Windows 10 and its imminent launch have fuelled many discussions within tech circles. In this context, we decided to share our thoughts on one interesting Windows 10 security provision.
Windows has had long-standing issues with security. Hence, over the last couple of years, Microsoft has devoted extra resources to bumping up its security focus and image. With recent versions of Windows, Microsoft has added security-centric features like Secure Boot, ELAM, Windows Store Apps and AppLocker, and introduced SmartScreen at the desktop level. In addition, Windows Defender was upgraded from an antispyware solution to an antimalware solution in an attempt to make Windows more secure than before.
With Windows 10, Microsoft is trying to up the ante in terms of security. MMPC recently published an article explaining their new Antimalware Scan Interface (AMSI), which aims to curb malware at the memory level. The article goes on to explain how obfuscation is employed even in script-based malware, from string concatenation to a simple XOR to more complex encryption. AMSI will provide an interface for anti-virus products to contextually scan a target memory region for specific malicious content. An obfuscated malicious script must be fully deobfuscated before it is fed to a scripting engine, and at that point the plain-text script is in memory. Any bona fide security product can register for a callback in this context to invoke a scan of this deobfuscated content using the AMSI APIs provided by Microsoft.
This would aid security vendors, since there is currently no documented way to intercept a dynamic script buffer. Hence, security products have occasionally had to resort to undocumented methods to intercept the content fed into the script engine, which can entail stability and performance issues. Microsoft's AMSI should prove a more reliable alternative to DIY solutions for script interception.
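To make the design point concrete, here is a small Python model of the scan-at-execution idea, written for this post as an added example; it is not Microsoft's AMSI API and not K7 code. A toy script host undoes the two obfuscation layers mentioned above (string concatenation and a single-byte XOR), then hands the resulting plain-text buffer to every registered scan provider before running it. The signature string, the obfuscated sample script, the provider callback shape and the names `ScriptEngine`, `ScanContext` and `register_provider` are all constructed for the demonstration; the real interface has its own function names and arguments.

```python
"""Toy model of scanning a script buffer after the script has undone its
own obfuscation. Constructed example: not Microsoft's API, not K7's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed signature: a substring the stand-in scanner treats as malicious.
# The cmdlet name is invented for this example.
SIGNATURE = b"Invoke-BadPayload"


def signature_scan(buffer: bytes) -> bool:
    """Stand-in for an anti-virus content scan: True if the buffer is detected."""
    return SIGNATURE in buffer


@dataclass
class ScanContext:
    """What a provider receives per scan: a content name (hypothetical field),
    a session number and the fully deobfuscated buffer."""
    content_name: str
    session_id: int
    buffer: bytes


ScanProvider = Callable[[ScanContext], bool]


def build_obfuscated_script(plain: bytes, key: int = 0x5A, chunk: int = 4) -> Dict:
    """Produce the on-disk form of a script: the text is split into pieces
    (concatenation layer) and each piece is XORed with a one-byte key."""
    pieces = [plain[i:i + chunk] for i in range(0, len(plain), chunk)]
    return {"xor_key": key, "parts": [bytes(b ^ key for b in p) for p in pieces]}


def on_disk_form(script: Dict) -> bytes:
    """Serialised bytes a file-based scanner would see before execution."""
    return repr(script).encode()


@dataclass
class ScriptEngine:
    """Toy scripting host whose only language feature is rebuilding a string
    from obfuscated parts, then executing (here: acknowledging) it."""
    providers: List[ScanProvider] = field(default_factory=list)
    _next_session: int = 1

    def register_provider(self, provider: ScanProvider) -> None:
        """Model of a security product registering its scan callback."""
        self.providers.append(provider)

    def _deobfuscate(self, script: Dict) -> bytes:
        """Undo the XOR on each piece, then undo the concatenation split."""
        key = script["xor_key"]
        return b"".join(bytes(b ^ key for b in p) for p in script["parts"])

    def run(self, content_name: str, script: Dict) -> str:
        """Deobfuscate, offer the plain-text buffer to every provider, and
        execute only if no provider flags it."""
        plaintext = self._deobfuscate(script)
        ctx = ScanContext(content_name, self._next_session, plaintext)
        self._next_session += 1
        if any(provider(ctx) for provider in self.providers):
            return "blocked"
        return "executed"


def demo() -> Dict[str, object]:
    """Contrast a static scan of the obfuscated file with a scan of the buffer
    the engine is about to execute."""
    malicious = build_obfuscated_script(b"Invoke-BadPayload")
    benign = build_obfuscated_script(b"Write-Host 'hello'")

    engine = ScriptEngine()
    engine.register_provider(lambda ctx: signature_scan(ctx.buffer))

    return {
        # The XOR layer hides the signature from a file-level scan.
        "static_scan_detected": signature_scan(on_disk_form(malicious)),
        # Scanning at the engine, after deobfuscation, catches it.
        "obfuscated_malicious": engine.run("sample.ps1", malicious),
        # Benign content is scanned the same way and allowed through.
        "benign": engine.run("hello.ps1", benign),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is where the scan happens, not the scanner itself: the same trivial substring check fails on the stored file and succeeds once the host has rebuilt the plain text, which is exactly the buffer the interface described above exposes to registered products.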
Please refer to our earlier blog post for a detailed example of obfuscation in script-based malware.
K7 is getting ready for the Windows 10 release, and we will ensure that all our products are automatically upgraded through regular updates to remain compatible with Windows 10. As a K7 user, there is no effort required from you to prepare for this upgrade.
Images courtesy of:
royalwise.com
encrypted-tbn2.gstatic.com
Kaarthik RM
K7TCL