Communications and Internet 

Computer network protection. Fighting malware on a local network. Multi-level systems with a Web interface

A very accurate phrase: “there are no invulnerable systems.” No system is completely secure. If the power is on and the computer is connected to the network, no matter what precautions are taken, the system is vulnerable and can make other computers on the network vulnerable. It is always necessary to assume the presence of previously unrecognized weaknesses and threats and continue to strengthen the security of the system.

Human factor and its shortcomings

If an employee of a company, due to the nature of his activity, has access to the latter’s computing resources, then he has information that may be valuable to attackers. Let's look at examples of information leaks.

  • Passwords that are difficult to crack are also difficult to remember, so they are often written down on paper ( Notebook, business diary, sticker on the monitor, etc.).
  • In a normal conversation, a person may blurt out too much.
  • Sociotechnique, or manipulative behavior, is an effective technique for attackers. For example, an attacker could impersonate a boss and force the user to give him important information or, conversely, impersonate the user and ask the administrator to tell him the password over the phone.
  • Disgruntled employees can pose a serious threat. This is especially dangerous if such an employee is System Administrator or a person who has access to important information that constitutes a trade secret.

The best defense against these vulnerabilities and threats is to train staff, increase their awareness, and establish penalties for violating system rules.

System and network administrators in this process they play an auxiliary but very important role. For example, an administrator can monitor user actions and, being thoroughly familiar with the rules of operation in the system, identify unauthorized activity and report it to the security service.

Vigilance is never enough

Always be aware of what is happening in your environment. If anything unusual appears, find out why. Cover identified weaknesses and try to reduce the likelihood of threats.
The main means of regular monitoring is log files. Analyzing the log files will provide insight into what happened and possibly who is responsible. It often helps identify weaknesses and potential threats. Interpreting information stored in log files is a completely manual process.
Possible threat of free software
The advantage of such programs is the availability of their source codes. Even if some of us don't have enough knowledge to check source or create a test environment, other people can do this. They report noticed flaws to developers, and also publish their comments on mailing lists ( bugtraq).
Always check the weak points, PGP signatures (C) and MD5 checksums (CS) of downloaded programs. If CS or C is missing, analyze the source code or run the program in a safe environment and see what happens.

The problem of the network worm epidemic is relevant for any local network. Sooner or later, a situation may arise when a network or email worm penetrates the LAN and is not detected by the antivirus being used. A network virus spreads across a LAN through operating system vulnerabilities that were not closed at the time of infection or through writable shared resources. An email virus, as the name suggests, spreads via email, provided that it is not blocked by client antivirus and antivirus software. mail server. In addition, an epidemic on a LAN can be organized from within as a result of the activities of an insider. In this article we will consider practical methods for the operational analysis of LAN computers using various means, in particular using the author's AVZ utility.

Formulation of the problem

If an epidemic or some abnormal activity is detected on the network, the administrator must quickly solve at least three tasks:

  • detect infected PCs on the network;
  • find samples of malware to send to an anti-virus laboratory and develop a counteraction strategy;
  • take measures to block the spread of the virus on the LAN and destroy it on infected computers.

In the case of insider activity, the main steps of analysis are identical and most often boil down to the need to detect third-party software installed by the insider on LAN computers. Examples of such software include utilities remote administration, keyloggers and various Trojan bookmarks.

Let us consider in more detail the solution to each of the tasks.

Search for infected PCs

To search for infected PCs on the network, you can use at least three methods:

  • automatic remote PC analysis - obtaining information about running processes, loaded libraries and drivers, searching for characteristic patterns - for example, processes or files with given names;
  • PC traffic analysis using a sniffer - this method very effective for catching spam bots, email and network worms, however, the main difficulty in using a sniffer is due to the fact that a modern LAN is built on the basis of switches and, as a result, the administrator cannot monitor the traffic of the entire network. The problem can be solved in two ways: by running a sniffer on the router (which allows you to monitor data exchange between the PC and the Internet) and using the monitoring functions of switches (many modern switches allow you to assign a monitoring port to which the traffic of one or more switch ports specified by the administrator is duplicated);
  • study of network load - in this case, it is very convenient to use smart switches, which allow you not only to assess the load, but also to remotely disable ports specified by the administrator. This operation it is significantly simplified if the administrator has a network map, which contains information about which PCs are connected to the corresponding ports of the switch and where they are located;
  • use of honeypots - it is strongly recommended to create several honeypots on the local network that will allow the administrator to timely detect an epidemic.

Automatic analysis of PCs on the network

Automatic PC analysis can be reduced to three main stages:

  • conducting a complete PC examination - running processes, loaded libraries and drivers, autorun;
  • conducting operational research - for example, searching for characteristic processes or files;
  • quarantine of objects according to certain criteria.

All of the above tasks can be solved using the author's AVZ utility, which is designed to be launched from a network folder on the server and supports a scripting language for automatic PC inspection. To run AVZ on user computers you must:

  1. Place AVZ in a network folder on the server that is open for reading.
  2. Create LOG and Qurantine subdirectories in this folder and allow users to write to them.
  3. Launch AVZ on LAN computers using the rexec utility or logon script.

Launching AVZ in step 3 should be done with the following parameters:

\\my_server\AVZ\avz.exe Priority=-1 nw=Y nq=Y HiddenMode=2 Script=\\my_server\AVZ\my_script.txt

In this case, the Priority=-1 parameter lowers the priority of the AVZ process, the nw=Y and nq=Y parameters switch the quarantine to the “network run” mode (in this case, a subdirectory is created in the quarantine folder for each computer, the name of which matches the network name of the PC) , HiddenMode=2 instructs to deny the user access to the GUI and AVZ controls, and, finally, the most important parameter Script specifies the full name of the script with commands that AVZ will execute on the user's computer. Script language AVZ is quite simple to use and is focused exclusively on solving problems of computer examination and treatment. To simplify the process of writing scripts, you can use a specialized script editor, which contains an online prompt, a wizard for creating standard scripts, and tools for checking the correctness of the written script without running it (Fig. 1).

Rice. 1. AVZ script editor

Let's look at three typical scripts that may be useful in the fight against the epidemic. First, we need a PC research script. The task of the script is to conduct a study of the system and create a protocol with the results in a given network folder. The script has next view:

ActivateWatchDog(60 * 10);

// Start scanning and analysis

// System exploration

ExecuteSysCheck(GetAVZDirectory+

‘\LOG\’+GetComputerName+’_log.htm’);

//Shutdown AVZ

During the execution of this script, HTML files with the results of the study of network computers will be created in the LOG folder (assuming that it is created in the AVZ directory on the server and is available for users to write), and to ensure uniqueness, the name of the computer being examined is included in the protocol name. At the beginning of the script there is a command to enable a watchdog timer, which will forcefully terminate the AVZ process after 10 minutes if failures occur during the execution of the script.

The AVZ protocol is convenient for manual study, but it is of little use for automated analysis. In addition, the administrator often knows the name of the malware file and only needs to check the presence or absence of this file, and if available, quarantine for analysis. In this case, you can use the following script:

// Enable watchdog timer for 10 minutes

ActivateWatchDog(60 * 10);

// Search for malware by name

QuarantineFile('%WinDir%\smss.exe', 'Suspicious about LdPinch.gen');

QuarantineFile('%WinDir%\csrss.exe', 'Suspicion of LdPinch.gen');

//Shutdown AVZ

This script uses the QuarantineFile function to attempt to quarantine the specified files. The administrator can only analyze the contents of the quarantine (folder Quarantine\network_name_PC\quarantine_date\) for the presence of quarantined files. Please note that the QuarantineFile function automatically blocks quarantine of files identified by the secure AVZ database or the Microsoft digital signature database. For practical use, this script can be improved - organize the loading of file names from an external text file, check the found files against the AVZ databases and generate a text protocol with the results of the work:

// Search for a file with the specified name

function CheckByName(Fname: string) : boolean;

Result:= FileExists(FName) ;

if Result then begin

case CheckFile(FName) of

1: S:= ‘, access to the file is blocked’;

1: S:= ‘, detected as Malware (‘+GetLastCheckTxt+’)’;

2: S:= ‘, suspected by the file scanner (‘+GetLastCheckTxt+’)’;

3: exit; // Safe files are ignored

AddToLog(‘The file ‘+NormalFileName(FName)+’ has a suspicious name’+S);

//Add specified file in quarantine

QuarantineFile(FName,’suspicious file’+S);

SuspNames: TStringList; // List of names of suspicious files

// Checking files against the updated database

if FileExists(GetAVZDirectory + ‘files.db’) then begin

SuspNames:= TStringList.Create;

SuspNames.LoadFromFile('files.db');

AddToLog('Name database loaded - number of records = '+inttostr(SuspNames.Count));

// Search loop

for i:= 0 to SuspNames.Count - 1 do

CheckByName(SuspNames[i]);

AddToLog('Error loading list of file names');

SaveLog(GetAVZDirectory+’\LOG\’+

GetComputerName+’_files.txt’);

For this script to work, you must create the Quarantine and LOG directories in the AVZ folder, accessible to users for writing, as well as text file files.db - each line of this file will contain the name of the suspicious file. File names can include macros, the most useful of which are %WinDir% (the path to the Windows folder) and %SystemRoot% (the path to the System32 folder). Another direction of analysis could be an automatic examination of the list of processes running on user computers. Information about running processes is in the system research protocol, but for automatic analysis it is more convenient to use the following script fragment:

procedure ScanProcess;

S:= ''; S1:= '';

//Updating the list of processes

RefreshProcessList;

AddToLog(‘Number of processes = ‘+IntToStr(GetProcessCount));

// Cycle of analysis of the received list

for i:= 0 to GetProcessCount - 1 do begin

S1:= S1 + ‘,’ + ExtractFileName(GetProcessName(i));

// Search for process by name

if pos(‘trojan.exe’, LowerCase(GetProcessName(i))) > 0 then

S:= S + GetProcessName(i)+’,’;

if S<>''then

AddLineToTxtFile(GetAVZDirectory+’\LOG\_alarm.txt’, DateTimeToStr(Now)+’ ‘+GetComputerName+’ : ‘+S);

AddLineToTxtFile(GetAVZDirectory+’\LOG\_all_process.txt’, DateTimeToStr(Now)+’ ‘+GetComputerName+’ : ‘+S1);

The study of processes in this script is performed as a separate ScanProcess procedure, so it is easy to place it in its own script. The ScanProcess procedure builds two lists of processes: full list processes (for subsequent analysis) and a list of processes that, from the administrator’s point of view, are considered dangerous. In this case, for demonstration purposes, a process named ‘trojan.exe’ is considered dangerous. Information about dangerous processes is added to the text file _alarm.txt, data about all processes is added to the file _all_process.txt. It is easy to see that you can complicate the script by adding to it, for example, checking process files against a database of safe files or checking the names of executable process files against an external database. A similar procedure is used in AVZ scripts used in Smolenskenergo: the administrator periodically studies the collected information and modifies the script, adding to it the name of the processes of programs prohibited by the security policy, for example ICQ and MailRu.Agent, which allows you to quickly check the presence of prohibited software on the PCs being studied . Another use for the process list is to find PCs that are missing a required process, such as an antivirus.

In conclusion, let’s look at the last of the useful analysis scripts - a script for automatic quarantine of all files that are not recognized by the safe AVZ database and the Microsoft digital signature database:

// Perform autoquarantine

ExecuteAutoQuarantine;

Automatic quarantine examines running processes and loaded libraries, services and drivers, about 45 autostart methods, browser and explorer extension modules, SPI/LSP handlers, scheduler jobs, print system handlers, etc. A special feature of quarantine is that files are added to it with repetition control, so the autoquarantine function can be called repeatedly.

The advantage of automatic quarantine is that with its help, the administrator can quickly collect potentially suspicious files from all computers on the network for examination. The simplest (but very effective in practice) form of studying files can be checking the resulting quarantine with several popular antiviruses in maximum heuristic mode. It should be noted that simultaneous launch of auto-quarantine on several hundred computers can create a high load on the network and the file server.

Traffic Research

Traffic research can be carried out in three ways:

  • manually using sniffers;
  • in semi-automatic mode - in this case, the sniffer collects information, and then its protocols are processed either manually or by some software;
  • automatically using intrusion detection systems (IDS) such as Snort (http://www.snort.org/) or their software or hardware analogues. In the simplest case, an IDS consists of a sniffer and a system that analyzes the information collected by the sniffer.

An intrusion detection system is an optimal tool because it allows you to create sets of rules to detect anomalies in network activity. Its second advantage is the following: most modern IDS allow traffic monitoring agents to be placed on several network nodes - the agents collect information and transmit it. In case of using a sniffer, it is very convenient to use the console UNIX sniffer tcpdump. For example, to monitor activity on port 25 (SMTP protocol), it is enough to run the sniffer with command line type:

tcpdump -i em0 -l tcp port 25 > smtp_log.txt

In this case, packets are captured via the em0 interface; information about captured packets will be stored in the smtp_log.txt file. The protocol is relatively easy to analyze manually, in in this example Analysis of activity on port 25 allows you to identify PCs with active spam bots.

Application of Honeypot

An outdated computer whose performance does not allow it to be used for solving production problems can be used as a honeypot. For example, a Pentium Pro with 64 MB is successfully used as a trap in the author’s network random access memory. On this PC you should install the most common LAN operating system and choose one of the strategies:

  • Install an operating system without update packages - it will be an indicator of the appearance of an active network worm on the network, exploiting any of the known vulnerabilities for this operating system;
  • install an operating system with updates that are installed on other PCs on the network - the Honeypot will be analogous to any of the workstations.

Each strategy has both its pros and cons; The author mainly uses the option without updates. After creating the Honeypot, you should create a disk image for quick recovery system after it has been damaged by malware. As an alternative to a disk image, you can use change rollback systems such as ShadowUser and its analogues. Having built a Honeypot, you should take into account that a number of network worms search for infected computers by scanning the IP range, calculated from the IP address of the infected PC (common typical strategies are X.X.X.*, X.X.X+1.*, X.X.X-1.*), - therefore, Ideally, there should be a Honeypot on each subnet. As additional preparation elements, you should definitely open access to several folders on the Honeypot system, and in these folders you should put several sample files of various formats, the minimum set is EXE, JPG, MP3.

Naturally, having created a Honeypot, the administrator must monitor its operation and respond to any anomalies detected on this computer. Auditors can be used as a means of recording changes; a sniffer can be used to record network activity. An important point is that most sniffers have the ability to configure sending an alert to the administrator if a specified network activity is detected. For example, in the CommView sniffer, a rule involves specifying a “formula” that describes network package, or setting quantitative criteria (sending more than a specified number of packets or bytes per second, sending packets to unidentified IP or MAC addresses) - Fig. 2.

Rice. 2. Create and configure a network activity alert

As a warning, it is most convenient to use email messages sent to Mailbox administrator - in this case, you can receive prompt alerts from all traps in the network. In addition, if the sniffer allows you to create multiple alerts, it makes sense to differentiate network activity, highlighting the work with by email, FTP/HTTP, TFTP, Telnet, MS Net, increased traffic of more than 20-30 packets per second for any protocol (Fig. 3).

Rice. 3. Notification letter sent
if packets matching the specified criteria are detected

When organizing a trap, it is a good idea to place on it several vulnerable network services used on the network or install an emulator for them. The simplest (and free) is the proprietary APS utility, which works without installation. The operating principle of APS comes down to listening to many TCP and UDP ports described in its database and issuing a predetermined or randomly generated response at the moment of connection (Fig. 4).

Rice. 4. Main window of the APS utility

The figure shows a screenshot taken during a real APS activation on the Smolenskenergo LAN. As can be seen in the figure, an attempt was recorded to connect one of the client computers on port 21. Analysis of the protocols showed that the attempts are periodic and are recorded by several traps on the network, which allows us to conclude that the network is being scanned in order to search for and hack FTP servers by guessing passwords. APS keeps logs and can send messages to administrators with reports of registered connections to monitored ports, which is convenient for quickly detecting network scans.

When creating a Honeypot, it is also helpful to familiarize yourself with online resources on the topic, in particular http://www.honeynet.org/. In chapter Tools given website (http://www.honeynet.org/tools/index.html) you can find a number of tools for recording and analyzing attacks.

Remote malware removal

Ideally, after samples have been discovered malware the administrator sends them to the anti-virus laboratory, where they are promptly studied by analysts and the corresponding signatures are entered into the anti-virus database. These signatures through automatic update reach the user's PC, and the antivirus produces automatic removal malware without administrator intervention. However, this chain does not always work as expected; in particular, the following reasons for failure are possible:

  • for a number of reasons independent of the network administrator, the images may not reach the anti-virus laboratory;
  • insufficient efficiency of the anti-virus laboratory - ideally, it takes no more than 1-2 hours to study samples and enter them into the database, which means that updated signature databases can be obtained within a working day. However, not all antivirus laboratories work so quickly, and you can wait several days for updates (in rare cases, even weeks);
  • high performance of the antivirus - a number of malicious programs, after activation, destroy antiviruses or otherwise disrupt their operation. Classic examples - inclusion in hosts file records blocking normal work antivirus auto-update systems, deletion of processes, services and antivirus drivers, damage to their settings, etc.

Therefore, in the above situations, you will have to deal with malware manually. In most cases, this is not difficult, since the results of the computer examination reveal the infected PCs, as well as the full names of the malware files. All that remains is to remove them remotely. If the malicious program is not protected from deletion, then it can be destroyed using the following AVZ script:

// Deleting a file

DeleteFile('filename');

ExecuteSysClean;

This script deletes one specified file (or several files, since there can be an unlimited number of DeleteFile commands in a script) and then automatically cleans the registry. In a more complex case, the malicious program can protect itself from being deleted (for example, by re-creating its files and registry keys) or disguise itself using rootkit technology. In this case, the script becomes more complicated and will look like this:

// Anti-rootkit

SearchRootkit(true, true);

// Control AVZGuard

SetAVZGuardStatus(true);

// Deleting a file

DeleteFile('filename');

// Enable BootCleaner logging

BC_LogFile(GetAVZDirectory + 'boot_clr.log');

// Import into the BootCleaner task a list of files deleted by the script

BC_ImportDeletedList;

// Activate BootCleaner

// Heuristic system cleaning

ExecuteSysClean;

RebootWindows(true);

This script includes active counteraction to rootkits, the use of the AVZGuard system (this is a malware activity blocker) and the BootCleaner system. BootCleaner is a driver that removes specified objects from KernelMode during a reboot, at an early stage of system boot. Practice shows that such a script is able to destroy the vast majority of existing malware. The exception is malware that changes the names of its executable files with each reboot - in this case, files discovered during system scanning can be renamed. In this case, you will need to disinfect your computer manually or create your own malware signatures (an example of a script that implements a signature search is described in the AVZ help).

Conclusion

In this article, we looked at some practical techniques for combating a LAN epidemic manually, without the use of antivirus products. Most of the described techniques can also be used to search for foreign PCs and Trojan bookmarks on user computers. If you have any difficulties finding malware or creating treatment scripts, the administrator can use the “Help” section of the forum http://virusinfo.info or the “Fighting Viruses” section of the forum http://forum.kaspersky.com/index.php?showforum= 18. Study of protocols and assistance in treatment are carried out on both forums free of charge, PC analysis is carried out according to AVZ protocols, and in most cases treatment comes down to executing an AVZ script on infected PCs, compiled by experienced specialists from these forums.

An antivirus must be installed on every Windows PC. For a long time this was considered the golden rule, but today IT security experts debate the effectiveness of security software. Critics argue that antiviruses do not always protect, and sometimes even the opposite - due to careless implementation, they can create gaps in the security of the system. The developers of such solutions counter this opinion with impressive numbers of blocked attacks, and marketing departments continue to assure them of the comprehensive protection that their products provide.

The truth lies somewhere in the middle. Antiviruses do not work flawlessly, but all of them cannot be called useless. They warn of many threats, but for the greatest possible Windows protection there aren't enough of them. For you as a user, this means the following: you can either throw the antivirus in the trash, or blindly trust it. But one way or another, it is just one of the blocks (albeit a large one) in the security strategy. We will provide you with nine more of these “bricks”.

Security Threat: Antiviruses

> What the critics are saying The current controversy over virus scanners was sparked by former Firefox developer Robert O'Callaghan. He claims: antiviruses threaten Windows security and must be removed. The only exception is Windows Defender from Microsoft.

> What the developers say The creators of antiviruses, including Kaspersky Lab, cite impressive numbers as an argument. Thus, in 2016, software from this laboratory registered and prevented about 760 million Internet attacks on user computers.

> What CHIP thinks Antiviruses should not be considered either a relic or a panacea. They are just a brick in the building of security. We recommend using compact antiviruses. But don't worry too much: Windows Defender is fine. You can even use simple third-party scanners.

Choose the right antivirus

We continue to be convinced that Windows is unthinkable without antivirus protection. You only need to choose the right product. For Tens users, this could even be the built-in Windows Defender. Despite the fact that during our tests it did not show the best degree of recognition, it is perfectly integrated into the system and, most importantly, without any security problems. In addition, Microsoft has improved its product in the Creators Update for Windows 10 and simplified its management.

Antivirus packages from other developers often have a higher recognition rate than Defender. We stand for a compact solution. The leader of our rating on this moment is Kaspersky Internet Security 2017. Those who can refuse such additional options as parental controls and a password manager should turn their attention to a more budget-friendly option from Kaspersky Lab.

Follow updates

If we had to choose only one measure to keep Windows secure, we would definitely go with updates. In this case, of course, we are talking primarily about updates for Windows, but not only. Installed software, including Office, Firefox and iTunes, should also be updated regularly. On Windows get system updates relatively easy. In both the “seven” and “ten”, patches are installed automatically using the default settings.

In the case of programs, the situation becomes more difficult, since not all of them are as easy to update as Firefox and Chrome, which have a built-in automatic update function. The SUMo (Software Update Monitor) utility will support you in solving this task and notify you about the availability of updates. A related program, DUMo (Driver Update Monitor), will do the same job for drivers. Both free assistant, however, only inform you about new versions - you will have to download and install them yourself.

Set up a firewall

Built in Windows firewall does its job well and reliably blocks all incoming requests. However, it is capable of more - its potential is not limited by the default configuration: all installed programs have the right to open ports in the firewall without asking. Free utility Windows Firewall Control puts more features at your fingertips.

Launch it and in the “Profiles” menu set the filter to “Medium Filtering”. Thanks to this, the firewall will also control outgoing traffic according to a given set of rules. You decide for yourself what measures will be included. To do this, in the lower left corner of the program screen, click on the note icon. This way you can view the rules and grant permission with one click separate program or block it.

Use special protection

Updates, antivirus and firewall - you've already taken care of this great trinity of security measures. It's time fine tuning. Problem additional programs under Windows is often that they do not use all the security features offered by the system. An anti-exploit utility such as EMET (Enhanced Mitigation Experience Toolkit) further strengthens the installed software. To do this, click on “Use Recommended Settings” and let the program run automatically.

Strengthen encryption

You can significantly enhance the protection of personal data by encrypting it. Even if your information falls into the wrong hands, a hacker will not be able to remove the good coding, at least not right away. In professional Windows versions The BitLocker utility is already provided, configured through the Control Panel.

VeraCrypt will be an alternative for all users. This program with open source is the unofficial successor to TrueCrypt, which was discontinued a couple of years ago. If we are talking only about protecting personal information, you can create an encrypted container through the “Create Volume” item. Select the “Create an encrypted file container” option and follow the Wizard’s instructions. Access to the ready-made safe with data is carried out through Windows Explorer, as in regular disk.

Protect user accounts

Many vulnerabilities remain unexploited by hackers simply because work on the computer is carried out under a standard account with limited rights. So for everyday tasks you should also set up one like this account. In Windows 7, this is done through the Control Panel and the “Add and Remove User Accounts” item. In the “top ten”, click on “Settings” and “Accounts”, and then select “Family and other people”.

Activate VPN outside of home

At home in wireless network Your level of security is high because you control who has access to the local network and are responsible for encryption and access codes. Everything is different in the case of hotspots, for example,
in hotels. Here Wi-Fi is distributed among third-party users, and you are not able to have any influence on the security of network access. For protection, we recommend using a VPN (Virtual Private Network). If you just need to browse sites through an access point, the built-in VPN in latest version Opera browser. Install the browser and in “Settings” click on “Security”. In the "VPN" section, check the box for "Enable VPN."

Cut off unused wireless connections


ok

Even the details can decide the outcome of a situation. If you don't use connections like Wi-Fi and Bluetooth, simply turn them off to close potential loopholes. In Windows 10, the easiest way to do this is through the Action Center. “Seven” offers a section on the Control Panel for this purpose “ Network connections».

Manage passwords

Each password must be used only once and must contain special characters, numbers, uppercase and lowercase letters. And also be as long as possible - preferably ten or more characters. The principle of password security has reached its limits today because users have to remember too much. Therefore, where possible, such protection should be replaced by other methods. Take signing into Windows for example: If you have a camera that supports Windows Hello, use facial recognition to sign in. For other codes, we recommend using password managers such as KeePass, which should be protected with a strong master password.

Secure your privacy in the browser

There are many ways to protect your privacy online. The Privacy Settings extension is ideal for Firefox. Install it and set it to "Full Privacy". After this, the browser will not provide any information about your behavior on the Internet.

Lifebuoy: backup

> Backups are extremely important Backup justifies
yourself not only after infection with the virus. It also works well when problems with hardware arise. Our advice: make a copy of all Windows once, and then additionally and regularly make backups of all important data.

> Full archiving of Windows Windows 10 inherited from the “seven” the “Archiving and Restore” module. With it you will create backup copy systems. You can also use special utilities, For example, True Image or Macrium Reflect.

> True Image file protection and the paid version of Macrium Reflect can make copies of specific files and folders. Free alternative The Personal Backup program will be used to archive important information.

PHOTO: manufacturing companies; NicoElNino/Fotolia.com

Nowadays, hacking of user computers is becoming more and more widespread. Hackers try to gain access to other people's devices for various purposes - from simply sending spam from your email address before using personal information for personal gain, and your task is to protect your PC by all means. Let's figure out how to protect your computer from hackers.

How do hackers penetrate?

First, you need to understand how hackers can penetrate your device and by what means they gain access to your files and information located directly on your hard drive. Only then will it be possible to protect the device.

In most cases, the role of the burglar is played by specific program, which lands on your PC in one of possible ways. In other words, malicious software most often called viruses. You can protect your computer from unauthorized access and penetration into your personal space using an antivirus program. In this case, the system will warn you that you are trying to download malicious or suspicious software. All programs can be divided into several types according to the level of harm:


What to do if your computer is hacked?

First of all, copy all important information to third party drive, which does not apply to this PC. If you couldn’t protect it on one device, then it will be safe on an external drive. However, before this you need to check the files with an antivirus for possible infections. If hackers didn’t get to the files, then feel free to copy them to a flash drive or external HDD, and delete it from your PC.

After this, you need to scan the system for viruses and suspicious software. After scanning, disconnect the system from the Internet and reboot. If the antivirus does not sound the alarm when checking again, it means that the danger has passed. For greater reliability, use only licensed antivirus programs and update databases promptly. This will help reliably protect your system. Now you know how to protect your PC.

Disabling remote access to the computer

  • Go to the Start menu and go to Explorer;
  • Right-click on the “My Computer” icon and select “Properties”;
  • On the left, select the item “Setting up remote access”;
  • Tab " remote access» click “Advanced”;
  • Uncheck "Allow remote control this computer";

Which are forced to wait for the creation of a physical file on the user's computer, network protection begins to analyze incoming data streams entering the user's computer through the network and blocks threats before they enter the system.

The main areas of network protection provided by Symantec technologies are:

Drive-by downloads, web attacks;
- “Social Engineering” attacks: FakeAV (fake antiviruses) and codecs;
- Attacks through social media like Facebook;
- Detection of malware, rootkits and systems infected with bots;
- Protection against advanced threats;
- Zero-day threats;
- Protection against unpatched software vulnerabilities;
- Protection from malicious domains and IP addresses.

Network Protection Technologies

The "Network Protection" level includes 3 different technologies.

Network Intrusion Prevention Solution (Network IPS)

Network IPS technology understands and scans over 200 different protocols. It intelligently and accurately penetrates binary and network protocols, looking for signs of malicious traffic along the way. This intelligence allows for more accurate network scanning while still providing robust protection. At its “heart” is an exploit blocking engine that provides open vulnerabilities with virtually impenetrable protection. A unique feature of Symantec IPS is that this component does not require any configuration. All its functions work, as they say, “out of the box”. Every Norton consumer product, and every Symantec Endpoint Protection product version 12.1 and later, has this critical technology enabled by default.

Browser Protection

This security engine is located inside the browser. It is capable of detecting the most complex threats that neither traditional antivirus nor Network IPS are able to detect. Nowadays, many network attacks use obfuscation techniques to avoid detection. Because Browser Protection runs inside the browser, it is able to study not-yet-hidden (obfuscated) code while it is being executed. This allows you to detect and block an attack if it was missed at lower levels of program protection.

Un-Authorized Download Protection (UXP)

Located within the network defense layer, the last line of defense helps cover and mitigate the effects of unknown and unpatched vulnerabilities, without the use of signatures. This provides an additional layer of protection against Zero Day attacks.

Focusing on problems

Working together, network security technologies solve the following problems.

Drive-by downloads and web attack kits

Using Network IPS, Browser Protection, and UXP technology, Symantec's network protection technologies block Drive-by downloads and essentially prevent malware from even reaching the user's system. Various preventive methods are practiced that include the use of these same technologies, including Generic Exploit Blocking technology and web attack detection tools. A general web attack detection tool analyzes the characteristics of a common web attack, regardless of the specific vulnerability that the attack targets. This allows you to provide additional protection for new and unknown vulnerabilities. The best thing about this type of protection is that if malicious file could “silently” infect a system, it would still be proactively stopped and removed from the system: this is precisely the behavior that traditional antivirus products usually miss. But Symantec continues to block tens of millions of variants of malware that typically cannot be detected by other means.

Social Engineering Attacks

As Symantec technology oversees network traffic and browser traffic during transmission, they detect Social Engineering attacks such as FakeAV or fake codecs. Technologies are designed to block such attacks before they appear on the user's screen. Most other competing solutions do not include this powerful capability.

Symantec blocks hundreds of millions of these types of attacks with online threat protection technology.

Attacks targeting social media applications

Social media applications have recently become widely popular as they allow instantaneous exchange of various messages, interesting videos and information with thousands of friends and users. Wide use and the potential of such programs make them the No. 1 target for hackers. Some common hacker tricks include creating fake accounts and sending spam.

Symantec IPS technology can protect against these types of deception methods, often preventing them before the user even clicks on them. Symantec stops fraudulent and spoofed URLs, applications, and other deception methods with online threat protection technology.

Detection of malware, rootkits and bot-infected systems

Wouldn’t it be nice to know exactly where on the network the infected computer is located? Symantec's IPS solutions provide this capability, also including detection and recovery of threats that may have evaded other layers of protection. Symantec solutions detect malware and bots that attempt to make auto-dialers or download “updates” to increase their activity on the system. This allows IT managers, who have a clear list of systems to review, to have assurance that their enterprise is secure. Polymorphic and complex stealth threats using rootkit techniques like Tidserv, ZeroAccess, Koobface and Zbot can be stopped and removed using this method.

Protection against obfuscated threats

Today's web attacks use complex techniques to increase the complexity of their attacks. Symantec's Browser Protection sits inside the browser and can detect very complex threats that traditional methods often cannot detect.

Zero-day threats and unpatched vulnerabilities

One of the past security additions the company has added is an additional layer of protection against zero-day threats and unpatched vulnerabilities. Using signatureless protection, the program intercepts System API calls and protects against malware downloads. This technology is called Un-Authorized Download Protection (UXP). It is the last line of support within the network threat protection ecosystem. This allows the product to “cover” unknown and unpatched vulnerabilities without using signatures. This technology is enabled by default and has been found in every product released since Norton 2010 debuted.

Protection against unpatched software vulnerabilities

Malicious programs are often installed without the user's knowledge, using vulnerabilities in the software. Symantec network security provides an additional layer of protection called Generic Exploit Blocking (GEB). Regardless of whether Latest updates or not, GEB "mostly" protects underlying vulnerabilities from exploitation. Vulnerabilities in Oracle Sun Java, Adobe Acrobat Reader, Adobe Flash, Internet Explorer, ActiveX controls, or QuickTime are now ubiquitous. Generic Exploit Protection was created by "reverse engineering" by figuring out how the vulnerability could be exploited in the network, while providing a special patch at the network level. A single GEB, or vulnerability signature, can provide protection against thousands of malware variants, new and unknown.

Malicious IPs and domain blocking

Symantec's network protection also includes the ability to block malicious domains and IP addresses while stopping malware and traffic from known malicious sites. Through STAR's rigorous analysis and updating of websites, Symantec provides real-time protection against ever-changing threats.

Improved Evasion Resistance

Support for additional encodings has been added to improve the effectiveness of attack detection using encryption techniques such as base64 and gzip.

Network audit detection to enforce usage policies and identify data leakage

Network IPS can be used to identify applications and tools that may violate corporate usage policies, or to prevent data leakage across the network. It is possible to detect, warn or prevent traffic like IM, P2P, social media, or other "interesting" types of traffic.

STAR Intelligence Communication Protocol

Network security technology does not work on its own. The engine communicates with other security services using the STAR Intelligence Communication (STAR ​​ICB) protocol. The Network IPS engine connects to the Symantec Sonar engine, and then to the Insight Reputation engine. This allows you to provide more informative and accurate protection.

In the next article we will look at the Behavior Analyzer level.

Based on materials from Symantec