Developer: Positive Technologies
First release date: 2016/09/22
Last release date: 2017/12/07
Technology: Information security - antiviruses, antispam, firewalls, information leakage prevention
PT MultiScanner is a multithreaded system for detecting malicious content.
2024: Critical vulnerability found in popular Positive Technologies products
At the end of October, FSTEC published a warning about the critical vulnerability BDU:2024-08291[1], found in two Positive Technologies products, PT Sandbox and PT MultiScanner. Versions 5.6.0 through 5.15.0 inclusive are vulnerable; the fix is in version 5.15.1 (a certified build is also available). The severity is rated 8.8 out of 10 on CVSS v3. No exploitation of this vulnerability has been recorded so far.
"In the case of this vulnerability, it was found within the framework of the standard internal Positive Technologies program and eliminated by our developers; all users of our products received the appropriate updates and notifications about the measures that need to be taken for further work," the press service of Positive Technologies assured the readers of TAdviser. "According to the rules of responsible disclosure of vulnerabilities in Russia, information about the vulnerability was sent to FSTEC."
The vulnerability belongs to the class of stored cross-site scripting (stored XSS) and affects the web interface used by an administrator or security specialist. When such a user is connected to the web interface, malicious JavaScript can run on that user's behalf. With it, attackers could both take over the administrator's computer and disable corporate security settings. XSS errors are usually not rated critical, but in this case the error allows, firstly, penetration of the perimeter and, secondly, tampering with the security system itself.
"In this case, the vulnerability can only be exploited for APT attacks, since only the data that passes through it can be pulled out of the internal system, which means that this is a rather closed story," Andrei Michkin, head of the information security solutions implementation department at Cloud Networks, explained the situation for TAdviser. "You need to understand that the sandbox as a product is an isolated topic; even the data of some verified letter, most likely, cannot be obtained in an easily accessible format. In addition, this product is not yet used in all companies, and the manufacturer himself has already released several recommendations for fixing the vulnerability."
However, the fixes mainly amount to installing the latest[2] updates[3] of the corresponding products. Even FSTEC in its message gives no recommendations for users who cannot install the updates. It is clear, though, that a web application firewall (WAF) may well protect against this class of errors. For that, it must sit in front of the corresponding Positive Technologies product's interface and filter special characters in the web application's traffic.
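To show the bug class at the heart of this section, here is an added example (not code from PT MultiScanner or Positive Technologies) of a scanner web interface rendering a results table: the filename comes from a scanned e-mail attachment, so it is attacker-controlled, and a row rendered without output encoding stores the payload into every administrator's page. The escaped renderer, the response headers and the tag-counting check are all hypothetical defender-side constructs.

```python
import html
import re

# Constructed sample scan records: the filename is untrusted because it
# arrived inside a scanned attachment. The marker payload is the classic
# harmless alert(1), enough to prove markup survives into the admin page.
SCAN_RESULTS = [
    {"filename": "invoice.pdf", "verdict": "clean"},
    {"filename": "<script>alert(1)</script>.exe", "verdict": "malicious"},
]

def render_row_vulnerable(rec):
    # Stored XSS: untrusted values are interpolated into HTML verbatim, so
    # whatever the attacker named the file becomes live markup for the admin.
    return f"<tr><td>{rec['filename']}</td><td>{rec['verdict']}</td></tr>"

def render_row_safe(rec):
    # Fix: HTML-escape every untrusted value at the point of output.
    name = html.escape(rec["filename"], quote=True)
    verdict = html.escape(rec["verdict"], quote=True)
    return f"<tr><td>{name}</td><td>{verdict}</td></tr>"

def render_table(records, renderer):
    return "<table>" + "".join(renderer(r) for r in records) + "</table>"

# Defense in depth for the admin UI (hypothetical header set): a CSP that
# forbids inline script limits what a stored payload can do even if one slips
# past output encoding.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Only the tags the template itself emits are expected in the fragment.
ALLOWED_TAGS = {"table", "tr", "td"}
TAG_RE = re.compile(r"</?\s*([a-zA-Z][a-zA-Z0-9]*)")

def unexpected_tags(fragment):
    """Return tag names found in rendered HTML beyond the template's own tags.
    Any hit means untrusted data reached the page as live markup."""
    return sorted({t.lower() for t in TAG_RE.findall(fragment)} - ALLOWED_TAGS)

if __name__ == "__main__":
    print(unexpected_tags(render_table(SCAN_RESULTS, render_row_vulnerable)))
    print(unexpected_tags(render_table(SCAN_RESULTS, render_row_safe)))
```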
"In this situation, the most effective way to protect would be to check the configuration and 'design' of web resources," Andrey Michkin recommended. "Also, do not forget about the use of a WAF: the firewall could well protect against the consequences of exploiting this vulnerability. Theoretically, the vulnerability could be exploited in remote access mode to change or provoke a failure in the MPS settings. However, there are no special reasons for excitement yet: to the credit of the manufacturer, a list of recommendations for eliminating the vulnerability has already been released."
2017
December update
On December 7, 2017, Positive Technologies announced the release of the next version of PT MultiScanner. The upgraded system can localize and block the transfer of malicious objects directly in the mail flow and combine the malware identified across the infrastructure into a single infection threat.
PT MultiScanner makes it possible to find all the channels through which an infection spreads and the critical infrastructure nodes affected by it, the developers said. To work with the collected data, a web interface was created with dashboards, statistics and configurable filters.
The PT MultiScanner architecture allows it to process up to 150 thousand files per hour in streaming mode. System resources are not left idle when there is no load (for example, during non-working hours): retrospective analysis is launched automatically, which allows previously unknown malware to be detected while avoiding any impact on system performance during peak hours.
PT MultiScanner can use "black" and "white" lists:
- customized lists can be created manually;
- blacklists supplied by Positive Technologies can be used.
Infection detection can be tuned to the specifics of a particular company, increasing the efficiency of detecting and blocking malware. If an object from the "black" list is found in the historical data, PT MultiScanner launches a retrospective analysis and notifies the operator in the web interface and/or by sending a notification to a dedicated mailing address or SIEM system.
Up-to-date information about objects - blocked, passed through, or identified during retrospective analysis - is displayed in the unified statistics panel. This speeds up the operator's response to the infection threats identified in the network. For convenient work with the data, PT MultiScanner allows user-defined filters to be created, which reduces the time to process requests such as "find all ransomware in mail, web traffic or storage" to tens of seconds.
PT MultiScanner aggregates all the same objects transmitted in different malware distribution streams into one infection threat, which reduces the operator's labor costs for analyzing the distribution scheme and significantly increases the efficiency of investigation and response to incidents.
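The blacklist-driven retrospective analysis and the aggregation of identical objects into one infection threat, as an added example (not PT MultiScanner's own code): a constructed scan history is re-evaluated against a hash blacklist, every object previously passed as clean that now matches is grouped by SHA-256 across mail, web and storage channels, and one SIEM-style notification per threat is produced. The record layout, channel names and notification format are assumptions.

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample contents standing in for real scanned files.
SAMPLES = {"dropper": b"constructed sample A", "report.docx": b"constructed sample B"}

# Constructed scan history: the same dropper passed through three channels
# while no engine flagged it, so every record still carries verdict "clean".
HISTORY = [
    {"id": 1, "channel": "mail", "target": "host-a", "sha256": sha256_hex(SAMPLES["dropper"]), "verdict": "clean"},
    {"id": 2, "channel": "web", "target": "host-b", "sha256": sha256_hex(SAMPLES["dropper"]), "verdict": "clean"},
    {"id": 3, "channel": "storage", "target": "fileserver", "sha256": sha256_hex(SAMPLES["report.docx"]), "verdict": "clean"},
    {"id": 4, "channel": "mail", "target": "host-c", "sha256": sha256_hex(SAMPLES["dropper"]), "verdict": "clean"},
]

def retrospective_analysis(history, blacklist, allowlist=frozenset()):
    """Re-check stored verdicts against the current lists. Every historical
    object that matches the blacklist (and is not allowlisted) is grouped by
    hash, so copies seen in different channels form ONE infection threat."""
    threats = defaultdict(lambda: {"channels": set(), "targets": set(), "records": []})
    for rec in history:
        h = rec["sha256"]
        if h in allowlist or h not in blacklist or rec["verdict"] != "clean":
            continue
        threat = threats[h]
        threat["channels"].add(rec["channel"])
        threat["targets"].add(rec["target"])
        threat["records"].append(rec["id"])
    return dict(threats)

def notifications(threats):
    """One operator notification per threat rather than per object, in a
    single-line key=value form suitable for forwarding to a SIEM."""
    lines = []
    for h, t in sorted(threats.items()):
        lines.append(
            f"threat sha256={h[:16]} objects={len(t['records'])} "
            f"channels={','.join(sorted(t['channels']))} "
            f"affected={','.join(sorted(t['targets']))}"
        )
    return lines

if __name__ == "__main__":
    # A vendor blacklist update arrives containing the dropper's hash.
    for line in notifications(retrospective_analysis(HISTORY, {sha256_hex(SAMPLES["dropper"])})):
        print(line)
```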
Certification in the Ministry of Defense of the Russian Federation
The multi-level malware protection system PT MultiScanner has passed testing in the certification system of the Ministry of Defense of the Russian Federation. This means that it can now be used in all units of the ministry, Positive Technologies reported on September 5, 2017.
PT MultiScanner is used in areas where you need to scan a large incoming stream of user files for viruses - on government service portals, in banking, insurance, telecommunications and other areas. It improves the accuracy and responsiveness of threat detection by multithreaded scanning by multiple antiviruses in combination with other threat detection methods, including retrospective analysis of malicious files in the system.
Certificate No. 3710 was issued on August 22, 2017 and is valid for three years. The document confirms that the Positive Technologies system meets the requirements of the guidance document "Protection against unauthorized access to information. Part 1. Information security software. Classification according to the level of control of the absence of undeclared capabilities" at the 2nd level of control of the absence of undeclared capabilities. The certificate also indicates that the product's actual functionality matches the functionality declared in its documentation.
2016: Malicious Content Detection System Established
On September 22, 2016, Positive Technologies introduced the PT MultiScanner multithreaded malicious content detection system.
The product improves the accuracy and responsiveness of threat detection on the corporate network through parallel scanning by several antivirus engines, targeted analysis of the behavior of malicious files, and reputation services.
"Some studies show that about 400 thousand units of new and modified malware appear every month. At the same time, updates produced by antivirus companies are often delivered to users too late: weeks, and sometimes months, pass between the initial detection of the malware and its detection by other manufacturers of antivirus solutions. At the same time, we don't even have to talk about any 100% protection against all new threats. Attackers, on the other hand, actively exploit the so-called zero-day vulnerabilities, and often vulnerabilities in the antiviruses themselves (for example, when implementing targeted attacks). In such cases, for additional protection, the information security service often turns to cloud cross-check services, which, in turn, increases the likelihood of leakage of confidential information."
PT MultiScanner helps to increase the level of detection of malicious files without the risk of compromising data in cloud services. It is installed locally, inside the protected perimeter. The optional ability to update antiviruses makes it possible to work in isolated segments of the network and prevent possible data leaks: the files being scanned do not leave the system infrastructure.
PT MultiScanner performs automated file scanning on various antivirus engines, including those developed by Kaspersky Lab, ESET, Sophos, Doctor Web. At the same time, the unified internal knowledge base of Positive Technologies and reputation lists are constantly updated and reveal what antiviruses have missed.
"The product can be used both to selectively check files and to protect mail traffic, file storage, archives and web portals in streaming mode. PT MultiScanner's targeted threat analysis module allows malicious objects to be studied comprehensively and helps identify attacks distributed over time. Incident investigation is also greatly facilitated by a retrospective analysis module that allows you to find out which systems were exposed to malware in the past, before it became known to antiviruses."
PT MultiScanner integrates into any IT infrastructure thanks to its support for standard interfaces (REST API, SMTP, ICAP, Syslog) and its monitoring of file resources and network traffic.
"According to various estimates, the total costs of eliminating the consequences of one viral infection can amount to millions of rubles. In such a situation, even a 1% increase in the detection level due to parallel scanning will reduce the likelihood of viral infection to 0.1%. This is the level of risk that we manage and control, including thanks to the PT MultiScanner targeted threat analysis module."
According to a statement from the developer company, the product will help reduce the labor costs of processing employee applications for checking suspicious content.
As of September 22, 2016, the company announced the completion of a pilot implementation of the product in a number of companies in the financial, insurance and telecommunications business sectors.
Notes
- ↑ BDU:2024-08291: Vulnerability of the PT MultiScanner malware protection system and PT Sandbox
- ↑ PT-2024-27 (https://www.ptsecurity.com/ru-ru/research/threatscape/pt-2024-27/)
- ↑ Stored XSS in PT Sandbox and PT MultiScanner