Archive

Archive for the ‘cloud protection’ Category

MAPS in the cloud: How can it help your enterprise?

January 21st, 2015 No comments

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on derived logic from the account ecosystem data, and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references them with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

How the MAPS cloud protection and telemetry works from the endpoint and back

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real-time (for detection), or periodically (for health checks) to the Microsoft Malware Protection Center’s (MMPC) cloud service which includes:

  • Threat telemetry –  to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples, determine what to monitor and remediate
  • Heartbeat – to check the system's pulse to know if the antivirus application is still running, and if it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period

Figure 2: Percentage of protection MAPS can contribute over a six-month period

If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

 

Prerequisites 
Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:

With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

 

MMPC

MAPS in the cloud: How can it help your enterprise?

January 21st, 2015 No comments

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on derived logic from the account ecosystem data, and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references them with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

How the MAPS cloud protection and telemetry works from the endpoint and back

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real-time (for detection), or periodically (for health checks) to the Microsoft Malware Protection Center’s (MMPC) cloud service which includes:

  • Threat telemetry –  to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples, determine what to monitor and remediate
  • Heartbeat – to check the system's pulse to know if the antivirus application is still running, and if it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period

Figure 2: Percentage of protection MAPS can contribute over a six-month period

If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

 

Prerequisites 
Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:

With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

 

MMPC

Microsoft cloud protection

September 22nd, 2014 No comments

​Microsoft is using cloud protection to help keep our customers safe. In fact, nearly any detection made by Microsoft security products could be the result of cloud protection. Software developers often ask us how this cloud protection works and how they can improve our cloud’s impression of their software.

How our cloud protection works

When our antimalware products encounter anything unusual, they can send a small packet of information about the event or file to our server. The server then sends back a reply telling the antimalware software whether to block it or not. It can also request a sample for further analysis.

There are three situations that highlight the benefits of cloud protection:

  • If a file is known to be malware by our servers but not by the local antimalware product, the cloud protection module can tell the local product to block or remove it.
  • If a file is known to be clean by our servers, but the local antimalware product detects the file as malware (an incorrect detection situation), the cloud protection module can tell the local antimalware to not detect it, and the incorrect detection does not affect the user.
  • If a local antimalware product encounters a file that we don’t know about, our server can make a determination based on probabilities, and tell the local antimalware software to block it, even without having seen a copy of the file.

It’s this third point that I would like to discuss further.

Improving your software’s cloud impression

We are often asked by software vendors if we have a way for them to pre-whitelist their software. However, our backend processing actually works better if we see your software as it’s naturally distributed. I will outline a few methods to improve our cloud’s impression of your software below:

  • Digitally sign your software using a method accepted by Microsoft. This is the fastest way to get a good cloud reputation because the reputation of a good file can be distributed to all files signed by the same key.
  • Once you have digitally signed your software, be careful that malware isn’t also signed by your key. This will negate any good reputation. You can help avoid this situation by:
    • Making sure you protect your key from being stolen by malware authors.
    • Ensuring your development process prevents a parasitic file-infecting virus from being inadvertently signed by your key.
    • Reading more about the best practices for signing software.

  • If you can’t digitally sign your software, be aware that every minor version of your product will have to build reputation from scratch. This affects vendors who provide a different file on every single download. It doesn’t mean you can’t make bug-fix versions, different languages, etc.
  • Make sure your software doesn’t install malware:
    • Take care to avoid security vulnerabilities. Even if you don’t intend to install malware, a security vulnerability could be detected as your product installing malware.
    • If you download executables off the internet, have your software check a digital signature or cryptographic hash, to ensure it has the correct file you intended it to download. We have seen one case where a popular installer had some URLs distributing malware and we had to detect every one of their installers in case it was downloading one of the malware URLs.
  • Make sure your software isn’t installed by malware:
    • Proactively check your affiliates and companies who bundle your software.
    • Fill out the metadata information such as the information about the author and company in the file resources. If this and the digital signature isn’t enough, consider adding contact information, or a pointer to find contact information on the web. This contact information should direct to the right contact to report a security vulnerability, or work with to fix or prevent a incorrect detection.
  • If you use a runtime packer or obfuscator, you need to be aware that the majority of malware is packed or obfuscated, and this does affect how your software is seen at the back end.
  • Consider how your software is seen and whether it’s installed on the machines of users who really want it. We have honeypots, web crawlers, and automatic software testing. We can look at whether users chose to continue the download after the warning that a program isn’t commonly downloaded. We can also see whether users chose to ignore or remove software if our antimalware detects it. Bad behavior can quickly ruin a good software reputation.
  • There are some behaviors that, while not enough to warrant a detection on their own, do attract the suspicion of human and automated systems. They could be used for legitimate reasons, but are often closely associated with malware behavior. This includes:
    • Installing outside the commonly accepted folders for the type of software.
    • Modifying or adding a sensitive registry key.
    • Process or thread injection.
    • Autonomous internet activity.

If you believe we have made an incorrect detection for your product you can submit a developer contact form. Making a slight change and pushing it out to your software won’t necessarily address any incorrect bad reputation applied to the code signing key you used for the file that was incorrectly detected. Our cloud protection might also note the similarity between the file that it still believes was correctly detected as malware, and the new version.

MMPC

Categories: cloud protection Tags: