Following on from my previous blog post I wanted to explore in a little more detail precisely how GravityZone protects the end-points it is installed upon.
Before I start I want to briefly look at the different versions of GravityZone that are currently available. In this blog post I will mainly be exploring the protection mechanisms that are common to all of the products; later posts will explore functionality that is specific to the more advanced versions of the product, namely the Elite and Ultra versions of GravityZone. That said, there is some feature crossover and I’ll try to make it as clear as possible where additional functionality is part of an Advanced product.
Currently there are 5 GravityZone products, and all share the same core GravityZone virtual appliance. This means that you can start with the base-level Business Security product and subsequently upgrade to one of the more advanced versions without having to rip and replace your AV solution. Similarly, the solution is highly scalable, so if your organisation grows or your needs change the solution can be adapted without having to re-imagine the architecture.
The table below gives an overview of the functionality that each of the products provides; note that certain functionality (e.g. Patch Management) is subscription based and so spans the product range.
GravityZone Basic End-Point Protection Principles
If you read my previous post then you will recognise the image below from that post; for clarity I have ringed in red the features that form the Basic or core end-point protection for the GravityZone products.
As I have mentioned previously, Bitdefender use a tiered approach to end-point security. The principle is that we are not relying on any one detection mechanism being completely ‘bullet-proof’ at detecting anything nasty: with all the will in the world, no single security solution can claim to be completely bullet-proof, because new 0-Day threats emerge constantly as new exploit techniques and vulnerabilities are uncovered and publicised.
Bitdefender take this a step further by having tiers within tiers to provide protection. I outlined each of the tiers in my previous post, so let’s explore each of them in more detail. It is worth noting that each tier has built-in
Hardening and Control Tier
This tier is aimed at making it harder for malicious code to actually run and at locking down the ways that malware can potentially get onto the end-points. The hardening tier is a mechanism to implement controls and best practices that close off avenues of approach and reduce the number of attack vectors available to malware on an end-point.
- Application Control – There are two types of Application Control available: black listing and white listing. Black listing is included in all products, whilst white listing is only available in the GravityZone Elite and Ultra products.
Blacklisting an application prevents it from running, which is handy for enforcing restrictions on certain applications. The true power of Application Control, however, comes with white listing: creating a policy containing a list of applications that are permitted to run on an end-point, with anything else simply prevented from running. This is an excellent way to stop self-extracting and executable malware dead in its tracks: it cannot run, let alone infect end-points.
Enforcing application control can be a very effective way to prevent certain infections from taking hold. Blacklisting is useful for preventing known executables from running, and known malware executables are blocked from running by default. White listing takes this to the next level and enforces very rigorous application control.
- Content Control and Anti-Phishing – These elements of protection are aimed at the web browser environment of the end-points. Content control can be used to block access to web pages containing certain key words, both to prevent undesirable content being displayed on the end-points and because such sites often play host to malware.
Anti-phishing prevents the release of sensitive company or financial data by ensuring that such data is not contained in emails or entered into web forms, alerting the user if it is.
- Firewall – The firewall included in the Bitdefender end-point security solution is a desktop OS firewall and is fully configurable, as you would expect, with host-based intrusion and protection controls.
- Device Control – The device control module is used to control and lock down the types of devices that can or can’t be connected to the end-points, closing off USB and Bluetooth connectivity as potential ways for malware to enter a system.
Pre-Execution Multi-Stage Detection Tier
This tier is aimed at identifying malware once it has got onto the end-point, despite our best efforts to prevent that happening via the hardening tier, and doing so at pre-execution, before the malware can actually begin to cause any harm. The intelligence behind this tier is derived in part from the information and knowledge gathered from the Bitdefender Global Protective Network, in conjunction with Bitdefender’s own research and development. In the event that malware is detected by any of these stages the files are quarantined and the administrators are alerted to the issue.
- Signatures and Cloud Lookup – As with most AV solutions, one of the easiest ways to detect and prevent the vast majority of malware infections is to use the database of known threats that have already been uncovered, studied and understood.
Bitdefender use their vast end-point deployment that I mentioned in my previous post (the Global Protective Network) to keep constantly up to date with the various threats that end-points are being exposed to, and in turn to update that end-point network with the intelligence gathered across it. This means that the virus definition database Bitdefender use to catalogue known threats and their component parts is not only vast but constantly evolving.
- Machine Learning – Algorithms are used to identify malware that is not currently known about and so does not appear in the signatures. This is done by looking at the behaviour the code will exhibit when executed and comparing it to known malicious software, so that potential malware is identified from known malware behaviours within the code before the code is executed.
This tier continuously monitors the code as it runs on the end-point to ensure that any aberrant and/or potentially malicious behaviour is captured and acted upon.
- Anti-Exploit – The Anti-Exploit module looks to identify unknown malware on execution by examining the code for known behaviours associated with taking advantage of exploits in the operating system or applications.
There are 3 main areas that Anti-Exploit protection focuses on:
- Blocks drive by downloads/exploit hosting sites
- Scanning of incoming traffic
- On-Execution detection
It protects commonly used end-user applications, such as browsers, browser components, PDF readers and Microsoft applications, from exploit-based attacks. It protects against exploitation techniques, including protection against OS security bypass. The tool uses advanced memory techniques to prevent exploit shellcode from executing. Malicious memory caller protection incorporates multiple 32- and 64-bit memory exploit mitigation techniques to prevent exploits from executing payload code from malicious memory areas.
- Process Inspector – Acts as a second stage to the Machine Learning algorithms and uses heuristics to constantly analyse the behaviour of the code, looking for and tracking process behaviour that on its own may be benign but, when performed in conjunction with other actions, indicates malware that may not have been apparent during the machine learning phase. When such behaviours are observed concurrently by the same underlying malware code, the Process Inspector halts execution and quarantines the potential malware.
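As an added illustration of the correlation idea behind the Process Inspector (this is example code written for this post, not Bitdefender’s implementation), the sketch below accumulates behaviour events per process and only raises a verdict when a combination of individually benign actions is seen in the same process. The event stream, the behaviour tags and the rule set are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample events in the form (pid, process name, behaviour tag).
# These are made-up events for illustration, not real telemetry.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (1001, "updater.exe", "network_connect"),
    (1002, "installer.exe", "write_startup_key"),
    (1003, "dropper.exe", "write_startup_key"),
    (1003, "dropper.exe", "inject_remote_process"),
    (1002, "installer.exe", "create_file_programfiles"),
    (1003, "dropper.exe", "network_connect"),
    (1003, "dropper.exe", "delete_shadow_copies"),
]

# Hypothetical rule set: each behaviour alone is benign; a process is only
# flagged when every behaviour in a rule has been observed for that process.
RULES: Dict[str, Set[str]] = {
    "persistence_plus_injection": {"write_startup_key", "inject_remote_process"},
    "ransomware_prep": {"delete_shadow_copies", "network_connect"},
}

@dataclass
class ProcessState:
    name: str
    behaviours: Set[str] = field(default_factory=set)
    verdict: str = "benign"
    matched_rule: str = ""

def inspect(events):
    """Track behaviours per pid; on the first rule match, record the verdict
    and the automatic action (terminate + quarantine) and ignore later events
    for that pid, since the process would already have been halted."""
    states: Dict[int, ProcessState] = {}
    actions: List[str] = []
    for pid, name, behaviour in events:
        state = states.setdefault(pid, ProcessState(name))
        if state.verdict != "benign":
            continue  # already halted; nothing further to correlate
        state.behaviours.add(behaviour)
        for rule, needed in RULES.items():
            if needed <= state.behaviours:
                state.verdict = "malicious"
                state.matched_rule = rule
                actions.append(f"terminate pid {pid} ({name}); quarantine image; rule={rule}")
                break
    return states, actions
```

Note that installer.exe also writes a start-up key but is never flagged, because the second behaviour the rule needs never appears for that process.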
Automatic Action tier
When malware is detected in an environment it is vital to have a robust response to it; the Automatic Action tier provides this.
- Access Blocking – When threats are detected, their access to the end-point’s resources is automatically blocked to prevent the malware propagating in the environment.
- Quarantine – The malware is quarantined to prevent further execution without administrative approval.
- Disinfection/Removal – Where appropriate, anything that the malware has installed is automatically removed and any files that the malware has written itself into are disinfected where possible; when this is not possible, infected files are moved to quarantine for further remediation.
- Process Termination – Any and all processes spawned by the malware when it executes are forcibly terminated to prevent them from running and causing further harm. Some forms of malware will automatically spawn new processes if their processes are terminated, much faster than a human can keep up; by terminating the entire malware process thread Bitdefender ensures that this cannot happen.
- Rollback – Bitdefender can roll back malicious changes the malware may make; this could include created registry keys, start-up items and additionally downloaded or installed files.
The final tier is Visibility and Reporting and will be covered in a subsequent post around the GravityZone Elite and Ultra products.