Detection and protection of a computer over a network. Network protection. Program for protecting computer networks. O Bad: Vulnerability of shared administrative resources

Some people spend their entire lives working to improve security for corporations and individuals. And they spend a considerable part of this time patching holes in Windows. Windows system is the main channel for malware, which create zombies (robots), as discussed in Chapter 5, and this is just the tip of the iceberg. To be fair, Windows' massive popularity is largely to blame, but there are so many holes in Windows 7 that it's unclear whether anyone at Microsoft is bothered by it.

There are three main types of threats. First, a specially targeted attack by a person trying to hack your computer through a network connection. Secondly, an attack from a person sitting at your computer keyboard. Finally, there may be an automatic attack carried out by a worm or other type of malware.

Windows 7, and even earlier Vista, includes User Account Control, which should help stem the tide of unintended and unwanted software installations - more on that, as well as passwords and encryption

says in Chapter 7. However, most junk comes through your network connection, so that's where you should start protecting your computer. The Windows 7 operating system includes several features that make it possible to provide a certain level of security without having to purchase additional programs or equipment.

Unfortunately, not many of these features are enabled by default. The following factors are loopholes that should not be ignored.

O Bad: UPnP protocol vulnerability

Another feature called UPnP (Universal Plug-and-Play) can open up additional vulnerabilities in your network. A more appropriate name for UPnP would be Network Plug and Play, since this feature only deals with network devices. UPnP is a set of standards that allows recently connected devices to advertise

about your presence UPnP servers on your network, much in the same way that USB devices announce their presence to a Windows-owned system

Externally, the UPnP function looks good. But in practice, the lack of authentication in the UPnP standard and the ease with which malware can use UPnP to punch holes in the firewall and create port forwarding rules in the router are nothing but trouble. UPnP is currently used for some games, most media extenders, instant messaging, remote assistance, etc., which explains why it is enabled by default in Windows 7 and many network devices. But if you don't need it, then it's better to turn it off.

If you select Public network when you first connect to new network or through the Network and Sharing Center

^j Sharing Center), then UPnP is disabled by default.

To disable UPnP, open the 01usb (services.msc) window. Find the SSDP Discovery Service service in the list and click the Stop service box button on the Toolbar. At the same time, the UPnP Device Host should also stop. If it's not, stop that too. Now test any applications or devices that you suspect may be using network discovery, such as media servers or extenders. If you don't have any of these, you can disable UPnP altogether by double-clicking each service and selecting Disabled from the Startup type list. Otherwise, the next time you boot Windows, these services will start again.

Now open the router configuration page (described earlier in this chapter) and disable the UPnP service. This is required to prevent applications from establishing new port forwarding rules. If your router doesn't allow you to change UPnP settings, consider upgrading to more new version firmware, as described in the section “Upgrading to a newer version of the router.”

O Bad: Open Ports Vulnerability

Look for vulnerabilities in your system using open port scanning, as outlined later in this chapter.

O Good: remote workspace, but only when needed

The remote desktop feature described in the " Remote control computer" is enabled by default in Windows 7 Professional and Ultimate. Unless you specifically need this feature, you should turn it off. In Control Panel, open System and then select the Remote Access Settings link. On the page Remote access In the System Properties window, turn off the Allow Remote Assistance connections to this computer checkbox and check the Do not allow connections to this computer checkbox below.

O Ok: account password

In theory general access to files does not work for accounts that do not have a password, which is the default setting when creating a new user account. But a passwordless account does not provide any protection against anyone sitting at your keyboard, and if it is a user account with administrator rights, then the door is open to any other user of this computer. Refer to Chapter 7 for a discussion of user accounts and passwords.

About Homegroups and file sharing

Every shared folder is potentially an open door. Therefore, open access should be provided only to those folders that are really necessary. Please note that file permissions and sharing permissions are different things in Windows 7. This is discussed in more detail in Chapter 7.

O Bad: Sharing Wizard vulnerability

One of the main reasons for creating a workgroup is to share files and printers. But it's prudent to share only the folders that need to be shared and turn off sharing for all others. A feature called Use Sharing Wizard, described in Chapter 2 and discussed in detail in Chapter 7, does not give you complete control over who can view and change your files.

O Bad: Vulnerability of shared administrative resources

The sharing feature, discussed in Chapter 7, gives access to all drives on your computer, regardless of whether you share folders on those drives.

O Good: Firewall

Configure the firewall discussed below to strictly control network flow to and from your computer, but don't rely on Windows' built-in firewall software to provide sufficient protection.

A Good: The support center is good, but you should not rely entirely on it. The support center shown in Fig. 6.28 is the central page in Control Panel used to manage Windows Firewall, Windows Defender, UserAccount Control, and automatic updates. He also controls antivirus programs, but, purely for political reasons, Windows 7 does not have its own antivirus programs.

The most important thing is that Action Center is only a viewer. If it sees that a given protection measure is enabled, regardless of whether it is actively running, Action Center will be happy and you will not receive any notifications.

Tired of messages from the Support Center? Click the Change Action Center settings link on the left side and choose which issues are worth reporting and which you can ignore. You can disable all messages from the Action Center by turning off all the checkboxes on this page, but to completely deactivate the entire feature, you must open the Services window (services.msc) and turn off the Action Center. This will not disable any firewall, antivirus, or automatic updates you may be using, only the monitoring tools for these tools and the messages that accompany them.

You can't change your firewall or anti-malware settings here. To do this, you need to return to the Control Panel and open the appropriate program there.

The problem of the network worm epidemic is relevant for any local network. Sooner or later, a situation may arise when a network or email worm penetrates the LAN and is not detected by the antivirus being used. A network virus spreads across a LAN through operating system vulnerabilities that were not closed at the time of infection or through writable shared resources. Mail virus, as the name suggests, is distributed via email, provided that it is not blocked by client antivirus and antivirus on mail server. In addition, an epidemic on a LAN can be organized from within as a result of the activities of an insider. In this article we will look at practical methods for the operational analysis of LAN computers using various tools, in particular using the author's AVZ utility.

Formulation of the problem

If an epidemic or some abnormal activity is detected on the network, the administrator must quickly solve at least three tasks:

• detect infected PCs on the network;
• find samples of malware to send to an anti-virus laboratory and develop a counteraction strategy;
• take measures to block the spread of the virus on the LAN and destroy it on infected computers.

In the case of insider activity, the main steps of analysis are identical and most often boil down to the need to detect third-party software installed by the insider on LAN computers. Examples of such software include remote administration utilities, keyloggers and various Trojan bookmarks.

Let us consider in more detail the solution to each of the tasks.

Search for infected PCs

To search for infected PCs on the network, you can use at least three methods:

• automatic remote PC analysis - obtaining information about running processes, loaded libraries and drivers, searching for characteristic patterns - for example, processes or files with given names;
• PC traffic analysis using a sniffer - this method very effective for catching spam bots, email and network worms, however, the main difficulty in using a sniffer is due to the fact that a modern LAN is built on the basis of switches and, as a result, the administrator cannot monitor the traffic of the entire network. The problem can be solved in two ways: by running a sniffer on the router (which allows you to monitor the exchange of PC data with the Internet) and by using the monitoring functions of switches (many modern switches allow you to assign a monitoring port to which the traffic of one or more switch ports specified by the administrator is duplicated);
• study of network load - in this case, it is very convenient to use smart switches, which allow you not only to assess the load, but also to remotely disable ports specified by the administrator. This operation is greatly simplified if the administrator has a network map, which contains information about which PCs are connected to the corresponding switch ports and where they are located;
• use of honeypots - it is strongly recommended to create several honeypots on the local network that will allow the administrator to timely detect an epidemic.

Automatic analysis of PCs on the network

Automatic PC analysis can be reduced to three main stages:

• conducting a complete PC scan - running processes, loaded libraries and drivers, autostart;
• conducting operational research - for example, searching for characteristic processes or files;
• quarantine of objects according to certain criteria.

All of the above problems can be solved using the author's AVZ utility, which is designed to be launched from a network folder on the server and supports a scripting language for automatic PC inspection. To run AVZ on user computers you must:

1. Place AVZ in a network folder on the server that is open for reading.
2. Create LOG and Qurantine subdirectories in this folder and allow users to write to them.
3. Launch AVZ on LAN computers using the rexec utility or logon script.

Launching AVZ in step 3 should be done with the following parameters:

\\my_server\AVZ\avz.exe Priority=-1 nw=Y nq=Y HiddenMode=2 Script=\\my_server\AVZ\my_script.txt

In this case, the Priority=-1 parameter lowers the priority of the AVZ process, the nw=Y and nq=Y parameters switch the quarantine to the “network run” mode (in this case, a subdirectory is created in the quarantine folder for each computer, the name of which matches the network name of the PC) , HiddenMode=2 instructs to deny the user access to the GUI and AVZ controls, and finally, the most important Script parameter specifies the full name of the script with the commands that AVZ will execute on the user's computer. The AVZ scripting language is quite simple to use and is focused exclusively on solving problems of computer examination and treatment. To simplify the process of writing scripts, you can use a specialized script editor, which contains an online prompt, a wizard for creating standard scripts, and tools for checking the correctness of the written script without running it (Fig. 1).

Rice. 1. AVZ script editor

Let's look at three typical scripts that may be useful in the fight against the epidemic. First, we need a PC research script. The task of the script is to examine the system and create a protocol with the results in a given network folder. The script looks like this:

ActivateWatchDog(60 * 10);

// Start scanning and analysis

// System exploration

ExecuteSysCheck(GetAVZDirectory+

‘\LOG\’+GetComputerName+’_log.htm’);

//Shutdown AVZ

During the execution of this script, HTML files with the results of the study of network computers will be created in the LOG folder (assuming that it is created in the AVZ directory on the server and is available for users to write), and to ensure uniqueness, the name of the computer being examined is included in the protocol name. At the beginning of the script there is a command to enable a watchdog timer, which will forcefully terminate the AVZ process after 10 minutes if failures occur during script execution.

The AVZ protocol is convenient for manual study, but it is of little use for automated analysis. In addition, the administrator often knows the name of the malware file and only needs to check the presence or absence this file, and if available, quarantine for analysis. In this case, you can use the following script:

// Enable watchdog timer for 10 minutes

ActivateWatchDog(60 * 10);

// Search for malware by name

QuarantineFile('%WinDir%\smss.exe', 'Suspicious about LdPinch.gen');

QuarantineFile('%WinDir%\csrss.exe', 'Suspicion of LdPinch.gen');

//Shutdown AVZ

This script uses the QuarantineFile function to attempt to quarantine the specified files. The administrator can only analyze the contents of the quarantine (folder Quarantine\network_name_PC\quarantine_date\) for the presence of quarantined files. Please note that the QuarantineFile function automatically blocks quarantine of files identified by the secure AVZ database or the Microsoft digital signature database. For practical application this script can be improved - organize the loading of file names from an external text file, check the found files against the AVZ databases and generate a text protocol with the results of the work:

// Search for a file with the specified name

function CheckByName(Fname: string) : boolean;

Result:= FileExists(FName) ;

if Result then begin

case CheckFile(FName) of

1: S:= ‘, access to the file is blocked’;

1: S:= ‘, detected as Malware (‘+GetLastCheckTxt+’)’;

2: S:= ‘, suspected by the file scanner (‘+GetLastCheckTxt+’)’;

3: exit; // Safe files are ignored

AddToLog(‘The file ‘+NormalFileName(FName)+’ has a suspicious name’+S);

//Add the specified file to quarantine

QuarantineFile(FName,’suspicious file’+S);

SuspNames: TStringList; // List of names of suspicious files

// Checking files against the updated database

if FileExists(GetAVZDirectory + ‘files.db’) then begin

SuspNames:= TStringList.Create;

SuspNames.LoadFromFile('files.db');

AddToLog('Name database loaded - number of records = '+inttostr(SuspNames.Count));

// Search loop

for i:= 0 to SuspNames.Count - 1 do

CheckByName(SuspNames[i]);

AddToLog('Error loading list of file names');

SaveLog(GetAVZDirectory+’\LOG\’+

GetComputerName+’_files.txt’);

For this script to work, you must create the Quarantine and LOG directories in the AVZ folder, accessible to users for writing, as well as text file files.db - each line of this file will contain the name of the suspicious file. File names may include macros, the most useful of which are %WinDir% (path to Windows folder) and %SystemRoot% (path to the System32 folder). Another direction of analysis could be an automatic examination of the list of processes running on user computers. Information about running processes is in the system research protocol, but for automatic analysis it is more convenient to use the following script fragment:

procedure ScanProcess;

S:= ''; S1:= '';

//Updating the list of processes

RefreshProcessList;

AddToLog(‘Number of processes = ‘+IntToStr(GetProcessCount));

// Cycle of analysis of the received list

for i:= 0 to GetProcessCount - 1 do begin

S1:= S1 + ‘,’ + ExtractFileName(GetProcessName(i));

// Search for process by name

if pos(‘trojan.exe’, LowerCase(GetProcessName(i))) > 0 then

S:= S + GetProcessName(i)+’,’;

if S<>''then

AddLineToTxtFile(GetAVZDirectory+’\LOG\_alarm.txt’, DateTimeToStr(Now)+’ ‘+GetComputerName+’ : ‘+S);

AddLineToTxtFile(GetAVZDirectory+’\LOG\_all_process.txt’, DateTimeToStr(Now)+’ ‘+GetComputerName+’ : ‘+S1);

The study of processes in this script is performed as a separate ScanProcess procedure, so it is easy to place it in its own script. The ScanProcess procedure builds two lists of processes: full list processes (for subsequent analysis) and a list of processes that, from the administrator’s point of view, are considered dangerous. In this case, for demonstration purposes, a process named ‘trojan.exe’ is considered dangerous. Information about dangerous processes is added to the text file _alarm.txt, data about all processes is added to the file _all_process.txt. It is easy to see that you can complicate the script by adding to it, for example, checking process files against a database of safe files or checking names executable files processes on an external basis. A similar procedure is used in AVZ scripts used in Smolenskenergo: the administrator periodically studies the collected information and modifies the script, adding to it the name of the processes of programs prohibited by the security policy, for example ICQ and MailRu.Agent, which allows you to quickly check the presence of prohibited software on the PCs being studied . Another use for the process list is to find PCs that are missing a required process, such as an antivirus.

In conclusion, let’s look at the last of the useful analysis scripts - a script for automatic quarantine of all files that are not recognized by the safe AVZ database and the Microsoft digital signature database:

// Perform autoquarantine

ExecuteAutoQuarantine;

Automatic quarantine examines running processes and loaded libraries, services and drivers, about 45 autostart methods, browser and explorer extension modules, SPI/LSP handlers, scheduler jobs, print system handlers, etc. A special feature of quarantine is that files are added to it with repetition control, so the autoquarantine function can be called repeatedly.

The advantage of automatic quarantine is that with its help, the administrator can quickly collect potentially suspicious files from all computers on the network for examination. The simplest (but very effective in practice) form of studying files can be checking the resulting quarantine with several popular antiviruses in maximum heuristic mode. It should be noted that simultaneous launch of auto-quarantine on several hundred computers can create a high load on the network and the file server.

Traffic Research

Traffic research can be carried out in three ways:

• manually using sniffers;
• in semi-automatic mode - in this case, the sniffer collects information, and then its protocols are processed either manually or by some software;
• automatically using intrusion detection systems (IDS) such as Snort (http://www.snort.org/) or their software or hardware analogues. In the simplest case, an IDS consists of a sniffer and a system that analyzes the information collected by the sniffer.

An intrusion detection system is an optimal tool because it allows you to create sets of rules to detect anomalies in network activity. Its second advantage is the following: most modern IDS allow traffic monitoring agents to be placed on several network nodes - the agents collect information and transmit it. In case of using a sniffer, it is very convenient to use the console UNIX sniffer tcpdump. For example, to monitor activity on port 25 ( SMTP protocol) just run the sniffer with command line type:

tcpdump -i em0 -l tcp port 25 > smtp_log.txt

In this case, packets are captured via the em0 interface; information about captured packets will be stored in the smtp_log.txt file. The protocol is relatively easy to analyze manually; in this example, analyzing activity on port 25 allows you to identify PCs with active spam bots.

Application of Honeypot

An outdated computer whose performance does not allow it to be used for solving can be used as a trap (Honeypot). production tasks. For example, a Pentium Pro with 64 MB is successfully used as a trap in the author’s network random access memory. On this PC you should install the most common operating system on the LAN and choose one of the strategies:

• Install an operating system without update packages - it will be an indicator of the appearance of an active network worm on the network, exploiting any of the known vulnerabilities for this operating system;
• install an operating system with updates that are installed on other PCs on the network - the Honeypot will be analogous to any of the workstations.

Each strategy has both its pros and cons; The author mainly uses the option without updates. After creating the Honeypot, you should create a disk image for quick recovery system after it has been damaged by malware. As an alternative to a disk image, you can use change rollback systems such as ShadowUser and its analogues. Having built a Honeypot, you should take into account that a number of network worms search for infected computers by scanning the IP range, calculated from the IP address of the infected PC (common typical strategies are X.X.X.*, X.X.X+1.*, X.X.X-1.*), - therefore, Ideally, there should be a Honeypot on each subnet. As additional preparation elements, you should definitely open access to several folders on the Honeypot system, and in these folders you should put several sample files of various formats, the minimum set is EXE, JPG, MP3.

Naturally, having created a Honeypot, the administrator must monitor its operation and respond to any anomalies detected on this computer. Auditors can be used as a means of recording changes; a sniffer can be used to record network activity. An important point is that most sniffers provide the ability to configure sending an alert to the administrator if a specified network activity is detected. For example, in the CommView sniffer, a rule involves specifying a “formula” that describes a network packet, or specifying quantitative criteria (sending more than a specified number of packets or bytes per second, sending packets to unidentified IP or MAC addresses) - Fig. 2.

Rice. 2. Create and configure a network activity alert

As a warning, it is most convenient to use email messages sent to Mailbox administrator - in this case, you can receive prompt alerts from all traps in the network. In addition, if the sniffer allows you to create multiple alerts, it makes sense to differentiate network activity by highlighting the work with by email, FTP/HTTP, TFTP, Telnet, MS Net, increased traffic of more than 20-30 packets per second for any protocol (Fig. 3).

Rice. 3. Notification letter sent
if packets matching the specified criteria are detected

When organizing a trap, it is a good idea to place on it several vulnerable network services used on the network or install an emulator for them. The simplest (and free) is the proprietary APS utility, which works without installation. The operating principle of APS comes down to listening to many TCP and UDP ports described in its database and issuing a predetermined or randomly generated response at the moment of connection (Fig. 4).

Rice. 4. Main window of the APS utility

The figure shows a screenshot taken during a real APS activation on the Smolenskenergo LAN. As can be seen in the figure, an attempt was recorded to connect one of the client computers on port 21. Analysis of the protocols showed that the attempts are periodic and are recorded by several traps on the network, which allows us to conclude that the network is being scanned in order to search for and hack FTP servers by guessing passwords. APS keeps logs and can send messages to administrators with reports of registered connections to monitored ports, which is convenient for quickly detecting network scans.

When creating a Honeypot, it is also helpful to familiarize yourself with online resources on the topic, in particular http://www.honeynet.org/. In the Tools section of this site (http://www.honeynet.org/tools/index.html) you can find a number of tools for recording and analyzing attacks.

Remote malware removal

Ideally, after detecting malware samples, the administrator sends them to the anti-virus laboratory, where they are promptly studied by analysts and the corresponding signatures are added to the anti-virus database. These signatures through automatic update get onto the user's PC, and the antivirus automatically removes malware without administrator intervention. However, this chain does not always work as expected; in particular, the following reasons for failure are possible:

• for a number of reasons independent of the network administrator, the images may not reach the anti-virus laboratory;
• insufficient efficiency of the anti-virus laboratory - ideally, it takes no more than 1-2 hours to study samples and enter them into the database, which means that updated signature databases can be obtained within a working day. However, not all antivirus laboratories work so quickly, and you can wait several days for updates (in rare cases, even weeks);
• high performance of the antivirus - a number of malicious programs, after activation, destroy antiviruses or otherwise disrupt their operation. Classic examples include making entries in the hosts file that block normal work antivirus auto-update systems, deletion of processes, services and antivirus drivers, damage to their settings, etc.

Therefore, in the above situations, you will have to deal with malware manually. In most cases, this is not difficult, since the results of the computer examination reveal the infected PCs, as well as the full names of the malware files. All that remains is to remove them remotely. If the malicious program is not protected from deletion, then it can be destroyed using the following AVZ script:

// Deleting a file

DeleteFile('filename');

ExecuteSysClean;

This script deletes one specified file (or several files, since there can be an unlimited number of DeleteFile commands in a script) and then automatically cleans the registry. In a more complex case, the malware can protect itself from being deleted (for example, by re-creating its files and registry keys) or disguise itself using rootkit technology. In this case, the script becomes more complicated and will look like this:

// Anti-rootkit

SearchRootkit(true, true);

// Control AVZGuard

SetAVZGuardStatus(true);

// Deleting a file

DeleteFile('filename');

// Enable BootCleaner logging

BC_LogFile(GetAVZDirectory + 'boot_clr.log');

// Import into the BootCleaner task a list of files deleted by the script

BC_ImportDeletedList;

// Activate BootCleaner

// Heuristic system cleaning

ExecuteSysClean;

RebootWindows(true);

This script includes active counteraction to rootkits, the use of the AVZGuard system (this is a malware activity blocker) and the BootCleaner system. BootCleaner is a driver that removes specified objects from KernelMode during a reboot, at an early stage of system boot. Practice shows that such a script is able to destroy the vast majority of existing malware. The exception is malware that changes the names of its executable files with each reboot - in this case, files discovered during system scanning can be renamed. In this case, you will need to disinfect your computer manually or create your own malware signatures (an example of a script that implements a signature search is described in the AVZ help).

Conclusion

In this article, we looked at some practical techniques for combating a LAN epidemic manually, without the use of antivirus products. Most of the described techniques can also be used to search for foreign PCs and Trojan bookmarks on user computers. If you have any difficulties finding malware or creating treatment scripts, the administrator can use the “Help” section of the forum http://virusinfo.info or the “Fighting Viruses” section of the forum http://forum.kaspersky.com/index.php?showforum= 18. Study of protocols and assistance in treatment are carried out on both forums free of charge, PC analysis is carried out according to AVZ protocols, and in most cases treatment comes down to executing an AVZ script on infected PCs, compiled by experienced specialists from these forums.

Which are forced to wait for the creation of a physical file on the user's computer, network protection begins to analyze incoming data streams entering the user's computer through the network and blocks threats before they enter the system.

The main areas of network protection provided by Symantec technologies are:

Drive-by downloads, web attacks;
- “Social Engineering” attacks: FakeAV (fake antiviruses) and codecs;
- Attacks through social media like Facebook;
- Detection of malware, rootkits and systems infected with bots;
- Protection against advanced threats;
- Zero-day threats;
- Protection against unpatched software vulnerabilities;
- Protection from malicious domains and IP addresses.

Network Protection Technologies

The "Network Protection" level includes 3 different technologies.

Network Intrusion Prevention Solution (Network IPS)

Network IPS technology understands and scans over 200 different protocols. It intelligently and accurately cuts through binary and network protocol, simultaneously looking for signs of malicious traffic. This intelligence allows for more accurate network scanning while still providing reliable protection. At its “heart” is an exploit blocking engine that provides open vulnerabilities with virtually impenetrable protection. A unique feature of Symantec IPS is that this component does not require any configuration. All its functions work, as they say, “out of the box”. Every Norton consumer product, and every Symantec Endpoint Protection product version 12.1 and later, has this critical technology enabled by default.

Browser Protection

This security engine is located inside the browser. It is capable of detecting the most complex threats that neither traditional antivirus nor Network IPS are able to detect. Nowadays, many network attacks use obfuscation techniques to avoid detection. Because Browser Protection runs inside the browser, it is able to examine not-yet-hidden (obfuscated) code as it runs. This allows you to detect and block an attack if it was missed at lower levels of program protection.

Un-Authorized Download Protection (UXP)

Located within the network defense layer, the last line of defense helps cover and mitigate the effects of unknown and unpatched vulnerabilities, without the use of signatures. This provides an additional layer of protection against Zero Day attacks.

Focusing on problems

Working together, network security technologies solve the following problems.

Drive-by downloads and web attack kits

Using Network IPS, Browser Protection, and UXP technology, Symantec's network protection technologies block Drive-by downloads and essentially prevent malware from even reaching the user's system. Various preventive methods are practiced that include the use of these same technologies, including Generic Exploit Blocking technology and web attack detection tools. A general web attack detection tool analyzes the characteristics of a common web attack, regardless of the specific vulnerability that the attack targets. This allows you to provide additional protection for new and unknown vulnerabilities. The best thing about this type of protection is that if a malicious file were to “silently” infect a system, it would still be proactively stopped and removed from the system: this is precisely the behavior that traditional antivirus products usually miss. But Symantec continues to block tens of millions of variants of malware that typically cannot be detected by other means.

Social Engineering Attacks

Because Symantec's technology monitors network and browser traffic as it travels, it detects "Social Engineering" attacks such as FakeAV or fake codecs. Technologies are designed to block such attacks before they appear on the user's screen. Most other competing solutions do not include this powerful capability.

Symantec blocks hundreds of millions of these types of attacks with online threat protection technology.

Attacks targeting social media applications

Social media applications have recently become widely popular as they allow you to instantly share various messages, interesting videos and information with thousands of friends and users. The wide distribution and potential of such programs make them the No. 1 target for hackers. Some common hacker tricks include creating fake accounts and sending spam.

Symantec IPS technology can protect against these types of deception methods, often preventing them before the user even clicks on them. Symantec stops fraudulent and spoofed URLs, applications, and other deception techniques with online threat protection technology.

Detection of malware, rootkits and bot-infected systems

Wouldn’t it be nice to know exactly where on the network the infected computer is located? Symantec's IPS solutions provide this capability, also including detection and recovery of threats that may have evaded other layers of protection. Symantec solutions detect malware and bots that attempt to make auto-dialers or download “updates” to increase their activity on the system. This allows IT managers, who have a clear list of systems to review, to have assurance that their enterprise is secure. Polymorphic and complex stealth threats using rootkit techniques like Tidserv, ZeroAccess, Koobface and Zbot can be stopped and removed using this method.

Protection against obfuscated threats

Today's web attacks use complex techniques to increase the complexity of their attacks. Symantec's Browser Protection sits inside the browser and can detect very complex threats that traditional methods often cannot detect.

Zero-day threats and unpatched vulnerabilities

One of the past security additions the company has added is an additional layer of protection against zero-day threats and unpatched vulnerabilities. Using signatureless protection, the program intercepts System API calls and protects against malware downloads. This technology is called Un-Authorized Download Protection (UXP). It is the last line of support within the network threat protection ecosystem. This allows the product to “cover” unknown and unpatched vulnerabilities without using signatures. This technology is enabled by default and has been found in every product released since Norton 2010 debuted.

Protection against unpatched software vulnerabilities

Malicious programs are often installed without the user's knowledge, using vulnerabilities in the software. Symantec network security provides an additional layer of protection called Generic Exploit Blocking (GEB). Regardless of whether Latest updates or not, GEB "mostly" protects underlying vulnerabilities from exploitation. Vulnerabilities in Oracle Sun Java, Adobe Acrobat Reader, Adobe Flash, Internet Explorer, ActiveX controls, or QuickTime are now ubiquitous. Generic Exploit Protection was created by "reverse engineering" by figuring out how the vulnerability could be exploited on the network, while providing a special patch for network level. A single GEB, or vulnerability signature, can provide protection against thousands of malware variants, new and unknown.

Malicious IPs and domain blocking

Symantec's network protection also includes the ability to block malicious domains and IP addresses while stopping malware and traffic from known malicious sites. Through STAR's rigorous website analysis and updating, Symantec provides real-time protection against ever-changing threats.

Improved Evasion Resistance

Support for additional encodings has been added to improve the effectiveness of attack detection using encryption techniques such as base64 and gzip.

Network audit detection to enforce usage policies and identify data leakage

Network IPS can be used to identify applications and tools that may violate corporate usage policies, or to prevent data leakage across the network. It is possible to detect, warn or prevent traffic like IM, P2P, social media, or other "interesting" types of traffic.

STAR Intelligence Communication Protocol

Network security technology does not work on its own. The engine communicates with other security services using the STAR Intelligence Communication (STAR ​​ICB) protocol. The Network IPS engine connects to the Symantec Sonar engine, and then to the Insight Reputation engine. This allows you to provide more informative and accurate protection.

In the next article we will look at the Behavior Analyzer level.

Based on materials from Symantec

An antivirus must be installed on every Windows PC. For a long time this was considered the golden rule, but today IT security experts debate the effectiveness of security software. Critics argue that antiviruses do not always protect, and sometimes even the opposite - due to careless implementation, they can create gaps in the security of the system. The developers of such solutions contrast this opinion impressive numbers of blocked attacks, and marketing departments continue to swear by the comprehensive protection their products provide.

The truth lies somewhere in the middle. Antiviruses do not work flawlessly, but all of them cannot be called useless. They warn about a variety of threats, but they are not enough to keep Windows as protected as possible. For you as a user, this means the following: you can either throw the antivirus in the trash, or blindly trust it. But one way or another, it is just one of the blocks (albeit a large one) in the security strategy. We will provide you with nine more of these “bricks”.

Security Threat: Antiviruses

> What critics are saying The current controversy over virus scanners was sparked by former Firefox developer Robert O'Callaghan. He argues: antiviruses threaten the security of Windows and should be removed. The only exception is Microsoft's Windows Defender.

> What developers say Creators of antiviruses, including Kaspersky Lab, as an argument, they cite impressive figures. Thus, in 2016, software from this laboratory registered and prevented about 760 million Internet attacks on user computers.

> What CHIP thinks Antiviruses should not be considered either a relic or a panacea. They are just a brick in the building of security. We recommend using compact antiviruses. But don't worry too much: Windows Defender is fine. You can even use simple third-party scanners.

Choose the right antivirus

We are, as before, convinced that Windows is unthinkable without antivirus protection. You only need to choose the right product. For Tens users, this could even be the built-in Windows Defender. Despite the fact that during our tests it did not show the best degree of recognition, it is perfectly integrated into the system and, most importantly, without any security problems. In addition, Microsoft has improved its product in the Creators Update for Windows 10 and simplified its management.

Antivirus packages from other developers often have a higher recognition rate than Defender. We stand for a compact solution. The leader of our rating on this moment is Kaspersky Internet Security 2017. Those who can refuse such additional options as parental control and password manager, should turn their attention to a more budget-friendly option from Kaspersky Lab.

Follow updates

If we had to choose only one measure to keep Windows secure, we would definitely go with updates. In this case, of course, we are talking primarily about updates for Windows, but not only. Installed software, including Office, Firefox and iTunes, should also be updated regularly. On Windows, getting system updates is relatively easy. In both the “seven” and “ten”, patches are installed automatically using the default settings.

In the case of programs, the situation becomes more difficult, since not all of them are as easy to update as Firefox and Chrome, which have a built-in automatic update function. The SUMo (Software Update Monitor) utility will support you in solving this task and notify you about the availability of updates. A related program, DUMo (Driver Update Monitor), will do the same job for drivers. Both free assistants, however, only inform you about new versions - you will have to download and install them yourself.

Set up a firewall

The built-in firewall in Windows does its job well and reliably blocks all incoming requests. However, it is capable of more - its potential is not limited by the default configuration: all installed programs have the right to open ports in the firewall without asking. The free Windows Firewall Control utility will give you more features.

Launch it and in the “Profiles” menu set the filter to “Medium Filtering”. Thanks to this, the firewall will also control outgoing traffic according to a given set of rules. You decide for yourself what measures will be included. To do this, in the lower left corner of the program screen, click on the note icon. This way you can view the rules and grant permission with one click separate program or block it.

Use special protection

Updates, antivirus and firewall - you've already taken care of this great trinity of security measures. It's time fine tuning. The problem with additional programs for Windows is often that they do not take advantage of all the security features the system offers. An anti-exploit utility such as EMET (Enhanced Mitigation Experience Toolkit) further strengthens the installed software. To do this, click on “Use Recommended Settings” and let the program run automatically.

Strengthen encryption

You can significantly enhance the protection of personal data by encrypting it. Even if your information falls into the wrong hands, a hacker will not be able to remove good coding, at least not right away. In professional Windows versions The BitLocker utility is already provided, configured through the Control Panel.

VeraCrypt will be an alternative for all users. This open source program is the unofficial successor to TrueCrypt, which was discontinued a couple of years ago. If we're talking about Only about protecting personal information, you can create an encrypted container through the “Create Volume” item. Select the “Create an encrypted file container” option and follow the Wizard’s instructions. The ready-made data safe is accessed through Windows Explorer, just like a regular disk.

Protect user accounts

Many vulnerabilities remain unexploited by hackers simply because work on the computer is carried out under a standard account with limited rights. So for everyday tasks you should also set up one like this account. In Windows 7, this is done through the Control Panel and the “Add and Remove User Accounts” item. In the “top ten”, click on “Settings” and “Accounts”, and then select “Family and other people”.

Activate VPN outside of home

At home in wireless network Your level of security is high because you control who has access to the local network and are responsible for encryption and access codes. Everything is different in the case of hotspots, for example,
in hotels. Here Wi-Fi is distributed among third-party users, and you are not able to have any influence on the security of network access. For protection, we recommend using a VPN (Virtual Private Network). If you just need to browse sites through an access point, the built-in VPN in latest version Opera browser. Install the browser and in “Settings” click on “Security”. In the "VPN" section, check the box for "Enable VPN."

Cut off unused wireless connections

ok

Even the details can decide the outcome of a situation. If you don't use connections like Wi-Fi and Bluetooth, simply turn them off to close potential loopholes. In Windows 10, the easiest way to do this is through the Action Center. “Seven” offers the “Network Connections” section in the Control Panel for this purpose.

Manage passwords

Each password must be used only once and must contain special characters, numbers, uppercase and lowercase letters. And also be as long as possible - preferably ten or more characters. The principle of password security has reached its limits today because users have to remember too much. Therefore, where possible, such protection should be replaced by other methods. Take signing into Windows for example: If you have a camera that supports Windows Hello, use facial recognition to sign in. For other codes, we recommend using password managers such as KeePass, which should be protected with a strong master password.

Secure your privacy in the browser

There are many ways to protect your privacy online. The Privacy Settings extension is ideal for Firefox. Install it and set it to "Full Privacy". After this, the browser will not provide any information about your behavior on the Internet.

Lifebuoy: backup

> Backups are extremely important Backup justifies
yourself not only after infection with the virus. It also works well when problems with hardware arise. Our advice: make a copy of all Windows once, and then additionally and regularly make backups of all important data.

> Full archiving of Windows Windows 10 inherited from the “seven” the “Archiving and Restore” module. With it you will create backup copy systems. You can also use special utilities, for example True Image or Macrium Reflect.

> True Image file protection and the paid version of Macrium Reflect can make copies certain files and folders. Free alternative for archiving important information will become the Personal Backup program.

PHOTO: manufacturing companies; NicoElNino/Fotolia.com

How can you protect your computer from remote access? How to block access to a computer through a browser?

How to protect your computer from remote access, they usually think when something has already happened. But naturally, this is the wrong decision for a person who is engaged in at least some of his own activities. And it is advisable for all users to limit access to their computer to strangers. And in this article we will not discuss the method of setting a password for logging into a computer, but will look at an option on how to deny access to a computer from a local network, or from another computer if they are connected to the same network. This information will be especially useful for new PC users.

And so, in operating system Windows has a feature called “Remote Access”. And if it is not disabled, other users can take advantage of this to gain control of your computer. Even if you are a manager and you need to monitor your employees, then naturally you need access to their PC, but you need to close yours so that these same employees do not look at your correspondence with your secretary - this is fraught with...

March 2020

Mon	W	Wed	Thu	Fri	Sat	Sun
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

ADVERTISING

As usual, online projects are promoted. Typically, SEO copywriters try to put as much into the text as possible search queries, inclining them to

Understanding the main nuances that distinguish fake iPhones from real products will help you save money and avoid buying from careless sellers. For what