WEBVTT

00:00.750 --> 00:05.970
The security plus exam has a number of questions on it that are going to be covering things like here's

00:05.970 --> 00:11.250
some output from this anti-malware or here's some output from a file integrity check.

00:11.280 --> 00:14.070
What are we looking at here and what should I do about it.

00:14.070 --> 00:19.890
So in this episode I'm going to just call this analyzing output and we're going to go through a number

00:19.890 --> 00:23.940
of different types of security applications and look at their output.

00:23.940 --> 00:28.680
Now if you're expecting to see log files here, that's not it. A lot of times we'll just be looking

00:28.680 --> 00:33.970
at screens and trying to figure out what this particular security application is going to be saying.

00:33.990 --> 00:41.570
So let's go and get started with probably my personal favorite anti-malware.

00:41.590 --> 00:45.430
I'm going to assume at this point in your life that you've probably dealt with some anti-malware.

00:45.430 --> 00:50.530
So what I really want to do more than anything else is discuss some of the output that we're going to

00:50.530 --> 00:55.420
be seeing from running anti-malware or anti-virus tools.

00:55.420 --> 01:01.840
Now there are a zillion different anti-malware tools out there and I'm not going to make a sales pitch

01:01.840 --> 01:03.760
for any of them personally.

01:03.790 --> 01:07.480
I'm going to be using the built-in Windows Defender with Windows 10.

01:07.510 --> 01:08.220
I like it.

01:08.260 --> 01:13.720
It's OK there's possibly better ones out there but I'm going to avoid a big argument and a lot of people

01:13.720 --> 01:16.290
going with Mike Boyer's you never tried it at it.

01:16.510 --> 01:18.910
We're going to be using Windows Defender because it's convenient.

01:18.910 --> 01:22.550
I've got it here and it covers everything I need for the exam.

01:22.550 --> 01:29.800
So one of the things I want to talk about is how do we set up anti-malware now.

01:30.050 --> 01:33.930
These days it's a lot easier than it used to be back in my day.

01:33.980 --> 01:39.590
You'd have to have like an e-mail anti-malware and a web browser anti-malware and then something to

01:39.590 --> 01:44.990
scan your hard drives and then something to scan your memory today what you tend to see more than anything

01:44.990 --> 01:50.060
else is really only two settings you're going to have some kind of real time setting which basically

01:50.090 --> 01:56.550
anything coming in and out of the network card is being scanned and then you also have a.

01:56.720 --> 01:57.710
I think I've got a problem.

01:57.710 --> 02:01.000
Can you go ahead and scan all my storage.

02:01.070 --> 02:04.270
So let's go and take a look at this particular guy right here.

02:05.090 --> 02:10.230
So this is the initialization screen for it and you'll notice I've got a little problem right here.

02:10.250 --> 02:13.600
So let's go ahead and just see what kind of threat is going on.

02:14.030 --> 02:17.870
So it finds this particular threat and it's called HackTool:Win32/Cain.

02:17.870 --> 02:20.360
I know exactly what that is.

02:20.420 --> 02:24.950
Now it's asking me for specific options you want me to just remove that file.

02:24.970 --> 02:30.010
Do you want me to quarantine it which will mean to copy it to a specific folder and leave it there.

02:30.110 --> 02:32.160
Or are you just going to let it go.

02:32.240 --> 02:36.250
Now you can actually click on details on this and you get some pretty interesting output.

02:36.260 --> 02:40.890
Now what's happening here is I know exactly what happened because I did this on purpose.

02:41.000 --> 02:47.360
And what's taking place is I installed I didn't install I just downloaded the popular password cracker

02:47.390 --> 02:48.980
Cain and Abel.

02:49.220 --> 02:54.470
It's on Windows Defender's list of naughtiness in this particular case.

02:54.500 --> 03:01.430
I want it to be there but I also like to just let the anti-malware tool continue to yell about it.

03:01.490 --> 03:04.550
I'm not going to do anything here but if I wanted to I could delete it.

03:04.580 --> 03:08.090
I could move it to a specific folder or I could say ignore it.

03:08.090 --> 03:09.960
Let's just go ahead and keep it there.

03:11.380 --> 03:18.160
So one of the big things we need to be thinking about is in a situation like this is when we're analyzing

03:18.160 --> 03:21.430
this output what we're actually seeing is a false positive.

03:21.460 --> 03:25.570
There's really nothing wrong with Cain and Abel Cain and Abel isn't going to do anything evil to my

03:25.570 --> 03:26.180
system.

03:26.380 --> 03:32.290
It might do evil things to other people's systems but for me it's just a password cracker and a

03:32.290 --> 03:34.170
really good tool at that.

03:34.180 --> 03:37.270
The other thing we need to look at are true positives.

03:37.300 --> 03:42.520
If you ever see a positive on here you don't know whether it's a false positive or not.

03:42.520 --> 03:44.250
So you do some kind of research.

03:44.260 --> 03:49.520
Let's take a look one more time here. It says HackTool:Win32/Cain.

03:49.720 --> 03:53.500
It is documented in a lot of anti-malware databases just like this.

03:53.500 --> 03:57.520
So even if this particular tool couldn't give me the answers I wanted.

03:57.610 --> 04:03.430
It's trivial for me to go online and take a look and be able to determine is this particularly bad or

04:03.430 --> 04:04.720
not.

04:04.720 --> 04:10.740
The other thing I'm going to mention is that a lot of anti-malware tools do generate log file type outputs.

04:10.750 --> 04:11.560
I don't like those.

04:11.560 --> 04:15.780
Personally I like a GUI interface that makes life a little bit easier for me.

04:15.880 --> 04:21.280
But the bottom line is they're still going to be saying the exact same things: we removed a file or

04:21.280 --> 04:22.390
something like that.

04:22.690 --> 04:26.960
One more thing before we stop talking about anti-malware and that is updates.

04:27.070 --> 04:31.580
Back in the old days we used to have to worry about definition files and things like that.

04:31.600 --> 04:38.320
I am unaware of any anti-malware today that doesn't automatically update making sure that your anti-malware

04:38.320 --> 04:40.150
is ready for anything that's coming.

04:44.010 --> 04:49.620
Host based firewalls are any type of firewall that is installed on an individual host.

04:49.630 --> 04:57.070
Now this device this software is designed to do one job and that is to protect this individual host

04:57.310 --> 05:03.340
from anything evil going out or coming into the system because it's a host based firewall.

05:03.340 --> 05:09.370
It can actually do this based on filenames because it knows all the file names on its particular system.

05:09.370 --> 05:12.150
It could also use port numbers and other things like that.

05:12.170 --> 05:16.050
Now the output we're going to be looking at isn't going to be a log or something like that.

05:16.060 --> 05:21.550
What you're going to be looking at is some form of output in the form of an Access Control list or a

05:21.550 --> 05:23.890
rules list the term is interchangeable.

05:23.890 --> 05:25.180
This particular case.

05:25.300 --> 05:30.360
Now what I'm using right here is the wonderful firewall that is built into Windows 10.

05:30.370 --> 05:33.280
I like this one primarily because it's a very good firewall.

05:33.280 --> 05:36.450
And then secondly it's graphical and easy for me to take a look at.

05:36.640 --> 05:38.250
So if we take a peek at this.

05:38.440 --> 05:44.220
Now if you look in the upper left here it will say things like in-bound rules and outbound rules or

05:44.220 --> 05:48.900
you can just click here under the monitoring and you get to see all the rules at once.

05:49.050 --> 05:57.840
So what we're looking at here is a list of all of the different applications that are right now whitelisted.

05:57.930 --> 06:02.520
And this is an important issue that we've got to deal with with a host based firewall.

06:02.580 --> 06:10.230
Host-based firewalls basically exclude everybody, so it is called an implicit deny.

06:10.500 --> 06:12.750
No program gets in or out.

06:12.760 --> 06:19.590
Now you begin to build up this whitelist, which is what you're looking at right here, in a couple of different

06:19.590 --> 06:20.080
ways.

06:20.100 --> 06:26.430
One way is with a lot of programs when they install the actual Windows Installer comes with part of

06:26.430 --> 06:27.520
the rule being.

06:27.570 --> 06:33.240
Let me go ahead and put an exception into the Access Control list so that's one way does it.

06:33.240 --> 06:38.130
The other way it does it is if you actually run a program and that program tries to phone home or whatever

06:38.130 --> 06:44.430
it might be you're going to get a big pop up that comes up and says Is this ok if you say OK you've

06:44.430 --> 06:48.340
created an exception and it's going to show up on this list.

06:48.420 --> 06:54.780
So when you're analyzing host based firewall output what you're doing and this is this is tricky but

06:54.780 --> 07:00.320
we do it is we scroll through here and we make sure we understand what is all here.

07:00.510 --> 07:07.630
So March of Empires: War of Lords. OK, somebody installed a game on here.

07:07.630 --> 07:09.030
Now do I want to keep that.

07:09.040 --> 07:10.210
I probably wouldn't.

07:10.210 --> 07:15.190
I'm really big in the least privilege kind of thing and I could come through here and delete a whole

07:15.190 --> 07:19.480
bunch of stuff but you know we're going to keep it here just in case somebody else might be playing

07:19.480 --> 07:20.740
that game.

07:20.740 --> 07:21.320
All right.

07:21.350 --> 07:26.200
So when you think about a host based firewall, number one, remember your output is really an Access Control

07:26.200 --> 07:26.980
List.

07:26.980 --> 07:32.770
You're going to be using least privilege and you have a whitelist that builds up over time to allow

07:32.770 --> 07:36.320
certain programs to do whatever they need to do on the Internet.

07:41.170 --> 07:47.590
We have gazillions of files and gazillions of different places throughout our infrastructure.

07:47.590 --> 07:53.200
A lot of these files are absolutely critical and we need to check them from time to time to make sure

07:53.200 --> 07:54.690
that they're in good order.

07:54.700 --> 08:00.340
We do this through what is known generically as a file integrity check. Now file integrity checks work

08:00.370 --> 08:01.890
in all kinds of places.

08:01.990 --> 08:09.070
For example a lot of applications will actually run file integrity checks on their types of files to

08:09.070 --> 08:10.930
make sure that they're OK.

08:10.930 --> 08:17.250
Operating systems can run file integrity checks to make sure that the operating system files are OK.

08:17.290 --> 08:22.060
So there's all kinds of different places where file integrity checks take place.

08:22.060 --> 08:28.990
What's important is that a file integrity check verifies that a particular file is in good order and

08:28.990 --> 08:36.280
is ready to run the file isn't corrupted the file hasn't been tampered with in some way and the file

08:36.280 --> 08:40.120
is of the version and date that's expected.

08:40.130 --> 08:43.670
Now there's a lot of different ways to run a file integrity check.

08:43.770 --> 08:48.690
So what I'm going to do here on my Windows 10 system is I'm going to run a program in fact I've already

08:48.690 --> 08:51.410
run it for you called System file checker.

08:51.750 --> 08:56.750
So I've got windows power shell open and if you take a look I've run system file checker right here

08:56.760 --> 09:00.640
so you see sfc /scannow.

09:00.660 --> 09:06.180
Now it took it a while to run so I just went ahead and ran it ahead of time. We're going to see some output

09:06.180 --> 09:14.300
from it here in just a moment system file checker is a Windows tool whose job is to check the core files

09:14.310 --> 09:21.900
that make up the Windows operating system, the critical executables and DLLs and a few data files

09:21.900 --> 09:27.540
that collectively must be working in order for Windows to boot and run properly.

09:27.600 --> 09:34.590
You're going to run SFC if you get strange corruptions on Windows, mainly when you're not in an

09:34.590 --> 09:35.340
application.

09:35.340 --> 09:38.290
So if you're just booting up your desktop and things go weird.

09:38.460 --> 09:44.220
A quick system file check is always a good idea so how do we know a file is good.

09:44.230 --> 09:46.660
Well first of all well you've got a couple of choices.

09:46.660 --> 09:53.290
Number one when you know the file is good go ahead and hash it you generate a hash of a file and then

09:53.290 --> 09:58.540
you have this hash value and a lot of times what they'll do is not only hash the file but they'll hash

09:58.540 --> 10:02.590
all the attributes like the name of the file and the date of the file and all that.

10:02.590 --> 10:07.960
So if somebody tries to change a name, or the date changes on the file, or if anything within the file

10:07.960 --> 10:09.790
changes the hash is going to change.

10:09.820 --> 10:12.520
And these tools can instantly go, there's a problem.

10:12.580 --> 10:16.710
So they're going to have to run this before there's a problem.

10:16.700 --> 10:18.730
Now Windows does it another way.

10:18.730 --> 10:23.320
Windows basically just makes an extra copy of all the critical files.

10:23.320 --> 10:24.550
It's not really a backup.

10:24.550 --> 10:29.800
I mean it is a backup but it's not like a backup that you run Windows does this automatically and sets

10:29.800 --> 10:31.800
them aside in a very specific folder.

10:31.960 --> 10:36.680
So when you're running system file checker you're actually not comparing hashes or anything.

10:36.700 --> 10:42.070
You actually have a backup copy of these individual files and it looks at each of them and if it's good.

10:42.130 --> 10:47.620
Great and if it's not it'll put up a big nasty error and warn you that something's going on.

10:47.620 --> 10:54.820
So what is interesting though is that all file integrity check tools pretty much always generate a log.

10:54.820 --> 10:59.200
Now you notice here it said it didn't find any integrity violations on the screen.

10:59.380 --> 11:02.920
And let's go ahead and pull up the log file for this particular tool and I think you're going to see it

11:02.920 --> 11:04.070
agrees with that.

11:04.410 --> 11:08.590
And if you look way up at the top here you'll see it's starting system file checker and then System

11:08.590 --> 11:11.370
file checker terminated normally.

11:11.380 --> 11:14.310
So this is a little boring but it's still a good log.

11:14.440 --> 11:21.160
If there had been a problem the issue would have popped up on the screen for a moment but more importantly

11:21.160 --> 11:26.650
this particular log file would be giving the names of each individual file and telling you that it

11:26.650 --> 11:27.500
had a problem.

11:27.550 --> 11:34.120
In that case we can go ahead and we can grab a Windows installation media and we can do a Repair Install

11:34.120 --> 11:38.250
that would bring the proper copies back and we would be OK.

11:38.260 --> 11:43.480
Now remember this is just windows in this particular situation if we were doing a file integrity check

11:43.780 --> 11:44.420
on.

11:44.530 --> 11:51.370
I don't know, some Photoshop images that I have. The Adobe tool itself has a file integrity checker

11:51.370 --> 11:52.380
built into it.

11:52.630 --> 11:56.380
And when it finds it, you know, does it keep a backup copy?

11:56.530 --> 12:05.010
And in that particular case guess what you are going to be restoring from a backup.

12:05.070 --> 12:10.650
It's really important for us in an enterprise environment to make sure that the applications that are

12:10.650 --> 12:16.680
running on our individual systems are the right applications and when I say the right applications I

12:16.680 --> 12:22.500
mean number one I don't want people installing unauthorized stuff so yeah I know you might like playing

12:22.500 --> 12:27.570
World of Warcraft but I don't like people installing it on their individual systems.

12:27.570 --> 12:31.460
Equally I don't want them installing things that I may not like.

12:31.470 --> 12:36.510
For example you could be installing some little innocuous looking game but it actually is corrupted

12:36.510 --> 12:37.860
with malware.

12:37.860 --> 12:42.650
The other thing that comes into play when we talk about the right application is licensing.

12:42.690 --> 12:45.790
Well actually licensing slash inventory.

12:45.900 --> 12:52.920
If I'm using Microsoft Office for example and I'm still actually buying it from CDs I'm buying X number

12:52.920 --> 12:54.480
of license copies.

12:54.480 --> 12:59.520
Now if I want to I could sit here and keep track of individual CDs but in enterprise environments what

12:59.520 --> 13:05.430
we usually do is we have some type of installation server which then distributes out the right number

13:05.490 --> 13:10.910
of Office to all the different systems and it actually keeps track of all the licensing for me.

13:11.100 --> 13:14.970
So that's really licensing and inventory because it keeps track of the number of systems.

13:14.970 --> 13:21.760
If I've got 100 user licenses and I've only got 67 installed it keeps track of that.

13:21.760 --> 13:23.150
So somebody comes along.

13:23.170 --> 13:29.610
They will just put another one in. The other thing that becomes important for knowing the right application

13:29.850 --> 13:34.470
is the idea of standardization as you might imagine with me writing books.

13:34.500 --> 13:41.160
I go through a lot of Microsoft Word and there's nothing more irritating than for me to have one version

13:41.160 --> 13:45.750
of Word and somebody else to have another version of Word and editor over there to have another version

13:45.750 --> 13:46.470
of Word.

13:46.500 --> 13:51.660
So in an enterprise environment it's really important for us to be very very standardized and making

13:51.660 --> 13:57.720
sure everybody's running not only the same office applications but even things like web browsers and

13:57.720 --> 14:00.330
stuff like that can become very very important.

14:00.690 --> 14:05.380
And that's where a whole class of programs with a whole bunch of different names.

14:05.440 --> 14:12.010
They're called software management programs or desktop management programs or application whitelisters.

14:12.120 --> 14:18.330
There's a gazillion names to these guys but basically their job is to make sure that everybody's running

14:18.330 --> 14:20.630
the right application as we described.

14:20.640 --> 14:25.560
So when we're talking about software management desktop management application whitelist or whatever

14:25.560 --> 14:26.680
you want to call them.

14:26.730 --> 14:31.770
Remember their main job is to make sure that you're running the right applications on your individual

14:31.830 --> 14:47.690
enterprise systems.
