This is the second part of the "How TruPrevent Works" article series. Apologies in advance if it seems a bit like shameless self-promotion.

Code-named KRE (Kernel Rules Engine), this is TruPrevent's second component: a Behavior Blocking module which complements TruPrevent's Behavioral Analysis. If we were to map these two modules onto the HIPS framework Gartner uses to categorize the technology styles found in integrated endpoint security suites, they would fall under the "Application Control, Resource Shielding and Behavioral Containment" styles. In commercial products, however, these styles are not as neatly compartmentalized as Gartner's framework may suggest.

Hackers and malware mafias abuse the privileges of legitimate applications to attack systems, typically by injecting code into them. A very cost-effective way to prevent this whole class of attack generically is rule-based blocking: restricting the actions that authorized applications are allowed to perform on the system.

KRE is composed of a set of policies, each defined by a set of rules describing the allowed and denied actions for a particular application or group of applications. Rules can control an application's access to files, user accounts, the registry, COM objects, Windows services and network resources.

While it gives administrators a high degree of granularity for creating custom policies to deploy across a corporate network, KRE also ships with a set of default rules which are maintained and updated regularly by PandaLabs. A short list of the most relevant and most frequently queried rules can be viewed at http://www.pandasoftware.com/com/virus_info/rules. These rules protect against attacks that exploit common weaknesses found in both out-of-the-box and fully patched Windows installations: modification of the HOSTS file, loading of Browser Helper Objects (BHOs) in certain ways, exploitation of browser and email client vulnerabilities, downloading and running executable code from within the iexplore.exe process, launching commands from service applications, and many more.

In summary, KRE provides a real security lock-down of a typical Microsoft Windows installation, whether or not it is patched. This technology has allowed us to tighten the security of a box that would otherwise be left open by newly discovered vulnerabilities and by the techniques the malware mafias use routinely.

A recent example of KRE's effectiveness is the never-ending wave of Microsoft Office file-format vulnerabilities, which have lately been used in targeted attacks against specific companies. In a study of exploits for known (patched) and zero-day (unpatched) Microsoft Office vulnerabilities, the antivirus engines tested achieved an average signature detection rate of 50%. That is a one-in-two chance of being infected simply by opening a booby-trapped Microsoft Word, PowerPoint or Excel document.

Instead of relying on signatures and heuristics against this type of attack, Behavior Blocking technologies such as KRE proactively prevent Microsoft Word, PowerPoint, Excel, Access, Acrobat Reader, Windows Media Player and similar applications from dropping and running executable code of any kind on the system. Unlike the AV signatures tested, TruPrevent provides real zero-day protection against these Microsoft Office exploits, known or unknown.

Take, for example, rules 1039 & 1042. Vulnerabilities have recently been discovered in MS Office, Acrobat and Windows multimedia applications (PowerPoint, Excel, Word, Windows Media Player, Acrobat Reader and others are affected). In normal operation these applications should never create executable files on the system, so if you receive an alert from one of these rules, some kind of vulnerability is being exploited, as the blocking notification shows when an infected Microsoft Word document is opened.

In this case KRE prevents these applications from creating and executing code on the system, stopping the malware without relying on signatures or heuristics to protect users. There are of course many more examples of how to block a whole range of malicious behavior, but if you have read this far you get the picture.
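To make the policy model concrete (rules keyed on an application and an action, with an allow/deny verdict, as described above), here is a toy behavior-blocking engine evaluating a handful of intercepted events. It is an added illustration written for this article, not Panda's KRE code: the rule IDs 1039 and 1042 and the "document viewers must not drop executables" behavior follow the text, while the 9xxx rule numbers, the extension list, the process names and every path and event are constructed assumptions.

```python
"""
Toy KRE-style behavior-blocking engine: an application-centric policy made of
allow/deny rules over intercepted process actions. Added illustration, not
Panda's code; rule numbers other than 1039/1042, the extension list and all
paths/events are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Sequence, Tuple

# Extensions treated as "executable code" and the DOS/PE header magic.
# Assumed list; a real product ships and updates its own.
EXEC_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "cpl", "sys",
                   "bat", "cmd", "vbs", "js", "hta"}
MZ = b"MZ"


@dataclass(frozen=True)
class Event:
    """One intercepted action, as a kernel hook would report it."""
    process: str          # image name of the acting process, e.g. "winword.exe"
    action: str           # "file_create", "process_create", "registry_write", ...
    target: str           # file path, spawned image, registry key, ...
    data: bytes = b""     # first bytes being written (file_create only)


def looks_executable(path: str, data: bytes) -> bool:
    """Judge by extension AND content: a dropper can write 'update.tmp' with an
    MZ header and rename it later, so the extension alone is not enough."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXEC_EXTENSIONS or data[:2] == MZ


@dataclass(frozen=True)
class Rule:
    rule_id: int
    processes: Tuple[str, ...]      # glob patterns on the acting process image
    action: str
    target_glob: str = "*"          # glob on the target (matched case-insensitively)
    executable_only: bool = False   # fire only when the target is executable code
    verdict: str = "deny"
    description: str = ""

    def matches(self, ev: Event) -> bool:
        if ev.action != self.action:
            return False
        proc = ev.process.lower()
        if not any(fnmatchcase(proc, p) for p in self.processes):
            return False
        if not fnmatchcase(ev.target.lower(), self.target_glob.lower()):
            return False
        if self.executable_only and not looks_executable(ev.target, ev.data):
            return False
        return True


OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe")
READERS = ("acrord32.exe", "wmplayer.exe")

# Ordered policy: the first matching rule decides; anything unmatched is
# allowed, so ordinary behavior of these applications (saving documents,
# writing temp files) is untouched. 1039/1042 follow the article's
# description; the 9xxx rules are hypothetical.
DEFAULT_POLICY = [
    Rule(1039, OFFICE, "file_create", executable_only=True,
         description="Office applications must not drop executable code"),
    Rule(1042, READERS, "file_create", executable_only=True,
         description="Acrobat Reader / Media Player must not drop executable code"),
    Rule(9001, OFFICE + READERS, "process_create", target_glob="*\\temp\\*",
         description="Document viewers must not launch programs from temp"),
    Rule(9002, ("*",), "file_create", target_glob="*\\drivers\\etc\\hosts",
         description="No application may rewrite the HOSTS file"),
]


def evaluate(policy: Sequence[Rule], ev: Event) -> Tuple[str, Optional[int]]:
    """Return (verdict, rule_id); rule_id is None for the implicit default allow."""
    for rule in policy:
        if rule.matches(ev):
            return rule.verdict, rule.rule_id
    return "allow", None


def run(policy: Sequence[Rule], events: Iterable[Event]) -> List[Tuple[str, Optional[int]]]:
    return [evaluate(policy, ev) for ev in events]


# Constructed events: a booby-trapped .doc at work, plus some benign activity.
SAMPLE_EVENTS = [
    Event("winword.exe", "file_create", r"C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp", b"PK\x03\x04"),
    Event("winword.exe", "file_create", r"C:\Users\bob\AppData\Local\Temp\dropped.exe", b"MZ\x90\x00"),
    Event("powerpnt.exe", "file_create", r"C:\Users\bob\AppData\Local\Temp\update.tmp", b"MZ\x90\x00"),
    Event("winword.exe", "process_create", r"C:\Users\bob\AppData\Local\Temp\dropped.exe"),
    Event("iexplore.exe", "file_create", r"C:\Windows\System32\drivers\etc\hosts", b"127.0.0.1 update.example"),
    Event("explorer.exe", "file_create", r"C:\Program Files\Tool\setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for ev, (verdict, rid) in zip(SAMPLE_EVENTS, run(DEFAULT_POLICY, SAMPLE_EVENTS)):
        tag = "rule %d" % rid if rid else "default"
        print("%-5s [%-9s] %s %s %s" % (verdict, tag, ev.process, ev.action, ev.target))
```

Two design points carry over to a real deployment. First, the policy is evaluated in order with a default allow, so any exception for a legitimate application must be placed ahead of the deny rule it relaxes. Second, the executable check looks at the bytes being written as well as the file name; a rule that only matched `*.exe` would miss a payload dropped under a harmless extension and renamed afterwards.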