Antivirus, IDS/IPS, and Honeypot Quiz
39 Questions

Questions and Answers

Anomalies analysis monitors process, traffic, and ______ actions.

user

A virtual machine on which malware is executed is called a ______.

Sandbox

Only applications on the "______" are allowed.

whitelist

Intrusion detection methods are based on the assumption that the behavior of a hacker is different from that of ______ users.

legal

The choice of the optimal interpretation of illegal activities is the main problem of any method of detecting ______.

intrusions

An ______ identifies, neutralizes, or eliminates malware.

antivirus

Current antiviruses protect against a lot of ______.

malware

A virus ______ is a malware search mechanism.

scanner

One method of detecting malware is the ______-based method.

signature

In a signature method, the signatures are based on manual ______.

creation

A disadvantage of the signature method is that it does not see new or ______ malware.

polymorphic

______ can duplicate each other.

Antiviruses / firewalls / IDS

______ makes the virus think that the file is already infected.

Vaccinators

The script checks for the existence of various antivirus programs by looking for their ______ files.

executable

The registry key that is read to determine the program files directory is 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion______'.

ProgramFilesDir

The script attempts to delete files related to ______ antivirus programs.

installed

The script creates a text file named '______.vbs'.

mail

The script uses the Outlook 'GetNameSpace' method with the parameter '______' to access mail information.

MAPI

The email subject is set to '______ Game'.

Legion

The ______ object is used to create the email.

leg

The script uses the filesystem object to create and ______ the mail.vbs.

write

Snort is an example of a ______-based intrusion detection method.

rules

In anomaly-based intrusion detection, the initial stage involves collecting information about the typical behavior of legal ______ / resources.

users

Data collected for anomaly detection is statistically processed, and criteria are established that characterize the normal state, such as ______ criteria and profiles.

threshold

______ can be set up for users, groups, or resources in anomaly-based detection.

Profiles

Examples of profiles used in anomaly detection include the number of events in a time interval, time interval, and ______ usage measure.

resource

Intrusion ______ systems are software that implement intrusion detection techniques.

detection

Intrusion detection systems record attack ______ and collect data to prepare security reports.

attempts

Intrusion prevention systems perform the same functions as IDS, but additionally use automated tools to stop possible ______.

attacks

The script uses 'C.Attachments.______' to add the file.

Add

The statement 'C.DeleteAfterSubmit = ______' indicates that the attachment should be deleted after submission.

True

A signature for Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro contains the string 66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b61737065______...

72736b7920616e7469766972757320706572736f6e616c

The antiviral toolkit pro signature contains 66696c6565786973747328{-25}202620225c616e7469766972616c20______...

746f6f6c6b69742070726f

The signature for AVPersonal contains 66696c656578697374732028{-25}202620225c______...

6176706572736f6e616c

The signature for Trend PC-cillin 98 includes the string 66696c656578697374732028{-25}202620225c7472656e64______...

2070632d63696c6c696e

The code contains a loop using '666f7220{-10}203d203120746f20{-10}2e______...'

61646472657373656e74726965732e636f756e74

The code uses '______ {-300}2e6174746163686d656e74732e616464{-150}2e73656e64'

6578697420666f72

A heuristic method is used to detect malware when a signature does not ______ 100%.

match

Heuristic methods can be unreliable and generate ______ positives.

false

Flashcards

Antivirus

Software that identifies, neutralizes, or eliminates malware. It evolved from protecting against computer viruses to safeguarding against various types of malware.

Signature-based method

A method used by antivirus software to detect malware by identifying specific patterns or code segments known as 'signatures'.

Heuristic method

A method that analyzes the behavior of a program to determine if it is malicious. It looks for suspicious patterns or actions that are not typical of legitimate software.

Sandbox

A specialized environment where suspicious software can be executed safely. It provides an isolated space to monitor the software's activities without risking damage to the main system.

Whitelist method

A list of trusted programs or files that are allowed to run on a system. Everything else is blocked.

False-positive

A situation where antivirus software incorrectly identifies a harmless file as malicious and blocks or deletes it.

False-negative

A situation where antivirus software fails to detect and block malicious software.

Anomalies Analysis

A technique that monitors system processes, network traffic, and user actions to detect suspicious activities that might indicate malware presence.

Whitelist

A security approach that only allows applications explicitly listed on a predefined list to run, blocking any others.

Intrusion Detection

The process of identifying and alerting about unauthorized access or malicious activities within a computer system.

Intrusion Detection Assumption

The assumption that malicious attackers behave differently from legitimate users, allowing detection based on activity patterns.

On Error Resume Next

A programming technique used in malicious scripts to handle potential errors without interrupting the script execution. It allows the script to continue running even if an error occurs, such as a file not being found.

For ... Next

A programming construct used in the script to iterate through a collection of elements and perform actions on each element. It helps in automating tasks for multiple entries.

legions.regread

A programming technique used to access and manipulate the registry, a central database that stores system and application settings on Windows.

FileExists()

A function that checks if a file exists in the specified path. It is crucial for ensuring a script works properly on different systems.

DeleteFile()

A function used to delete files in a specific path. It is often used in malicious scripts to remove antivirus software or other critical files.

Set ... = CreateObject()

A technique used to work with objects in a scripting language. It provides a structured way to create and access components like files, network connections, and more.

CreateTextFile()

A function used to create a new text file in the specified location. It is often used to generate malicious scripts or spread malware.

Mass-mailer

The act of sending a large number of emails, often unsolicited and containing malicious content. This is a common tactic used to spread malware.

Morphic Virus

A type of malicious software designed to change its own code to avoid detection by antivirus programs.

Antivirus Signature

An antivirus signature is a unique pattern of code used to identify a specific virus or malware. It's used by antivirus software to detect and remove threats.

Code Modification

A technique used to deceive antivirus software by modifying the internal code of a virus, making it difficult to recognize with signature-based detection methods.

Virus Emulation

Emulating the behavior of a virus allows antivirus software to observe its actions and identify potentially harmful behavior without actually executing it.

Decompilation

Decompilation is the process of converting a program's compiled code back into a human-readable form, which can help in studying the behavior of the virus.

Code Coincidences

Code coincidences can be used to identify a virus by looking at similarities between its code and known malicious programs.

Signature-Less Detection

The detection of malicious software without the need for signatures. It relies on analyzing behavior and identifying patterns.

Signature-Based Antivirus

A type of antivirus software that relies on signature-based detection methods, where it compares the code of a program to known malware signatures.

Rules-based Intrusion Detection

These methods use predefined rules to identify suspicious activity. They look for patterns and signatures that match known attacks.

What is Snort?

Snort is a popular open-source intrusion detection system that utilizes rules to identify and block attacks.

Anomalous-based Intrusion Detection

These methods analyze network traffic and user behavior to identify anomalies or deviations from typical patterns. They establish baseline profiles and flag anything outside the norm.

Initial Stage of Anomalous-based Detection

This phase in anomalous-based detection involves gathering and analyzing data to establish typical behavior and patterns. It helps define what's considered 'normal' for users and resources.

Threshold Criteria and Profiles

These criteria, based on statistical analysis, define what is considered normal or abnormal behavior for users and resources. They act as boundaries for acceptable activity.

Intrusion Detection Systems (IDS)

These tools are designed to detect intrusion attempts, potential security policy violations, and threats to network integrity.

Intrusion Prevention Systems (IPS)

IPS systems share the same functions as IDS, but they go a step further by taking active measures to block or prevent attacks.

Rules-based vs. Anomalous-based Methods

Both rules-based and anomalous-based methods have their advantages and weaknesses. Choosing the right method depends on the specific security needs and environment.

Study Notes

Antivirus, IDS/IPS, Honeypot

  • Antivirus software identifies, neutralizes, or eliminates malware.
  • Early antivirus programs focused on protecting against computer viruses.
  • Modern antivirus programs now protect against various types of malware.
  • Virus scanners are a core mechanism within antivirus software to identify malware.
  • Antivirus, firewalls, and intrusion detection systems (IDS) can sometimes overlap in function.
  • Commercial aspects of antivirus software are significant.

Definitions

  • False-positive: A result indicating a threat when no threat exists.
  • False-negative: A result indicating no threat when a threat exists.

Antiviruses

  • Antivirus software identifies, neutralizes, or eliminates malware.
  • Used to protect against computer viruses at the start of the 20th century.
  • Now protect against a wide range of malware.
  • Virus scanners are the key search mechanism.
  • Antiviruses, firewalls, and intrusion detection systems (IDS) sometimes have overlapping functionalities.
  • Antiviruses are commercially available.

Types of Antiviruses

  • Scanners use signature and heuristic methods.
  • Revisionists capture the current state of the file system (FS).
  • Monitors observe potentially dangerous actions.
  • Vaccinators trick viruses into thinking files are already infected.
  • Classification is based on functionality.

Actions

  • Removing infected files.
  • Blocking access to infected files.
  • Quarantine (blocking execution) of infected files.
  • Removing the virus from the file.
  • Actions are performed after moving infected files.

Malware Detection Techniques

  • Signature-based.
  • Heuristic methods.
  • Anomaly analysis.
  • Sandboxing.
  • Whitelisting.
  • Multi-core/combined methods.

Signature Method

  • Based on unique malware code lines.
  • Improves false-positive detection.
  • Signatures are manually created.
  • Advantages include high accuracy and reliability.
  • Disadvantages: doesn't detect new or polymorphic malware; updates are slow; the signature base keeps growing, which slows scanning; much manual work is needed to create signatures.

Signature Formats

  • ClamAV: extended signatures are stored in .ndb files and logical signatures in .ldb files.
  • A logical signature format includes the signature's name, a target description block, a logical expression, and sub-signatures.

Example: Worm.Godog - 1

  • Application (API) related to mass mailers, AV killers, and VB-script.
  • Specific registry entries and file actions.

Example: Worm.Godog - 2

  • VBScript code, creating and sending emails with infected files (mail.vbs).

Example of Creating a Signature- 1

  • Specific codes or hash values linked to different software like Kaspersky Antivirus or Anti-viral Toolkit Pro.

Example of Creating a Signature- 2

  • Specific codes or hash values linked to different software like Trend PC-cillin 98.

Example of Creating a Signature- 3

  • Examples of codes or hash values linked to Worm.Godog.

Heuristic Method

  • Designed to detect malware when signatures don't fully match.
  • Useful in detecting a class of malware ('morphic' viruses), but may result in false positives and generally not considered reliable.
  • Detection techniques include monitoring actions, emulating virus behavior, and analyzing code discrepancies.

Anomalies Analysis

  • Detects unusual or unexpected behavior of processes, traffic, or user actions.
  • High potential for false positives: normal, legitimate programs may be flagged as malicious.

"Sandbox"

  • Executes malware on a virtual machine.
  • Tracks changes to analyze malicious behavior.
  • Advantage: efficient for professional analysis.
  • Disadvantage: significant time consumption of system resources.

"Whitelist"

  • Allows only pre-approved applications to run.
  • Advantages: no need to update signatures, more effective for organizations with security policies.
  • Disadvantages: Not flexible or user-friendly; requiring administrator time and resources to configure.

Intrusion Detection

  • Importance: protecting against intrusions.
  • Problems: distinguishing between actual attacks and legal activities.

Assumptions of Intrusion Detection

  • Intrusion detection systems are based on the idea that attacker behavior differs from normal user behavior.
  • Difficulty distinguishing legal from illegal activity can lead to false positives.
  • Intrusion detection systems may warn of possible attacks but cannot definitively confirm.

Rules-Based Intrusion Detection Methods

  • Example using Snort to monitor network traffic for specific rules and patterns of attacks.

Anomalous-Based Intrusion Detection Methods

  • Records typical behavior of users and resources.
  • Analyzes data statistically to create profiles of normal behavior.
  • Compares observed activity with established profiles to look for unusual behavior.

Methods +/-

  • Rules-based methods
  • Anomaly-based methods

IDS/IPS

  • This is a system designed for monitoring and detecting intrusion attempts.
  • Implementation of intrusion detection techniques for potential security violations.
  • These systems can record attacks and prepare reports.
  • Intrusion prevention systems can stop attacks, terminate sessions, block access, change security device configurations, and remove infected files.

IDS/IPS Components

  • Sensors/agents
  • Management server
  • Database
  • Dedicated Secure Management Network

NIDS - Network-Based

  • Uses software/hardware to detect network-based intrusions.
  • Limitation: Cannot interpret or process encrypted traffic.
  • Attacks on sensors can make this method ineffective in highly complex environments.
  • Example of intrusion detection using Snort to monitor and detect attacks.

HIDS/FIM - Host-Based

  • Tracks activity on individual hosts.
  • Uses software solutions, active/passive agents, and real-time/delayed detection techniques.

Honeypot/Honeynet

  • Honeypot systems are designed as decoys for cybercriminals.
  • There are also different levels of interactivity for these systems.
  • These systems can be used for monitoring, analyzing, testing, and learning.


Description

Test your knowledge on antivirus software, intrusion detection systems, and honeypots. This quiz covers their functions, definitions, and interactions. Dive into the details of malware protection and learn about false positives and negatives.
