WHITE PAPER. Understanding How File Size Affects Malware Detection

Transcription

1 WHITE PAPER Understanding How File Size Affects Malware Detection

2 FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through files attached to or hiding within legitimate traffic. Attackers have taken advantage of social media to distribute malware. While most malicious codes are hidden in small sized files that make them easier to spread over the Internet, malware can be embedded in all file sizes. This document offer some insight on how malware inspection performance is related to the size of malware-infected files and how different scanning methods can help to strike a balance between performance and security. Introduction...3 File Size and Malware Detection...3 Web 2.0 Applications, Malware Types, Sizes and Associated Risk Level...4 Mitigating Risks from Malware...4 Conclusion...6 About Fortinet...6 About FortiOS...6

3 FORTINET Understanding How File Size Affects Malware Detection PAGE 3 Introduction Nearly 30-years after the first computer virus the Elk Cloner virus appeared, malware continues to evolve and pose significant risks to organizations today. In the early days, malware was typically transmitted by physical media such as floppy disks, limiting malware threat s propagation rate. Today, almost every computer is connected through the Internet using either a web browser, social network applications or other web 2.0 software, allowing malware to spread more rapidly than ever before. While many people use the term virus and malware interchangeably, there is an important difference. Malware is a broader term that includes viruses, but also includes any type of threat that is file-based in nature. Threat types such as spyware, adware, Trojan horses and worms all fall under the category of malware. Malware can come in almost any size file. To make their code easily propagated through the Internet, malware creators usually keep the files small. Malware is typically found within files that are less than one megabyte (MB) in size. According to Fortinet research, 97% of malware discovered in the past five years is below one MB in size. The small size of the malware file allows malicious content to be transferred over applications such as , peer to peer download, IM and chat easily and executed quickly. File Size and Malware Detection The best way to prevent malware from being passed into the secured area of the network is to scan any given file in its entirety to ensure it is free from malware. Complete file inspection, often known as proxy-based scanning, can detect malware, which is using evasion methods such as polymorphism and encryption. This requires the gateway system to cache the entire file, decrypt it if necessary, and then inspect it for malware. In this scenario, the size of the file being transferred over the network has a direct effect on the observed network performance. Users typically notice that the file arrives very quickly at the destination after an observed delay. The delay introduced by the caching operation can grow as the file size grows, which administrators interpret as performance degradation. The development of stream-based or flow-based malware detection methods provides adequate protection against malware without the need to cache the entire file for scanning. This scanning method accelerates the file scanning by inspecting only the portion of the file within a single packet and does not wait for the remaining packets to complete the file assembly and caching process. End users will see faster file download speed as scanning occurs during the download. However, since the inspection engine never has a complete view of the file, malicious code or software can be harder to detect with streambased detection. Fortinet s FortiGate consolidated security platforms support proxy-based scanning and provide a maximum file size scanned parameter. This file size limit allows the administrator to customize how large files are processed, based on different protocols. The 10 MB default value has been determined to offer the best possible balance between protection and network performance. For organizations wanting maximum protection, they can adjust the file size scanned parameter to over 100MB (depending on different policies and protocols). Organizations prioritizing network performance over protection can reduce the maximum file size scanned parameter by protocol to decrease latency caused by file caching. If the parameter value is set too low, however, there is a risk of malware passing through undetected. FortiGate platforms also support flow-based malware detection for those environments that place a premium on network performance. Flow-based detection can be a good inspection method for locations that are exposed to fewer threats such as local area networks that lie behind the firewall. Fortinet offers both proxy-based and flow-based malware detection so network administrators can use the best tool for what they need.

4 FORTINET Understanding How File Size Affects Malware Detection PAGE 4 Web 2.0 Applications, Malware Types, Sizes and Associated Risk Level With the increased popularity in social networking applications and games, people are more connected then ever using messaging, or SMS (short messaging service). Social network sites usually use address for user identification and this makes mass-mailer types of malware to have one of the highest propagation rates in the wild. This type of malware spreads by sending hundreds of s from each infected computer, hacked or social network account. Once an infected is opened, it harvests contacts stored on social network applications or the infected host computer to propagate. The amount of traffic generated on a network by mass-mailer malware types can be exponential. The Phishing threat is another common threat type that combines an message and web site to deceive unsuspecting users. First, s are sent out with the intention of enticing the recipients to click a link in the that leads back to a website that appears to be a legitimate portal. The web site then gathers the login credentials from the unsuspecting user, and uses that information for financial fraud or identity theft. Phishing threats always first manifest themselves within a small message due to the shear volume of messages generated by the spam generator. Trojans and spyware are purpose-built malicious applications that steal information from a host or allow the attacker to gain control of a host. Spyware, in particular a subtype called Adware, sends user information back to an ad server for delivery of targeted advertisements. The file sizes for spyware payloads also remain small, with 95% of spyware installers totalling less than one MB in size. Worm malware types are categorized on how they propagate through the Internet.. The most common worm subtype is the -worm, also known as mass-mailers. The next are Instant Messaging (IM), Peer-to-Peer (P2P) and Network/Shared Folders worms. IM Worms send instant messages containing a malware payload to the compromised users contact list. When an unsuspecting user downloads and executes the file either directly or from a web site link, the worm penetrates the user s local machine and repeats the cycle over and over again. P2P and Network File Share Worms are almost identical. The only difference between the two malware subtypes is in their method of replication. P2P Worms copy themselves to the shareable download folder of P2P programs. Network File Share Worms copy themselves to a shared network folder. Some types of Network File Share Worms scan the local network for a fully writable-shared network folder. Botnet is a network of computers infected by malware, hijacked to perform malicious tasks on a specific target such as web page or web service. Infected computers (aka bot) are taken over by the botnet software embedded in a file, performing attacks without the attacker having to log in to the infected computers. Botnet software usually has very small foot print in terms of size and require very little system resource to avoid being detected. Standard malware generally infects users or hosts by attaching or inserting part of their malicious code into a benign file and activating those malicious codes. An effective file inspection method is critical to the detection and prevention of malware attacks and propagations. Mitigating Risks from Malware To achieve 100% detection of known malware, an antimalware application needs to scan a broad range of file sizes. Ideally, all files should be checked before they reach their destination. Stripping detected malware files from the messages or blocking their delivery prevents the damage that could occur if the malware were delivered to the target system. In modern business networks, organizations commonly use applications with proprietary file formats that transfer large amounts of data between clients and application servers. It is also common practice to store large documents on network file shares for common access. Scanning large files of this type ensures that malware replication does not occur, but can also cause noticeable delays for users who perform this type of repeated operation. Adjusting the maximum file size parameter in FortiGate products can reduce the observed delay caused by caching in proxy-based scanning. However, as Table 1 illustrates, lowering the maximum scanned file size parameter too much can increase the risk of malware infection for by lowering the catch rate. Once a malware infection occurs on a network, a

5 FORTINET Understanding How File Size Affects Malware Detection PAGE 5 network-wide outbreak may occur depending on the malware type, generating significant restoration costs and causing financial loss and/or brand damage. The table below shows the percentage of the effectiveness of detection by file size (in MB) limit scanned for each malware type. Table 1: Percentage of detection per Malware Type Note: Malware rated on the above table are only the discovered and known ones. As the file size limit is reduced, the rate of detection decreases too. Mass-mailers are best detected for all sizes. Phishing attempts, exploits, mobile viruses, macro viruses and instant messaging worms are detected with excellent accuracy with anything greater than a 2 MB max file size to scan limit. Spyware, Trojans and Bots have excellent detection rates anywhere higher than a 1 MB max files size to scan setting. To determine whether to modify the default max file size limit where files should pass uninspected, two factors should be considered: 1. The risk involved for the type of malware threat that may go undetected as a result of the change 2. The average file size transferred and transfer rate during normal network operation Setting a lower value for the maximum file size for proxy-based scanning could result in higher-risk of infection and may not be acceptable for certain types of organizations. In some organizations with multiple layers of network protection or endpoint security in place, setting a lower max file size value for proxy-based scanning and utilizing flow-based scanning may be advisable to increase the network throughput. There are additional tweaks that may enhance the protection from malware while not altering the max file size to scan parameter. Using file extension blocking on executable files (.exe,.com,.dll,.scr &.pif) generally eliminates most types of malware threats.

6 FORTINET Understanding How File Size Affects Malware Detection PAGE 6 Conclusion Malware continues to evolve, but is still typically observed in files less than one to two MB in size. By adjusting the max file size scan limit, enabling multiple layers of network protection such as end-point protection solution, proxy-based and flowbased scanning, network performance can be improved with minimal additional risk. In an ideal scenario, all files passing through the network should be scanned to attain the best possible protection. The FortiGuard Threat Research team from Fortinet delivers multi-layered security intelligence and zero-day protection from new and emerging threats. Fortinet recommends administrators needing to maximize network performance consider implementing multiple layers of protection and weigh the benefits versus potential risks. About Fortinet Fortinet delivers unified threat management and specialized security solutions that block today s sophisticated threats. Our consolidated architecture enables our customers to deploy fully integrated security technologies in a single device, delivering increased performance, improved protection, and reduced costs. Purpose-built hardware and software provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape. Our customers rely on Fortinet to protect their constantly evolving networks in every industry and region in the world. They deploy a robust defense-in-depth strategy that improves their security posture, simplifies their security infrastructure, and reduces their overall cost of ownership. For additional information, please visit Fortinet at: About FortiOS FortiOS is a security-hardened, purpose-built operating system that is the software foundation of FortiGate multi-threat security platforms. FortiOS software enables high performance multi-threat security by leveraging the hardware acceleration provided by FortiASIC content and network processors. This combination of custom hardware and software gives you the best security and performance possible from a single device. FortiOS helps you stop the latest, most sophisticated, and dynamic threats facing your network today with expert threat intelligence delivered via FortiGuard Security Subscription Services. WP-DetectingMalware