10:41 Antivirus sandbox Introduction | |
| In the process of publishing the last part of article series "Lies, big lies and anti-virus" was found out catastrophic ignorance Habra audience of antivirus sandbox, what they are and how they work. What's the funniest thing in this situation, the web is almost completely absent credible information sources on the subject. Only a pile of marketoidnoy husks and do not get texts from someone in the style of "one grandmother said, listen syudy. I'll have to fill the gaps. Definitions. So, sandpit. The term came not from the children's sandboxes, as some may think, but from that used by firefighters. This tank is filled with sand, where you can work safely with flammable materials or leave there something already burning without fear singe anything else. Reflecting the analogy of the technical facilities at the software component, software can determine the sandbox as an isolated execution environment with controlled rights. " That's right, for example, works sandbox Java-machine. And any other sandbox, too, regardless of destination. Going to antiviral sandbox, the essence of which is the protection of the basic working of the system from potentially dangerous content, there are three basic models of isolation sandbox space from the rest of the system. 1. Isolation of full-virtualization. The use of any virtual machine as a protective layer over the guest operating system is installed the browser and other potentially unwanted programs, through which the user can get, gives a fairly high level of protection for the main production system. Disadvantages of this approach, but monstrous size distribution and heavy consumption of resources, rooted in the discomfort of data exchange between the main system and a sandbox. Moreover, we must always return the state of the file system and registry to the source to remove contamination from the sandbox. If you do not, then, for example, agents spambots will continue their work inside the sandbox as if nothing had happened. Block their sandbox nothing. In addition, it is unclear what to do with portable data carriers (USB drive, for example) or downloaded from the Internet games that may be malicious bookmarks. Example of approach-Invincea. 2. Insulation on the basis of partial virtualization file system and registry. It is not necessary to carry a virtual machine engine, you can podpihivat processes in a sandbox duplicate of the file system and registry, placing them in a sandbox application on the user's machine. Attempt to modify these objects will change only their copies within a sandbox, real data will not be affected. Control rights makes it impossible to attack the main system from within the sandbox by the operating system interface. Disadvantages of this approach are also evident, the exchange of data between virtual and real environments is difficult, requires constant cleaning of containers virtualization to return to the sandbox to the original, uninfected state. Also, possible breakdown or circumvention of this type of sand boxes and out of malicious software codes, mostly unprotected systems. Example of approach-SandboxIE, BufferZone, ZoneAlarm ForceField, isolated environment Kaspersky Internet Security, Comodo Internet Security sandbox, Avast Internet Security sandbox. 3. Isolation based on the rules. All attempts to change the file system objects and the registry is not virtualized, but are considered in terms of a set of internal rules of the remedy. The fuller and more accurate a set, the greater the protection against infection host system provides the program. That is, this approach represents a compromise between the convenience of exchanging data between processes within the sandbox and the real system and the level of protection against malicious modifications. Control rights makes it impossible to attack the main system from within the sandbox by the operating system interface. The advantages of this approach include, also, no need for a permanent rollback file system and registry to the original state. Disadvantages of this approach and software complexity of the most accurate and meaningful set of rules, the possibility of a partial rollback of changes in the sandbox. Just like any sandbox, running on the basis of a working system that can breakdown or circumvention of a secure environment in and out of malicious code in the main, non-secure execution environment. Example of approach-DefenseWall, Windows Software Restriction Policy, Limited User Account + ACL. There are a hybrid approach to isolate processes from the rest of the sandbox system, based on both rules, and on virtualization. They inherit the advantages of both methods as well as disadvantages. And the disadvantages prevail due to the nature of psychological perception of users. Examples of approach-GeSWall, Windows User Account Control (UAC). Methods for deciding on the placement under protection. We now turn to the methods of deciding on the placement of processes under the protection of the sandbox. There are three basic: 1. On the basis of the rules. That is, the decision module looks at the internal rule base running of certain applications or potentially dangerous files, and depending on it, runs the processes in the sandbox or outside it, on the main system. The advantages of this approach is the most highest level of protection. Closed as malicious software files that came out of potentially dangerous sites through the sandbox and the non-executable files that contain malicious scripts. Disadvantages-can be a problem when installing software that came through the sandbox (though white lists, and greatly facilitates this task), the need to manually run processes in the main, the trusted zone for software updates, updated only within themselves (eg, Mozilla FireFox , Utorrent or Opera). Examples of programs with such an approach-DefenseWall, SandboxIE, BufferZone, GeSWall. 2. Based on user rights. So running Windows Limited User Account and protection on the basis of SRP and the ACL. When you create a new user is granted rights of access to specific resources, as well as restrictions on access to the other. If necessary, the work program with restricted resources for the user to either re-login to the system as a user with an appropriate set of rights and start a program or run it under one such user, no major operating pereloginivaniya Users (Fast User Switch). The advantages of this approach is a relatively good level of overall security system. Disadvantages of non-trivial control and protection, the possibility of infection through authorized to modify the resources, since the module decision does not track such changes. 3. Based on heuristic approaches. In this case, the decision module "looks" to the executable file and tries to guess based on indirect evidence, to run it on the host system or in the sandbox. Sample-Kaspersky Internet Security HIPS, Comodo Internet Security sandbox. The advantages of this approach, it is more transparent to the user than on the basis of the rules. Easier to maintain and implement for the manufacturer. Disadvantages-inferiority of such protection. In addition, the heuristics module that decision may "miss" on an executable, such solutions exhibit virtually zero resistance to non-executable files containing malicious scripts. Well, plus a couple of problems (such as installing malicious extensions from within the browser from the body of an exploit). Separately, wanted to draw attention to the method of using the sandbox as a means of heuristics, ie launch the program in it at some period of time followed by analysis of action and the adoption of common solutions of malignancy-grade antivirus sandbox, this approach does not call. What kind of antivirus sandbox, which is installed only on a short period of time with the possibility of its complete withdrawal? Profiles of antiviral sandbox. There are only two main ones. 1. Continuous protection. When starting a process that could be a threat to the basic system, it is automatically placed in the sandbox. 2. Manual mode of protection. User himself decides to run a particular application within a sandbox. Sandbox, with the main mode of operation as "continuous protection" may also have a manual mode and the launcher. As well as vice versa. For a sandbox with insulation on the basis of the rules of typical use of real-time protection, since the exchange of data between primary system and processes within the sandbox is completely transparent. For heuristic sandpits are also characterized by using real-time protection, since the exchange of data between primary system and processes within the sandbox completely immaterial or reduced thereto. To neevristicheskih sandboxes with insulation on the basis of the partial nature of the regime virtualization hand protection. This is due to difficult communication between processes within the sandbox and the main working system. Examples: 1. DefenseWall (sandpit with insulation on the basis of the rules) has a native-mode 'permanent rule. " However, manual startup applications inside the sandbox, as well as outside it, are present. 2. SandboxIE (sandpit and exclusion on the basis of partial virtualization) is the main mode of operation "manual". But when purchasing a license you can activate a "permanent rule." 3. Comodo Internet Security sandbox (sandpit with insulation on the basis of partial virtualization) is the main mode of "constant heuristic. However, launch applications by hand inside the sandbox, as well as outside it, are present. That's basically the basic things that any self-respecting professional should know about anti-sandbox. In each program its implementation features that you already own will have to find, understand and assess the pros and cons, which it carries. | |
|
| |
| Total comments: 0 | |