Organizations need to understand and protect themselves from many different types of threat actors. If you’re planning to take the SY0-501 exam, you should have a good understanding of detecting attacks and protecting systems from these attacks. This includes how organizations and individuals can prevent many of these attacks from succeeding with just a few steps.
For example, can you answer this practice test question?
Q. Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Select TWO.)
A. Mantrap
B. Anti-malware software
C. Cable locks
D. Disk encryption
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Antivirus and Anti-Malware Software
Anti-malware software provides protection against many types of malware. You’ll often hear the term antivirus software indicating it only protects against viruses. However, the lines have blurred. Viruses aren’t the only threats. Attackers have changed their methodologies using different types of malware, and antivirus software vendors have adapted by including methods to detect and block these new threats. Most antivirus software detects, blocks, and removes several different types of malware, such as viruses, Trojans, worms, rootkits, spyware, and adware. Antivirus software provides real-time protection and can perform both scheduled and manual scans. The real-time protection continuously monitors the system. For example, when a user visits a web site, antivirus software scans the downloaded web site files and attempts to block malicious code. Similarly, when a user downloads or opens a file, antivirus software scans it before opening it. Scheduled scans occur regularly, such as once a week. If users or technicians detect suspicious activity, they can perform manual scans to check the system.
If the antivirus software detects malware, it will typically quarantine it and notify the user. However, the exact way antivirus software does so varies from one vendor to another. The key to analyzing and interpreting the output from the antivirus software is to recognize the alert and read it. Some people just click OK without paying attention to alerts and can inadvertently override the antivirus software.
Antivirus software detects viruses using either signature-based detection or heuristic-based detection.
Signature-Based Detection
Viruses and other malware have known patterns. Signature files (also called data definition files) define the patterns, and the antivirus software scans files for matching patterns. When the software identifies a matching pattern, it reports it as an infection and takes action, such as deleting or quarantining the file.
A quarantined virus is not harmful to the system while it is in quarantine, but it’s still available for analysis. As an example, a security professional could release a quarantined virus into an unprotected but isolated virtual machine environment for research and study.
Malware developers constantly release new viruses, so it’s important to update signature definition files regularly. Most antivirus software includes the ability to automate the process of checking and downloading updated signature definition files. They typically check for updates several times a day.
It’s also possible to download and install signature files manually. Administrators do this when updating systems that do not have Internet access. When doing so, it’s important for administrators to ensure the signature file has not lost data integrity by comparing the hash of the signature file posted on the antivirus vendor’s web site with the hash of the downloaded file.
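The two ideas in this section, matching files against a signature definition file and refusing a manually downloaded signature file whose hash does not match the hash the vendor published, as an added example (not code from the original post or from any antivirus vendor). The signature names, byte patterns, directory layout and "vendor" hash are all constructed for the demonstration; the scanner is a toy substring matcher, not a real detection engine.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Constructed signature database: detection name -> byte pattern that a real
# signature file would describe far more precisely. Both patterns are made up.
SIG_PATTERNS = {
    "Example.Dropper.A": b"XCONSTRUCTED-PATTERN-A",
    "Example.Worm.B": b"\x90\x90\x90XCONSTRUCTED-PATTERN-B",
}
# The signature file as it would be distributed (JSON, patterns hex-encoded) ...
SIGNATURE_FILE_BYTES = json.dumps(
    {name: pat.hex() for name, pat in SIG_PATTERNS.items()}).encode()
# ... and the hash the vendor would post on its web site (constructed here).
VENDOR_SHA256 = hashlib.sha256(SIGNATURE_FILE_BYTES).hexdigest()


def sha256_file(path):
    """Hash a file in chunks so large signature files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_signatures(sig_path, expected_sha256):
    """Load a signature file only if its hash matches the vendor-published hash.

    This is the manual-update check from the text: a signature file that lost
    integrity (truncated download, tampering) is rejected rather than trusted.
    """
    actual = sha256_file(sig_path)
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"signature file {sig_path} failed integrity check")
    data = json.loads(Path(sig_path).read_text())
    return {name: bytes.fromhex(hex_pattern) for name, hex_pattern in data.items()}


def scan_file(path, signatures):
    """Return the names of every signature whose pattern appears in the file."""
    data = Path(path).read_bytes()
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_tree(root, quarantine_dir, signatures):
    """Scan every file under root; move matches into quarantine, keep a report."""
    root, quarantine_dir = Path(root), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_file(path, signatures)
        if hits:
            # Quarantine = move out of reach but keep the bytes for analysis.
            shutil.move(str(path), str(quarantine_dir / (path.name + ".quarantined")))
            findings[str(path.relative_to(root))] = hits
    return findings


def run_demo():
    """Build a constructed directory, run the checks, and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        good_sig = tmp / "signatures.json"
        good_sig.write_bytes(SIGNATURE_FILE_BYTES)
        signatures = load_signatures(good_sig, VENDOR_SHA256)

        # A signature file that was altered in transit must be refused.
        bad_sig = tmp / "signatures_tampered.json"
        bad_sig.write_bytes(SIGNATURE_FILE_BYTES + b" ")
        try:
            load_signatures(bad_sig, VENDOR_SHA256)
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True

        downloads = tmp / "downloads"
        downloads.mkdir()
        (downloads / "report.txt").write_bytes(b"quarterly numbers, nothing to see")
        (downloads / "setup.exe").write_bytes(
            b"MZ\x00\x00" + SIG_PATTERNS["Example.Dropper.A"] + b"\x00trailer")
        quarantine = tmp / "quarantine"
        findings = scan_tree(downloads, quarantine, signatures)
        return {
            "tampered_rejected": tampered_rejected,
            "findings": findings,
            "remaining": sorted(p.name for p in downloads.iterdir()),
            "quarantined": sorted(p.name for p in quarantine.iterdir()),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

`hmac.compare_digest` is used for the hash comparison so the check does not leak how many leading characters matched; for a signature file that is mostly a convenience, but it is the habit worth keeping for any hash comparison.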
Heuristic-Based Detection
Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have signatures. This includes zero-day exploits.
Heuristic-based analysis runs questionable code in a sandbox or virtualized environment specifically designed to protect the live environment, while it observes the code’s behavior. Most viruses engage in viral activities—actions that can be harmful, but are rarely performed by legitimate programs. The heuristic-based analysis detects these viral activities.
As an example, polymorphic malware adds variations to files when it creates copies. It’s highly unusual for any application to add variations in files like this, and heuristic methods are often successful at detecting polymorphic malware.
Checking File Integrity
Some antivirus scanners use file integrity checkers to detect modified system files. A file integrity checker calculates hashes on system files as a baseline. It then periodically recalculates the hashes on these files and compares them with the hashes in the baseline. If the hashes are ever different, it indicates the system files have been modified. When an antivirus scanner detects a modified file, it sends an alert. Many times, these alerts can detect rootkit infections.
It’s also possible to check file integrity with command-line tools. For example, the Microsoft File Checksum Integrity Verifier (fciv.exe) tool can verify the integrity of all files within a folder, or a group of nested folders.
The fciv.exe tool allows you to create a data file listing the hashes of all files within a directory. You can then run the command later to verify the hashes are still the same. Normally, you’ll see the following message indicating the files haven’t lost integrity: “All files verified successfully.” However, if the application detects a file with a different hash, you’ll see a message similar to this:
List of modified files:
------------------------
exefiles\md5Sum.exe
Hash is: 08ab4b9b40448d77079f61751f989702bbebe2ed
It should be: 7648ec1a2d8c8b65a024973d30b4b2dc48ad0cec
In this example, it indicates that the file md5sum.exe has been modified. Because executable files aren’t normally modified, this indicates the file has likely been infected with malware and it shouldn’t be used.
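A file integrity checker of the kind described above (baseline, periodic recalculation, comparison), as an added example rather than code from the original post or from fciv.exe. It stores the baseline as JSON, and its report mimics the shape of the fciv output quoted above; it uses SHA-256 where fciv itself uses MD5 or SHA-1, and the directory contents, file names and "injected" change are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large system files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated) to its current hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_baseline(root, baseline):
    """Recalculate hashes and compare with the baseline.

    Returns modified files (with actual and expected hashes), files that vanished
    since the baseline, and files that appeared since the baseline.
    """
    current = build_baseline(root)
    modified = {
        rel: (current[rel], expected)
        for rel, expected in baseline.items()
        if rel in current and current[rel] != expected
    }
    missing = sorted(rel for rel in baseline if rel not in current)
    added = sorted(rel for rel in current if rel not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def format_report(result):
    """Render the verification result in the style of the fciv output above."""
    if not (result["modified"] or result["missing"] or result["added"]):
        return "All files verified successfully."
    lines = ["List of modified files:", "-" * 24]
    for rel, (actual, expected) in sorted(result["modified"].items()):
        lines += [rel, f"Hash is: {actual}", f"It should be: {expected}"]
    lines += [f"{rel} (missing since baseline)" for rel in result["missing"]]
    lines += [f"{rel} (not in baseline)" for rel in result["added"]]
    return "\n".join(lines)


def run_demo():
    """Create a constructed tree, take a baseline, alter an executable, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        system = tmp / "system"
        (system / "exefiles").mkdir(parents=True)
        exe = system / "exefiles" / "md5sum.exe"
        exe.write_bytes(b"MZ constructed executable v1")          # constructed
        (system / "readme.txt").write_bytes(b"constructed documentation")

        # Baseline pass: write the hashes to a data file, as fciv does.
        baseline_path = tmp / "baseline.json"
        baseline_path.write_text(json.dumps(build_baseline(system), indent=2))

        # Verification pass while nothing changed.
        clean = verify_baseline(system, json.loads(baseline_path.read_text()))

        # Executables are not normally modified; simulate an infection.
        exe.write_bytes(b"MZ constructed executable v1 + injected code")
        tampered = verify_baseline(system, json.loads(baseline_path.read_text()))

        return {
            "clean_report": format_report(clean),
            "modified": sorted(tampered["modified"]),
            "missing": tampered["missing"],
            "added": tampered["added"],
            "tampered_report": format_report(tampered),
        }


if __name__ == "__main__":
    print(run_demo()["tampered_report"])
```

The baseline file is only as trustworthy as its storage: if an attacker who can modify system files can also rewrite baseline.json, the checker reports nothing, which is why real integrity checkers keep the baseline read-only or off the monitored host.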
Q. Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Select TWO.)
A. Mantrap
B. Anti-malware software
C. Cable locks
D. Disk encryption
Answers are B, C. Anti-malware software and cable locks are the best choices to protect these computers. Anti-malware software protects the systems from viruses and other malware. The cable locks deter theft of the computers.
A mantrap prevents tailgating, but this is unrelated to this question.
Disk encryption is useful if the computers have confidential information, but it wouldn’t be appropriate to put confidential information on a public computer.
See Chapters 6 and 9 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on protecting systems.