Wednesday, November 26, 2008

Redemption

Though I missed the true beta period, I downloaded and installed the pre-release version of FTK 2.1 last night. FTK 2.0 left us all in a state of shock. Many questions and accusations flew around various industry forums and mailing lists. Prices went up, quality went down, and we were left wanting what we paid for. A lot of faith was lost in Accessdata and their ability to provide a solid product moving forward.

Don't throw away your dongles quite yet. 2.1 is the product 2.0 was supposed to be.

Compared to 2.0, the installation of 2.1 was a breeze. The only missing link was that I needed to reboot to get KFF installed.

Some remarkable improvements I noticed are:

Speed - moving between tabs is as it should be. Processing is much, much faster.

Resource usage - Obviously, with a 64-bit install FTK will use as many resources as can be thrown at it. I like this. I have a good machine with plenty of resources, and before I moved to 64-bit I always watched in horror as my resources just didn't get used.

Here's a shot of FTK just beginning to process an image:

[screenshot]

Here it is 10 minutes into processing:

[screenshot]

Usability - Wow, when you click on a tab, you open that tab immediately, even while processing a case.

Does it still require a huge amount of resources? Why yes, yes it does. My test rig has the following specs:
  • 8GB ECC 667 RAM
  • Dual Xeon 2.66GHz quad-core processors
  • System drive: RAID 0 on two 146GB SAS drives
  • Database drive: three 500GB SATA drives in RAID 0

All in all, I have to hand it to Accessdata. After all the tongue-lashing they took when 2.0 was released, they listened to their customers, licked their wounds, went back to the drawing board, and worked to remedy the problems. I won't say just yet that all of the problems have been fixed. I just installed the product last night, and I'm still processing cases, but this is what I wanted to see: a solid product capable of living up to its marketing, and a product that gives me what I paid for.

Addendum: An 80GB disk took about 6 hours to process and index. I imagine if I had more disk available I could get it taken care of in under 4 hours. Compared to FTK 1.7, which took 20 hours to process an image, I'm happy, very happy with the performance. Currently, I'm processing two more images, of 100GB and 150GB, in the same case.

Sunday, November 23, 2008

What your antivirus isn't telling you

Ever looked at your own antivirus logs, or those of a compromised computer, and found something like SillyFDC or Trojan.horse? Those happen to be generic definitions from Symantec, but other vendors have generic detection signatures too. Generic detection is a common method of dealing with malware, and while it is generally fantastic, it's a big double-edged sword.

Let me explain the two detections above.

SillyFDC is a generic signature for malware that spreads via removable media.

Trojan.horse carries the following description from Symantec: "Symantec antivirus programs use Trojan horse as a generic detection when detecting many individual but varied Trojan horse programs for which specific definitions have not been created."

So, using these signatures, something we don't have a specific signature for but that exhibits Trojan-like properties is called "Trojan.horse", and something that uses removable media as a spreading mechanism is called "SillyFDC". OK, no problem, right?

It is in fact a problem.

With antivirus now being the 40% solution against bots, it's likely to miss a recent variant of malware. Additionally, when your clients or users discover a variant of one of these types of malware, how are they to know what to do? It's been detected generically. Symantec says the malware is a low risk. Is it really? Again, how is an organization to know? And how long did it take for the infection to be detected at all?

In a real-world scenario, I first discovered a variant of removable media malware some 30 days before a definition was made available by Symantec. This malware not only spread by removable media but was a keystroke logger as well. Once Symantec generated a definition for it, it was labeled as Trojan.horse.

Now, let's look at this from a sysadmin's perspective. You run a managed antivirus environment, and one day, after your server and clients grab the latest set of definitions, you get an alert for malware called Trojan.horse. "Great!" you say to yourself. "My antivirus has done its job." You move on with your day as if nothing happened; after all, your AV product detected and removed the threat. You never look at the file or its timestamps, and you certainly don't investigate. This is an all-too-common scenario.

What's my point?

When an antivirus product fires an alert for a generic detection, it always bears investigation. When something is detected generically, it may well be far more serious than the alert makes it appear. Using Trojan.horse as the example: when no specific definition exists, the sample gets classified as Trojan.horse so it can be detected and removed. That's fine, but it means you have no idea what that malware is actually capable of. An immediate threat assessment should take place, even if you simply submit the sample to an automated sandboxing web site.

What you should look at:
  • How long has the malware been on the system?
  • What capabilities does it have?
  • Has data been exfiltrated as a result of it?
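The checklist above can be turned into a first-pass triage step that runs over the AV alert feed itself. The script below is an added example, not the author's code or any vendor's tooling: it parses constructed alert lines in a hypothetical pipe-delimited layout, flags detection names that are generic families (the post's Trojan.horse and SillyFDC plus common heuristic prefixes, an illustrative list rather than any vendor's official naming), computes how long the file sat on disk before the alert, and overrides the vendor's "Low" label with an investigate/escalate verdict whenever the hit is generic or the dwell time is long. Field names, hosts, paths and the seven-day threshold are all assumptions for the example.

```python
"""Triage generic antivirus detections (added example; not the post's code).

Parses constructed, pipe-delimited AV alert lines in a made-up format,
flags detection names that are generic families, computes how long the
file had been on the system before the alert, and returns a triage record
that overrides the vendor's own risk label when the hit is generic.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Generic names the post mentions (Symantec's Trojan.horse and SillyFDC) plus
# prefixes/suffixes several vendors use for heuristic or family-level hits.
# Assumption: illustrative list, not any vendor's official naming scheme.
GENERIC_PATTERNS = (
    re.compile(r"^trojan[ .]?horse$", re.IGNORECASE),
    re.compile(r"^sillyfdc\b", re.IGNORECASE),
    re.compile(r"^(generic|heur|suspicious)\b", re.IGNORECASE),
    re.compile(r"\.gen(eric)?\b", re.IGNORECASE),
)

# Constructed sample alerts. Hypothetical field layout:
# detected_at|host|detection_name|path|file_mtime|action|vendor_risk
SAMPLE_LOG = """\
2008-11-21T09:14:03Z|WS-0142|Trojan.horse|C:\\WINDOWS\\system32\\msdrv32.exe|2008-10-22T18:41:55Z|Quarantined|Low
2008-11-21T09:15:10Z|WS-0142|SillyFDC|E:\\autorun.inf|2008-11-20T22:03:12Z|Deleted|Low
2008-11-21T11:02:45Z|WS-0077|W32.Sample.A|C:\\temp\\x.dll|2008-11-21T10:58:01Z|Quarantined|Medium
"""


@dataclass
class Detection:
    detected_at: datetime
    host: str
    name: str
    path: str
    file_mtime: datetime
    action: str
    vendor_risk: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Detection:
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    detected, host, name, path, mtime, action, risk = fields
    return Detection(_ts(detected), host, name, path, _ts(mtime), action, risk)


def is_generic(name: str) -> bool:
    """True if the name only says 'some Trojan' or 'some removable-media worm'."""
    return any(p.search(name) for p in GENERIC_PATTERNS)


def dwell_days(d: Detection) -> float:
    """Days between the file landing on disk and the alert.

    Caveat: mtime is attacker-controllable (timestomping) and may be inherited
    from the source media, so corroborate it with other artifacts (MFT
    $FILE_NAME timestamps, prefetch, event logs) before trusting the number.
    """
    return (d.detected_at - d.file_mtime).total_seconds() / 86400.0


def triage(d: Detection, long_dwell_days: float = 7.0) -> dict:
    """Apply the post's rule: a generic hit always gets investigated."""
    generic = is_generic(d.name)
    dwell = dwell_days(d)
    if generic:
        # The vendor's "Low" rates the signature, not this sample; a generic
        # name means the sample's actual capabilities are unknown.
        verdict = "investigate"
        actions = [
            "recover the file from quarantine and record its hashes",
            "submit to a sandbox / static analysis to establish capabilities",
            "review proxy and firewall logs from the host for exfiltration",
        ]
    else:
        verdict = "verify-clean"
        actions = ["confirm removal and check for dropped sibling files"]
    if dwell >= long_dwell_days:
        verdict = "escalate"
        actions.insert(0, f"assume an exposure window of ~{dwell:.0f} days; scope other hosts")
    return {
        "host": d.host, "name": d.name, "path": d.path, "generic": generic,
        "vendor_risk": d.vendor_risk, "dwell_days": round(dwell, 1),
        "verdict": verdict, "actions": actions,
    }


def triage_log(text: str) -> List[dict]:
    return [triage(parse_line(ln)) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(rec["host"], rec["name"], rec["vendor_risk"], rec["dwell_days"], "->", rec["verdict"])
        for a in rec["actions"]:
            print("   -", a)
```

On the constructed data the Trojan.horse hit on WS-0142 comes out as "escalate" with roughly 30 days of dwell, which is the situation the post describes: a vendor-rated "Low" detection that had been on the box for a month. The dwell figure is only as good as the file timestamp it is computed from, so treat it as a lead to corroborate, not a finding.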

Generic detection, while a good thing for the vendor, is a bad thing for the rest of us. It's misleading and provides almost no actionable information. Trojan.horse is a low threat level according to Symantec; I can think of no small number of people who would consider a keylogger a huge threat, especially one that was present on a system for 30 days before a definition was available.

*Note: I'm not picking on Symantec. This is an issue with all antivirus products.*

Tuesday, November 4, 2008

Double take

This is short. Very short.

Accessdata offered to purchase Guidance Software's remaining stock.

Read about it here

The offer was rejected, but Guidance should now be aware that there are sharks in the water, and they smell blood.