CCleaner case vs. AMP full scan

natolin
Level 1

Hello,

We've found marvelous Talos work done on CCleaner; again, respect for state-of-the-art discovery (no irony - best part of the AMP solution).

As an output, we got ClamAV signatures to detect this threat; all you need is to scan your infrastructure or wait for execution. Of course, most of us will choose the preventive option.

Therefore I'd like to use this as an opportunity to discuss the solution of primary features, like regular full scans of the whole AMP infrastructure. E.g. in the early nineties (irony) some security companies, previously handled by some hardware company, solved this issue by creating scans with a randomize feature. Choose whatever period you like, and the scan will start randomly. This way, when the scan period occurs and I can't work due to heavy resource utilization, my desk friend can replace me (yes, heavy resource utilization is not an issue any more - but remember we're in the 90's). What we've got from the networking company that would like to be a security company at some point in the future is a "working as design" full scan feature. This feature allows AMP admin users to doom the whole company by running a full scan on all possible workstations and servers at the same time - surely you can compare it, for the sake of security, to ransomware - you pay and after some time your resources are unlocked. (Sure, we are covered by disclaimers stating this will happen.)

And yes, true, I can create a TAC to discover that there is a possibility to create some unlimited number of groups of endpoints (to have every single second covered for a given period) and then randomly move endpoints there - when working for a big company, a "randomizer engineer" can be hired to do the job.

But please, "Cisco, you're doing it the wrong way!" - wake up before AMP/CTA joins the other fantastic solutions killed when sold to some big-name company.

Nat

1 Reply

JeMunos
Cisco Employee

Natolin,

The AMP for Endpoints product is designed from the ground up to utilize as few system resources as possible. While the ability to perform full and flash scans on endpoints is available within the product, this feature is not one that we recommend using during normal business hours. 

Additionally, because of the way AMP monitors the endpoint file system, beyond a one-time full system scan there is little need to perform ad-hoc or scheduled scans in the future, except in extraordinary circumstances.

More specifically, AMP for Endpoints in a Windows environment monitors all file copy, move, and execute operations. This includes all files that are written to disk and all files that are transferred to the endpoint via network communication whether written to disk or only loaded into memory. All of these files have a SHA256 generated and a disposition lookup performed on them to ensure they are not malicious, or part of a malicious chain of files. 

As such, once the SHA256 hashes of the malicious files are known and marked malicious in our database, the file will be quarantined at the next attempt to execute the file. If the file entered the system, or was executed on the system, within the last 7 days, a Retrospective Quarantine will be issued and the file will be cleaned up as well.

While this is not a foolproof system, and some malicious events, such as the CCleaner issue, do have an opportunity to write to disk before AMP becomes aware of the issue, once the issue is flagged in the AMP system it will be detected and cleaned up before additional damage occurs on the endpoint.

Finally, due to the resource overhead of performing full or flash scans on endpoints, the ability to do so at random intervals is generally not desirable. Rather, being able to perform these scans during off hours, such as at night or during weekends, and to do so in various different time zones as defined by policy, offers the best compromise between security and functionality.

Thank you for your feedback. 

Jesse
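
The behaviour described in the reply above (hash every file event, look up its disposition, retrospectively quarantine sightings from the last 7 days) can be modelled in a few lines. This is an added illustration, not part of the thread and not Cisco's code; `EndpointModel`, its method names, the paths, timestamps and file contents are all hypothetical and constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

RETRO_WINDOW = timedelta(days=7)  # the 7-day window stated in the reply


class EndpointModel:
    """Toy model of hash-based disposition lookup (hypothetical, not AMP's code)."""

    def __init__(self):
        self.malicious = set()    # SHA256 digests with a malicious disposition
        self.events = []          # (timestamp, path, digest) for every file event
        self.quarantined = set()  # paths quarantined on this endpoint

    def on_file_event(self, when, path, data):
        """Hash a copied/moved/executed file and look up its disposition."""
        digest = hashlib.sha256(data).hexdigest()
        self.events.append((when, path, digest))
        if digest in self.malicious:
            self.quarantined.add(path)
            return "quarantined"
        return "allowed"

    def on_disposition_change(self, digest, now):
        """Mark a digest malicious; quarantine sightings inside the window."""
        self.malicious.add(digest)
        recent = sorted({p for (t, p, d) in self.events
                         if d == digest and now - t <= RETRO_WINDOW})
        self.quarantined.update(recent)
        return recent


def demo():
    now = datetime(2020, 1, 15, 12, 0)  # constructed timestamp
    bad = b"constructed stand-in for a trojanized installer"
    ep = EndpointModel()
    # Constructed events: one sighting outside the 7-day window, one inside it.
    ep.on_file_event(now - timedelta(days=10), r"C:\old\setup.exe", bad)
    ep.on_file_event(now - timedelta(days=2), r"C:\new\setup.exe", bad)
    retro = ep.on_disposition_change(hashlib.sha256(bad).hexdigest(), now)
    # The older copy is only caught at its next execution attempt.
    late = ep.on_file_event(now, r"C:\old\setup.exe", bad)
    clean = ep.on_file_event(now, r"C:\tools\notes.txt", b"constructed benign file")
    return retro, late, clean


if __name__ == "__main__":
    print(demo())
```

The copy first seen ten days earlier stays on disk until something touches it again, which is the gap a one-time full scan closes in this model.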