Anti-Malware Protection
Note 38: Binary whitelisting convenience costs #1
download and install new software on your machine and get approval before you could download and install any new software.
Note 28: Antivirus is not ideal
It has some pretty large drawbacks. It is not ideal but it protects against the most common attacks out there on the internet. The really obvious stuff that still poses a threat to your systems still needs to be defended against.
Note 22: Antivirus software has two issues #1
The first is that they depend on antivirus signatures distributed by the antivirus software vendor.
Note 40: binary whitelisting software can trust software using a couple of different mechanisms #1
The first is using the unique cryptographic hash of binaries which are used to identify unique binaries. This is used to whitelist individual executables.
Note 24: Antivirus software has two issues #2
The second is that they depend on the antivirus vendor discovering new malware and writing new signatures for newly discovered threats.
Note 48: Binary whitelisting systems can be configured to trust specific vendors' code signing certificates.
They permit all binary sign with that certificate to run. This is helpful for automatically trusting content like system updates along with software in common use that comes from reputable and trusted vendors.
Note 36: Binary whitelisting applied
Typically only applies to executable binaries, not arbitrary files like PDF documents or text files. This would naturally defend against any unknown threats but at the cost of convenience.
Note 48: Binary whitelisting systems configured to trust specific vendors issue
An attacker can compromise the code signing certificate of a software vendor that your company trusts and use that to sign malware that targets your company. That would bypass any binary whitelisting defenses in place.
Note 30: Antivirus filter against basic attack
Antivirus is an easy solution to provide that protection. It doesn't matter how much you user education you instill in your employees. There will still be some folks who will click on an e-mail that has an infected attachment.
Note 16: Antivirus software blocks
If it detects activity that matches the signature, depending on the signature type, it will attempt to block the malware from harming the system.
Note 20: Antivirus software alerts and logs
If that's not possible, it will just log and alert the detection event. At a high level, this is how all antivirus products work.
Note 46: binary whitelisting mechanism 2 process step #2
If the hash matches and the public key is trusted, then the software can be verified that it came from someone with the software vendor's code signing private key.
Note 34: Binary whitelisting
It is software that operates off a white list. It's a list of known good and trusted software and only things that are on the list are permitted to run. Everything else is blocked. Only things explicitly allowed to execute are able to.
Note 12: Antivirus software is signature based
Or it could be that network traffic characteristics that malware uses to communicate with a command and control server.
Note 26: Antivirus software issues #2 consequence
Until the vendor is able to write new signatures and publish and disseminate them, your antivirus software can't protect you from these emerging threats which then provides an additional attack surface.
Note 18: Antivirus software quantartines
Some signatures might only be able to detect the malware after the infection has occurred. In that case, it may attempt to quarantine the infected files.
Note 42: binary whitelisting software can trust software using a couple of different mechanisms #2
The other trust mechanism is a software-signing certificate. A software vendor can cryptographically sign binaries they distribute using a private key.
Note 44: binary whitelisting mechanism 2 process step #1
The signature can be verified at execution time by checking the signature using the public key embedded in the certificate and verifying the trust chain of the public key.
Note 10: Antivirus software is signature based.
This means that it has a database of signatures that identify known malware like the unique file hash of a malicious binary or the file associated with an infection.
Note 38: Binary whitelisting convenience costs #2
every system update had to be whitelisted before it could be applied. Obviously, not trusting everything wouldn't be very sustainable.
Note 32: Overall Defense strategy
our defense in depth concept involves multiple layers of protection. Antivirus software is just one piece of our anti malware defenses.
Note 14: Antivirus software monitors and analyzes
will monitor and analyze things like new files being created or being modified on the system in order to watch for any behavior that matches a known malware signature.