Adaptive Defense Guide

Table of Contents
1. Prologue (p. 6)
1.1. Who is this guide for? (p. 6)
1.2. Icons (p. 6)
2. Introduction (p. 8)
2.1. Main features of Adaptive Defense (p. 8)
2.2. Adaptive Defense User Profile (p. 9)
2.3. General architecture of the Adaptive Defense service (p. 9)
2.3.1. Adaptive Defense server (p. 10)
2.3.2. Administration console Web server (p. 11)
2.3.3. Computers protected with Adaptive Defense (p. 11)
2.3.4. Logtrust accumulated knowledge server (p. 11)
2.3.5. Customer SIEM servers compatible with Adaptive Defense (p. 12)
3. Basic concepts of Adaptive Defense (p. 14)
3.1. Features of the endpoint protection service (p. 14)
3.1.1. The detection ratio (p. 14)
3.1.2. The classification ratio (p. 14)
3.1.3. Classification reliability (p. 14)
3.2. Adaptive Defense model (p. 14)
3.3. Process classification in Adaptive Defense (p. 15)
3.3.1. Known processes (p. 15)
3.3.2. Unknown processes (p. 15)
3.3.3. Types of known processes (p. 15)
3.4. Event analysis (p. 16)
3.5. Customer data confidentiality (p. 17)
3.5.1. Guidelines on data collected by the service (p. 17)
3.5.2. Information collected from machines (p. 17)
3.5.3. Privacy of information collected (p. 18)
4. Installation and start-up of Adaptive Defense service (p. 21)
4.1. Checklist of steps and necessary requirements (p. 21)
4.2. Learning phase (p. 28)
4.3. Malware blocking phase (hardening) (p. 29)
5. Security status and computer visibility (p. 31)
5.1. Adaptive Defense service status (p. 31)
5.2. Security status of the IT infrastructure (p. 31)
5.2.1. Malicious programs (p. 32)
5.2.2. Under investigation at our lab (p. 32)
5.2.3. Vulnerable programs (p. 33)
5.2.4. Potentially Unwanted Programs (p. 34)
5.2.5. Top Risk Users (p. 34)
5.2.6. Top Risk Computers (p. 35)
5.3. Detailed activity reports of threats (p. 36)
5.3.1. Malicious programs (p. 36)
5.3.2. Under investigation at our lab (p. 37)
5.3.3. Vulnerable programs (p. 39)
5.3.4. Potentially Unwanted Programs (p. 39)
5.3.5. Top Risk Users (p. 40)
5.3.6. Top Risk Computers (p. 40)
5.4. Executive report (p. 41)
6. Configuration of Adaptive Defense behavior (p. 43)
6.1. Classified programs (p. 43)
6.1.1. Running specific programs classified as malware (p. 43)
6.2. Unclassified programs (p. 43)
6.2.1. Audit mode (p. 44)
6.2.2. Blocking mode for programs being classified (Extended Mode) (p. 44)
6.2.3. Limited execution mode for programs being classified (Deep Hardening mode) (p. 44)
6.2.4. Complete execution mode for programs being classified (Hardening mode) (p. 45)
7. Forensic analysis and attack prevention (p. 47)
7.1. Deep Hardening mode and infection by unknown malware (p. 47)
7.2. Forensic analysis and prevention of attacks from infected computers (p. 47)
7.2.1. Forensic analysis through action tables (p. 47)
7.2.2. Forensic analysis through execution graphs (p. 51)
7.2.3. Diagrams (p. 52)
7.2.4. Nodes (p. 52)
7.2.5. Lines and arrows (p. 54)
7.2.6. The timeline (p. 54)
7.2.7. Zoom in and Zoom out (p. 55)
7.2.8. Timeline (p. 55)
7.2.9. Filters (p. 55)
7.2.10. Movement of nodes and general zoom (p. 56)
7.3. Interpretation of the action tables and activity graphs (p. 57)
7.3.1. Example 1: Display of actions executed by the malware Trj/OCJ.A (p. 57)
7.3.2. Example 2: Communication with external computers in BetterSurf (p. 58)
7.3.3. Example 3: Access to the registry with PasswordStealer.BT (p. 60)
7.3.4. Example 4: Access to confidential data by Trj/Chgt.F (p. 61)
8. Analysis of knowledge and advanced searches (p. 64)
8.1. Access to the Logtrust environment (p. 64)
8.2. Description of the Adaptive Defense tables (p. 64)
8.2.1. Alert Table (p. 65)
8.2.2. Drivers Table (p. 70)
8.2.3. Filesdwn Table (p. 71)
8.2.4. Hook table (p. 75)
8.2.5. Install Table (p. 77)
8.2.6. Monitoredopen Table (p. 78)
8.2.7. Notblocked Table (p. 79)
8.2.8. Ops Table (p. 82)
8.2.9. Registry Table (p. 84)
8.2.10. Socket Table (p. 86)
8.2.11. Toast Table (p. 91)
9. Appendix I: Integration with SIEM products (p. 95)
10. Appendix II: Service Level Agreements (p. 97)
10.1. Pre-sales and Migration Service (p. 97)
10.2. Technical Support Service (p. 97)
10.3. Our infrastructure in the Cloud (p. 98)
10.4. Unreliable software classification service (p. 100)
1. Prologue
This guide contains information and procedures for use to get the most out of the Adaptive
Defense product.
1.1. Who is this guide for?
This document is designed for network administrators who need to protect Windows computers in
the company's IT infrastructure against Advanced Persistent Threats (APTs).
Although Adaptive Defense is a managed service which offers guaranteed safety without the
involvement of the network administrator, it also provides very detailed and easy to understand
information on processes and programs run by users on company computers, whether these are
known or unknown threats or legitimate programs.
So that the network administrator can correctly interpret the information offered, and draw
conclusions that provide new initiatives to strengthen the company's security, it is necessary to
have a technical knowledge of Windows environments at a process, file system and registry level,
as well as to understand the most frequently used network protocols.
1.2. Icons
The following icons appear in this guide:
Additional information, such as an alternative method for performing a certain task.
Suggestions and recommendations.
Important tips on correctly using Adaptive Defense options.
2. Introduction
Adaptive Defense is a security service based on the monitoring, control and classification of
processes run in the infrastructure according to their behavior and nature.
Unlike traditional antiviruses, Adaptive Defense uses a new security concept which allows it to
adapt precisely to the particular environment of each company, monitoring the execution of all
applications and learning constantly from actions triggered by each of the processes.
After a brief learning period, Adaptive Defense is able to offer a far superior protection level to
that of a traditional antivirus, and provide valuable information on the context in which the
security problems arose in order to determine their scope and implement the necessary measures
to prevent their recurrence.
Adaptive Defense is a Cloud service so it does not require new control infrastructure in the
company, helping to maintain a low TCO.
2.1. Main features of Adaptive Defense.
Adaptive Defense is a managed service that offers guaranteed security against targeted attacks
and APTs, based on four cornerstones:
- Display in real time of each action performed by the running applications.
- Detection of threats by automatically classifying all network files and processes using Machine Learning techniques in Big Data information operating environments.
- Response through forensic analysis to fully investigate the scope of each intrusion attempt.
- Prevention through information that will help the network administrator to prevent similar targeted attacks in the future.
2.2. Adaptive Defense User Profile
Although Adaptive Defense is a managed service that offers security without the involvement of
the network administrator, it also provides very detailed understandable information about the
activity of processes run by users in the whole of the company's IT infrastructure. This information
can be used by the administrator to clearly identify the impact of possible problems and to
adapt their security protocols, and so prevent equivalent situations in the future.
All users with an Adaptive Defense Agent installed on their computer will enjoy a guaranteed
security service, preventing the execution of programs that pose a threat to the company's
activity.
2.3. General architecture of the Adaptive Defense service
Adaptive Defense is an advanced security service based on analyzing the behavior of processes
run on each customer's infrastructure.
Processes are analyzed by applying Machine Learning techniques in Big Data infrastructures
housed in the cloud, so that the customer does not have to install hardware or additional
resources in their offices.
The general schema of Adaptive Defense is shown below:
According to the figure, Adaptive Defense is made up of various elements:
- Adaptive Defense Server
- Administration console Web server
- Computers protected with Adaptive Defense
- Network administrator's computer which accesses the Web console
- Logtrust server providing real-time service on accumulated knowledge
- Customer's SIEM servers compatible with Adaptive Defense
The different roles of the architecture shown are detailed below.
2.3.1. Adaptive Defense server
The Adaptive Defense server compiles all actions performed by the user's processes and sent from
the Agents installed on the customer's computers. It assesses their behavior using learning
techniques and issues a classification for each process being run, which is returned to the Agent
to execute a decision.
The Adaptive Defense server is made up of a cloud-based server farm which configures a Big
Data operating environment where Machine Learning rules are applied continuously to classify
each process run.
Compared to the model adopted by traditional antiviruses, based on the sending of samples to
the provider and manual analysis, there are several advantages of this new cloud-based process
analysis model:
- The accuracy when classifying a process run in multiple endpoints over time is 99.9991% (fewer than 1 error for every 100,000 files analyzed), so the number of false positives and false negatives is virtually zero.
- The delay in classifying processes seen for the first time is minimal, as the Adaptive Defense Agent sends the actions triggered by each process, and the server analyzes them looking for suspicious patterns. In addition, for executable files found on the user's computer that are unknown to the Adaptive Defense platform, the Agent will send the file to the server for analysis.
  The impact on the performance of the customer's network due to the sending of unknown executables is configured to go completely unnoticed. An unknown file is sent only once across all customers that use Adaptive Defense. Mechanisms have also been implemented to manage bandwidth usage, with Agent and time limits, to minimize the impact on the customer's network.
- There is minimal consumption of CPU resources on the user's computer, estimated at 2% compared to the 5%-15% of traditional security solutions, as the entire analysis and classification process is carried out in the cloud. The Agent installed simply collects the classification sent by the Adaptive Defense server and runs a corrective action.
- Cloud analysis frees the customer from installing and maintaining hardware and software infrastructures, paying licenses and managing warranties, so the TCO drops significantly.
See Annex 2 for information on the availability of the Adaptive Defense platform and classification
times.
2.3.2. Administration console Web server
Adaptive Defense is fully managed through the Web console accessible to the administrator from
the following URL:
https://paps.pandasecurity.com/paps
The Web console is compatible with the most common browsers and accessible from any
location at any time, using any device with a compatible browser installed.
See Chapter 4: Installation and start-up of the Adaptive Defense service to check whether your
browser is compatible with the service.
The Web console is responsive, so it is accessible from smartphones and tablets at any time and
anywhere.
2.3.3. Computers protected with Adaptive Defense
The Adaptive Defense Agent is a small software component which occupies less than 20MB and
which must be installed on all machines in the infrastructure likely to suffer security problems.
The Agent's operating mode consists in collecting information on all events that occur in the
machines, sending them to the Adaptive Defense Server. All the information collected concerns
software events and the components that produce them. No information or documents are
collected from the user.
The Agent will send all information to the Adaptive Defense Server in real time for its use and
classification.
The Adaptive Defense Agent can be installed problem-free on machines that already run other security solutions.
2.3.4. Logtrust accumulated knowledge server
Adaptive Defense is provided optionally with a storage service for all knowledge generated by
the customer's computers, recording each action performed by the processes run in the IT
infrastructure, whether goodware or malware. It is therefore possible to list and display flexibly all
data collected to obtain additional information on threats and how users are using the
company's computers.
The Logtrust service is accessible from the Web console dashboard.
See Chapter 8 to configure and take advantage of the knowledge analysis service and advanced
searches.
2.3.5. Customer SIEM servers compatible with Adaptive Defense
Adaptive Defense integrates with external providers’ SIEM solutions, sending data collected
about the activity of applications run in workstations. This information is sent to the SIEM server
along with all the knowledge of the Adaptive Defense platform and can be used by the
customer's systems.
Listed below are SIEM systems compatible with Adaptive Defense:
- QRadar
- AlienVault
- ArcSight
- LookWise
- Bitacora
See Annex 1 Integration with SIEM products to obtain more information on the integration of
Adaptive Defense with third-party SIEM systems.
3. Basic concepts of Adaptive Defense.
Adaptive Defense is a guaranteed security service based on a completely different protection
model to that used in traditional antiviruses, whether On Premise, Cloud or standalone.
3.1. Features of the endpoint protection service
In terms of protecting computers in the network, there are three main parameters when it comes
to offering a reliable security product: the detection ratio, the classification ratio and the
classification accuracy of the files analyzed. To these three parameters should be added a fourth
which covers them: the time factor.
3.1.1. The detection ratio
The detection ratio answers the question: “How many viruses does the security solution know?”
This is the percentage of different samples recognized by the security provider, compared to the
total number of samples in circulation.
3.1.2. The classification ratio
The classification ratio answers the question: “How many files do you know?”
It indicates the percentage of files already recognized by the provider to be able to issue a
classification, compared to the total number circulating in the customer's network.
3.1.3. Classification reliability
The classification reliability measures the level of certainty in the verdict given when classifying an
element as goodware or malware. Or rather it is the likelihood that a known element changes its
classification, either because it was initially classified as goodware and subsequently reclassified
as malware or vice versa.
3.2. Adaptive Defense model
In the proposed model, the malware is classified and detected locally with the known heuristic
methods of the traditional system, but the main novelty is the automatic collection of actions
triggered by each process run on the customer's computers, and their subsequent study using
Machine Learning techniques in the Big Data environments deployed in the security provider's
infrastructure.
In this way, each Agent installed on the customer's computer records all actions and changes in
the system produced by each of the processes run by the user. These perfectly detailed actions
are sent to the provider, producing continuous data mining of process behavior in real time. This is
how Adaptive Defense knows the characteristics and behavior of each and every file circulating
on its customers' networks.
Given that the same software solution run in many customers can generate different groups of
actions depending on how it is used, the provider will have access to a multitude of executions of
the same program. This provides Adaptive Defense with a volume of highly valuable additional
evidence that is impossible to replicate in the traditional model, and which, once crossed and
exploited with statistical analysis technologies on Big Data platforms, will enable almost
instantaneous automatic classification in most cases of each and every process run by each
customer, with almost 100% reliability.
3.3. Process classification in Adaptive Defense
The classification process consists in determining the threat of each program run in the customer's
company.
At a first level, the system distinguishes between two statuses.
- Known processes
- Unknown processes
3.3.1. Known processes
These are processes already recorded and analyzed by Adaptive Defense, or with certain
characteristics that turn them into known processes without having to analyze them. This group
would include programs that form part of the operating system or programs digitally signed by a
known certification body.
All processes known by Adaptive Defense have an associated hash so that the Agent can ask
the Adaptive Defense Server whether it is known or not and, if it is, to be able to reuse its
classification.
3.3.2. Unknown processes
These are new processes for the system so they do not have a hash identifier or associated
classification. Allowing the service to run or not on the customer's computer will depend on its
configuration. If it can be run, the Agent will send to the server the events generated by each
running of the process on each of the user's computers. When there is a sufficiently relevant
number of events in the Adaptive Defense Server, a classification will be issued and the process
will change to Known status.
3.3.3. Types of known processes
There are two types of known processes: goodware and malware/PUPS.
Goodware: Goodware is a known process that has displayed safe behavior since the first time it
was seen on a computer. A process can be goodware for various reasons:
- For belonging to the base distribution of the operating system and being digitally signed by a trustworthy certification body.
- For having been monitored once or more than once, so the events generated have already been studied by Adaptive Defense.
Malware/PUP: Adaptive Defense analyzes the behavior of running processes and assesses the
threat level of their actions. If a program has performed actions in the past that are a threat to
the computer or network where Adaptive Defense was running, it will classify it as Malware or a
potentially unwanted program for all customers of the service.
3.4. Event analysis
The working of Adaptive Defense is based on three cornerstones: an Agent installed on the
customer's endpoint, a cloud-based automated analysis system, and a team of experts at
PandaLabs which studies the most complicated threats that the automatic systems cannot
resolve alone.
The Agent installed on each customer computer monitors each of the processes being run and
sends all the events to the cloud, where this knowledge is used to automatically determine for
most cases the threat of the running processes.
The number of types of actions recorded and sent to the provider is very exhaustive, with a list of
the most important detailed below:
- Download of files
- Installation of software
- Download URLs
- Modification of Hosts file
- File age
- Creation/installation of drivers
- Capture of screenshots
- Communications of processes (IP address, ports, protocols)
- Creation and modification of executable files
- Loading DLLs
- Creation of services
- Mapping executable files
- Deleting and renaming files
- Creation of folders
- Creation and opening of files
- Creation and modification of registry branches
- Creation of threads in remote processes
- Destruction of processes
- Access to SAM
- Access to data (around 200 file formats)
3.5. Customer data confidentiality
The new Adaptive Defense protection model requires obtaining information on the actions
performed by the applications installed on the customer's computers.
3.5.1. Guidelines on data collected by the service
Data collected in Adaptive Defense strictly follows the general guidelines listed below:
- Only information on Windows executable files (.exe, .dll files etc.) run/loaded on the user's computer is collected. No information on data files is collected.
- The attributes of the files are sent normalized, removing information referring to the logged-on user. For example, file paths are normalized as LOCALAPPDATA\name.exe instead of c:\Users\USER_NAME\AppData\Local\name.exe.
- The URLs collected are only those of the download of executable files. User browsing URLs are not collected.
- There is no data-user relationship in the data collected.
- In no case will Adaptive Defense send personal information to the cloud.
3.5.2. Information collected from machines.
The service collects the following information on the execution environment (computer hardware
and software):
- Computer name.
- Operating system.
- Service Pack.
- Group in which the protected PC is included.
- Machine's default IP address.
- MAC address.
- IP addresses assigned to the PC in different network adapters.
- MAC address for the different network adapters.
- RAM memory in MBytes.
As essential information for supporting the new protection model, Adaptive Defense sends
information on the actions performed by the applications run on each user's computer.
| Attribute | Data | Description | Example |
|---|---|---|---|
| File | Hash | File hash to which the event refers | N/A |
| URL | Url | Address from where an executable file has been downloaded | http://www.Malware.com/executable.exe |
| Path | Path | Normalized path in which the file to which the event refers is found | APPDATA\ |
| Registry | Key/Value | Windows registry key and its related content | HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Research\Minerva\Version = 3.2.21 |
| Operation | Operation ID | ID of the event operation (creation/modification/loading of an executable file, executable file download, communication, etc.) | A type 0 event indicates the execution of an executable file |
| Communication | Protocol/Port/Address | Collects the communication event of a process (not its content) together with the protocol and address | Malware.exe sends data by UDP on port 4865 |
| Software | Installed software | Collects the list of software installed on the endpoint according to the Windows API | Office 2007, Firefox 25, IBM Client Access 1.0 |
It may also be necessary to send executable files to our Collective Intelligence platform. To
reduce bandwidth consumption, executable files are only sent to the Collective Intelligence
platform in case they are not yet present. Sending only executable files ensures that in no case
will they contain confidential user/customer information.
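As an added illustration of the path normalization in section 3.5.1 and the event attributes in the table above, the following Python is example code written for this guide, not the Adaptive Defense Agent's own code. It assumes SHA-256 for the file hash, the SYSTEMROOT, PROGRAMFILES and USERPROFILE tokens beyond the two the guide shows, and a small set of executable extensions; all of these are placeholders.

```python
"""Build a minimal Adaptive Defense-style event record that carries no
logged-on user name.  Added example; hash algorithm, extra folder tokens and
extension list are assumptions, not taken from the product documentation."""
import hashlib
import re
from typing import Optional

# (regex for the user- or machine-specific prefix, replacement token).
# LOCALAPPDATA and APPDATA are the tokens shown in the guide; the other three
# are assumed placeholders in the same style.  Most specific rules come first
# so that "...\AppData\Local\" is not swallowed by the generic USERPROFILE rule.
_PREFIX_RULES = [
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", "LOCALAPPDATA\\"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", "APPDATA\\"),
    (r"^[a-z]:\\users\\[^\\]+\\", "USERPROFILE\\"),
    (r"^[a-z]:\\windows\\", "SYSTEMROOT\\"),
    (r"^[a-z]:\\program files( \(x86\))?\\", "PROGRAMFILES\\"),
]

# Assumed set of extensions treated as "Windows executable files" (3.5.1).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}


def normalize_path(path: str) -> str:
    """Replace a user-specific prefix with its token (case-insensitive).
    Paths outside any known prefix are returned unchanged."""
    for pattern, token in _PREFIX_RULES:
        match = re.match(pattern, path, re.IGNORECASE)
        if match:
            return token + path[match.end():]
    return path


def is_executable(path: str) -> bool:
    """Only executables are reported; data files never are (3.5.1)."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in EXECUTABLE_EXTENSIONS


def leaks_user_name(normalized: str, user_name: str) -> bool:
    """Pre-send check: the user name must not survive as a path segment.
    Segment comparison avoids false hits on names such as 'bobsled.exe'."""
    return any(seg.lower() == user_name.lower() for seg in normalized.split("\\"))


def build_event(path: str, content: bytes, operation_id: int,
                download_url: Optional[str] = None,
                user_name: str = "") -> Optional[dict]:
    """Return the event record for an executable, or None for a data file.
    operation_id follows the guide's 'Operation ID' attribute (0 = execution)."""
    if not is_executable(path):
        return None
    normalized = normalize_path(path)
    if user_name and leaks_user_name(normalized, user_name):
        raise ValueError("normalization left the logged-on user name in the path")
    event = {
        "hash": hashlib.sha256(content).hexdigest(),  # algorithm assumed
        "path": normalized,
        "operation": operation_id,
    }
    # URLs are only recorded for executable downloads; build_event already
    # refused data files above, so any URL reaching here is a download URL.
    if download_url is not None:
        event["url"] = download_url
    return event


if __name__ == "__main__":
    # Constructed sample: the guide's own example path and download URL.
    sample = build_event(r"C:\Users\USER_NAME\AppData\Local\name.exe", b"MZ",
                         0, "http://www.Malware.com/executable.exe", "USER_NAME")
    print(sample)
```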
3.5.3. Privacy of information collected
All information collected is only stored in our Windows Azure cloud platform.
The information is not shared with third parties unless customers:
- Want to receive in their SIEM system information on security alerts and data collected by Adaptive Defense. The information collected will be sent to the customers' SIEM system through a secure protocol established by the customer.
- Use the Logtrust platform, the accumulated knowledge real-time operating platform with which Adaptive Defense is integrated by default. The information is sent to Logtrust by HTTPS and stored in Logtrust data centers.
All the information sent to the cloud is encrypted with strong encryption algorithms such as
BlowFish.
Finally, the information collected on the user's computer by the Agent is temporarily stored in an
encrypted storage folder.
4. Installation and start-up of Adaptive Defense service
The necessary steps for correctly completing the installation of the service and its subsequent
start-up are outlined in this chapter.
4.1. Checklist of steps and necessary requirements.
1. Check compatibility of the Adaptive Defense Agent with the computers to be protected.
The following Windows systems are compatible with the Agent:
- Operating systems (workstations): Windows XP SP2 or higher (Vista, Windows 7, 8 and 8.1) on 32-bit and 64-bit platforms.
- Operating systems (servers): Windows Server 2003, Windows Server 2008 and Windows Server 2012 in any of their configurations and architectures.
2. Check that the prerequisites are met on each computer to be protected
The Agent is an application that requires the following standard components, generally already installed on the user's computer:
- .NET Framework version 2.0 SP2 or any higher version that includes it. It must be installed manually if it is not found.
- Visual C++ 2008 Redistributable Package. If it is not found, the installer will download and install it itself.
3. Check that the connectivity prerequisites are met
The Agent communicates by default with the server through the HTTPS protocol so it requires
access through port 443 to the Internet with the following destinations:
https://paps.pandasecurity.com
https://rpuws.pandasecurity.com
https://rpkws.pandasecurity.com
https://prws2.pandasecurity.com/PAPS/Login.aspx/
If a proxy server is used to access the Internet, the corresponding credentials must be configured on the Web portal before downloading the installer (see step 4).
The Agent also has the capacity to switch from a proxy connection to a direct connection and
vice versa, automatically enabling the sending of events for mobile computers connected to
non-corporate networks (no proxy).
4. Creation of the installation package
The creation of the installation package introduces certain information in the installer that will
help the administrator with the subsequent deployment and configuration of the Agent.
Configuration of outbound Internet proxy: If Internet access from the network is via a proxy server, you must first configure the proxy details on the Web console. This will generate an MSI installer to be used in the network.
If several different proxies are going to be used, you must create a custom installer for
each of them and manage the deployment in each corresponding network.
To create an installation package click Add computers on the dashboard and complete the
proxy fields if the agents are going to access the Internet in this way.
After entering and saving the data, you can download the MSI installer on the local computer to
start its deployment.
The installer is unique and contains the Agent versions for both 32-bit and 64-bit systems.
Installation of the Agent on computers with other antiviruses installed: Adaptive Defense is
compatible with traditional endpoint antiviruses and can be installed as an accessory to protect
the customer's computers against targeted and sophisticated attacks.
5. Download and distribution of the installer
The MSI installer file can be distributed in various ways in the customer's network, depending on
the number of computers, their location and other factors.
Manual installation: The MSI installer can be shared in a network folder from where users will
collect it and install it manually, or it can also be sent by email.
Installation of the Agent requires local administrator permissions on the computer. Depending on the configuration of the computer, UAC (User Account Control) will require confirmation of the installation or entering the administrator's password.
The installation program does not need any additional information.
If the Visual C++ 2008 Redistributable Package is not installed on the computer, the installer will
download and install it automatically.
After completing the installation process, the Adaptive Defense Agent will be updated with the
new knowledge.
The Adaptive Defense Agent is designed to go unnoticed by the user and not support any
configuration from the same computer.
Centralized installation through Group Policy Object (GPO): If there is a very large IT infrastructure,
the current Active Directory infrastructure can be used to deploy the installer or any other remote
installation software. In this way the network administrator won't have to actually go to each of
the computers, but will be able to perform a silent installation on those computers in the network
that they consider necessary.
The steps for performing an installation through a GPO are set out below.
- Download the Adaptive Defense installer and share it: Place the Adaptive Defense installer in a shared folder that is accessible to all the computers that will receive the Agent.
- Open the “Active Directory Users and Computers” applet and create a new OU (Organizational Unit) called “Adaptive Defense”.
- Open the Group Policy Management snap-in. In Domains, select the newly created OU to block inheritance.
- Create a new GPO in the “Adaptive Defense” OU.
- Edit the GPO.
- Add a new installation package that will contain the Adaptive Defense Agent. For this you will be asked to add the installer to the GPO.
- Once added, show the properties. In the Deployment tab, click Advanced and select the checkbox that disables the check between the destination operating system and the one defined in the installer.
- Finally, add to the Adaptive Defense OU previously created in “Active Directory Users and Computers” all the network computers that you want to send the Agent to.
6. Checking installation of the Agent
Installing the Agent creates the following items on the computers:
- INSTALLATION PATH: Files for the services installed.
  - %programfiles%\Panda Security\Minerva Suite\
- WORK PATH: Contains the cache and various temporary files of the machine events collected.
  - %ProgramData%\Minerva
- SERVICES: The installation registers 2 new services whose executable files are digitally signed by Panda Security, S.L., as are all the solution files:
  - Minerva Agent (RMMsvc.exe): Collects and sends the events observed on the computer.
  - Minerva Updater (MinervaUpdater.exe): Creates agent updates.
- REGISTRY: The following registry branch is created with various configurations, including the customer ID, service front end URL, proxy data, etc.
  - HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Research\Minerva
Change of proxy connection data: Once the Agent is installed and working, it is no longer
possible to change the proxy connection data from the service console. The SetMinervaProxy.zip
program downloadable from
http://www.pandasecurity.com/resources/tools/paps/setminervaproxy.zip is used instead.
Once downloaded, unzip the file (password: panda) in the Adaptive Defense installation folder
and launch a command prompt window with Administrator permissions. Enter the following
command, indicating the information for the new proxy configuration data:
SetMinervaProxy.exe [Domain] [User] [password] [proxy server] [proxy port] [PROXYAUTH (1/0)]
If you want to disable the proxy and use a direct connection, you can run the following
command:
SetMinervaProxy.exe Activate=0
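As an added post-installation check (example script, not part of the guide or of Panda's own tooling), the following PowerShell verifies the artifacts listed in step 6 and the TCP 443 reachability of the destinations from step 3. It assumes the service display names are exactly "Minerva Agent" and "Minerva Updater" and that both executables reside in the installation path; run it from an elevated prompt on a protected computer.

```powershell
# Added post-install check; not part of the Adaptive Defense guide or its tooling.
# Assumptions: service display names match the guide's "Minerva Agent"/"Minerva Updater",
# and both executables live in the installation path listed in step 6.
$installPath = Join-Path $env:ProgramFiles 'Panda Security\Minerva Suite'
$workPath    = Join-Path $env:ProgramData  'Minerva'
$regKey      = 'HKLM:\SOFTWARE\Panda Security\Panda Research\Minerva'
$services    = @{ 'Minerva Agent' = 'RMMsvc.exe'; 'Minerva Updater' = 'MinervaUpdater.exe' }
# Destinations the Agent must reach over HTTPS (step 3 of the checklist)
$destinations = 'paps.pandasecurity.com', 'rpuws.pandasecurity.com',
                'rpkws.pandasecurity.com', 'prws2.pandasecurity.com'

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $null = $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Folders created by the installer
Add-Check 'Install path' (Test-Path $installPath) $installPath
Add-Check 'Work path'    (Test-Path $workPath)    $workPath

# 2. Registry branch holding customer ID, front-end URL and proxy data.
#    Value names are not documented in the guide, so only list what is present.
if (Test-Path $regKey) {
    $valueNames = (Get-Item $regKey).GetValueNames() -join ', '
    Add-Check 'Registry branch' $true "values present: $valueNames"
} else {
    Add-Check 'Registry branch' $false 'branch missing'
}

# 3. Services running, and their binaries carrying a valid Panda Security signature
foreach ($entry in $services.GetEnumerator()) {
    $svc = Get-Service -DisplayName $entry.Key -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $state = if ($svc) { "$($svc.Status)" } else { 'not installed' }
    Add-Check "Service '$($entry.Key)'" $running $state

    $exe = Join-Path $installPath $entry.Value
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $signedByPanda = ($sig.Status -eq 'Valid') -and
                         ("$($sig.SignerCertificate.Subject)" -like '*Panda Security*')
        Add-Check "Signature $($entry.Value)" $signedByPanda "$($sig.Status); $($sig.SignerCertificate.Subject)"
    } else {
        Add-Check "Signature $($entry.Value)" $false "file not found at $exe"
    }
}

# 4. Direct TCP 443 reachability to each front end. A proxy configured in the
#    installer is not exercised by this raw socket test; on proxied networks a
#    failure here is expected and the proxy settings should be checked instead.
foreach ($dest in $destinations) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($dest, 443, $null, $null)
        $reachable = $async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
    } catch {
        $reachable = $false
    } finally {
        $client.Close()
    }
    Add-Check "TCP 443 to $dest" $reachable ''
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Passed }).Count
"Overall: " + $(if ($failed -eq 0) { 'PASS' } else { "FAIL ($failed check(s) failed)" })
```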
7. Agent update
The Agent has a service called Minerva Updater. Among other tasks, this service is responsible for
updating the Agent, downloading the update data published from the Adaptive Defense Server.
The update is completely transparent to the end user and can be monitored through the
Dashboard and daily reports accessible on the Web console.
See Chapter 5: Security status and computer visibility, for more information about the reports and
dashboards.
Having completed the installation of the Agents on all the computers, the service will start to
audit the processes run on the machines in order to classify them.
4.2. Learning phase
The learning phase is a period of time that starts when the installation of the Agent has been
completed and lasts anywhere from 2 days to 1 week depending on the number of applications
run on that computer. During this time, the Agent starts to monitor all the events that occur on the
machine, sending those considered relevant to the Adaptive Defense server.
The Agents will send to the front ends only those samples not yet registered in the Panda Security
knowledge base. A file will only be sent once from a machine. The Agent will limit and monitor
bandwidth usage.
Once received in the Server, the information collected by the Agents is passed to the service
backend where different technologies are applied to resolve unknown and/or potentially
malicious elements and identify potentially vulnerable software.
During the learning phase, Adaptive Defense will behave as follows with respect to goodware, malware and unknown files:
- Goodware: It can be run as normal.
- Malware: Its running is blocked.
- Unknown files: They can be run initially until Adaptive Defense concludes that they are either goodware or malware. Once the item is classified, the knowledge is disseminated to all computers that use the protection service. If a computer runs a program without classifying it at the time and it later turns out to be malware, the system will block any subsequent execution attempt and mark the computer as infected in the Alerts section.
See Chapter 5: Security status and computer visibility for more information about Alerts. See
Chapter 3: Basic concepts of Adaptive Defense for more information about goodware, malware
and unknown files.
At the end of the learning phase, 100% of the applications run by users are classified as
goodware or malware.
4.3. Malware blocking phase (hardening)
At the end of the learning phase, Adaptive Defense will start to protect the computer according
to the configuration chosen by the network administrator.
See Chapter 6: Configuration of Adaptive Defense behavior for more information.
5. Security status and computer visibility
The different ways of displaying the security status of the IT infrastructure in Adaptive Defense and
the service status are explained in this chapter.
5.1. Adaptive Defense service status
The Dashboard is the Adaptive Defense home screen and its purpose is to graphically represent
both the security status of the customer's network and the contracted service. This facilitates the
location at a glance of the main problems found in the network.
To show the service status, Adaptive Defense uses 3 widgets that report the information indicated
below to the administrator:
- The widget situated on the left-hand side shows the “Active” or “Inactive” service
status
- The central widget shows the number of devices protected by Adaptive Defense. To
add new devices, click the “Add computers” button, as explained in Chapter 4:
Installation and start-up
- The right-hand widget indicates the customer's computers which, having an Adaptive
Defense Agent correctly installed, have not communicated with the server in the past
3, 7 and 30 days.
5.2. Security status of the IT infrastructure
The central part of the Dashboard graphically represents the security status through 6 widgets
that are updated in real time and show a particular aspect of the customer's network at a
specific moment. You can click on each widget to obtain a detailed breakdown of data.
All counters included in the Dashboard show the number of various unique threats or programs
found in the customer's IT infrastructure in the period of time determined by the administrator.
This means that if the same threat or vulnerable program is detected several times in different
computers in the set period of time it will only be counted once.
Use the filtering tool located at the top to change the time interval established for showing data:
last day, last week, last month and last year.
Disinfected threats or updated vulnerable programs do not disappear from the counters or
dashboards in the chosen time interval; however, when choosing a time interval after the
disinfection they will no longer be shown.
5.2.1. Malicious programs
This widget shows the number of Malware threats found. It offers the following data:
- Number of unique threats found in the customer's IT infrastructure
- Run: Threats that were actually run on the user's computer
- Access data: Threats found that access the user's files
- Devices affected: Number of computers that contain malware
- Outbound connection: Number of threats that access other computers to send or
receive data
5.2.2. Under investigation at our lab
This widget shows the unknown programs found in the customer's network whose preliminary
analysis has revealed suspicious behavior, although they have yet to be definitively classified by
Panda Security technicians. These programs are classified as goodware or malware within 24
hours.
It offers the following data:
- Number of suspicious programs that are being analyzed in Panda Security’s
laboratory, and which were found after the installation and start-up of the Adaptive
Defense service
- Run: Potentially dangerous programs that were actually run on the user's computer
- Access data: Potentially dangerous programs found that access the user's files
- Devices affected: Number of computers that contain potentially dangerous programs
- Outbound connection: Number of potentially dangerous programs that access other
computers to send or receive data
5.2.3. Vulnerable programs
This widget shows the number of programs that contain any vulnerability that can be exploited
by malware and PUPs to infect computers in the customer's network.
- Number of programs that contain some type of vulnerability that can be exploited by
malware and PUPs, and which were found after the installation and start-up of the
Adaptive Defense service
- Run: Vulnerable programs that were actually used on the user's computer
- Access data: Vulnerable programs found that access the user's files
- Devices affected: Number of computers that have vulnerable programs installed
- Outbound connection: Number of vulnerable programs that access other remote
computers to send or receive data
5.2.4. Potentially Unwanted Programs
This widget shows PUPS (Potentially Unwanted Programs) found in the customer's network. It offers
the following data:
- Number of potentially dangerous programs found after the installation and start-up of
the Adaptive Defense service
- Run: Potentially dangerous programs that were actually run on the user's computer
- Access data: Potentially dangerous programs found that access the user's files
- Devices affected: Number of computers that contain potentially dangerous programs
- Outbound connection: Number of potentially dangerous programs that access
remote computers to send or receive data
5.2.5. Top Risk Users
This widget shows the four network users whose devices have a higher risk of infection. For this,
the four concepts previously seen and grouped by user are displayed:
- Number of Malicious programs
- Number of Potentially Unwanted Programs (PUP)
- Number of Under investigation at our lab programs
- Number of Vulnerable programs
5.2.6. Top Risk Computers
This widget shows the four computers in the network with highest risk of infection. For this, the four
concepts previously seen and grouped by computers are displayed:
- Number of Malicious programs
- Number of Potentially Unwanted Programs (PUP)
- Number of Potentially malicious programs
- Number of Vulnerable programs
5.3. Detailed activity reports of threats
Reports and detailed lists of the malware or vulnerable software found in the customer's network
are displayed by clicking on the various Dashboard panels.
You can order the content of all the tables displayed by clicking on the header fields, and at the
bottom there is a pagination system for easier browsing.
5.3.1. Malicious programs
A list of the threats found in computers protected with Adaptive Defense is shown in this report.
The search tool is located at the top:
The filter (1) restricts the search indicated in the textbox (2) situated to the right of the selected field:
- All: The search string will be applied to the Computer, Name and Date fields
- Computer: The search string will be applied to the computer name
- Name: The search string will be applied to the Malware name
- Date: The search string will be applied to the date of detection
The filter (3) shows the threats that meet the selected criteria:
- Executed: The Malware was executed and the computer is infected
- Not Executed: Malware detected by the vulnerability protection
- Blocked: Malware known by Adaptive Defense and blocked
- Allowed: Malware known by Adaptive Defense but its execution is allowed as it is included in the Exceptions tab of the Settings menu.
- Access to data files: The malware accessed the disk to collect information from the computer, or to create files and resources necessary for its execution
- Communications: The malware opened communication sockets with any machine, including localhost
The table fields are as follows:
- Computer: Computer where the detection took place
- Name: Name of the malware
- Path: Full path where the infected file resides
- Run: The malware was run and the computer might be infected
- Accesses data: Indicates whether the threat sends or receives data from other
computers.
- Establishes an outbound connection: The threat has communicated with remote
computers to send or receive data.
- Date: Date when the malware was detected in the computer
5.3.2. Under investigation at our lab
This report shows a list of those files in which, without their classification having been completed,
Adaptive Defense has preliminarily detected some risk.
The search tool is located at the top:
The filter (2) allows you to restrict the search indicated in the textbox (1) by the likelihood of the potentially malicious program actually being a threat:
- Medium
- High
- Very high
The table fields are as follows:
- Name: Name of the malware
- Run on (computers): Number of computers that ran the potentially dangerous
program. Click on the number to obtain a list of computers with their name and the
potentially dangerous file path. Click on each computer name to display the
machine information.
- Not run (computers): Number of computers in which Adaptive Defense found the
potentially dangerous program but it was not actually run. Click on the number to
obtain a list of computers with their name and the potentially dangerous file path.
Click on each computer name to display the machine information.
- Accesses data: Indicates whether the threat sends or receives data from other
computers.
- Establishes an outbound connection: The threat has communicated with remote
computers to send or receive data.
- Likelihood of being malicious: Very high, High, Medium
5.3.3. Vulnerable programs
This report shows a list of those programs that contain known vulnerabilities that can be exploited
by malware and advanced threats for infecting the computer.
The search tool is located at the top:
The table fields are as follows:
- Name: Name of the program considered vulnerable
- Version: Full path where the infected file resides
- Vendor: The company that created the infected software
- Run on (computers): Number of computers that ran the program considered
vulnerable. Click on the number to obtain a list of computers with their name. Click
on each computer name to display the machine information.
- Not run (computers): Number of computers in which Adaptive Defense found the
program considered vulnerable but it was not actually run. Click on the number to
obtain a list of computers with their name. Click on each computer name to display
the machine information.
5.3.4. Potentially Unwanted Programs
A list of the PUPs (Potentially Unwanted Programs) found in the computers protected with
Adaptive Defense is shown in this report.
A search tool is found at the top:
The filter (1) restricts the search indicated in the textbox (2) situated to the right of the selected field:
- All: The search string will be applied to the Computer, Name and Date fields
- Computer: The search string will be applied to the computer name
- Name: The search string will be applied to the PUP name
- Date: The search string will be applied to the date of detection
The filter (3) shows the threats that meet the selected criteria:
- Executed: The PUP was executed and the computer is infected
- Not Executed: PUP detected by the vulnerability protection
- Blocked: PUP known by Adaptive Defense and blocked
- Allowed: PUP known by Adaptive Defense but its execution is allowed by the system administrator.
- Access to data files: The PUP accessed the disk to collect information from the computer or to create files and resources necessary for its execution
- Communications: The PUP opened communication sockets with other machines, including localhost
The table fields are as follows:
- Computer: Computer where the detection took place
- Name: Name of the PUP
- Path: Full path where the PUP file resides
- Run: The PUP was run and the computer might be infected
- Accesses data: Indicates whether the PUP sends or receives data from other
computers.
- Establishes an outbound connection: The PUP has communicated with remote
computers to send or receive data.
- Date: Date when the PUP was detected in the computer
5.3.5. Top Risk Users
This report shows a list ordered by importance of network users with the most threats found in their
computer.
The report table fields are as follows:
- User: User associated with the process run
- Malicious programs: Number of malicious programs run by the user
- Potentially malicious programs: Number of potentially malicious programs run by the
user
- Vulnerable programs: Number of programs considered vulnerable and used by the
user
- Potentially unwanted programs: Number of PUPs run by the user
5.3.6. Top Risk Computers
This report shows a list of all computers audited in the network.
The report table fields are as follows:
- Computer: Audited computer. Click on the name to display information about the
computer.
- Malicious programs: Number of malicious programs run on the computer
- Potentially malicious programs: Number of potentially malicious programs run on the
computer
- Vulnerable programs: Number of programs considered vulnerable and used on the
computer
- Potentially unwanted programs: Number of PUPs run on the computer
- Last connection: Timestamp of the last connection of the computer to the Adaptive
Defense server
5.4. Executive report
There is a button at the top of the Dashboard to create an executive report. This report
summarizes all information shown on the Dashboard and in the reports, ready for download in
PDF format or printing.
6. Configuration of Adaptive Defense behavior
Adaptive Defense is a managed service which frees the network administrator from most of the
workload associated with products based on white/black lists and exceptions. In this way, Panda
Security automatically classifies the security of all processes run on each of the customer's
computers, without requiring any manual intervention.
Adaptive Defense's behavior is configurable for two groups of programs:
- Classified programs
- Unclassified programs
The network administrator must request from Panda Security any change in configuration of
Adaptive Defense's behavior that it considers appropriate, depending on the use of their
company's IT devices.
6.1. Classified programs
Programs known by Adaptive Defense are classified as goodware or malware. Depending on the classification of the program attempting to run, the default action will be:
- Goodware: The service allows the program or process to run.
- Malware: By default, the service prevents the program or process from running.
6.1.1. Running specific programs classified as malware
Whenever the user needs to use any program classified as malware or an unwanted program
(hacking tools, browser bars, etc.), it may be advisable to allow its controlled running even if
Adaptive Defense has classified it as a potential threat.
6.2. Unclassified programs
More than 99% of the programs found in user computers are classified in Adaptive Defense;
however, those not yet classified can be run or temporarily blocked until their classification.
If blocked, Adaptive Defense informs the user of the reason for the block, enables conditional
execution depending on the decision made by the user, or for the program to be blocked
silently.
The classification process is a continuous task on the Adaptive Defense servers. After a brief period of time, the programs initially blocked for not having a classification can be run if Adaptive Defense has determined that they are legitimate.
6.2.1. Audit mode
In audit mode, Adaptive Defense only reports threats detected but does not block the malware
found. This mode is useful for testing the security solution and to ensure that product installation
does not compromise the proper functioning of the computer.
6.2.2. Blocking mode for programs being classified (Extended Mode)
In environments where security is a priority and in order to offer fully guaranteed protection,
Adaptive Defense must be configured in Extended Mode to block the running of software that is
being classified. This will ensure that only legitimate software is run.
When configuring this operating mode on computers or servers where the software changes
regularly, these programs will not be allowed to run until they are classified. The classification
process is instantaneous on some occasions although on others it will be automatically performed
on our BigData platform in a matter of minutes. If the program is particularly complex, the
classification task is carried out by experts, normally in less than 24 hours. For this reason, this mode
is recommended for computers and servers where new software is not usually installed.
Adaptive Defense can be configured so that the Extended Mode asks the computer user if they
want to allow or not the running of programs being classified. This mode involves the risk of the end
user allowing the running of malware, believing it to be legitimate software; that is why its
configuration is only recommended in computers managed by advanced users.
6.2.3. Limited execution mode for programs being classified (Deep Hardening mode)
In Deep Hardening Mode, unknown programs already installed on the user's computer can be run, although their actions will be sent to the Adaptive Defense Server for analysis. To prevent zero-day and similar attacks, unknown programs from outside the network (Internet, email, etc.) will be blocked until they have been classified. Once a sufficient amount of evidence has been collected and used, Adaptive Defense will classify these programs as goodware or malware, creating an alert in the latter case for the administrator for subsequent forensic analysis.
Once programs from outside the network have been classified, their entry and running will be
allowed or blocked depending on the classification (goodware or malware) received.
Deep Hardening Mode is recommended in environments where there are constant changes in
the software installed on users' computers, or where many unknown programs are run, such as
proprietary programs. In these scenarios, it may not be viable to wait for Adaptive Defense to
learn from them to classify them.
6.2.4. Complete execution mode for programs being classified (Hardening mode)
Unknown programs can be run in Hardening mode, although Adaptive Defense will always
collect evidence until completing their classification. After the program has been classified, the
Agent will block it if it turns out to be malware, generating an alert for the administrator for
subsequent forensic analysis in order to assess the impact on the company.
7. Forensic analysis and attack prevention
Adaptive Defense is a managed service that adapts to the particular application ecosystem of
each company. The protection it provides makes it possible to classify 100% of the software used
by each customer; however, it is possible that security incidents related to the configuration
mode chosen by the network administrator or due to infections prior to the start-up of the service
may arise.
7.1. Deep Hardening mode and infection by unknown malware
In Deep Hardening mode, it is possible that some of the programs unknown to Adaptive Defense
and which reside on the user's computer might be run, so if the program contained malware the
computer could be compromised.
Adaptive Defense will classify unknown programs when it has sufficient evidence, generally within
the first 24 hours after the program is first run, generating an alert for the administrator, and
blocking from that moment the program classified as a threat.
7.2. Forensic analysis and prevention of attacks from infected computers
When the customer's network has been infected, it needs to be determined to what extent it has
been compromised and how to protect it from future attacks.
New-generation malware is characterized by going undetected for long periods of time, taking
advantage of this to access sensitive data or company intellectual property. Its objective is
economic gain, either through blackmail by encrypting company documents or selling the
information obtained to the competition, among other strategies common to these types of
attacks.
Whatever the case, it is vital to determine the actions that triggered the malware on the network
in order to take appropriate measures. Adaptive Defense is able to continuously monitor all
actions triggered by threats and store them to show their path, from their initial appearance in
the network until their neutralization.
Adaptive Defense displays this type of information in two ways: through tables of actions and
graphs.
7.2.1. Forensic analysis through action tables
The action tables are visible from the Malicious programs and Under Investigation at our lab
reports by clicking any column in the table, apart from the Computer column, which will open a
dialogue with information on the selected computer. Click on any other column to display a
drop-down panel with the content of the action table.
The fields included to generally describe the threat are:
- Path: Path of the executable file that contains the malware.
- Dwell time: Time that the threat has remained in the system.
- User: Name of the user who launched the process classified as Malware or PUP.
- MD5: Adaptive Defense shows the malware hash, which can be used for later reference in VirusTotal or Google through the Search in Google and Search in VirusTotal buttons.
- Life cycle of the malware in the computer: This is a table that details each of the actions triggered by the threat.
In the table of actions for the threat, only relevant events are included because the amount of
actions triggered by a process is so high that it would prevent the extraction of useful information
for a forensic analysis.
The table content is initially presented in date order, making it easier to follow the development
of the threat.
The fields included in the action table are detailed below:
• Date: Date of the action.
• Times: Number of times the action was run. A single action run several times
consecutively only appears once in the list of actions with the Times field updated.
• Action: Action implemented. Below is a list of actions that can appear in this field:
- File Download
- Socket Used
- Accesses Data
- Executed By
- Execute
- Created By
- Create
- Modified By
- Modify
- Loaded By
- Load
- Installed By
- Install
- Mapped By
- Map
- Deleted By
- Delete
- Renamed By
- Rename
- Stopped By
- Stops Process
- Remote Thread Created By
- Creates Remote Thread
- Opened Comp By
- Open Comp
- Created Comp By
- Create Comp
- Creates Reg Key To Exe
- Modifies Reg Key To Exe
• Path/URL/Registry key/IP:port: This is the action entity. Depending on the type of action it
can contain:
- Registry key: For all actions that involve modifying the Windows registry
- IP:port: For all actions that involve communicating with a local or remote computer
- Path: For all actions that involve access to the computer hard disk
- URL: For all actions that involve access to a URL
• File Hash/Registry Value/Protocol-Direction/Description: A field that complements the
entity. Depending on the type of action it can contain:
- File Hash: For all actions that involve access to a file
- Registry Value: For all actions that involve access to the registry
- Protocol-Direction: For all actions that involve communicating with a local or remote
computer. The possible values are TCP, UDP, Bidirectional and Unknown
- Description
• Trusted: The file is digitally signed.
Subject and predicate in the actions
To correctly understand the format used to present the information in the list of actions, a parallel
needs to be drawn with natural language:
• All actions have the file classified as malware as the subject. This subject is not indicated
in each line of the action table because it is common throughout the table.
• All actions have a verb which relates the subject (the classified threat) with an object,
called the entity. The entity is the Path/URL/Registry key/IP:port field of the table.
• The entity is complemented with a second field which adds information to the action,
which is the Hash/Registry Value/Protocol-Direction/Description field.
Here are two example actions of the same hypothetical malware:
| Date | Times | Action | Path/URL/Registry key/IP:port | Hash/Registry Value/Protocol-Direction/Description | Trusted |
|---|---|---|---|---|---|
| 3/30/2015 4:38:40 PM | 1 | Connects to | 54.69.32.99:80 | TCP-Bidirectional | NO |
| 3/30/2015 4:38:40 PM | 1 | Loads | PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL | 9994BF035813FE8EB6BC98ECCBD5B0E1 | NO |

The first action indicates that the malware (subject) connects (Action) to the IP address
54.69.32.99:80 (entity) through the TCP-bidirectional protocol.
The second action indicates that the malware (subject) loads (Action) the library
PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL with hash
9994BF035813FE8EB6BC98ECCBD5B0E1.
As in natural language, two types of sentences are implemented:
• Active: These are predicative actions (with a subject and predicate) related by an
active verb. In these actions, the verb of the action relates the subject, which is always
the process classified as a threat, and a direct object, the entity, which varies with the
action.
• Passive: These are actions where the subject (the process classified as malware)
becomes the passive subject (which receives rather than executes the action) and the
verb is passive (to be + participle). In this case, the passive verb relates the passive
subject, which receives the action, with the entity, which performs the action.
Examples of active actions are:
• Connects to
• Loads
• Creates
Examples of passive actions are:
• Is created by
• Downloaded from
An example of a passive action is:

| Date | Times | Action | Path/URL/Registry key/IP:port | Hash/Registry Value/Protocol-Direction/Description | Trusted |
|---|---|---|---|---|---|
| 3/30/2015 4:51:46 PM | 1 | Is executed by | WINDOWS|\explorer.exe | 7522F548A84ABAD8FA516DE5AB3931EF | NO |

In this action, the malware (passive subject) is executed (passive action) by the
WINDOWS|\explorer.exe program (entity) with hash 7522F548A84ABAD8FA516DE5AB3931EF.
Active type actions let you inspect in detail the steps taken by the malware. By contrast, passive
type actions usually reflect the infection vector used by the malware (which process executed it,
what process copied it to the user's computer, etc.)
7.2.2. Forensic analysis through execution graphs
Execution graphs visually display the information shown in the action tables, emphasizing the
temporal approach.
The graphs are initially used to provide, at a glance, a general idea of the actions triggered by
the threat.
7.2.3. Diagrams
The string of actions in the execution graphs view is represented by two elements:
• Nodes: They mostly represent actions or information elements.
• Lines and arrows: They unite the action and information nodes to establish a temporal
order and assign each node the role of “subject” or “predicate”.
7.2.4. Nodes
The nodes show the information through their associated icon, color and descriptive panel on the
right of the screen when selected with the mouse.
The color code used is as follows:
- Red: Unreliable element, malware, threat.
- Orange: Unknown element, unclassified.
- Green: Reliable element, goodware.
Listed below are the action type nodes with a brief description:
| Node type | Description |
|---|---|
| Action | Downloaded file; compressed file created |
| Action | Socket / communication used |
| Action | Monitoring initiated |
| Action | Process created |
| Action | Executable file created; library created; key created in the registry |
| Action | Modified executable file; modified registry key |
| Action | Mapped executable file for write |
| Action | Deleted executable file |
| Action | Loaded library |
| Action | Installed service |
| Action | Renamed executable file |
| Action | Stopped or closed process |
| Action | Remotely created thread |
| Action | Compressed file opened |
Listed below are the descriptive type nodes with a brief description:
| Node type | Description |
|---|---|
| Final node | File name and extension (Green: Goodware; Orange: Unclassified; Red: Malware/PUP) |
| Final node | Internal computer (it is in the corporate network) (Green: Reliable; Orange: Unknown; Red: Unreliable) |
| Final node | External computers (Green: Reliable; Orange: Unknown; Red: Unreliable) |
| Final node | Country associated with the IP address of an external computer |
| Final node | File and extension |
| Final node | Registry key |
7.2.5. Lines and arrows
The lines of the graphs relate the different nodes, and help to establish the order of the actions
executed by the threat.
The two attributes of a line are:
• Line thickness: The thickness of a line which joins two nodes indicates the number of
occurrences that this relationship has had in the graph. The greater the number of
occurrences, the thicker the line.
• Arrow: Marks the direction of the relationship between the two nodes.
7.2.6. The timeline
The timeline helps control the display of the string of actions carried out by the threat over time.
Using the buttons at the bottom of the screen you can position yourself at the precise moment
where the threat carried out a certain action and retrieve extended information that can help
you in the forensic analysis processes.
The timeline of the execution graphs looks like this:
Initially, you can select a specific interval on the timeline dragging the interval selectors to the left
or right to cover the timeframe of most interest to you.
After selecting the timeframe, the graph will only show the actions and nodes that fall within that
interval. The rest of the actions and nodes will be blurred on the graph.
The actions of the threat are represented on the timeline as vertical bars accompanied by the
timestamp, which marks the hour and minute where they occurred.
7.2.7. Zoom in and Zoom out
The + and – buttons of the time bar let you zoom in or zoom out for higher resolution if there are
many actions in a short time interval.
7.2.8. Timeline
To view the full string of actions executed by a threat, the following controls are used:
• Start: Starts the execution of the timeline at a constant speed of x1. The graphs and lines
of actions will appear while passing along the timeline.
• 1x: Establishes the speed of travelling along the timeline.
• Stop: Stops the execution of the timeline.
• + and -: Zoom in and zoom out of the timeline.
• < and >: Moves the selection of the node to the immediately previous or subsequent
node.
• Initial zoom: Restores the initial zoom level if modified with the + and – buttons.
• Select all nodes: Moves the time selectors to cover the whole timeline.
• First node: Establishes the time interval at the start, a necessary step for initiating the
display of the complete timeline.
To display the full path of the timeline, first select “First node” and then “Start”. To set the travel
speed, select the button 1x.
7.2.9. Filters
The controls for filtering the information shown are at the top of the graph.
The filter criteria available are:
• Action: Drop-down menu which lets you select a type of action from all those executed
by the threat. This way, the graph only shows the nodes that match the type of action
selected and those adjacent nodes associated with this action.
• Entity: Drop-down menu which lets you choose an entity (Path/URL/Registry key/IP:port
field content).
7.2.10. Movement of nodes and general zoom
To move the graph in four directions and zoom in or zoom out, you can use the controls in the top
right of the graph.
To zoom in and zoom out more easily, you can use the mouse scroll wheel.
The X symbol allows you to exit the graph view.
If you would rather hide the timeline buttons zone to leave more space on the screen for the
graph, you can select the symbol situated in the bottom right of the graph.
Finally, the behavior of the graph when presented on screen or dragged by one of its nodes can
be configured using the panel shown below, accessible by selecting the button in the top left of
the graph.
7.3. Interpretation of the action tables and activity graphs
Certain technical knowledge is required to correctly interpret the action tables and activity
graphs, as both resources are representations of the dumping of evidence collected, which must
be interpreted by the company's network administrator.
In this chapter, some basic interpretation guidelines are offered through various real malware
examples.
The name of the threats indicated here can vary among different security providers. You should
use the hash ID to identify specific malware.
7.3.1. Example 1: Display of actions executed by the malware Trj/OCJ.A
Essential information about the malware found is included in the table shown in Malicious
programs. In this case the important data is as follows:
• Date: 06/04/2015 3:21:36
• Computer: XP-BARCELONA1
• Name: Trj/OCJ.A
• Status: Executed
• MD5: EEEEEEEEDDDD
• Path: TEMP|\Rar$EXa0.946\appnee.com.patch.exe
Computer status
The malware status is Executed due to the fact that the Adaptive Defense mode configured was
Deep hardening: the malware already resided in the computer when Adaptive Defense was
installed and was unknown at the time of its execution.
Hash
The hash string can be used to obtain more information on sites such as VirusTotal to gain a
general idea of the threat and how it works.
Malware path:
The path where the malware was detected for the first time on the computer belongs to a
temporary directory and contains the RAR string, so it comes from a RAR file temporarily
uncompressed in the directory, and which gave the appnee.com.patch.exe executable file as
the result.
Action table
| Step | Date | Action | Path |
|---|---|---|---|
| 1 | 03:17:00 | Created by | PROGRAM_FILES|\WinRAR\WinRAR.exe |
| 2 | 03:17:01 | Executed by | PROGRAM_FILES|\WinRAR\WinRAR.exe |
| 3 | 03:17:13 | Create | TEMP|\bassmod.dll |
| 4 | 03:17:34 | Create | PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\AMTLIB.DLL.BAK |
| 5 | 03:17:40 | Modify | PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\amtlib.dll |
| 6 | 03:17:40 | Delete | PROGRAM_FILES|\ADOBE\ACROBAT 11.0\ACROBAT\AMTLIB.DLL.BAK |
| 7 | 03:17:41 | Create | PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\ACROBAT.DLL.BAK |
| 8 | 03:17:42 | Modify | PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\Acrobat.dll |
| 9 | 03:17:59 | Execute | PROGRAM_FILES|\Google\Chrome\Application\chrome.exe |
Steps 1 and 2 indicate that the malware was uncompressed by WinRar.Exe and executed from
the same program: the user opened the compressed file and clicked on its binary.
Once it is executed in step 3, the malware creates a DLL file (bassmod.dll) in a temporary folder
and another (step 4) in the installation directory of the Adobe Acrobat 11 program. In step 5 it
also modifies an Adobe DLL file, to take advantage perhaps of some type of program exploit.
After modifying other DLL files, it launches an instance of Chrome which is when the timeline
finishes; Adaptive Defense classifies the program as a threat after that string of suspicious actions,
and has stopped its execution.
In the timeline no actions appear on the registry, so it is very likely that the malware is not
persistent or has not been executed up to that point to survive a restart of the computer.
The Adobe Acrobat 11 program has been compromised, so a reinstallation is recommended;
however, because Adaptive Defense monitors both goodware and malware executable files, the
execution of a compromised program will be detected when it triggers dangerous actions, and
ultimately be blocked.
7.3.2. Example 2: Communication with external computers in BetterSurf
BetterSurf is a potentially unwanted program that modifies the browser installed in the user's
computer and injects ads in the Web pages that it visits.
Essential information about the malware found is included in the table shown in Potentially
Unwanted Programs. In this case the important data is as follows:
• Date: 30/03/2015
• Computer: MARTA-CAL
• Name: PUP/BetterSurf
• Path: PROGRAM_FILES|\VER0BLOCKANDSURF\N4CD190.EXE
• Dwell time: 11 days 22 hours 9 minutes 46 seconds
Dwell time
In this case, the exposure time was very long: for almost 12 days the malware was dormant on the
customer's network. This is increasingly normal behavior and may be for various reasons: perhaps
because the malware has not carried out any suspicious action until very late or simply because
the user downloaded the file but did not execute it at the time.
Action table
| Step | Date | Action | Path / IP | Hash / Protocol |
|---|---|---|---|---|
| 1 | 08/03/2015 11:16 | Created by | TEMP|\08c3b650-e9e14f.exe | EB0C9D2E28E1EE |
| 2 | 18/03/2015 11:16 | Executed by | SYSTEM|\services.exe | 953DF73048B8E8 |
| 3 | 18/03/2015 11:16 | Load | PROGRAM_FILES|\VER0BLOF\N4Cd190.dll | CE44F5559FE618 |
| 4 | 18/03/2015 11:16 | Load | SYSTEM|\BDL.dll | D7D59CABE1270 |
| 5 | 18/03/2015 11:16 | Socket used | 127.0.0.1:13879 | 0-UnKnown |
| 6 | 18/03/2015 11:16 | Socket used | 37.58.101.205:80 | 0-Bidrectional |
| 7 | 18/03/2015 11:17 | Socket used | 5.153.39.133:80 | 0-Bidrectional |
| 8 | 18/03/2015 11:17 | Socket used | 50.97.62.154:80 | 0-Bidrectional |
| 9 | 18/03/2015 11:17 | Socket used | 50.19.102.217:80 | 0-Bidrectional |
Here it can be seen how the malware establishes communication with several different IP
addresses. The first of them (step 5) is the computer itself and the rest are external IP addresses to
which it connects via port 80 and from which the advertising content is probably downloaded.
The main prevention measure in this case will be to block the IP addresses in the corporate
firewall.
Before adding rules to block IP addresses in the corporate firewall, you should consult the IP
addresses to be blocked in the associated RIR (RIPE, ARIN, APNIC, etc.) to see the network of the
provider to which they belong. In many cases the remote infrastructure used by the malware is
shared with legitimate services housed in providers such as Amazon and similar, so blocking their
IP addresses would be the same as blocking access to normal Web pages.
7.3.3. Example 3: Access to the registry with PasswordStealer.BT
PasswordStealer.BT is a Trojan that records the user's activity in the computer and sends the
information obtained to the exterior. Among other things, it is able to capture the user's screen,
record the keystrokes and send files to a C&C (Command & Control) server.
Essential information about the malware found is included in the table shown in Malicious
programs. In this case, the important data is as follows:
• Path: APPDATA|\microsoftupdates\micupdate.exe
Due to the name and location of the executable file, the malware poses as a Microsoft update.
This particular malware is not able to infect computers by itself; it requires the user to execute the
virus manually.
Computer status
The malware status is Executed due to the fact that the Adaptive Defense mode configured was
Deep hardening: the malware already resided in the computer when Adaptive Defense was
installed and was unknown at the time of its execution.
Action table
| Step | Date | Action | Path | Path / Hash |
|---|---|---|---|---|
| 1 | 31/03/2015 23:29 | Executed by | PROGRAM_FILESX86|\internet explorer\iexplore.exe | 7477021D17D781B24 |
| 2 | 31/03/2015 23:29 | Created by | INTERNET_CACHE|\Content.IE5\QGV8PV80\index[1].php | C9D4C32DF27B3CDEF |
| 3 | 31/03/2015 23:30 | Creates Reg Key To Exe | \REGISTRY\USER\S-1-5[...]95659\Software\Microsoft\Windows\CurrentVersion\Run?MicUpdate | C:\Users\vig03\AppData\Roaming\MicrosoftUpdates\MicUpdate.exe |
| 4 | 31/03/2015 23:30 | Execute | SYSTEMX86|\notepad.exe | D378BFFB70864AA61C |
| 5 | 31/03/2015 23:30 | Remote Thread Created by | SYSTEMX86|\notepad.exe | D378BFFB70864AA61C |
In this case, the malware is created in step 2 by a Web page and executed by the browser
Internet Explorer.
The order of actions has a granularity of 1 microsecond. For this reason several actions executed
within the same microsecond may not appear in order in the timeline, as in step 1 and step 2.
Once the malware has been executed, it becomes persistent in step 3 by adding an entry in the
registry branch that belongs to the user, which will launch the program at system start-up.
It then starts to execute malware actions such as starting a notepad and injecting code in one of
its threads.
As a remedial action in this case, and in the absence of a known disinfection method, you can
minimize the impact of this malware by deleting the registry entry. It is quite possible that in an
infected machine the malware prevents you from editing that entry; depending on the case, you
would have to either start the computer in safe mode or with a bootable CD to delete that entry.
7.3.4. Example 4: Access to confidential data by Trj/Chgt.F
Trj/Chgt.F was published by wikileaks at the end of 2014 as a tool used by government agencies
in some countries for selective espionage.
In this example, go directly to the action table to observe the behavior of this advanced threat.
Action table
| Step | Date | Action | Path | Info |
|---|---|---|---|---|
| 1 | 4/21/2015 2:17:47 PM | Is executed by | SYSTEMDRIVE|\Python27\pythonw.exe | 9F20D976AFFFB2D0B9BE38B476CB2053 |
| 2 | 4/21/2015 2:18:01 PM | Accesses Data | #.XLS | Office Excel document access |
| 3 | 4/21/2015 2:18:01 PM | Accesses Data | #.DOC | Office Word document access |
| 4 | 4/21/2015 2:18:01 PM | Creates | TEMP|\doc.scr | 4DBD8393522CD5DA7364ACEA35E80719 |
| 5 | 4/21/2015 2:18:01 PM | Executes | TEMP|\doc.scr | 4DBD8393522CD5DA7364ACEA35E80719 |
| 6 | 4/21/2015 2:18:37 PM | Executes | PROGRAM_FILES|\Microsoft Office\Office12\WINWORD.EXE | CEAA5817A65E914AA178B28F12359A46 |
| 7 | 4/21/2015 8:58:02 PM | Connects to | 192.168.0.1:2042 | TCP-Bidirectional |
The malware is initially executed by the Python interpreter (step 1) to later access an Excel and
Word document (steps 2 and 3). In step 4, a file with an SCR extension is executed, probably a
screensaver with some type of fault or error that causes an anomalous situation on the computer
and which might be exploited by the malware.
A TCP type connection occurs in step 7. The IP address is private so it would be connecting to the
customer's network.
In this case, the content of the files accessed must be checked to assess the loss of information,
although looking at the timeline the information accessed in principle has not been extracted
from the customer's network.
Adaptive Defense will automatically block subsequent executions of the malware in that
customer and in other customers.
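As an added example (not Adaptive Defense code), the following Python script takes rows shaped like the action tables of examples 2, 3 and 4 above, renders each one as the subject/verb/entity sentence described in section 7.2.1, and applies the interpretation rules used in this chapter: passive actions point to the infection vector, registry actions to persistence, remote threads to injection, and IP:port entities are split into loopback, internal and external endpoints, the external ones being the addresses to look up in the RIR before any firewall rule. The Action dataclass, the heuristics and the sample rows are this example's own; the rows are constructed from the tables above.

```python
"""Triage of an Adaptive Defense action table (added example, not product code).
Rows are constructed from the tables in 7.3.2, 7.3.3 and 7.3.4; the heuristics
(passive rows = infection vector, registry rows = persistence) are this example's."""
import ipaddress
import re
from dataclasses import dataclass

SUBJECT = "the malware"  # implicit subject of every row in an action table
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")  # an IP:port entity


@dataclass
class Action:
    date: str
    verb: str       # "Action" column
    entity: str     # "Path/URL/Registry key/IP:port" column
    info: str = ""  # "Hash/Registry Value/Protocol-Direction/Description" column


def is_passive(verb):
    """Passive rows end in 'by' or 'from': 'Executed by', 'Downloaded from'."""
    v = verb.lower()
    return v.endswith(" by") or v.endswith(" from")


def as_sentence(action):
    """Render a row the way the guide reads it: subject + verb + entity."""
    verb = action.verb.lower()
    if is_passive(action.verb) and not verb.startswith("is "):
        verb = "is " + verb  # "Executed by" -> "is executed by"
    tail = " (%s)" % action.info if action.info else ""
    return "%s %s %s%s" % (SUBJECT, verb, action.entity, tail)


def classify_endpoint(entity):
    """'loopback', 'internal' (private range) or 'external' for IP:port, else None."""
    m = ENDPOINT.match(entity)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group(1))
    if ip.is_loopback:
        return "loopback"
    return "internal" if ip.is_private else "external"


def triage(rows):
    """Summarise a table into the questions a defender asks first."""
    report = {
        "infection_vector": [],  # passive rows: what created/executed/downloaded it
        "persistence": [],       # registry rows: the threat survives a restart
        "injection": [],         # remote-thread rows
        "data_access": [],       # "Accesses Data" rows
        "endpoints": {"loopback": [], "internal": [], "external": []},
        "narrative": [],         # every row as a sentence, in table order
    }
    for a in rows:
        report["narrative"].append(as_sentence(a))
        verb = a.verb.lower()
        if "remote thread" in verb:
            report["injection"].append(a.entity)
        elif is_passive(a.verb):
            report["infection_vector"].append((a.verb, a.entity))
        elif "reg key" in verb or a.entity.upper().startswith("\\REGISTRY"):
            report["persistence"].append((a.entity, a.info))
        elif verb == "accesses data":
            report["data_access"].append(a.entity)
        else:
            kind = classify_endpoint(a.entity)
            if kind:
                report["endpoints"][kind].append(a.entity)
    # External addresses become firewall candidates only after the RIR lookup
    # the guide recommends, since shared hosting makes blind blocking risky.
    report["check_with_rir"] = list(report["endpoints"]["external"])
    return report


EXAMPLE_2 = [  # BetterSurf (7.3.2): a loopback socket and an external one
    Action("18/03/2015 11:16", "Socket used", "127.0.0.1:13879", "0-UnKnown"),
    Action("18/03/2015 11:16", "Socket used", "37.58.101.205:80", "0-Bidrectional"),
]
EXAMPLE_3 = [  # PasswordStealer.BT (7.3.3): vector, persistence, injection
    Action("31/03/2015 23:29", "Executed by",
           r"PROGRAM_FILESX86|\internet explorer\iexplore.exe", "7477021D17D781B24"),
    Action("31/03/2015 23:29", "Created by",
           r"INTERNET_CACHE|\Content.IE5\QGV8PV80\index[1].php", "C9D4C32DF27B3CDEF"),
    Action("31/03/2015 23:30", "Creates Reg Key To Exe",
           r"\REGISTRY\USER\S-1-5[...]95659\Software\Microsoft\Windows\CurrentVersion\Run?MicUpdate",
           r"C:\Users\vig03\AppData\Roaming\MicrosoftUpdates\MicUpdate.exe"),
    Action("31/03/2015 23:30", "Remote Thread Created by", r"SYSTEMX86|\notepad.exe",
           "D378BFFB70864AA61C"),
]
EXAMPLE_4 = [  # Trj/Chgt.F (7.3.4): document access and an internal connection
    Action("4/21/2015 2:17:47 PM", "Is executed by", r"SYSTEMDRIVE|\Python27\pythonw.exe",
           "9F20D976AFFFB2D0B9BE38B476CB2053"),
    Action("4/21/2015 2:18:01 PM", "Accesses Data", "#.XLS", "Office Excel document access"),
    Action("4/21/2015 2:18:01 PM", "Accesses Data", "#.DOC", "Office Word document access"),
    Action("4/21/2015 8:58:02 PM", "Connects to", "192.168.0.1:2042", "TCP-Bidirectional"),
]
```

Calling triage(EXAMPLE_3) reports iexplore.exe and the cached index[1].php as the vector, the Run key as persistence and notepad.exe as the injection target, matching the reading given in 7.3.3.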
8. Analysis of knowledge and advanced searches
The LogTrust environment is an optional module of Adaptive Defense. If you do not have access to
this environment contact your sales rep.
Logtrust is a real-time service on complementary accumulated knowledge which imports and
automatically analyzes in real time all information generated by Adaptive Defense.
Logtrust facilitates information searches on the safety of the customer's IT resources and helps
generate colorful graphics to interpret the data registered by the Adaptive Defense Agents.
This chapter will show in detail the organizational scheme designed to store the information
generated by Adaptive Defense and the procedures necessary to use this information.
The objective of the Logtrust platform is to complement the information offered by Adaptive
Defense when it comes to establishing new remediation protocols and look closely at the forensic
analysis techniques shown in chapter 7.
The Logtrust environment has an online help accessible from the top panel Help.
8.1. Access to the Logtrust environment
To access the Logtrust environment you need to select the Advanced Search link on the
Adaptive Defense Dashboard.
After accessing it, the preconfigured environment will be displayed with the Dashboard shown in
the Adaptive Defense console.
8.2. Description of the Adaptive Defense tables
Adaptive Defense sends all the information collected from the Agents installed in the customer's
computers to the Logtrust service, which will organize it into easy-to-read tables.
Each line of a table is an event supervised by Adaptive Defense. The tables contain a series of
specific fields as well as common fields that appear in all of them, and which offer information
such as when the event occurred, the machine where it was registered, its IP address, etc.
Many fields use prefixes that help refer to the information shown. The two most used prefixes are:
• Parent: The fields that begin with the Parent tag (parentPath, parentHash,
parentCompany…) reflect the content of a characteristic or attribute of the parent
process.
• Child: The fields that begin with the Child tag (childPath, childHash, childCompany…)
reflect the content of a characteristic or attribute of a child process created by the
parent process.
Besides these prefixes, many fields and values also use abbreviations; knowing their
meaning helps interpret the field in question:
• Sig: Signature (digital signature)
• Exe: Executable
• Prev: Prevalence
• Mw: Malware
• Sec: Seconds
• Op: Operation
• Cat: Category
• PUP: Potentially Unwanted Program
• Ver: Version
• SP: Service Pack
• Cfg: Configuration
• Svc: Service
• PE: Executable Program
• Cmp and comp: Compressed
• Dst: Destination
Listed below are the available tables indicating the type of information they contain and their
specific fields.
8.2.1. Alert Table
This table contains a line for each threat detected in the customer's network with information on
the computer involved, the type of alert, the timestamp and the result of the alert.
| Name | Explanation | Values |
|---|---|---|
| eventdate | Date of the event in the customer's machine | Date |
| machineIP | IP address of the customer's machine that triggered the alert | IP address |
| date | Date when the event is received in the Adaptive Defense server | Date |
| alertType | Category of the threat that triggered the alert | Malware, PUP |
| machineName | Name of the customer's machine | String |
| version | Version of the Adaptive Defense Agent installed on the machine | x.x.x |
| executionStatus | Whether the threat was executed or not | Executed or Not Executed |
| dwellTimeSecs | Time in seconds from the first time the threat was seen in the customer's network | Seconds |
| itemHash | Hash of the known threat | String |
| itemName | Name of the known threat | String |
| itemPath | Complete path of the file that contains the threat | String |
Thanks to the information contained in this table, it is very simple to obtain statistics from the most
infected computers:
10 most attacked and infected computers
A simple list can be obtained of the 10 most attacked computers by clicking on the header of
the machineName or machineIP column.
This list spans from the first moment when Adaptive Defense starts to work in the customer; if you
want to reduce the range you can simply narrow the interval with the Search limits controls.
These limits include both malware blocking and executions; if you want to only show infected
computers, you will need to add a filter by clicking on the icon in the toolbar.
You will also need to configure a data filter using the executionStatus field and equaling to
Executed, as shown in the image.
10 most viewed threats
Similarly, by clicking on the itemHash or itemName columns you can display quick statistics on the
10 most viewed threats on the customer's network.
Another way of obtaining far more visual information is to generate a graph of the most viewed
malware. The name of the malware is shown on the coordinate axis and the number of
occurrences on the abscissa axis.
For this, you need to follow the steps below:
• Add a grouping on the itemName field without any time limit (No temporal
aggrupation).
• Add a counter function to determine how many occurrences there are in each
itemName group.
• Add a filter that removes groups with 2 or fewer occurrences. This clears the
graph of those threats that have been seen at most twice.
• Add a Chart Aggregation type graphic and use the Count column as a parameter.
At this point there is already a list of alerts grouped by threat, with the number of occurrences
for each threat. You can build a simple graph with this data:
Other useful information
There are several interesting fields in the Alerts table that can be used to extract valuable
information on the attacks received on the customer's network:
• eventdate: Grouping by this field you can see the number of daily attacks and determine
if there is an ongoing epidemic.
• dwellTimeSecs: This field provides the detection window of the threats received, i.e. the
time from when the threat was first seen in the customer's network to its classification.
• itemHash: Given that the name of the threat varies among security providers, the hash
field can be used to group threats instead of the itemName. This also helps to distinguish
malware that is labelled with the same name.
8.2.2. Drivers Table
This table includes all operations performed on drivers that are detected in processes executed in
the user's computers.
| Name | Explanation | Values |
|---|---|---|
| eventdate | Date of the event in the customer's machine | Date |
| serverdate | Date when the event is received in the Adaptive Defense server | Date |
| machine | Name of the customer's machine | String |
| machineIp | IP address of the customer's machine | IP address |
| ver | Version of the Adaptive Defense Agent | String |
| user | Username of the process that performs the registered operation on the driver | String |
| muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx |
| op | Operation performed by the process on the driver | Open, Creation |
| hash | Hash / digest of the file | String |
| driveType | Type of drive where the process that triggered the registered operation on the driver resides | Fixed, Remote, Removable |
| path | Path of the process that triggered the registered operation on the driver | String |
| validSig | Digitally signed process | Boolean |
| company | Content of the Company attribute of the process metadata | String |
| imageType | Internal architecture of the executable file | EXEx32, EXEx64, DLLx32, DLLx64 |
| exeType | Type of executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown |
| prevalence | Historical prevalence in Panda Security systems | HIGH, LOW, MEDIUM |
| prevLastDay | Previous day prevalence in Panda Security systems | HIGH, LOW, MEDIUM |
| cat | Category of the file that performed the operation on the driver | Goodware, Malware, PUP, Unknown, Monitoring |
| mwName | Name of the malware if the file is classified as a threat | String (Null if the element is not Malware) |
| serviceDriveType | Type of drive where the driver that receives the registered operation resides | Fixed, Remote, Removable |
| servicePath | Path of the driver that received the registered operation | String |
This table indicates the operations carried out by all the processes on the drivers installed. Since
the malware which creates or modifies drivers is considered particularly dangerous because it
attacks basic elements of the system, the ideal solution in this case is to filter the Cat field and
discard anything that is classified as “Goodware” or “Monitoring”.
8.2.3. Filesdwn Table
This table contains information on the downloading of data via HTTP by processes seen in the
customer's network (URL, downloaded file data, computers that performed the downloading,
etc.).
| Name | Explanation | Values |
|---|---|---|
| eventdate | Date of the event on the customer's machine | Date |
| serverdate | Date when the event is received in the Adaptive Defense server | Date |
| machine | Name of the customer's machine | String |
| machineIP | IP address of the customer's machine | IP address |
| ver | Version of the Adaptive Defense Agent | String |
| muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx |
| type | Type of file downloaded | Zip, Exe, Cab, Rar |
| url | Download URL | URI resource |
| hash | Digest / hash of the downloaded file | String |
| validSig | Digitally signed downloaded file | Boolean |
| company | Content of the Company attribute of the downloaded file metadata | String |
| imageType | Internal architecture of the downloaded file | EXEx32, EXEx64, DLLx32, DLLx64 |
| exeType | Type of executable of the downloaded file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown |
| prevalence | Historical prevalence in Panda Security systems | HIGH, LOW, MEDIUM |
| prevLastDay | Previous day prevalence in Panda Security systems | HIGH, LOW, MEDIUM |
| cat | Category of the downloaded file | Goodware, Malware, PUP, Unknown, Monitoring |
| mwName | Name of the malware if the downloaded file is classified as a threat | String (Null if the element is not Malware) |
Since this table shows all downloads of network users irrespective of whether they are malware or
goodware, apart from locating with a simple filter the download information in the case of
malware, it will also be possible to graphically display the domains that receive most downloads.
Domains that receive most downloads
To show this type of information, you need to use the content of the url field, removing the part of
the string that is not of interest to you so that only the domain remains:
• Create a new column with the Split field set to url.
• Group by the different url values and select No temporal aggrupation.
• Add a count type aggregation column.
This results in a list for each grouped domain and the number of occurrences of each domain
within each group. With this information you can easily obtain a graph with the most visited
domains for download.
In this case a pie chart is used, as it is simpler to interpret for the type of information shown here. To do this, prefilter the groups with 10 or fewer occurrences so you can look in more detail at the
remaining domains.
In pie charts, the different sections are active, so when you pass the mouse over them they show
the percentages and name of the series represented.
Other useful information
Similarly, other fields can be combined to enrich or filter the lists and obtain more refined tables. You can use:
- Machine or machineIP: Grouping by these fields you can see the computers in the customer's network that start the most downloads.
- Cat: Filtering by this field you can clear the table and show only what is classified as malware. You can therefore obtain the domains considered as malware emitters and block them in a firewall enabling layer 7 analysis.
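As an added example (not from the guide), the three lookups above in Python over constructed Download table rows: extract the domain from the url field, count downloads per domain with the guide's 10-or-fewer prefilter, list the domains that served files classified as Malware, and list the machines that start the most downloads. Field names follow the table; the rows and domains are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample rows with the url, cat and machine fields of the Download
# table (not real data). The repeated cdn rows stand in for a high-volume domain.
SAMPLE_DOWNLOADS = [
    {"machine": "PC-01", "url": "https://updates.example.com/setup.exe", "cat": "Goodware"},
    {"machine": "PC-02", "url": "http://dropper.example.net:8080/x/bin.exe", "cat": "Malware"},
    {"machine": "PC-02", "url": "https://updates.example.com/patch.msi", "cat": "Goodware"},
    {"machine": "PC-03", "url": "https://dropper.example.net/bin2.exe", "cat": "Malware"},
    {"machine": "PC-01", "url": "ftp://mirror.example.org/tool.zip", "cat": "Unknown"},
] + [
    {"machine": "PC-%02d" % (10 + i), "url": "https://cdn.example.com/app.msi", "cat": "Goodware"}
    for i in range(12)
]


def domain_of(url):
    """Keep only the host part of the url field: scheme, userinfo, port, path
    and query are stripped, and the host comes back lower-cased for grouping."""
    host = urlsplit(url).hostname
    return host if host else ""


def downloads_per_domain(rows, min_count=1):
    """Group rows by domain and count them. Groups with fewer than min_count
    rows are dropped; min_count=11 reproduces the guide's pie-chart prefilter
    that hides groups of 10 or fewer occurrences."""
    counts = Counter(domain_of(r["url"]) for r in rows if r.get("url"))
    counts.pop("", None)  # rows whose url had no parseable host
    return {d: n for d, n in counts.items() if n >= min_count}


def malware_download_domains(rows):
    """Domains that served files classified as Malware: the list a firewall
    with layer 7 analysis could block."""
    return sorted({domain_of(r["url"]) for r in rows
                   if r.get("cat") == "Malware" and domain_of(r["url"])})


def top_downloading_machines(rows, n=3):
    """Machines that start the most downloads (the machine grouping)."""
    return Counter(r["machine"] for r in rows).most_common(n)


if __name__ == "__main__":
    print(downloads_per_domain(SAMPLE_DOWNLOADS))
    print(downloads_per_domain(SAMPLE_DOWNLOADS, min_count=11))
    print(malware_download_domains(SAMPLE_DOWNLOADS))
    print(top_downloading_machines(SAMPLE_DOWNLOADS))
```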
8.2.4. Hook table
This table contains all tasks in which hooks were created or used in the user's system.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
hooktype | Type of hook made by the process | Keyboard_ll, mouse_ll, keyboard, mouse
hash | Digest of the process that made the hook in the system | String
driveType | Type of drive where the process that makes the hook resides | Fixed, Remote, Removable
path | Path of the process that makes the hook | String
validSig | The process that makes the hook is digitally signed | Boolean
company | Content of the Company attribute in the metadata of the process that makes the hook | String
imageType | Architecture of the file that makes the hook | EXEx32, EXEx64, DLLx32, DLLx64
exeType | Type of executable file of the process that makes the hook | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
prevalence | Historical prevalence in the Panda Security systems of the process that makes the hook | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security systems of the process that makes the hook | HIGH, LOW, MEDIUM
cat | Category of the process that makes the hook in the system | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the process that makes the hook in the system is classified as a threat | String (Null if the element is not malware)
hookPEhash | Digest / hash of the hooked process | String
Hook | Type of drive where the hooked process resides | Fixed, Remote, Removable
hookPEpath | Path of the hooked process | String
hookPEvalidSig | The hooked process is digitally signed | Boolean
hookPEcompany | Content of the Company attribute in the metadata of the hooked process | String
hookPEimageType | Internal architecture of the hooked process file | EXEx32, EXEx64, DLLx32, DLLx64
hookPEexeType | Type of executable file of the hooked process | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
hookPEprevalence | Historical prevalence in Panda Security's systems of the hooked process | HIGH, LOW, MEDIUM
hookPEprevLastDay | Previous day prevalence in Panda Security's systems of the hooked process | HIGH, LOW, MEDIUM
hookPEcat | Category of the hooked process | Goodware, Malware, PUP, Unknown, Monitoring
hookPEmwName | Name of the malware if the hooked process is classified as a threat | String
This table shows the operations carried out by all the processes that make hooks. Since the
malware that performs this type of operation is considered particularly dangerous because it
intercepts communications, the ideal solution in this case is to filter the Cat field and discard
anything that is classified as “Goodware” or “Monitoring”.
8.2.5. Install Table
This table contains all the information generated in the installation of the Adaptive Defense
Agents in the customer's machines.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
machineIP1 | IP address of an additional network card if it is installed | IP address
machineIP2 | IP address of an additional network card if it is installed | IP address
machineIP3 | IP address of an additional network card if it is installed | IP address
machineIP4 | IP address of an additional network card if it is installed | IP address
machineIP5 | IP address of an additional network card if it is installed | IP address
ver | Version of the Adaptive Defense Agent | String
op | Operation performed | Install, Uninstall, Upgrade
osVer | Operating System version | String
osSP | Service Pack version | String
osPlatform | Operating System platform | WIN32, WIN64
Agent uninstall
Apart from the graphs shown in the Adaptive Defense Dashboard on the versions of the agents
installed or uninstalled, it can be very useful to quickly locate computers that have uninstalled
their agent in a given time period.
For this, you need to select the date and simply add a filter to the op field to select all the rows
that have the “Uninstall” string. With this operation you can obtain a list of all the machines whose
protection has been uninstalled and are vulnerable to threats.
8.2.6. Monitoredopen Table
This table contains the data files accessed by the applications executed in the user's computer
and the processes that accessed the data.
Name | Explanation | Values
eventdate | Date of the event on the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the file that accesses data | String
parentPath | Path of the process that accesses data | String
parentValidSig | The process that accesses data is digitally signed | Boolean
parentCompany | Content of the Company attribute in the metadata of the file that accesses data | String
parentBroken | The file that accesses data is corrupted/defective | Boolean
parentImageType | Type of internal architecture of the file that accesses data | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable file that accesses data | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence of the file that accesses data in Panda Security's systems | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence of the file that accesses data in Panda Security's systems | HIGH, LOW, MEDIUM
parentCat | Category of the file that accesses data | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware if the file that accesses data is classified as a threat | String (Null if the element is not malware)
parentPid | ID number of the process that accesses data in the customer's computer | String
childPath | Name of the data file accessed by the process. By default only the file extension is indicated to preserve the privacy of the customer's data | String
loggedUser | User logged on the computer at the time of file access | String
Access to user's documents
This table shows the file accesses of all processes executed in the user's computer, so it is quite simple to locate an information leak in case of infection.
Filtering by the parentCat field to distinguish goodware from the other categories, you can obtain a list of accesses to data files by processes that are unclassified or classified as malware. This way, you can see at a glance the impact of data leakage and take the necessary measures.
8.2.7. Notblocked Table
This table includes a record for each element that Adaptive Defense has not analyzed due to
exceptional situations such as a timeout of the service on the endpoint, configuration changes,
etc.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the parent file | String
parentValidSig | Digitally signed parent process | Boolean
parentCompany | Content of the Company attribute in the parent process metadata | String
parentBroken | The parent file is corrupted | Boolean
parentImageType | Internal architecture of the parent process | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable file of the parent process | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence in Panda Security's systems of the parent process | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence in Panda Security's systems of the parent process | HIGH, LOW, MEDIUM
parentCat | Category of the parent file | Goodware, Malware, PUP, Unknown, Monitoring
ParentmwName | Name of the malware if the parent file is classified as a threat | String (Null if the element is not malware)
childHash | Digest / hash of the child file | String
childValidSig | Digitally signed child process | Boolean
childCompany | Content of the Company attribute of the child process metadata | String
childBroken | The child file is corrupted | Boolean
childImageType | Internal architecture of the child process | EXEx32, EXEx64, DLLx32, DLLx64
childExeType | Type of executable file of the child process | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
childPrevalence | Historical prevalence in Panda Security's systems of the child file | HIGH, LOW, MEDIUM
childPrevLastDay | Previous day prevalence in Panda Security's systems of the child file | HIGH, LOW, MEDIUM
childCat | Category of the child process | Goodware, Malware, PUP, Unknown, Monitoring
childmwName | Name of the malware if the child file is classified as a threat | String (Null if the element is not malware)
cfgSvcLevel | Configuration of the agent service | Learning: The agent enables the execution of unknown processes; Hardening: The agent prevents the execution of processes classified as threats; Block: The agent prevents the execution of processes classified as threats and unknown processes
realSvcLevel | Agent operating mode. The agent may temporarily have a configuration established that is different to the configuration being used for various reasons in the execution environment. Eventually cfgSvcLevel and realSvcLevel must coincide. | Learning: The agent enables the execution of unknown processes; Hardening: The agent prevents the execution of processes classified as threats; Block: The agent prevents the execution of processes classified as threats and unknown processes
responseCat | File category returned by the cloud | Unknown = 0, Goodware = 1, Malware = 2, Suspect = 3, Compromised = 4, GoodwareNotConfirmed = 5, PUP = 6, GoodwareUnwanted = 7
numCacheClassifiedElements | No. of elements classified in cache | Numeric value
8.2.8. Ops Table
This table contains a record of all operations performed by the processes seen in the customer's
network.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
op | Operation performed | CreateDir, Exec, KillProcess, CreatePE, DeletePE, LoadLib, OpenCmp, RenamePE, CreateCmp
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the parent file | String
parentPath | Path of the parent process | String
parentValidSig | Digitally signed parent process | Boolean
parentCompany | Content of the Company attribute in the parent file metadata | String
parentImageType | Type of internal architecture of the parent file | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable parent file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentCat | Category of the parent file | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware found in the parent file | String (Null if the element is not malware)
childHash | Digest / hash of the child file | String
childPath | Path of the child process | String
childValidSig | Digitally signed child process | Boolean
childCompany | Content of the Company attribute in the child file metadata | String
childImageType | Type of internal architecture of the child file | EXEx32, EXEx64, DLLx32, DLLx64
childExeType | Type of child executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
childPrevalence | Historical prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childPrevLastDay | Previous day prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childCat | Category of the child file | Goodware, Malware, PUP, Unknown, Monitoring
childMWName | Name of the malware found in the child file | String (Null if the element is not malware)
ocsExec | Software considered as vulnerable was executed or not | Boolean
ocsName | Name of software considered vulnerable | String
ocsVer | Version of software considered vulnerable | String
peCreationSource | Executable process creation source. Equivalent to the DriveType field | String
params | Execution parameters of the executable process | String
toastResult | Result of the popup message shown | OK, Timeout, Angry, Block, Allow
clientCat | Category of the element in the agent's cache | Goodware, Malware, PUP, Unknown, Monitoring
action | Action carried out | Allow, Block, BlockTimeout
serviceLevel | Agent mode | Learning: The agent enables the execution of unknown processes; Hardening: The agent prevents the execution of processes classified as threats; Block: The agent prevents the execution of processes classified as threats and unknown processes
winningTech | Technology that caused the action | Unknown, Cache, Cloud, Contect, Serializer, User, Legacyuser, Netnative, certifUA
8.2.9. Registry Table
This table contains a record of all operations performed by the processes seen in the customer's
network on each system registry.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Username of the process that modified the registry | String
op | Operation performed on the computer registry | ModifyExeKey, CreateExeKey
hash | Digest / hash of the process that makes the change in the registry | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
targetPath | Path of the executable file noted in the registry | String
regKey | Registry key | String
driveType | Type of drive where the process that accesses the registry resides | String
path | Path of the process that modifies the registry | String
validSig | The process that modifies the registry is digitally signed | Boolean
company | Content of the Company attribute in the metadata of the process that modifies the registry | String
imageType | Architecture of the file that accesses the registry | String
exeType | Type of executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
Prevalence | Historical prevalence in Panda Security's systems of the process | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security's systems of the process | HIGH, LOW, MEDIUM
Cat | Category of the process | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the process is classified as a threat | String (Null if the element is not malware)
Persistence of installed threats
As this table shows the access to the registry of all processes executed in the user's computer, it is
quite simple to see the malware that managed to run and achieve persistence in the system.
There are many different registry branches that invoke a program at start-up, but the ones most used by Trojans and other types of threats are:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Looking at the keys, almost all share the “Run” branch, so by filtering by the regKey field and
searching for the “Run” substring you can view all the information on the process which added
the branch to or removed it from the registry.
After filtering the processes that manipulate the start-up system, you can then apply subsequent
filters that refine the initial search, using the Cat field to remove all programs classified as
goodware from the list, as shown in the above examples.
8.2.10. Socket Table
This table contains a record of all network operations performed by the processes seen in the
customer's network.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
hash | Digest / hash of the process that makes the connection | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
driveType | Type of drive where the process that makes the connection resides | Fixed, Remote, Removable
path | Path of the process that makes the connection | String
protocol | Communications protocol used by the process | TCP, UDP, ICMP, ICMPv6, IGMP, RF
port | Communications port used by the process | 0-65535
direction | Communication direction | Upload, Download, Bidirectional, Unknown
dstIp | Destination IP address | IP address
dstPort | Destination port | 0-65535
dstIp6 | Destination IPv6 address | IP address
validSig | The file that makes the connection is digitally signed | Boolean
company | Content of the Company attribute in the metadata of the file that makes the connection | String
imageType | Internal architecture of the process that makes the connection | EXEx32, EXEx64, DLLx32, DLLx64
exeType | Type of executable file of the process that makes the connection | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
prevalence | Historical prevalence in Panda Security's systems | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security's systems | HIGH, LOW, MEDIUM
cat | Category of the process that makes the connection | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the process that makes the connection is classified as a threat | String (Null if the element is not malware)
Programs that most connect to the exterior
In a similar way to the console graph that geolocates the destinations of the connections made by the malware installed on the customer's network, you can obtain the destinations most connected to by the legitimate software run on the computers. For this, you need to follow the steps below:
- Add a filter that removes all programs that are not considered legitimate. For this, you need to set the Cat field equal to the “Goodware” string.
- Add a filter that removes all the connections to private IP addresses. For this, you need to create a column with the Is Public IPv4 function on the dstIp field, as shown in the figure.
- Add both latitude and longitude columns that extract the latitude and longitude from the dstIP field with the Geolocated Latitude / Longitude functions.
At this point of the procedure there is a list of connections from legitimate software to public IP addresses and the latitude and longitude of each IP address. The coordinates obtained will be shown on the map-type graph as dots.
As the intention is to show the number of connections to the same IP address, you will need to form an aggrupation and add a counter to obtain the number of times each IP address is repeated in an aggrupation.
- Add an aggrupation on the dstIP field and the newly created latitude and longitude fields, without time limit.
- Add a counter type function.
- Add a Flat world map by coordinates or Google heat map type graph using the count, latitude and longitude columns as data.
When dragging the columns to the boxes indicated, the chosen map will be shown with the data represented by dots in different colors and sizes.
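An added Python example, not from the guide, of the first two steps and the final aggrupation above on constructed Socket table rows: keep only rows whose cat is Goodware, drop destinations that are not public IPv4 addresses, and count connections per dstIp. Geolocation is left to the console's Geolocated Latitude / Longitude functions and is not reproduced here; the public addresses in the sample are arbitrary.

```python
import ipaddress
from collections import Counter

# Constructed sample rows with the machine, cat, protocol, dstIp and dstPort
# fields of the Socket table (not real data; the public addresses are arbitrary).
SAMPLE_SOCKETS = [
    {"machine": "PC-01", "cat": "Goodware", "protocol": "TCP", "dstIp": "23.45.67.89", "dstPort": 443},
    {"machine": "PC-02", "cat": "Goodware", "protocol": "TCP", "dstIp": "23.45.67.89", "dstPort": 443},
    {"machine": "PC-01", "cat": "Goodware", "protocol": "UDP", "dstIp": "151.80.4.20", "dstPort": 123},
    {"machine": "PC-03", "cat": "Goodware", "protocol": "TCP", "dstIp": "10.0.0.5", "dstPort": 445},
    {"machine": "PC-03", "cat": "Goodware", "protocol": "TCP", "dstIp": "192.168.1.20", "dstPort": 80},
    {"machine": "PC-04", "cat": "Malware", "protocol": "TCP", "dstIp": "23.45.67.89", "dstPort": 8080},
    # IPv6 connection: dstIp is empty and the address would be in dstIp6
    {"machine": "PC-05", "cat": "Goodware", "protocol": "TCP", "dstIp": "", "dstPort": 443},
]


def is_public_ipv4(addr):
    """Offline stand-in for the console's Is Public IPv4 function.
    is_global rejects private, loopback, link-local, multicast and reserved
    ranges, and also the documentation/test ranges such as 192.0.2.0/24, so a
    lab capture that uses those will show no external destinations."""
    try:
        return ipaddress.IPv4Address(addr).is_global
    except ValueError:  # empty, malformed, or an IPv6 literal
        return False


def external_destinations(rows, category="Goodware"):
    """Number of connections per public destination IP for processes of the
    given category (the dstIP aggrupation with a counter)."""
    return Counter(r["dstIp"] for r in rows
                   if r.get("cat") == category and is_public_ipv4(r.get("dstIp", "")))


if __name__ == "__main__":
    for ip, n in external_destinations(SAMPLE_SOCKETS).most_common():
        print(ip, n)
```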
8.2.11. Toast Table
The Toast table records an entry every time a message appears from the customer’s agent.
Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the parent file | String
parentPath | Path of the parent process | String
parentValidSig | Digitally signed parent process | Boolean
parentCompany | Content of the Company attribute in the parent file metadata | String
parentImageType | Type of internal architecture of the parent file | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable parent file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentCat | Category of the parent file | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware found in the parent file | String (Null if the element is not malware)
childHash | Digest / hash of the child file | String
childPath | Path of the child process | String
childValidSig | Digitally signed child process | Boolean
childCompany | Content of the Company attribute in the child file metadata | String
childImageType | Type of internal architecture of the child file | EXEx32, EXEx64, DLLx32, DLLx64
childExeType | Type of child executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
childPrevalence | Historical prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childPrevLastDay | Previous day prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childCat | Category of the child file | Goodware, Malware, PUP, Unknown, Monitoring
clientCat | Category of the element in the agent's cache | Goodware, Malware, PUP, Unknown, Monitoring
childMWName | Name of the malware found in the child file | String (Null if the element is not malware)
serviceLevel | Agent mode | Learning: The agent enables the execution of unknown processes; Hardening: The agent prevents the execution of processes classified as threats; Block: The agent prevents the execution of processes classified as threats and unknown processes
winningTech | Technology that caused the action | Unknown, Cache, Cloud, Contect, Serializer, User, Legacyuser, Netnative, certifUA
cloudAccessOk | Access to the cloud | Boolean
SonFirstSeen | First time that the system saw the process that caused the popup message to appear | Date
SonLastQuery | Last time that the process that caused the popup message launched a query to the cloud | Date
PreviousClientCat | Previous category of the element that caused the popup message | Numeric value
ToastResult | Result of the popup message | OK: The customer accepts the message; Timeout: The popup message disappears due to non-action by the user; Angry: The user rejects the block; Block; Allow
Adaptive Defense Guide
9. Appendix I: Integration with SIEM products
Adaptive Defense is integrated with SIEM solutions, adding detailed information about the activity
of the applications running in protected workstations.
The information sent to the customer's SIEM system comes from the Adaptive Defense server,
which is why it is pre-prepared information (category, prevalence, etc.) and not simply raw data
collected from the agents installed on the users' machines.
Listed below are the SIEM systems compatible with Adaptive Defense:
- QRadar
- AlienVault
- ArcSight
- LookWise
- Bitacora
QRadar
Adaptive Defense supports QRadar (Live format).
AlienVault and ArcSight
Integration with AlienVault and ArcSight adds information to SIEM systems under CEF (Common
Event Format).
LookWise and the former Bitacora
LookWise and the former Bitacora can receive alert events and prevalence information from
Adaptive Defense, that is, information on when and on which computers of the IT infrastructure
the detected malware has been seen.
Integration open to other manufacturers (Splunk, etc.)
Integration with new SIEM platforms is a process that is undertaken on demand, so there is a
possibility of integration with manufacturers such as Splunk and others.
10. Appendix II: Service Level Agreements
At Panda Security we consider it essential to clearly indicate the services included with your
purchase. Below is a description of the service levels offered with the purchase of our solutions.
10.1. Pre-sales and Migration Service
The pre-sales and migration service includes a service demonstration, information and answers to all customer doubts and queries, coordination with Panda Security internal departments, active support in migration, and uninstallers for the solution replaced with Panda Adaptive Defense.
- Customer information service providing email or telephone responses to all customer doubts and questions.
- Internal coordination and open communication with all Panda Security internal departments to provide a response to all customer doubts and queries, and communication of customer needs so that they can be incorporated in the service in future reviews.
- Active support in migration, collecting data, preparing proposals and collaborating in deployments.
- Uninstallers for the replaced solution. If the company that purchases Panda Adaptive Defense wants to replace its traditional antivirus solution, Panda offers uninstallers for different antivirus products/solutions. These uninstallers will be launched automatically on the workstations and servers where the Panda Adaptive Defense protection is installed, provided this is established in the configuration of the service. If no uninstaller is available, Panda agrees to create the uninstaller in a maximum period of 2 weeks after receiving the necessary information. It will be possible to create the uninstaller in all cases unless the product to be uninstalled includes self-protection methods that prevent it from being uninstalled.
10.2. Technical Support Service
The Panda products support service establishes the maintenance and technical assistance necessary to ensure the correct working of all Panda programs in all of the customer's workstations and servers.
- Service Packs and hotfixes: Access to the best product techniques during the service period.
- Support website: Access to forums, blogs, support website, information on latest threats, virus map, Panda ThreatWatch, virus encyclopedia, etc.
- Technical support: Telephone and email support from technicians certified in PANDA SECURITY solutions.
- Access to beta programs to access the latest versions of PANDA security products and share experiences and feedback with us.
- Unlimited access to the HelpDesk: No limit on reported incidents.
The following conditions define the service:
- Personal technical support service. Customer telephone service managed by product experts. Personal resolution of any query or incident related to virus detection or product configuration.
10.3. Our infrastructure in the Cloud
Service Availability
Panda Security ensures that the service will be available 99.5% of the time, and covers the infrastructure used by the Panda Adaptive Defense solution, specifically applied to the following systems:
- Management console.
- The downloading of packages for installing both the agent and the protection on Windows laptops, workstations and servers.
Availability will be calculated annually according to the following equation:
$\left( \frac{total - nonexcluded - excluded}{total - excluded} \right) \times 100 \geq 99.5\%$
Where:
- Total is the total number of minutes per year.
- Nonexcluded is the downtime which is not excluded, i.e. the time during which there has been a service downtime in which the management console and/or downloads of the packages for installing the agent and the protection have not been available.
- Excluded time is that which is included in the following cases:
  - Planned stops for maintenance, installation of new versions (major and minor), and for the installation of hotfixes. This time will never exceed 48 hours per quarter.
  - Any stop for maintenance where Panda Security provides 48h to 96h notice by email to the partner. That notification will indicate the approximate start and finish time of the maintenance tasks.
  - Any planned stop for installing Major Releases, limited to a maximum of 3 a year.
  - Any planned stop for installing Minor Releases, limited to a maximum of 3 a year.
  - Any planned stop for installing hotfixes.
  - Any service downtime caused by Force Majeure, and generally any circumstances beyond the control of Panda Security, including but not limited to any external event that could not be foreseen, or that even if it could be foreseen was inevitable, preventing the performance of the obligations of one of the parties, such as storms, floods, fires, war or sabotage.
Availability calculations will be produced for the whole year, even in cases in which the customer
has contracted the service for less time or during the same year. During 2013, our cloud platform
had 99.9% availability.
What security does the platform hosting the data have?
Windows Azure, the platform where Panda Adaptive Defense is hosted, provides maximum
confidentiality and security for the stored data. The security and control policies established in
Azure are described in the “Windows Azure Security Overview” White Paper. See
http://download.microsoft.com/download/6/0/2/6028B1AE-4AEE-46CE-9187641DA97FC1EE/Windows%20Azure%20Security%20Overview%20v1.01.pdf
What security certifications does the platform hosting the data have?
As indicated in the .PDF in the above section, Windows Azure runs on Microsoft Global
Foundation Services (GFS): “Windows Azure operates in the Microsoft Global Foundation Services
(GFS) infrastructure”.
The following document shows information on how security is managed in Global Foundation Services (GFS), the Microsoft Cloud infrastructure in which Windows Azure operates:
http://cdn.globalfoundationservices.com/documents/InformationSecurityMangSysforMSCloudInfrastructure.pdf
Windows Azure certifications are indicated in the .PDF document:
- ISO/IEC 27001:2005
- Statement on Auditing Standards No. 70 (SAS 70) Type I and II
- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)
We also have more detailed information on the 27001 certification at:
http://blogs.msdn.com/b/windowsazure/archive/2011/12/19/windows-azure-achieves-is0-27001certification-from-the-british-standards-institute.aspx
Finally, there is a White Paper at http://www.microsoft.com/download/en/details.aspx?id=26647
which describes how Windows Azure fulfils the security requirements defined by the Cloud Security
Alliance's Cloud Controls Matrix. A paragraph from the White Paper is included below:
“Our security framework based on ISO 27001 enables customers to evaluate how Microsoft meets
or exceeds the security standards and implementation guidelines. ISO 27001 defines how to
implement, monitor, maintain, and continually improve the Information Security Management
System (ISMS). In addition, the GFS infrastructure undergoes an annual American Institute of
Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) No. 70 audit, which
will be replaced with an AICPA Statement on Standards for Attestation Engagements (SSAE) No.
16 audit and an International Standards for Assurance Engagements (ISAE) No. 3402 audit.
Planning for an SSAE 16 audit of Windows Azure is underway.”
10.4. Unreliable software classification service
Panda Adaptive Defense is based on innovative technologies that draw on information collected
from the continuous monitoring of applications running on workstations and servers, reputation
information, information from the Panda community itself, and information obtained from the
controlled execution of these applications on physical machines located in Panda's infrastructure.
All these inputs feed a Big Data analysis engine in our cloud infrastructure, where they are
aggregated, correlated and processed. The end result is a diagnosis that determines whether or not
Panda considers the application reliable. This diagnosis is determined with almost 100% accuracy,
calculated on the basis of all the goodware and malware classifications made by Panda to date.
In any case, the reliability level of each application is recalculated continuously as new events
arrive in the system.
Our experts at PandaLabs, using all the information collected from the continuous monitoring of
applications running on endpoints together with the results of the Big Data analysis carried out in
our cloud infrastructure, manually classify those applications that the system does not classify
automatically.