Beat the Security System Series (0): Foreword

Recently I have felt more and more that the security systems being designed at this stage all have shortcomings: they do not take every possible security threat into account, and in front of clever hackers they can do nothing. To help all kinds of security software be designed more completely, I decided to write this series of articles. It covers firewalls, antivirus, HIPS, NIDS and so on, taking the major mainstream products as examples, describing the methods used to deal with them and how their security design could be improved. In fact, information system designers should stand more in the attacker's position when designing a product~

In fact, leading the direction of development feels very good. I very much hope to see, before long, a truly comprehensive security product that rescues the masses from all the popular information/network security threats, heh.

Beat the Security System Series (1): Kaspersky Internet Security / Kaspersky AntiVirus 6.0

On 15 May 2006, the well-known anti-virus vendor Kaspersky Lab released a landmark security suite: Kaspersky Internet Security 6 (referred to below as KIS6) and Kaspersky AntiVirus 6.0 (KAV6). KIS6/KAV6 is a qualitative improvement over Kaspersky's previous products. KIS6 contains file antivirus, mail antivirus, web antivirus, and Proactive Defense, which includes process behaviour monitoring; monitoring of various kinds of code injection, global hook installation, driver loading/service installation and other actions; file integrity checking; checks for all kinds of rootkit-style hiding of files/processes/ports/registry keys; Office macro protection; anti-spyware, a firewall, anti-spam and other functions. Compared with KIS6, KAV6 lacks the firewall module.

Overall, KIS6 is very powerful. In the rootkit discussion group we unanimously agreed that KIS6 is currently the strongest personal armour available. The Kaspersky Lab people are indeed elite and strong; many things rely on undocumented techniques, which caused my previous version of WinDbg to crash when entering kernel debug state~ KIS6's registry monitoring is very complete: NoWindowsApp, ShellServiceObjectDelayLoad, ShellExecuteHooks, SharedTaskScheduler, SafeBoot, \Winlogon\Notify, AppInit_DLLs, startup/shutdown scripts and other autostart keys that other security software rarely monitors are all monitored. In addition, KIS6 monitors various kinds of code injection, including SetThreadContext; monitors driver loading, service loading, entering Ring0 through the \Device\PhysicalMemory object, and so on; monitors global hook installation; checks file integrity; and has anti-rootkit detection of hidden files, hidden processes, hidden ports and hidden registry keys. Worth a mention is that the method of hiding a process by altering PspCidTable is also caught by KIS6. Besides, KIS6's firewall control rules are relatively fine-grained: unlike domestic personal firewalls, where the process is the smallest unit of control, KIS6, like some other foreign firewalls, refines the control policy down to a specific port of a specific process. For example, by default it only allows Explorer.exe to access HTTP port 80, rather than allowing the Explorer.exe process to access the network in general.

Enough boasting about KIS6; now let's talk about its weaknesses. Oh, I don't know how the people at Kaspersky Lab think, whether it is a mental lapse or plain carelessness: KIS6's monitoring of remote-thread code injection only reacts to injection into the IE process, yet the default rules of its firewall allow Svchost and other processes to access HTTP and other ports. So as long as a Trojan uses the remote-thread method to inject itself into the svchost process, it can slip straight through. Alas, really sad! When I got to this point in my study I really wanted to bang my head against a block of tofu to see whether that could kill me....)~
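As an added illustration of the design flaw just described (this is example code, not from the original post and not Kaspersky's code), the check below treats code injection into any process as an alert and raises the severity when the per-process/per-port firewall policy already lets the target process reach the network; every process name, port and event is constructed, and the privileged-process list is an assumption.

```python
# Added example (not code from the original post or from Kaspersky): a defender-side
# check that treats code injection into ANY process as an alert and raises severity
# when the firewall policy, expressed as the per-process/per-port rules described
# above, lets the target process reach the network. All names and events are constructed.
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (source process, target process, technique)

# Constructed per-process egress rules: each process may only reach the listed ports.
FIREWALL_RULES: Dict[str, Set[int]] = {
    "explorer.exe": {80},
    "svchost.exe": {80, 443},
    "iexplore.exe": {80, 443},
}

# Processes whose compromise matters even without network access (assumed list).
PRIVILEGED = {"winlogon.exe"}

# Constructed injection events as a behaviour monitor might record them.
INJECTION_EVENTS: List[Event] = [
    ("dropper.exe", "iexplore.exe", "CreateRemoteThread"),
    ("dropper.exe", "svchost.exe", "CreateRemoteThread"),
    ("dropper.exe", "winlogon.exe", "SetThreadContext"),
    ("setup.exe", "notepad.exe", "CreateRemoteThread"),
]

def narrow_policy(events: List[Event], watched=("iexplore.exe",)) -> List[Event]:
    """The weak design: only injection into a fixed list of targets raises an alert."""
    return [e for e in events if e[1] in watched]

def broad_policy(events: List[Event], rules: Dict[str, Set[int]]) -> List[dict]:
    """Alert on every injection; rank by what the target process is allowed to do."""
    alerts = []
    for src, dst, technique in events:
        ports = sorted(rules.get(dst, set()))
        # An injected thread inherits the target's firewall allowance, so a target
        # with egress rules (or a privileged system process) is the dangerous case.
        severity = "high" if ports or dst in PRIVILEGED else "medium"
        alerts.append({"source": src, "target": dst, "technique": technique,
                       "severity": severity, "egress_ports": ports})
    return alerts

def missed_by_narrow_policy(events: List[Event], rules: Dict[str, Set[int]]) -> List[dict]:
    """High-severity injections that the target whitelist never alerts on."""
    seen = set(narrow_policy(events))
    return [a for a in broad_policy(events, rules)
            if a["severity"] == "high"
            and (a["source"], a["target"], a["technique"]) not in seen]
```

Running `missed_by_narrow_policy(INJECTION_EVENTS, FIREWALL_RULES)` lists the svchost and winlogon injections that a browser-only watch list ignores, which is exactly the gap between the injection monitor and the firewall rules.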

Now let's look at how autostart can be achieved under KIS6. KIS6's registry monitoring is indeed very thorough, and it monitors services and the like as well, so at first glance there is nowhere to start. But cute Kaspersky acts up again and makes the same sad low-level mistake: it does not monitor the Startup folder in the Start menu.... Lest that be called too cheap, let me add that because cute Kaspersky only prompts for IE and a few other processes when monitoring remote-thread code injection, we can inject into Winlogon; once inside Winlogon we can defeat SFP, and then achieve autostart through an infected file. Although Kaspersky has a file integrity check, why that is not a problem is something you will have to try for yourself to understand, heh.

One more point at the bottom: KIS6's monitoring of driver loading is not complete. Hey, with ZwSetSystemInformation we can still load a driver, and once we can load a driver, isn't the world ours? Restoring the SSDT, DKOM, NDIS miniport hooks, whatever we like, oh...

Ha, the ridicule of Kaspersky stops here; next time I'll continue ridiculing other security products, oh:)