input model via DirectX functions (Unique!)
Improved PDM detection (1)
Protection against a new technique for installing drivers in a hidden way: saving and restoring the registry hive that holds the Services part of the System registry, so that the driver's service key appears without the ordinary key-creation and value-set operations that a behavior monitor watches for (Unique!)
Improved PDM detection (2)
Protection against a new technique for installing drivers in a hidden way: using the kernel function ZwLoadDriver, which ntdll.dll also exports to user mode, so a ring-3 application holding SeLoadDriverPrivilege can load a driver directly, bypassing the Service Control Manager (Unique!)
Improved self-protection (1)
Self-protection technologies
• Protection of the product's files on disk
• Protection of the product's registry keys
• Protection of the product's processes in memory
• Protection of the product's folders against changes of permissions (New in 7.0!)
• Protection of the product's registry keys against changes of permissions (New in 7.0!)
Improved self-protection (2)
Protection against changes of permissions on KAV folders (Unique!)
Improved self-protection (3)
Protection against changes of permissions on KAV registry keys (Unique!)
Last point: network performance
Influence on system performance
• Some users complained about decreased network performance after installing KIS 6.0 (eMule, games, …)
• And we've completely rewritten our network driver
• Let's see the result:
Test stand: Windows Vista and XP SP2 32-bit. KIS 7.0 with Firewall and IDS enabled. About 200 rules added for different network applications. Network throughput is measured using the netcps.exe utility.

| | In (MPS) | In (%) | Out (MPS) | Out (%) |
|---|---|---|---|---|
| w/o KIS | 8.00 | 100 | 8.03 | 100 |
| KIS 6.0 | 3.87 | 48.38 | 2.84 | 35.37 |
| KIS 7.0 | 7.94 | 99.25 | 7.93 | 98.75 |

MPS = Mb per second; percentages are relative to the w/o KIS baseline.
Thank you!
Questions?