So what is Krypton anyway?
At the end of January, some of you may have seen a notification from us about a new IPS engine that we released for Symantec Endpoint Protection. So what’s special about it, and why do you need it anyway?
Firstly, let’s take a high-level overview of how IPS works. The Intrusion Prevention Signature engine in SEP looks at all the network traffic as it flows through your computer’s network card. It looks for strange occurrences, both in individual packets and in the reassembled stream (all the packets combined). Typically, we tell the IPS engine what to look for with signatures, but with SEP you can also write your own custom signatures (more on that in a later article). These signatures are updated every few weeks in response to things like the Microsoft security vulnerability and patch announcements.
By writing clever signatures, we are able to prevent a malicious piece of code from exploiting the VULNERABILITY, rather than blocking the malicious code itself (which is a nice side effect). These types of signatures are called “Generic Exploit Blocking” (GEB), and with a single signature we can block hundreds of different threats which use the same Microsoft vulnerability to propagate themselves. A quick example of this is the Microsoft patch MS08-067 - BID 31874, Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. This has been widely exploited by the W32.Downadup variants across the world; using GEB signatures, we have been able to significantly slow the spread of Downadup. In addition to this sort of protection, we also look at such attack vectors as drive-by downloads, attack toolkits (such as MPack) planted on third-party websites using SQL injection attacks, and additional protection against Metasploit attacks and fake-codec types of threats like Zlob.
Now, let’s take a look at why IPS is so important to your protection strategy. Let’s look at the traditional way of AV detection:
This very basic graph shows the detections of a fake codec type threat. At point 1, a new variant of the threat is released and detections in SEP go down. Point 2 is when we release a new AV signature to cover the variant, 3 is when another variant is released, and 4 is when we updated our signatures again. So you can see the ebb and flow of detections vs. new variants. This happened many times over in the space of a few days in June last year, so we started to look at different ways to protect our customers. What we did was add a single IPS signature into our list. The result was the graph below - you can see the AV detections dropped hugely.
How do we know that’s what it was? Well, as you can see from the next graph, IPS detections shot up.
What’s that steady trickle of AV detections still occurring? Well, that’s those people who aren’t running IPS on their systems - SAV customers, or SEP customers who aren’t running IPS.
Hopefully from this, you can see that IPS is a great way to protect machines from network-borne threats (most use the network these days to get onto your machine in some way) and that you really should be installing IPS onto all your SEP clients.
So now let’s look at Krypton.
Krypton is our newest IPS engine. It’s been in the consumer Norton products for a little while now and has proven itself to be very effective so we decided to release it early into the corporate world. We released Krypton as part of the Security Update 95 package for SEP – this was downloaded via LiveUpdate (or from your SEPM) and it’s the first time we have delivered any engine update outside of AV via LiveUpdate – it works great!
With Krypton, we added the ability for the IPS engine to do the following:
- Improved vulnerability protection
o Stopping exploits of browser-based plugins, multimedia applications and ActiveX controls
- Network threat evasion resistance
o Krypton can now decode traffic encoded with GZIP and chunked transfer encoding, enabling it to detect threats that try to hide themselves inside that encoding
- More accurate and efficient detection
o Stateful protocol decoding and identification means that, by breaking traffic apart by its protocol, the engine can apply only the relevant portion of the signatures to each piece of traffic, which leads to faster throughput and better detection
So as you can see, Krypton brings about some MAJOR improvements to performance, efficiency and detection rates. Let’s see how the old IPS engine would deal with some traffic:
BEFORE
We would write a signature that says “Find the malicious traffic 67 bytes into the packet”.
AFTER (with Krypton)
We can now refine that signature and say the following: “Find the malicious traffic ONLY in the HTTP client-bound traffic AND only 8 bytes from the beginning of the JPEG and NOT in SQL traffic”.
Also, in the event that a malicious file pretends to be an .XLS file, for example, but is really a PDF file, we will accurately identify the PDF and process the detection accordingly.
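As an added illustration (this is not Symantec code and not how Krypton is implemented internally), the Python sketch below puts the three ideas from this section together: undoing GZIP and chunked encoding before inspection, identifying the real file type from its leading bytes rather than the claimed Content-Type, and applying each signature only inside its own file type at an offset measured from the start of that file. The signature names, patterns, magic-byte table and the sample HTTP response are all constructed for the example.

```python
import gzip

# Real file type from leading (magic) bytes, never from the claimed Content-Type.
MAGIC = {b"\xff\xd8\xff": "JPEG", b"%PDF-": "PDF", b"\xd0\xcf\x11\xe0": "XLS"}

def identify(body):
    return next((t for m, t in MAGIC.items() if body.startswith(m)), "UNKNOWN")

def dechunk(data):
    # Undo HTTP chunked transfer encoding: <hex size>\r\n<chunk>\r\n ... 0\r\n\r\n
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]  # skip the chunk and its trailing CRLF

def decode_http_body(raw):
    # Split headers from body, then undo chunked and gzip so patterns cannot hide.
    head, _, body = raw.partition(b"\r\n\r\n")
    head = head.lower()
    if b"transfer-encoding: chunked" in head:
        body = dechunk(body)
    if b"content-encoding: gzip" in head:
        body = gzip.decompress(body)
    return body

# Constructed "AFTER"-style signatures: scoped to a file type and, optionally, an offset from its start.
SIGNATURES = [
    {"name": "JPEG exploit at offset 8", "file_type": "JPEG", "offset": 8, "pattern": b"EVIL"},
    {"name": "PDF exploit", "file_type": "PDF", "offset": None, "pattern": b"EVIL"},
]

def matches(sig, body):
    off, pat = sig["offset"], sig["pattern"]
    return pat in body if off is None else body[off:off + len(pat)] == pat

def scan(raw):
    # Return (real file type, names of signatures that fired) for one HTTP response.
    body = decode_http_body(raw)
    ftype = identify(body)
    return ftype, [s["name"] for s in SIGNATURES if s["file_type"] == ftype and matches(s, body)]

def build_response(body, claimed_type):
    # Constructed server reply: gzip + chunked, with a possibly lying Content-Type.
    gz = gzip.compress(body)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n%x\r\n%s\r\n0\r\n\r\n" % (claimed_type, len(gz), gz))
```

A PDF served with an Excel Content-Type is still scanned as a PDF, and a JPEG signature pinned to offset 8 does not fire on the same bytes appearing elsewhere in the image.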
Some quick FAQS:
How can I get Krypton?
If you are running Network Threat Protection and your protection signatures are dated past Jan 28th, then you have Krypton now.
How can I confirm I have Krypton?
Take a look at the file “WpsHelper.sys” in the System32\Drivers folder under where you have Windows installed; its version should be 12.0.0.27.
Why Krypton? Do you like superman?
No, it’s just that we name our latest IPS engines after the inert gases. The previous engine (which wasn’t in SEP) was called Argon.
Can I just run IPS in SEP, I don’t want the firewall?
At the moment, the IPS engine and the firewall are both combined in the “Network Threat Protection” component, but you can run the firewall with an open set of rules (either by creating allow-all rules or by “withdrawing” the firewall policy from the group your client is in), which will give you the benefit of Krypton without the effort of looking at the firewall rules at this moment.
So are you guys stopping writing AV signatures for these threats now then?
Absolutely not, we will continue to write signatures for AV. However, AV is a reactive technology, and as more and more variants are released it is difficult to keep up. Krypton and IPS are a proactive technology: one early-written signature for a vulnerability can block many network-borne infection attempts.