Antivirus sandboxes. Introduction
In the process of publishing the last part of the series of articles “Lies, Big Lies and Antiviruses”, the catastrophic lack of education of the habr-audience in the field of anti-virus sandboxes was revealed, what they are and how they work. What is funny in this situation is that there are almost no reliable sources of information on this issue on the Web. Only a bunch of market-like husks and texts from do not understand someone in the style of "one grandmother said, listen to the syudy." I'll have to fill in the gaps.
Definitions
')
So, the sandbox. The term itself did not originate from the children's sandbox, as some might think, but from the one used by firefighters. This is a tank with sand, where you can safely work with flammable objects or throw something already burning there without fear of burning something else. Reflecting the analogy of this technical structure to the software component, the software sandbox can be defined as an “isolated execution environment with controlled rights”. This is how, for example, the Java machine sandbox works. And any other sandbox, too, regardless of destination.
Turning to anti-virus sandboxes, the essence of which is to protect the main working system from potentially dangerous content, we can distinguish three basic models of sandbox space isolation from the rest of the system.
1. Isolation based on full virtualization. Using any virtual machine as a protective layer over the guest operating system, where the browser and other potentially dangerous programs are installed, through which the user can get infected, gives a sufficiently high level of protection of the main working system.
The disadvantages of this approach, in addition to the monstrous size of the distribution kit and the strong consumption of resources, lie in the inconvenience of data exchange between the main system and the sandbox. Moreover, you need to constantly return the state of the file system and registry to the original to remove the infection from the sandbox. If you do not do this, for example, spam bots agents will continue their work inside the sandbox as if nothing had happened. There is nothing to block their sandbox. In addition, it is not clear what to do with portable storage media (flash drives, for example) or games downloaded from the Internet, in which malicious bookmarks are possible.
An example approach is Invincea.
2. Isolation based on partial file system and registry virtualization. It is not necessary to carry the virtual machine engine with you; you can push duplicate file system and registry objects to sandbox processes by sandboxing applications on the user's work machine. Attempting to modify these objects will only change their copies inside the sandbox, real data will not be affected. Rights control does not allow to attack the main system from within the sandbox through the interfaces of the operating system.
The disadvantages of this approach are also obvious - the exchange of data between the virtual and real environments is difficult; constant cleaning of the virtualization containers is necessary to return the sandbox to its original, uninfected state. Also, there may be breakdowns or bypassing this type of sandbox and the release of malicious software codes to the main, unprotected system.
An example approach is SandboxIE, BufferZone, ZoneAlarm ForceField, isolated environment, Kaspersky Internet Security, Comodo Internet Security sandbox, Avast Internet Security sandbox.
3. Insulation based on the rules. All attempts to change file system and registry objects are not virtualized, but are considered from the point of view of a set of internal rules of protection. The fuller and more accurate such a set, the greater the protection against infection of the main system by the program. That is, this approach represents a certain compromise between the convenience of data exchange between the processes inside the sandbox and the real system and the level of protection against malicious modifications. Rights control does not allow to attack the main system from within the sandbox through the interfaces of the operating system.
The advantages of this approach also include the absence of the need to permanently roll back the file system and registry to the original state.
The disadvantages of this approach are the software complexity of implementing the most accurate and complete set of rules, the possibility of only a partial rollback of changes within the sandbox. Just like any sandbox that works on the basis of a working system, it is possible to breakdown or bypass the protected environment and the output of malicious codes to the main, unprotected execution environment.
An example approach is DefenseWall, Windows Software Restriction Policy, Limited User Account + ACL.
There are also mixed approaches to isolating sandbox processes from the rest of the system, based on both rules and virtualization. They inherit both advantages of both methods and disadvantages. And the disadvantages prevail because of the peculiarities of the psychological perception of users.
Examples of the approach are GeSWall, Windows User Account Control (UAC).
Methods for deciding on placement under protection.
Let us turn to the methods of decision-making about placing processes under the protection of the sandbox. There are three basic ones:
1. Based on the rules. That is, the decision module looks at the internal base of rules for launching certain applications or potentially dangerous files and, depending on this, runs processes in the sandbox or outside it, on the main system.
The advantages of this approach are the highest level of protection. Both malicious program files coming from potentially dangerous places through the sandbox and non-executable files containing malicious scripts are closed.
Disadvantages - there may be problems when installing programs that come through the sandbox (although white lists greatly facilitate this task), the need to manually start processes in the main, trusted zone to update programs that are updated only within themselves (for example, Mozilla FireFox, Utorrent or Opera ).
Examples of programs with this approach are DefenseWall, SandboxIE, BufferZone, GeSWall.
2. Based on user rights. This is how the Windows Limited User Account and SRP and ACL based protection work. When creating a new user, he is granted access rights to certain resources, as well as restrictions on access to others. If necessary, the program for working with resources prohibited for a given user must either be logged in as a user with a suitable set of permissions and run the program, or run it alone with such a user, without redesigning the main user (Fast User Switch).
The advantages of this approach are a relatively good level of overall system security.
The disadvantages are the non-triviality of protection management, the possibility of infection through resources allowed for modification, since the decision module does not track such changes.
3. Based on heuristic approaches. In this case, the decision module “looks” at the executable file and tries to guess from indirect data whether to run it on the main system or in the sandbox. Examples - Kaspersky Internet Security HIPS, Comodo Internet Security sandbox.
The advantages of this approach are that they are more transparent to the user than they are based on rules. Easier to maintain and implement for the manufacturer.
Disadvantages - inferiority of such protection. In addition to the fact that the heuristics of the decision module can “miss” on the executable module, such solutions demonstrate almost zero resistance to non-executable files containing malicious scripts. Well, plus a couple more problems (for example, installing malicious extensions from inside the browser itself, from the body of the exploit).
Separately, I wanted to draw attention to the method of using the sandbox as a means of heuristics, i.e. launching a program in it for a certain period of time, followed by an analysis of the actions and the adoption of a general decision on malware, cannot be called a full-fledged anti-virus sandbox. What kind of antivirus sandbox, which is installed only for a short period of time with the possibility of its complete removal?
Modes of use of anti-virus sandboxes.
There are only two of them.
1. Real-time protection mode. When you start a process that may be a threat to the main system, it is automatically placed in the sandbox.
2. Manual protection mode. The user independently makes the decision to launch this or that application inside the sandbox.
Sandboxes that have a primary mode of operation as “real-time protection” may also have a manual launch mode. As well as vice versa.
For sandboxes with rule-based isolation, the use of real-time protection is typical, since the exchange of data between the main system and the processes inside the sandbox is completely transparent.
For heuristic sandboxes, the use of the real-time protection mode is also characteristic, since the exchange of data between the main system and the processes inside the sandbox is absolutely insignificant or comes down to it.
For non-heuristic sandboxes with isolation based on partial virtualization, manual protection is typical. This is due to the difficult exchange of data between the processes inside the sandbox and the main working system.
Examples:
1. DefenseWall (sandbox with isolation on the basis of rules) has the main mode of operation “constant on rules”. However, manually launching applications inside the sandbox, as well as outside it, are present.
2. SandboxIE (sandbox and isolation based on partial virtualization) has the main mode of operation "manual". But when you buy a license, you can activate the "permanent rules" mode.
3. Comodo Internet Security sandbox (sandbox with isolation based on partial virtualization) has the main mode of operation “permanent heuristic”. However, manually launching applications inside the sandbox, as well as outside it, are present.
Here, basically, the basic things, any self-respecting professional should know about anti-virus sandboxes. Each individual program has its own implementation features, which you yourself will already need to find, understand, and evaluate the pros and cons that it carries.
Definitions
')
So, the sandbox. The term itself did not originate from the children's sandbox, as some might think, but from the one used by firefighters. This is a tank with sand, where you can safely work with flammable objects or throw something already burning there without fear of burning something else. Reflecting the analogy of this technical structure to the software component, the software sandbox can be defined as an “isolated execution environment with controlled rights”. This is how, for example, the Java machine sandbox works. And any other sandbox, too, regardless of destination.
Turning to anti-virus sandboxes, the essence of which is to protect the main working system from potentially dangerous content, we can distinguish three basic models of sandbox space isolation from the rest of the system.
1. Isolation based on full virtualization. Using any virtual machine as a protective layer over the guest operating system, where the browser and other potentially dangerous programs are installed, through which the user can get infected, gives a sufficiently high level of protection of the main working system.
The disadvantages of this approach, in addition to the monstrous size of the distribution kit and the strong consumption of resources, lie in the inconvenience of data exchange between the main system and the sandbox. Moreover, you need to constantly return the state of the file system and registry to the original to remove the infection from the sandbox. If you do not do this, for example, spam bots agents will continue their work inside the sandbox as if nothing had happened. There is nothing to block their sandbox. In addition, it is not clear what to do with portable storage media (flash drives, for example) or games downloaded from the Internet, in which malicious bookmarks are possible.
An example approach is Invincea.
2. Isolation based on partial file system and registry virtualization. It is not necessary to carry the virtual machine engine with you; you can push duplicate file system and registry objects to sandbox processes by sandboxing applications on the user's work machine. Attempting to modify these objects will only change their copies inside the sandbox, real data will not be affected. Rights control does not allow to attack the main system from within the sandbox through the interfaces of the operating system.
The disadvantages of this approach are also obvious - the exchange of data between the virtual and real environments is difficult; constant cleaning of the virtualization containers is necessary to return the sandbox to its original, uninfected state. Also, there may be breakdowns or bypassing this type of sandbox and the release of malicious software codes to the main, unprotected system.
An example approach is SandboxIE, BufferZone, ZoneAlarm ForceField, isolated environment, Kaspersky Internet Security, Comodo Internet Security sandbox, Avast Internet Security sandbox.
3. Insulation based on the rules. All attempts to change file system and registry objects are not virtualized, but are considered from the point of view of a set of internal rules of protection. The fuller and more accurate such a set, the greater the protection against infection of the main system by the program. That is, this approach represents a certain compromise between the convenience of data exchange between the processes inside the sandbox and the real system and the level of protection against malicious modifications. Rights control does not allow to attack the main system from within the sandbox through the interfaces of the operating system.
The advantages of this approach also include the absence of the need to permanently roll back the file system and registry to the original state.
The disadvantages of this approach are the software complexity of implementing the most accurate and complete set of rules, the possibility of only a partial rollback of changes within the sandbox. Just like any sandbox that works on the basis of a working system, it is possible to breakdown or bypass the protected environment and the output of malicious codes to the main, unprotected execution environment.
An example approach is DefenseWall, Windows Software Restriction Policy, Limited User Account + ACL.
There are also mixed approaches to isolating sandbox processes from the rest of the system, based on both rules and virtualization. They inherit both advantages of both methods and disadvantages. And the disadvantages prevail because of the peculiarities of the psychological perception of users.
Examples of the approach are GeSWall, Windows User Account Control (UAC).
Methods for deciding on placement under protection.
Let us turn to the methods of decision-making about placing processes under the protection of the sandbox. There are three basic ones:
1. Based on the rules. That is, the decision module looks at the internal base of rules for launching certain applications or potentially dangerous files and, depending on this, runs processes in the sandbox or outside it, on the main system.
The advantages of this approach are the highest level of protection. Both malicious program files coming from potentially dangerous places through the sandbox and non-executable files containing malicious scripts are closed.
Disadvantages - there may be problems when installing programs that come through the sandbox (although white lists greatly facilitate this task), the need to manually start processes in the main, trusted zone to update programs that are updated only within themselves (for example, Mozilla FireFox, Utorrent or Opera ).
Examples of programs with this approach are DefenseWall, SandboxIE, BufferZone, GeSWall.
2. Based on user rights. This is how the Windows Limited User Account and SRP and ACL based protection work. When creating a new user, he is granted access rights to certain resources, as well as restrictions on access to others. If necessary, the program for working with resources prohibited for a given user must either be logged in as a user with a suitable set of permissions and run the program, or run it alone with such a user, without redesigning the main user (Fast User Switch).
The advantages of this approach are a relatively good level of overall system security.
The disadvantages are the non-triviality of protection management, the possibility of infection through resources allowed for modification, since the decision module does not track such changes.
3. Based on heuristic approaches. In this case, the decision module “looks” at the executable file and tries to guess from indirect data whether to run it on the main system or in the sandbox. Examples - Kaspersky Internet Security HIPS, Comodo Internet Security sandbox.
The advantages of this approach are that they are more transparent to the user than they are based on rules. Easier to maintain and implement for the manufacturer.
Disadvantages - inferiority of such protection. In addition to the fact that the heuristics of the decision module can “miss” on the executable module, such solutions demonstrate almost zero resistance to non-executable files containing malicious scripts. Well, plus a couple more problems (for example, installing malicious extensions from inside the browser itself, from the body of the exploit).
Separately, I wanted to draw attention to the method of using the sandbox as a means of heuristics, i.e. launching a program in it for a certain period of time, followed by an analysis of the actions and the adoption of a general decision on malware, cannot be called a full-fledged anti-virus sandbox. What kind of antivirus sandbox, which is installed only for a short period of time with the possibility of its complete removal?
Modes of use of anti-virus sandboxes.
There are only two of them.
1. Real-time protection mode. When you start a process that may be a threat to the main system, it is automatically placed in the sandbox.
2. Manual protection mode. The user independently makes the decision to launch this or that application inside the sandbox.
Sandboxes that have a primary mode of operation as “real-time protection” may also have a manual launch mode. As well as vice versa.
For sandboxes with rule-based isolation, the use of real-time protection is typical, since the exchange of data between the main system and the processes inside the sandbox is completely transparent.
For heuristic sandboxes, the use of the real-time protection mode is also characteristic, since the exchange of data between the main system and the processes inside the sandbox is absolutely insignificant or comes down to it.
For non-heuristic sandboxes with isolation based on partial virtualization, manual protection is typical. This is due to the difficult exchange of data between the processes inside the sandbox and the main working system.
Examples:
1. DefenseWall (sandbox with isolation on the basis of rules) has the main mode of operation “constant on rules”. However, manually launching applications inside the sandbox, as well as outside it, are present.
2. SandboxIE (sandbox and isolation based on partial virtualization) has the main mode of operation "manual". But when you buy a license, you can activate the "permanent rules" mode.
3. Comodo Internet Security sandbox (sandbox with isolation based on partial virtualization) has the main mode of operation “permanent heuristic”. However, manually launching applications inside the sandbox, as well as outside it, are present.
Here, basically, the basic things, any self-respecting professional should know about anti-virus sandboxes. Each individual program has its own implementation features, which you yourself will already need to find, understand, and evaluate the pros and cons that it carries.
Source: https://habr.com/ru/post/105581/
All Articles