Monday, March 6, 2017

Blocking malware

Successfully resisting malware and phishing attacks starts with some fundamental security features that have protected the core of the operating system for several years. The first two features are designed to protect against exploits that use vulnerabilities such as buffer overruns in the operating system and in applications:

■ Address Space Layout Randomization (ASLR) This feature randomizes how and where important data is stored in memory, making it more likely that attacks that try to write directly to system memory will fail because the malware can’t find the specific location it needs to attack. Windows 8.1 and Windows 10 increase the level of entropy significantly from Windows 7, making it more difficult for most exploits to succeed. In addition, ASLR is unique across devices, making it more difficult for an exploit that works on one device to also work on another.

■ Data Execution Prevention (DEP) This feature substantially reduces the range of memory that code (including malicious code) can run in. Beginning with Windows 8, hardware-based DEP support is a requirement; Windows 10 will not install on a device that lacks this feature. DEP uses the Never eXecute (NX) bit on supported CPUs to mark blocks of memory so that they can store data but never run code. Therefore, even if malicious users succeed in loading malicious code into memory, they are unable to run it.

Windows Defender
In Windows 7, Windows Defender is the name of a limited antispyware solution. Beginning with Windows 8 and continuing in Windows 10, Windows Defender is a full-featured security solution (and the successor to Microsoft Security Essentials) capable of detecting all sorts of malicious software. Because it supports the ELAM feature, described earlier in this chapter, it also prevents rootkits that try to infect third-party boot drivers. In Windows 10, Windows Defender also includes network behavior monitoring.

Windows Defender is designed to be unobtrusive, updating automatically and providing messages only when required to do so. It is intended primarily for use in unmanaged PCs. In enterprise settings, you’ll probably want to use an alternative antimalware solution. Microsoft’s System Center Endpoint Protection, which uses the same engine as Windows Defender and also includes support for ELAM, is designed for use with enterprise-management tools. A number of third-party solutions that meet those same criteria are also available.

SmartScreen and phishing protection
Windows 10 includes two separate but related features that share a common name: SmartScreen. The basic security principle behind SmartScreen (which was first introduced in Windows 8) is simple: it’s much more effective to stop malicious code from running in the first place than to remove it after it has already secured a foothold on the system.

Microsoft’s technological investment in the SmartScreen technology has been built up over many years. The data comes from various sources, including Microsoft Edge and Internet Explorer, Bing, Windows Defender, and the Enhanced Mitigation Experience Toolkit (EMET). Collectively, this information powers an online service that is able to effectively block many drive-by attacks in the browser. When your users visit a webpage that SmartScreen has identified as having been compromised by an exploit kit, for example, the page contents are blocked with a message.

Independently of the browser, SmartScreen checks any executable file when it’s run. If the file is marked as being from an online source, a web service checks a hash of the file against Microsoft’s application-reputation database. Files that have established a positive reputation and are thus presumed to be safe are allowed to run. Files with a negative reputation that are presumed to be malicious are blocked.

Windows SmartScreen technology is particularly effective at preventing untrained users from running files of unknown provenance that have a greater-than-normal chance of being malicious. When SmartScreen identifies a file that has not yet established a reputation, it blocks execution and displays a warning message.

Local administrators can override SmartScreen blocks manually. If you want to disable the SmartScreen technology or adjust its behavior (for example, to prevent users from overriding SmartScreen actions), you can use Group Policy settings to do so.

Source of Information : Microsoft Introducing Windows 10 For IT Professionals

No comments: