WHITE PAPER. Understanding How File Size Affects Malware Detection




FORTINET Understanding How File Size Affects Malware Detection PAGE 2

Summary

Malware normally propagates to users and computers through files attached to email or hidden within legitimate traffic. Attackers have taken advantage of social media to distribute malware. While most malicious code is hidden in small files that make it easier to spread over the Internet, malware can be embedded in files of any size. This document offers some insight into how malware inspection performance is related to the size of malware-infected files and how different scanning methods can help strike a balance between performance and security.

Introduction ... 3
File Size and Malware Detection ... 3
Web 2.0 Applications, Malware Types, Sizes and Associated Risk Level ... 4
Mitigating Risks from Malware ... 4
Conclusion ... 6
About Fortinet ... 6
About FortiOS ... 6

Introduction

Nearly 30 years after the first computer virus, the Elk Cloner virus, appeared, malware continues to evolve and pose significant risks to organizations today. In the early days, malware was typically transmitted by physical media such as floppy disks, limiting the propagation rate of malware threats. Today, almost every computer is connected through the Internet using either a web browser, social network applications or other web 2.0 software, allowing malware to spread more rapidly than ever before.

While many people use the terms virus and malware interchangeably, there is an important difference. Malware is a broader term that includes viruses, but also includes any type of threat that is file-based in nature. Threat types such as spyware, adware, Trojan horses and worms all fall under the category of malware.

Malware can come in a file of almost any size. To make their code easily propagated through the Internet, malware creators usually keep the files small. Malware is typically found within files that are less than one megabyte (MB) in size. According to Fortinet research, 97% of malware discovered in the past five years is below one MB in size. The small size of the malware file allows malicious content to be transferred easily over applications such as email, peer-to-peer download, IM and chat, and executed quickly.

File Size and Malware Detection

The best way to prevent malware from being passed into the secured area of the network is to scan any given file in its entirety to ensure it is free from malware. Complete file inspection, often known as proxy-based scanning, can detect malware that uses evasion methods such as polymorphism and encryption. This requires the gateway system to cache the entire file, decrypt it if necessary, and then inspect it for malware.

In this scenario, the size of the file being transferred over the network has a direct effect on the observed network performance. Users typically notice that the file arrives very quickly at the destination after an observed delay. The delay introduced by the caching operation can grow as the file size grows, which administrators interpret as performance degradation.

The development of stream-based or flow-based malware detection methods provides adequate protection against malware without the need to cache the entire file for scanning. This scanning method accelerates file scanning by inspecting only the portion of the file within a single packet and does not wait for the remaining packets to complete the file assembly and caching process. End users will see faster file download speeds, as scanning occurs during the download. However, since the inspection engine never has a complete view of the file, malicious code or software can be harder to detect with stream-based detection.

Fortinet's FortiGate consolidated security platforms support proxy-based scanning and provide a maximum file size scanned parameter. This file size limit allows the administrator to customize how large files are processed, based on different protocols. The 10 MB default value has been determined to offer the best possible balance between protection and network performance. Organizations wanting maximum protection can adjust the file size scanned parameter to over 100 MB (depending on different policies and protocols). Organizations prioritizing network performance over protection can reduce the maximum file size scanned parameter by protocol to decrease the latency caused by file caching. If the parameter value is set too low, however, there is a risk of malware passing through undetected.

FortiGate platforms also support flow-based malware detection for those environments that place a premium on network performance. Flow-based detection can be a good inspection method for locations that are exposed to fewer threats, such as local area networks that lie behind the firewall. Fortinet offers both proxy-based and flow-based malware detection so network administrators can use the best tool for their needs.

Web 2.0 Applications, Malware Types, Sizes and Associated Risk Level

With the increased popularity of social networking applications and games, people are more connected than ever using messaging, email or SMS (short message service). Social network sites usually use an email address for user identification, and this gives mass-mailer types of malware one of the highest propagation rates in the wild. This type of malware spreads by sending hundreds of emails from each infected computer, hacked email account or social network account. Once an infected email is opened, it harvests contacts stored in social network applications or on the infected host computer to propagate. The amount of traffic generated on a network by mass-mailer malware types can be exponential.

The phishing threat is another common threat type that combines an email message and a web site to deceive unsuspecting users. First, emails are sent out with the intention of enticing the recipients to click a link in the email that leads to a website that appears to be a legitimate portal. The web site then gathers the login credentials from the unsuspecting user and uses that information for financial fraud or identity theft. Phishing threats always first manifest themselves within a small email message due to the sheer volume of messages generated by the spam generator.

Trojans and spyware are purpose-built malicious applications that steal information from a host or allow the attacker to gain control of a host. Spyware, in particular a subtype called adware, sends user information back to an ad server for delivery of targeted advertisements. The file sizes for spyware payloads also remain small, with 95% of spyware installers totalling less than one MB in size.

Worm malware types are categorized by how they propagate through the Internet. The most common worm subtype is the email worm, also known as the mass-mailer. The next are Instant Messaging (IM), Peer-to-Peer (P2P) and Network/Shared Folder worms. IM worms send instant messages containing a malware payload to the compromised user's contact list. When an unsuspecting user downloads and executes the file, either directly or from a web site link, the worm penetrates the user's local machine and repeats the cycle over and over again. P2P and Network File Share worms are almost identical. The only difference between the two malware subtypes is in their method of replication. P2P worms copy themselves to the shareable download folder of P2P programs. Network File Share worms copy themselves to a shared network folder. Some types of Network File Share worms scan the local network for a fully writable shared network folder.

A botnet is a network of computers infected by malware, hijacked to perform malicious tasks on a specific target such as a web page or web service. Infected computers (also known as bots) are taken over by the botnet software embedded in a file, performing attacks without the attacker having to log in to the infected computers. Botnet software usually has a very small footprint in terms of size and requires very few system resources, to avoid being detected.

Standard malware generally infects users or hosts by attaching or inserting part of its malicious code into a benign file and activating that malicious code. An effective file inspection method is critical to the detection and prevention of malware attacks and propagation.

Mitigating Risks from Malware

To achieve 100% detection of known malware, an antimalware application needs to scan a broad range of file sizes. Ideally, all files should be checked before they reach their destination. Stripping detected malware files from messages or blocking their delivery prevents the damage that could occur if the malware were delivered to the target system.

In modern business networks, organizations commonly use applications with proprietary file formats that transfer large amounts of data between clients and application servers. It is also common practice to store large documents on network file shares for common access. Scanning large files of this type ensures that malware replication does not occur, but can also cause noticeable delays for users who perform this type of operation repeatedly. Adjusting the maximum file size parameter in FortiGate products can reduce the observed delay caused by caching in proxy-based scanning. However, as Table 1 illustrates, lowering the maximum scanned file size parameter too much can increase the risk of malware infection by lowering the catch rate. Once a malware infection occurs on a network, a network-wide outbreak may occur depending on the malware type, generating significant restoration costs and causing financial loss and/or brand damage.

The table below shows the percentage of the effectiveness of detection by file size (in MB) limit scanned for each malware type.

Table 1: Percentage of detection per Malware Type

Note: Malware rated in the above table are only the discovered and known ones.

As the file size limit is reduced, the rate of detection decreases too. Mass-mailers are best detected at all sizes. Phishing attempts, exploits, mobile viruses, macro viruses and instant messaging worms are detected with excellent accuracy with anything greater than a 2 MB max file size to scan limit. Spyware, Trojans and bots have excellent detection rates anywhere higher than a 1 MB max file size to scan setting.

To determine whether to modify the default max file size limit above which files pass uninspected, two factors should be considered:

1. The risk involved for the type of malware threat that may go undetected as a result of the change
2. The average file size transferred and transfer rate during normal network operation

Setting a lower value for the maximum file size for proxy-based scanning could result in a higher risk of infection and may not be acceptable for certain types of organizations. In some organizations with multiple layers of network protection or endpoint security in place, setting a lower max file size value for proxy-based scanning and utilizing flow-based scanning may be advisable to increase network throughput.

There are additional tweaks that may enhance protection from malware without altering the max file size to scan parameter. Using file extension blocking on executable files (.exe, .com, .dll, .scr and .pif) generally eliminates most types of malware threats.
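To make the trade-off in the two sections above concrete, here is an added toy model (not Fortinet or FortiOS code) of proxy-based scanning with a max file size limit, flow-based per-packet scanning, and the extension-blocking tweak: the proxy path forwards anything above the limit uninspected, while the flow path never sees the reassembled file and so misses a pattern that straddles a packet boundary. The signature, the sample files and the 1460-byte packet payload are constructed assumptions.

```python
# Added illustration, not Fortinet/FortiOS code: a toy model of the scanning
# methods the paper compares. Signature, samples and packet size are constructed.
MB = 1024 * 1024
PACKET_PAYLOAD = 1460                       # assumed TCP payload bytes per packet
SIGNATURE = b"DEMO-MALWARE-MARKER"          # constructed signature, not a real one
BLOCKED_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".pif"}  # from the paper


def extension_blocked(filename: str) -> bool:
    """File-extension blocking, the extra tweak the paper mentions."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in BLOCKED_EXTENSIONS


def proxy_scan(data: bytes, max_file_size: int) -> str:
    """Proxy-based: cache the whole file, then inspect it completely.
    Files above the max-file-size limit are forwarded without inspection,
    which is the risk of setting the limit too low."""
    if len(data) > max_file_size:
        return "passed-uninspected"
    return "blocked" if SIGNATURE in data else "clean"


def flow_scan(data: bytes, packet_payload: int = PACKET_PAYLOAD) -> str:
    """Flow-based: inspect each packet payload on its own, never the
    reassembled file. A pattern straddling a packet boundary is missed."""
    for offset in range(0, len(data), packet_payload):
        if SIGNATURE in data[offset:offset + packet_payload]:
            return "blocked"
    return "clean"


def build_sample(size: int, marker_offset: int) -> bytes:
    """Constructed test file: zero padding with the marker at a chosen offset."""
    buf = bytearray(size)
    buf[marker_offset:marker_offset + len(SIGNATURE)] = SIGNATURE
    return bytes(buf)


def inspect(filename: str, data: bytes, mode: str, max_file_size: int = 10 * MB) -> str:
    """Gateway decision: extension block first, then the selected scan mode."""
    if extension_blocked(filename):
        return "blocked-by-extension"
    return proxy_scan(data, max_file_size) if mode == "proxy" else flow_scan(data)


if __name__ == "__main__":
    small = build_sample(200 * 1024, 5000)              # typical sub-1 MB sample
    large = build_sample(12 * MB, 6 * MB)                # above the 10 MB default
    straddle = build_sample(4096, PACKET_PAYLOAD - 10)   # marker crosses packet edge
    print("small, proxy 10 MB limit: ", inspect("report.pdf", small, "proxy"))
    print("large, proxy 10 MB limit: ", inspect("dump.dat", large, "proxy"))
    print("large, proxy 100 MB limit:", inspect("dump.dat", large, "proxy", 100 * MB))
    print("straddle, flow:           ", inspect("report.pdf", straddle, "flow"))
    print("straddle, proxy:          ", inspect("report.pdf", straddle, "proxy"))
    print("invoice.scr, flow:        ", inspect("invoice.scr", small, "flow"))
```

Raising the limit to 100 MB catches the large sample at the cost of caching it, while the straddle case shows the detection gap the paper attributes to flow-based scanning.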

Conclusion

Malware continues to evolve, but is still typically observed in files less than one to two MB in size. By adjusting the max file size scan limit and enabling multiple layers of network protection such as endpoint protection solutions, proxy-based and flow-based scanning, network performance can be improved with minimal additional risk. In an ideal scenario, all files passing through the network should be scanned to attain the best possible protection. The FortiGuard Threat Research team from Fortinet delivers multi-layered security intelligence and zero-day protection from new and emerging threats. Fortinet recommends that administrators needing to maximize network performance consider implementing multiple layers of protection and weigh the benefits against the potential risks.

About Fortinet

Fortinet delivers unified threat management and specialized security solutions that block today's sophisticated threats. Our consolidated architecture enables our customers to deploy fully integrated security technologies in a single device, delivering increased performance, improved protection, and reduced costs. Purpose-built hardware and software provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape. Our customers rely on Fortinet to protect their constantly evolving networks in every industry and region in the world. They deploy a robust defense-in-depth strategy that improves their security posture, simplifies their security infrastructure, and reduces their overall cost of ownership. For additional information, please visit Fortinet at: http://www.fortinet.com.

About FortiOS

FortiOS is a security-hardened, purpose-built operating system that is the software foundation of FortiGate multi-threat security platforms. FortiOS software enables high-performance multi-threat security by leveraging the hardware acceleration provided by FortiASIC content and network processors. This combination of custom hardware and software gives you the best security and performance possible from a single device. FortiOS helps you stop the latest, most sophisticated, and dynamic threats facing your network today with expert threat intelligence delivered via FortiGuard Security Subscription Services.

WP-DetectingMalware-201106