Analyzing Output

CompTIA Security+ Certification (SY0-501) Chapter 5 - Securing Individual Systems
14 minutes

Transcript

The Security+ exam has a number of questions on it that are going to be covering things like, here's some output from this anti-malware, or here's some output from a file integrity check. What are we looking at here, and what should I do about it? So in this episode, I'm going to just call this analyzing output, and we're going to go through a number of different types of security applications and look at their output. Now, if you're expecting just to see log files here, sometimes that's not it. A lot of times we'll just be looking at screens and trying to figure out what this particular security application is going to be saying.

So let's go ahead and get started with probably my personal favorite: anti-malware. I'm going to assume at this point in your life that you've probably dealt with some anti-malware, so what I really want to do more than anything else is discuss some of the output that we're going to be seeing from running anti-malware or antivirus tools. Now, there are a zillion different anti-malware tools out there. I'm not going to make a sales pitch for any of them. Personally, I'm going to be using the built-in Windows Defender with Windows 10. I like it. It's okay. There's possibly better ones out there, but I'm going to avoid a big argument and a lot of people going, "Well, Mike Meyers, you never tried dah, dah, dah, dah, dah." We're going to be using Windows Defender because it's convenient, I've got it here, and it covers everything I need for the exam.

So one of the things I want to talk about is how we set up anti-malware. Now, these days it's a lot easier than it used to be. But back in my day, you'd have to have like an email anti-malware and a web browser anti-malware, and then something to scan your hard drives, and then something to scan your memory. Today, what you tend to see more than anything else is really only two settings. You're going to have some kind of real-time setting, which basically means anything coming in and out of the network card is being scanned. And then you also have a full "I think I've got a problem, can you go ahead and scan all my stuff" storage scan. So let's go ahead and take a look at this particular guy right here. So this is the initialization screen for it, and you'll notice I've got a little problem right here. So let's go ahead and just see what kind of threat is going on.

So it finds this particular threat, and it's called HackTool:Win32 K, and I know exactly what that is. Now, it's asking me for specific options. Do you want me to just remove that file? Do you want me to quarantine it, which will mean to copy it to a specific folder and leave it there? Or are you just gonna let it go? Now, you can actually click on Details on this and you get some pretty interesting output. Now, what's happening here is I know exactly what happened, because I did this on purpose. And what's taking place is I installed, I didn't install, I just downloaded the popular password cracker Cain and Abel. It's on Windows Defender's list of naughty ones. In this particular case, I want it to be there. But I also like to just let the anti-malware tool continue to yell about it. I'm not going to do anything here. But if I wanted to, I could delete it, I could move it to a specific folder, or I could say ignore it. Let's just go ahead and keep it there.

So, one of the big things we need to be thinking about in a situation like this, when we're analyzing this output, is that what we're actually seeing is a false positive. There's really nothing wrong with Cain and Abel. Cain and Abel isn't gonna do anything evil to my system. It might do evil things to other people's systems, but for me, it's just a password cracker, a really good tool. With that, the other thing we need to look at are true positives. If you ever see a positive on here, you don't know whether it's a false positive or not, so you do some kind of research. Let's take a look one more time. You see here it says HackTool:Win32 K. It is documented in a lot of anti-malware databases, just like this. So even if this particular tool couldn't give me the answers I wanted, it's trivial for me to go online and take a look and be able to determine: is this particularly bad or not? The other thing I'm going to mention is that a lot of anti-malware tools do generate long file-type outputs. I don't like those, personally. I like a GUI interface; it makes life a little bit easier for me. But the bottom line is, they're still going to be saying the exact same things, you know, "remove this file" or something like that. One more thing before we stop talking about anti-malware, and that is updates. Back in the old days, we used to have to worry about definition files and things like that. I am unaware of any anti-malware today that doesn't automatically update, making sure that your anti-malware is ready for anything that's coming.

Host-based firewalls are any type of firewall that is installed on an individual host. Now, this device, this software, is designed to do one job, and that is to protect this individual host from anything evil going out or coming into the system. Because it's a host-based firewall, it can actually do this based on file names, because it knows all the file names on its particular system. It could also use port numbers and other things like that.

Now, the output we're going to be looking at isn't going to be a log or something like that. What you're going to be looking at is some form of output in the form of an access control list, or a rules list. The term is interchangeable in this particular case. Now, what I'm using right here is the wonderful firewall that is built into Windows 10. I like this one, primarily because it's a very good firewall, and then secondly, it's graphical and easy for me to take a look at. So if we take a peek at this, now, if you look in the upper left here, it'll say things like Inbound Rules and Outbound Rules, or you can just click here under Monitoring, and you get to see all the rules at once.

So what we're looking at here is a list of all of the different applications that are right now whitelisted, and this is an important issue that we've got to deal with. With a host-based firewall, all host-based firewalls basically exclude everybody. So it is called an implicit deny: no program gets in or out. Now, you begin to build up this whitelist, which is what you're looking at right here, in a couple of different ways. One way is, with a lot of programs, when they install, the actual Windows Installer comes with part of the rule being, "let me go ahead and put an exception into the access control list." So that's one way it does it. The other way it does it is if you actually run a program, and that program tries to phone home or whatever it might be, you're going to get a big pop-up that comes up and says, "Is this okay?" If you say okay, you've created an exception, and it's going to show up on this list.

So when you're analyzing host-based firewall output, what you're doing, and this is tricky, but we do it, is we scroll through here, and we make sure we understand what is all here. So, March of Empires: War of Lords. Okay? Somebody installed a game on here. Now, do I want to keep that? I probably wouldn't. I'm really big on the least-privilege kind of thing, and I could come through here and delete a whole bunch of stuff. But, you know, we're going to keep it here just in case somebody else might be playing that game. Alright, so when you think about a host-based firewall, number one, remember your output is really an access control list, you're going to be using least privilege, and you have a whitelist that builds up over time to allow certain programs to do whatever they need to do on the internet.

We have gazillions of files in gazillions of different places throughout our infrastructure. A lot of these files are absolutely critical, and we need to check them from time to time to make sure that they're in good order. We do this through what is known generically as a file integrity check. Now, file integrity checks work at all kinds of places. For example, a lot of applications will actually run file integrity checks on their types of files to make sure that they're okay. Operating systems can run file integrity checks to make sure that the operating system files are okay. So there's all kinds of different places where file integrity checks take place. What's important is that a file integrity check verifies that a particular file is in good order and is ready to run: the file isn't corrupted, the file hasn't been tampered with in some way, and the file is of the version and date that's expected.

Now, there's a lot of different ways to run a file integrity check. So what I'm going to do here on my Windows 10 system is I'm going to run a program, in fact, I've already run it for you, called System File Checker. So I've got Windows PowerShell open, and if you take a look, I've run System File Checker right here. So you see sfc /scannow. Now, it took it a while to run, so I just went ahead and ran it ahead of time. We're going to see some output from it here in just a moment. System File Checker is a Windows tool whose job is to check the core files that make up the Windows operating system: the critical executables and DLLs, and a few data files that collectively must be working in order for Windows to boot and run properly. You're going to run SFC if you get strange corruptions on Windows, mainly when you're not in an application. So if you're just booting up here to the desktop and things go weird, a quick system file check is always a good idea.

So how do we know a file is good? Well, first of all, you've got a couple of choices. Number one, when you know the file is good, go ahead and hash it. So you generate a hash of a file, and then you have this hash value. And a lot of times what they'll do is not only hash the file, but they'll hash all the attributes, like the name of the file and the date of the file and all that. So if somebody tries to change the name, the date changes on the file, or if anything within the file changes, the hash is going to change, and these tools can instantly go, "Oh, there's a problem." So they're going to have to run this before there's a problem. Now, Windows does it another way. Windows basically just makes an extra copy of all the critical files. It's not really a backup. I mean, it is a backup, but it's not like a backup that you run. Windows does this automatically and sets them aside in a very specific folder. So when you're running System File Checker, you're actually not comparing hashes or anything; you actually have a backup copy of these individual files, and it looks at each of them. And if it's good, great, and if it's not, it'll put up a big, nasty error and warn you that something's going on.

So what is interesting, though, is that all file integrity check tools pretty much always generate a log. Now, if you notice here, it said it didn't find any integrity violations on the screen. And let's go ahead and pull up the log file for this particular tool, and I think you're gonna see it agrees with that. And if you look way up at the top here, you'll see it's starting System File Checker, and then System File Checker terminated normally. So this one's a little boring, but it's still a good log. If there had been a problem, the issue would have popped up on the screen for a moment. But more importantly, this particular log file would be giving the names of each individual file and telling you that it had a problem. In that case, we can go ahead and grab Windows installation media, and we can do a repair install that would bring the proper copies back, and we would be okay. Now, remember, this is just Windows in this particular situation. If we were doing a file integrity check on, I don't know, some Photoshop images that I have, the Adobe tool itself has a file integrity checker built into it, and when it finds it, you know, it doesn't keep a backup copy. And in that particular case, guess what? You are going to be restoring from the backup.

It's really important for us in an enterprise environment to make sure that the applications that are running on our individual systems are the right applications. And when I say the right applications, I mean, number one, I don't want people installing unauthorized stuff. So yeah, I know you might like playing World of Warcraft, but I don't like people installing it on their individual systems. Equally, I don't want them installing things that I may not like. For example, you could be installing some little innocuous-looking game, but it actually is corrupted with malware. The other thing that comes into play when we talk about the right application is licensing. Well, actually, licensing slash inventory. If I'm using Microsoft Office, for example, and I'm still actually buying it on CDs, I'm buying X number of licensed copies. Now, if I want to, I could sit here and keep track of individual CDs. But in enterprise environments, what we usually do is we have some type of installation server, which then distributes out the right number of Office to all the different systems, and it actually keeps track of all the licensing for me. So that's really licensing and inventory, because it keeps track of the number of systems. If I've got 100 user licenses and I've only got 67 installed, it keeps track of that, so somebody comes along, hey, it'll just put another one in.

The other thing that becomes important for knowing the right application is the idea of standardization. As you might imagine, with me writing books, I go through a lot of Microsoft Word. And there's nothing more irritating than for me to have one version of Word, and somebody else to have another version of Word, and an editor over there to have another version of Word. So in an enterprise environment, it's really important for us to be very, very standardized, and making sure everybody's running not only the same office applications, but even things like web browsers and stuff like that can become very, very important. And that's where a whole class of programs with a whole bunch of different names comes in. They're called software management programs or desktop management programs or application whitelisting. There's a gazillion names for these guys. But basically, their job is to make sure that everybody's running the right applications we described. So when we're talking about software management, desktop management, application whitelisting, whatever you want to call them, remember, their main job is to make sure that you're running the right applications on your individual enterprise systems.
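The "hash the file plus its attributes" approach the lecture describes, as an added example that is not part of the original transcript and is not how System File Checker itself works (SFC compares against its own protected copies). It builds a baseline while the tree is known-good, then classifies every later difference. The directory layout, file names and tampering steps are constructed sample data; build_baseline, verify and demo are names chosen for this example.

```python
"""Added example: hash-based file integrity baseline and verification.

Not code from the lecture or from Windows. All file names below are
constructed sample data standing in for a system's critical files.
"""
import hashlib
import os
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Content hash, streamed so large binaries need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(root: Path, path: Path) -> dict:
    """One baseline entry: content hash plus a hash over name, size, mtime and content."""
    st = path.stat()
    rel = path.relative_to(root).as_posix()
    content = hash_file(path)
    # Binding the attributes into one hash means a rename, a touched timestamp
    # or a single edited byte all change it, which is what the lecture relies on.
    attrs = f"{rel}|{st.st_size}|{st.st_mtime_ns}|{content}".encode()
    return {"path": rel, "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "content": content, "attr_hash": hashlib.new(HASH_ALGO, attrs).hexdigest()}


def build_baseline(root: Path) -> dict:
    """Walk the tree while it is known-good. Keep the result where the host cannot rewrite it."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rec = file_record(root, p)
            files[rec["path"]] = rec
    return {"algo": HASH_ALGO, "files": files}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline and classify every difference."""
    current = build_baseline(root)["files"]
    expected = baseline["files"]
    report = {"ok": [], "modified": [], "metadata_only": [], "missing": [], "added": []}
    for rel, old in expected.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["attr_hash"] == old["attr_hash"]:
            report["ok"].append(rel)
        elif new["content"] != old["content"]:
            report["modified"].append(rel)        # bytes changed: tampering or corruption
        else:
            report["metadata_only"].append(rel)   # same bytes, different size/date
    report["added"] = sorted(set(current) - set(expected))
    return report


def make_sample_tree(root: Path) -> None:
    """Constructed stand-ins for critical files (not real binaries)."""
    (root / "bin").mkdir(parents=True, exist_ok=True)
    (root / "bin" / "service.exe").write_bytes(b"MZ\x90\x00 constructed sample binary")
    (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00 constructed sample library")
    (root / "config.ini").write_text("[service]\nport=8443\n")


def demo() -> dict:
    """Baseline a clean tree, tamper with it three ways, return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        baseline = build_baseline(root)
        clean = verify(root, baseline)
        # 1. edit content, 2. touch only the timestamp, 3. rename a file
        (root / "config.ini").write_text("[service]\nport=8443\ndebug=1\n")
        lib = root / "bin" / "helper.dll"
        st = lib.stat()
        os.utime(lib, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        (root / "bin" / "service.exe").rename(root / "bin" / "svchost.exe")
        tampered = verify(root, baseline)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, {k: v for k, v in rep.items() if v})
```

A rename shows up as one missing and one added path because the baseline is keyed by path; that is deliberate, since a critical executable appearing under a new name is exactly what a reviewer wants to see called out rather than silently matched by content. The baseline itself is only as trustworthy as its storage: an attacker who can rewrite files can usually rewrite a baseline kept beside them, so keep it on read-only media or sign it.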
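The host-firewall review the lecture describes (scroll the allow list, understand every entry, apply least privilege), as an added example that is not part of the original transcript and not a tool from Windows. The rule listing is a constructed sample whose key: value layout is only loosely modelled on a rule export; the field names, the approved install roots and the function names parse_rules and review are assumptions made for this example.

```python
"""Added example: least-privilege review of a host firewall's allow list.

Not code from the lecture or from Windows. The listing below is constructed
sample data; its field names are an assumption for this example.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_RULES = """\
Rule Name: Core Networking - DNS (UDP-Out)
Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
Program: C:\\Windows\\System32\\svchost.exe
Action: Allow

Rule Name: March of Empires: War of Lords
Enabled: Yes
Direction: In
Profiles: Private,Public
Program: C:\\Users\\mike\\AppData\\Local\\Packages\\MarchOfEmpires\\Game.exe
Action: Allow

Rule Name: Old backup agent
Enabled: No
Direction: In
Profiles: Domain
Program: C:\\Program Files\\Backup\\agent.exe
Action: Allow

Rule Name: Custom remote admin (TCP-In)
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Program: Any
Action: Allow
"""

# Install roots an administrator controls; anything else (user profiles,
# temp folders, removable media) is where self-installed software ends up.
APPROVED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split the listing into rules, one dict per blank-line-separated block."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rule = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # first colon only: values may contain ':'
            if sep:
                rule[key.strip().lower()] = value.strip()
        if rule:
            rules.append(rule)
    return rules


def review(rules: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every active allow rule that widens the implicit deny."""
    findings = []
    for r in rules:
        name = r.get("rule name", "<unnamed>")
        if r.get("enabled", "").lower() != "yes" or r.get("action", "").lower() != "allow":
            continue   # disabled or deny rules leave the implicit deny in place
        program = r.get("program", "Any")
        if program.lower() == "any":
            findings.append((name, "allow rule not scoped to a program"))
            continue
        if not program.lower().startswith(APPROVED_ROOTS):
            findings.append((name, f"program outside approved install roots: {program}"))
        if r.get("direction", "").lower() == "in" and "public" in r.get("profiles", "").lower():
            findings.append((name, "inbound allow active on the Public profile"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {reason}")
```

The three checks are the ones that matter on a quick review: an allow rule with no program is effectively a hole in the implicit deny, a program living under a user profile is something a user installed rather than something the administrator deployed, and an inbound allow that is active on the Public profile is exposed on untrusted networks. Disabled rules are skipped rather than flagged; they add nothing to the attack surface, though clearing them out keeps the list readable.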
