WEBVTT

0:00:02.460000 --> 0:00:38.240000
Hello and welcome to this video titled Antivirus and Anti-Malware. In this video, the topics I'm going to cover are: what are antivirus and anti-malware programs; at a real high level, how do these programs work? I'm going to give you some examples of both paid and free antivirus and anti-malware programs. Then I'm going to introduce you to AMP for Endpoints, Cisco's Advanced Malware Protection, and also introduce you to something called Cisco Talos, which is critical for AMP to actually work.

0:00:38.240000 --> 0:01:21.120000
So in the event that you've never heard of this term, antivirus or anti-malware software, what is that? Well, ideally, if you've been watching the other videos, you know that you want a line of defense before malware or bad software gets to your laptop. You want a firewall at the perimeter of your network. If something gets through that, you want some sort of access list or something configured on a router. Ideally, you'd have something like a web security appliance that's monitoring all web transactions going out and going in. So there's multiple layers of defense. But things are not 100% perfect, especially with the evolving rate of malware that comes out on a daily basis.
0:01:21.120000 --> 0:02:02.380000
There's just no way for any security software or security device to capture everything. So it's kind of inevitable that malware or viruses will eventually make it to your endpoint. Once again, endpoint referring to your laptop, your PC, your server. So you're going to want some sort of first line of defense on that device itself, some sort of software that's monitoring for these types of things. So antivirus, anti-malware, and anti-spyware software are, like it says, programs designed to detect this type of malicious software, prevent it, and take action if it is detected on your system.

0:02:02.380000 --> 0:02:47.580000
Now, let's just pause for a moment here. What's the difference between antivirus, anti-malware, and anti-spyware? Well, keep in mind that the term malware is a derivative of two words, malicious software. That's what malware stands for. So malware is sort of an umbrella term. So viruses are an example of malware, but there's other examples of malware as well, such as, for example, ransomware, Trojan horses, worms, lots of different types of malicious software that fall into the category of malware. So if we were strictly to install just an antivirus solution, well, that would be great for blocking and detecting known viruses, but what about ransomware?
0:02:47.580000 --> 0:02:58.040000
What about Trojan horses? What about rootkits? A strict virus scanner might not be designed to look for those types of things.

0:02:58.040000 --> 0:04:05.000000
What is anti-spyware? Well, basically, spyware is anything that you download, and it is reporting back information about you. Like, for example, sometimes spyware is not malicious. Like, for example, sometimes you will go to a website or something and you will agree that in order to use the services of the website, or maybe to agree to use the services of some software you purchased, you agree to let it display ads on your laptop. Kind of irritating, but if you want the benefits of the software, you might have to agree to that. So once you agree to that, now it's displaying those ads to you, and what it's probably doing in the background is installing a cookie or something to monitor your browsing habits to more customize the type of ads it's displaying to you. So technically, that would be considered spyware because that software is collecting your usage, how you're using the program, how you're using the website, and then reporting it back to some central server somewhere, and then using that information to customize the ads it's displaying on your system.
0:04:00.100000 --> 0:04:37.360000
Now, we wouldn't necessarily call that malicious, that's kind of irritating, but other types of spyware could report back more than what you want. So for example, if that exact same program that you agreed to let display ads on your system is actually reporting back more information about your system than you actually wanted it to. Let's say it's actually reporting back more detailed logs, more detailed information than you actually think; if you knew about it, you would say, wait a second, they don't need that level of personal information about me. Well, that would now cross the line into malware. So that's what spyware is.

0:04:37.360000 --> 0:05:08.940000
So we probably want more than one type of software defense to look for viruses, to look for spyware, and to look for all the other things that are considered malware as well. So let's focus right now specifically on antivirus and anti-malware. How do they do it? So when something's downloaded, a file, an executable, whatever it is, how does it look at that thing and classify it as being bad, classify it as being malware? Well, there's three basic approaches you want to know to this.
0:05:08.940000 --> 0:05:42.140000
So historically, signature-based detection was the first one that was developed and still to this day is probably more of the predominant way of detecting viruses. What this does is when a virus is known, when malware is known by the security community, they can look at the code of that malware and they can extract from that known recognizable characteristics and create what's called a signature, and then put that into a signature database.

0:05:42.140000 --> 0:06:32.360000
So signature-based antivirus or anti-malware, what it will do is when you download something like an attachment or something from a website, it will go to that database and compare the signatures in that database with the code of what you just downloaded, like for example, the name of the file, maybe some of the specific code within the file, and say, okay, does anything here in this file match a known signature of known malware? So that's what's predominantly used, but the downside to that is malware and viruses are changing so rapidly on a daily basis that a lot of times there is no known signature for it because the security community doesn't know about it yet or they haven't had time to create a signature for it yet. So signature-based programs might not capture that. So we might want to use one of the remaining two methods.
0:06:32.360000 --> 0:07:19.040000
So the next method would be something called heuristic detection. So what heuristic detection will do is say, okay, let's take this malware, let's take this suspected file and basically break it down to its actual source code. So the software will take a look at the actual source code of the file and then say, okay, let's take a look at the source code and let's compare it to known viruses, known malware, and see if any of the source code matches any of the characteristics that we would see inside there. If certain portions of that file match the characteristic, then heuristic detection would say, this is probably malware; it'll alert you to that and it'll give you the option of either quarantining or possibly blocking or deleting the file in its entirety.

0:07:19.040000 --> 0:07:51.680000
Now one other method, which is probably the most complex of all the methods, is something called behavioral-based detection. So what this does is it says, hey, let's take a look at the file, at the executable, and see line by line, if we allowed this thing to run, what would it do? Would it do something that looks suspicious? If we allowed this to run, would this line start to change the registry? Would this line try to change the behavior of a current executable we have?
0:07:46.660000 --> 0:08:33.280000
Would this line here maybe start to invoke a capture program that captures our keystrokes? So those are behaviors that would be, that's kind of suspicious, so we probably don't want that thing to run. There's not a known signature for it. It doesn't match anything that we currently know, but by looking at it line by line and seeing what calls it would make, what it would do, it looks like it would invoke something bad. So behavioral-based detection would pick up on that. So ideally, any antivirus or any anti-malware program you have would actually have a combination of all three of these things, to most effectively block or look for malware. But just keep in mind, nothing is 100% perfect. The best you can get is by invoking all three of these to get as close to perfect as you can.

0:08:33.280000 --> 0:08:58.160000
Now there is a lot of antivirus, anti-malware and anti-spyware software available out there. Some of it is free, some of it is paid. Clearly, the paid options are better; they're going to give you more ways of scanning, more detection techniques, and a lot of times, if you download something like this for your family, you'll get like a dashboard, like a portal you can log into.
0:08:58.160000 --> 0:09:25.880000
And you can see all your devices, you know, what files they downloaded, what keywords those devices looked up that may have sparked something or blocked something. The paid versions will give you that, the free versions typically won't. So you can see here, here's an example of a lot of different, I'll just make that a little bit bigger. All of those are different versions of antivirus, anti-malware, some of which are free, some of which are paid versions.

0:09:25.880000 --> 0:10:16.960000
Now if we look specifically at a solution that Cisco offers, they have something called AMP for Endpoints. Now this is not really something designed for a personal or a home user. This is designed for, you know, let's say that you are a CEO of a company or the director of IT of your company, you say, you know what, I'd like to install something across the board on all the laptops, all the notebooks and MacBooks of all my employees, so I can see all of the files that they're downloading, I can see if any of those files are doing anything malicious. I want sort of a broad view of everything across my organization. That is what AMP is designed for. They don't really have a home or personal solution just for you at your house, for your family.
0:10:16.960000 --> 0:11:09.320000
So with that, AMP stands for Cisco's Advanced Malware Protection and uses a mixture of preventative engines that are built right into the software itself running locally on the laptop or PC, as well as cloud-based intelligence. That cloud-based intelligence is updated by Cisco Talos and the Cisco Threat Grid. Now what is Cisco Talos? We'll take a look at that in the next slide. But basically what we're talking about here is a solution that not only has built-in intelligence in your laptop or PC, but also reaches out to the cloud on a very frequent basis to download the latest signatures, to download the latest heuristics and behavioral-based techniques, as well as to upload to the cloud to some central portal where you can access everything that's going on on your endpoints. You can see as a manager or a director in your company exactly what's going on.

0:11:09.320000 --> 0:11:35.720000
So AMP for Endpoints supports lots of different operating systems. You can see right here most operating systems that you would find within your organization would be supported by this. Now what makes AMP really effective is the fact that it's going to the cloud and that cloud is being fed with a database that is produced by Cisco Talos.
0:11:31.260000 --> 0:12:05.240000
Now I'm not going to read this to you here, but you can see Talos is basically a huge organization of security professionals whose job it is to keep up with the data. So you can stay up to date on the latest threats worldwide, the latest malware, the latest antivirus, you know, where it's coming from, where the outbreaks are happening, and Cisco Talos puts all that information into these massive databases, which then feed the advanced malware protection software that you have running on your endpoints.

0:12:05.240000 --> 0:12:57.920000
Now if you are actually the network administrator, you get access to an administrator's dashboard to gain overall visibility into the health of your endpoints. Now one thing I found really cool about AMP is this thing right here provides file and device trajectory. File and device trajectory. So look at what this does. This helps you to identify all the systems in your organization that were impacted by malware that was downloaded, that was allowed through your firewalls and your web security appliance and actually made it to the endpoints. You can see all the endpoints that have it, you can see what they were doing that led up to invoking this malware, you can see how it spread, you can see what device it started with and where it went out from there.
0:12:54.780000 --> 0:13:40.320000
Now it's kind of interesting about this, and this might give you pause. Now if you're the network director or the IT director, you're going to love this. But if you're the actual person sitting on the laptop or PC where AMP is running, this might make you feel a little nervous, because the way AMP does this is it actually monitors every single file, every single call that your laptop is doing. It keeps a record of every single time you open up anything, move anything, every call you make to the web; everything is in there and uploaded to the dashboard. This is the only way the dashboard can give the network administrator visibility into everything that's going on in the laptops or PCs: by monitoring all that stuff.

0:13:40.320000 --> 0:14:09.680000
Now if you're like me when I first learned about that, I thought, wow, how exactly does AMP do this? How does it provide this trajectory of where the problem first started, how it spread throughout the network? So I'll show you right here. This is a great video on YouTube. It's a pretty short video. It's only about three or four minutes long. I'll zoom here on the actual, there you go, there's the actual URL.
0:14:09.680000 --> 0:14:29.260000
If you're curious about this, I just recommend spending four or five minutes watching this YouTube video here that really talks about how device trajectory works in AMP. So that concludes this video and I hope you found it to