1) File State Detection: You must do “File State Detection” (FSD)…(Identify if a file is in Good, Bad, Unknown states)
2) Virtualize Unknown: For all unknowns you find during FSD, run them with Hard Drive, Registry and COM virtualization on. (malware can only be inside unknown files and now they are all virtualized and can’t touch the real stuff)
3) Verdict Unknown while in Virtualization: what you find…(analyze the unknown files while being virtualized)
Imagine how we find the criminals…we first figure out which vicinity or building they are hiding in…this is the File State Detection step…it allows us to focus only on the unknown executable files…it’s like finding the building the criminals are hiding in… malware/ransomware will be an “unknown executable” file. Hiding as an executable file…this is like finding the building they are hiding in…
once we have identified these unknown files…we say, hang on a minute…we don’t know you …so we will be cautious and run you in a virtualized environment so that you can’t do any damage…this is like the FBI surrounding / containing the building the criminals are hiding in before they move in…so we turn the virtualization on to virtualize the hard drive, registry and COM interface. This pretty much guarantees that this unknown file running in virtualization cannot cause any change/modification to any of the files you have on the hard drive or registry…or can’t try to communicate via COM interface to other legit applications…now the malware is contained and cannot cause damage…
then we send this file to our Valkyrie…to determine what that code really does…a thorough colonoscopy and open heart surgery later, we know exactly what this file does and it gets a verdict whether it’s a good file or a bad file…If it turns out to be a bad file…Valkyrie will issue a death warrant and it will be killed inside virtualization…if it’s good, Valkyrie will show mercy and it won’t be virtualized next time it’s run…
But what if this unknown file is a good file? No problem, it will still operate without the user even noticing as it’s still running virtualized, and next time it won’t run inside virtualization…
and just in case you are wondering what this death angel called Valkyrie looks like…here it is…
Imagine…this will be the last image the malware will be seeing as it’s executed inside containment!!!
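The three steps above, reduced to working code as an added example (it is not part of Melih's post or of Comodo's product): the FSD step judges a file by its PE header rather than its extension, looks its hash up in a known-good and a known-bad set, and defaults everything else to unknown, which is the only state that is routed to containment. The reference sets, file names and sample bytes are constructed in the script; a real product would fetch the good/bad sets from a file-reputation service.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference samples (hypothetical): in a real deployment the good and bad
# sets come from a vendor's reputation service; here they are hashes of bytes built below.
GOOD_SAMPLE = b"MZ" + b"\x00" * 62 + b"signed vendor tool"
BAD_SAMPLE = b"MZ" + b"\x00" * 62 + b"known ransomware sample"
KNOWN_GOOD = {sha256_of(GOOD_SAMPLE)}
KNOWN_BAD = {sha256_of(BAD_SAMPLE)}


def is_executable(data: bytes) -> bool:
    # Judge by the PE "MZ" DOS header, not the extension, so a renamed .exe is not missed
    return data[:2] == b"MZ"


def file_state(data: bytes) -> str:
    """FSD: classify one file as good, bad or unknown; non-PE files are out of scope."""
    if not is_executable(data):
        return "not_executable"
    digest = sha256_of(data)
    if digest in KNOWN_BAD:
        return "bad"
    if digest in KNOWN_GOOD:
        return "good"
    return "unknown"  # default-deny: unrecognised code is neither trusted nor run bare


def action_for(state: str) -> str:
    # Step 2 of the post: only unknowns go into the virtualized container
    return {
        "good": "run normally",
        "bad": "block",
        "unknown": "run in container, send for verdict",
    }.get(state, "ignore")


def scan_directory(root) -> dict:
    """Map every file under root to its (state, action) pair."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            state = file_state(path.read_bytes())
            results[path.name] = (state, action_for(state))
    return results


def build_sample_tree() -> str:
    # Constructed directory with one file per state plus a non-executable
    root = tempfile.mkdtemp()
    Path(root, "tool.exe").write_bytes(GOOD_SAMPLE)
    Path(root, "dropper.exe").write_bytes(BAD_SAMPLE)
    Path(root, "setup.tmp").write_bytes(b"MZ" + b"\x00" * 62 + b"never seen before")
    Path(root, "readme.txt").write_bytes(b"plain text")
    return root


if __name__ == "__main__":
    for name, (state, action) in scan_directory(build_sample_tree()).items():
        print(f"{name:12s} {state:15s} -> {action}")
```

Note that `setup.tmp` lands in the unknown state despite its harmless-looking extension, which is exactly the file the post wants contained; a scanner that keyed on `.exe` alone would have let it run bare.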
Melih you say COM interface access is virtualized, but in my testing I noticed some Windows services and COM objects are not visible to contained apps or some are blocked with access denied error messages. e.g. BITS (Background Intelligent Transfer Service) does not exist as an installed service to applications running in containment and thus they can’t access the Background Intelligent Transfer Control Class COM CLSID or any other COM interface hosted by the BITS service. Meanwhile the Task Scheduler 2.0 interface is denied access to contained applications.
So do only certain COM interfaces get virtualized and accessible to contained applications, while others are just blocked from being accessed at all?
Yup. It’s basically what I said in a previous post. To be fair, Melih is using concepts.
Compared to design, real experience is not always a straight line.
Let me answer this: Yes. COM is a big area. For some interfaces, we can virtualize without breaking compatibility but for some we need to either block for security reasons or do partial support. Overall IPC is handled specially.
All that is ok
But why not try the simplest way:
kill or quarantine for further analysis all executable mail attachments, even if hidden under zip/rar etc…
(i prefer the kill option, we receive thousands of emails with such attachments per week)
lock your pdf reader to the safe reading status (no JavaScript activated) or use a pdf reader without a JavaScript function
(pdf are for reading docs not for executing scripts)
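The two mail-gateway rules in the post above (drop executables even when wrapped in an archive, and treat PDF JavaScript as unwanted), as an added example that is not the poster's own tooling: the inspector recurses into zip archives, recognises a Windows executable by its PE header rather than its name, refuses to inflate oversized or encrypted entries instead of silently passing them, and flags a PDF that carries a JavaScript action. The extension list, size and depth limits, and the sample attachment are constructed here.

```python
import io
import os
import zipfile

# Constructed policy: extensions Windows will execute directly from a mail client
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".msi", ".dll", ".hta"}
MAX_DEPTH = 3                        # nested-archive limit, against zip-in-zip tricks
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # refuse to inflate huge entries (zip bombs)


def is_pe(data: bytes) -> bool:
    # Windows executables begin with the MZ DOS header, whatever their name says
    return data[:2] == b"MZ"


def pdf_has_javascript(data: bytes) -> bool:
    # Crude but useful: the JavaScript action keys of a PDF object dictionary
    return data.startswith(b"%PDF") and (b"/JavaScript" in data or b"/JS" in data)


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of (path, reason) findings for one attachment.
    Recurses into zip archives so a renamed or nested executable is still found."""
    findings = []
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deeply to inspect"))
            return findings
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                inner_name = f"{name}/{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_ENTRY_BYTES:
                    findings.append((inner_name, "oversized entry, not inspected"))
                    continue
                try:
                    inner = zf.read(info)
                except RuntimeError:  # password-protected entry: cannot be inspected
                    findings.append((inner_name, "encrypted entry, cannot inspect"))
                    continue
                findings.extend(inspect_attachment(inner_name, inner, depth + 1))
        return findings
    ext = os.path.splitext(name.lower())[1]
    if ext in EXEC_EXTENSIONS:
        findings.append((name, f"executable extension {ext}"))
    elif is_pe(data):
        findings.append((name, "PE header under a non-executable name"))
    if pdf_has_javascript(data):
        findings.append((name, "PDF carries JavaScript"))
    return findings


def verdict(findings: list) -> str:
    # Quarantine (or drop outright, as the post prefers) whenever anything was flagged
    return "quarantine" if findings else "deliver"


def build_sample_zip() -> bytes:
    # Constructed test attachment: one obvious .exe, one innocuous text file and a
    # nested zip holding a PE renamed to .txt
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.txt", b"MZ" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("notes.txt", b"just text")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = inspect_attachment("attachment.zip", build_sample_zip())
    for path, reason in found:
        print(f"{path}: {reason}")
    print("verdict:", verdict(found))
```

Encrypted archives deserve the same fate as executables here: the inspector cannot see inside them, so it reports them rather than letting "cannot inspect" quietly become "deliver".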
DO NOT CLICK ON LINKS THAT YOU’RE NOT FAMILIAR WITH… EVEN FROM EMAILS FROM KNOWN CONTACTS! UNDERSTAND A URL ADDRESS.
Ransomware does not happen on its own.
Ransomware requires users interaction.
Ransomware discriminates.
Ransomware takes on people who do NOT read.
Ransomware takes on people who just click and NOT read.
Ransomware happens with that naive secretary who loves to just click and CANNOT READ, who in fact ends up infecting an entirely unprotected network which in fact was set up by naive IT staff who also CANNOT READ and CANNOT at the forefront set a network rule to block all traffic, then allow specific traffic for known and required resources.