29 May 2016
Application virtualization is a great means to deal with malware. In particular, ransomware cannot create massive damage if the malicious program is executed in an isolated virtual container which prevents any interaction with the computing environment.
Unfortunately, most vendors of next generation endpoint protection solutions are focused on protecting large private businesses and administrative bodies. End-user protection is falling increasingly by the wayside. Consumers must rely on inherently weak anti-malware solutions.
By now some products are available which overcome some of the most severe deficits of anti-malware solutions. They offer protection, e.g. against drive-by downloads, zero-day malware or file-less malware, for private businesses, administrative bodies and end-users alike.
The winners and finalists of the 2015 Homeland Security Awards in the subcategory Best Anti-Malware Platform are:
- Blue Ridge Networks (Winner)
- Cylance (Finalist)
- Malwarebytes (Finalist)
The products of these companies are available for end-users. During the next weeks and posts I will discuss my experience with these products, with special regard to their ability to block zero-day malware and their usability.
Today I will share my first experiences with Blue Ridge Networks ‘AppGuard Zero Day Malware Protection’.
AppGuard is installed on top of an anti-malware solution, in my case Windows Defender. In the AppGuard user’s guide one reads:
‘Conventional “detect and respond” approaches available are not enough in today’s cyber world. AppGuard is a breach prevention defense that stops breaches at the earliest stages. AppGuard delivers a multi-layered defense, protecting the endpoint at multiple points, including launch control, run-time application control, and memory protection to prevent one application from reading or writing to the memory of another. AppGuard protects your computer against certain applications with the greatest risk of malware, such as Microsoft and Adobe products. AppGuard stops the cyber attacks that traditional security products often miss, even zero-day and fileless malware. AppGuard prevents suspicious applications from running and stops even allowed applications such as your browser from performing high-risk activities that might result in an infected computer.’
Great zero-day malware is available from Malwr.com. Let’s get to work.
I used the following sample (zero-day malware, delivered by a Microsoft Word document in a zip file) for my first test:

|Timestamp|MD5|File Name|File Type|Antivirus|
|---|---|---|---|---|
|May 24, 2016|60a59b324f63621a1e2577e87db4439f|Security Notification3.zip|Zip archive data|5/57|
Security Notification3.zip is delivered by email. The zip file contains a Word document which downloads a file called harakiri.pfx from the attacker’s command and control server and executes this file afterwards.
On May 24, 2016, at 6:46 p.m., only 6 of 57 anti-malware solutions on VirusTotal identified the malware.
With this, Security Notification3.zip is a perfect zero-day malware sample.
After running a standard installation, I customized AppGuard only slightly: I set the protection level to “Locked Down”.
I downloaded the sample file to my test environment and opened the file in Word. AppGuard did a great job. The AutoOpen macro downloaded Harakiri.exe to the local temp folder and AppGuard blocked its execution.
I checked some more samples and got the same result in every case: AppGuard blocks the execution of the downloaded files.
With this, AppGuard fully meets my expectations regarding zero-day malware delivered by Word documents.
By now Security Notification3.zip is detected by 35 of 56 anti-malware solutions on VirusTotal.com, e.g. as Trojan:O97M/Madeba.A!det by Windows Defender or as W2KM_DRIDEX.YYSVD by TrendMicro.
Have a good weekend.