Adaptive Defense Guide
Source: pandasecurity.s3.amazonaws.com › enterprise › solutions... (mirrored copy posted 28-Jun-2020)

Table of Contents

1. Prologue ..... 6
1.1. Who is this guide for? ..... 6
1.2. Icons ..... 6
2. Introduction ..... 8
2.1. Main features of Adaptive Defense ..... 8
2.2. Adaptive Defense User Profile ..... 9
2.3. General architecture of the Adaptive Defense service ..... 9
2.3.1. Adaptive Defense server ..... 10
2.3.2. Administration console Web server ..... 11
2.3.3. Computers protected with Adaptive Defense ..... 11
2.3.4. Logtrust accumulated knowledge server ..... 11
2.3.5. Customer SIEM servers compatible with Adaptive Defense ..... 12
3. Basic concepts of Adaptive Defense ..... 14
3.1. Features of the endpoint protection service ..... 14
3.1.1. The detection ratio ..... 14
3.1.2. The classification ratio ..... 14
3.1.3. Classification reliability ..... 14
3.2. Adaptive Defense model ..... 14
3.3. Process classification in Adaptive Defense ..... 15
3.3.1. Known processes ..... 15
3.3.2. Unknown processes ..... 15
3.3.3. Types of known processes ..... 15
3.4. Event analysis ..... 16
3.5. Customer data confidentiality ..... 17
3.5.1. Guidelines on data collected by the service ..... 17
3.5.2. Information collected from machines ..... 17
3.5.3. Privacy of information collected ..... 18
4. Installation and start-up of Adaptive Defense service ..... 21
4.1. Checklist of steps and necessary requirements ..... 21
4.2. Learning phase ..... 28
4.3. Malware blocking phase (hardening) ..... 29
5. Security status and computer visibility ..... 31
5.1. Adaptive Defense service status ..... 31
5.2. Security status of the IT infrastructure ..... 31
5.2.1. Malicious programs ..... 32
5.2.2. Under investigation at our lab ..... 32
5.2.3. Vulnerable programs ..... 33
5.2.4. Potentially Unwanted Programs ..... 34
5.2.5. Top Risk Users ..... 34
5.2.6. Top Risk Computers ..... 35
5.3. Detailed activity reports of threats ..... 36
5.3.1. Malicious programs ..... 36
5.3.2. Under investigation at our lab ..... 37
5.3.3. Vulnerable programs ..... 39
5.3.4. Potentially Unwanted Programs ..... 39
5.3.5. Top Risk Users ..... 40
5.3.6. Top Risk Computers ..... 40
5.4. Executive report ..... 41
6. Configuration of Adaptive Defense behavior ..... 43
6.1. Classified programs ..... 43
6.1.1. Running specific programs classified as malware ..... 43
6.2. Unclassified programs ..... 43
6.2.1. Audit mode ..... 44
6.2.2. Blocking mode for programs being classified (Extended Mode) ..... 44
6.2.3. Limited execution mode for programs being classified (Deep Hardening mode) ..... 44
6.2.4. Complete execution mode for programs being classified (Hardening mode) ..... 45
7. Forensic analysis and attack prevention ..... 47
7.1. Deep Hardening mode and infection by unknown malware ..... 47
7.2. Forensic analysis and prevention of attacks from infected computers ..... 47
7.2.1. Forensic analysis through action tables ..... 47
7.2.2. Forensic analysis through execution graphs ..... 51
7.2.3. Diagrams ..... 52
7.2.4. Nodes ..... 52
7.2.5. Lines and arrows ..... 54
7.2.6. The timeline ..... 54
7.2.7. Zoom in and Zoom out ..... 55
7.2.8. Timeline ..... 55
7.2.9. Filters ..... 55
7.2.10. Movement of nodes and general zoom ..... 56
7.3. Interpretation of the action tables and activity graphs ..... 57
7.3.1. Example 1: Display of actions executed by the malware Trj/OCJ.A ..... 57
7.3.2. Example 2: Communication with external computers in BetterSurf ..... 58
7.3.3. Example 3: Access to the registry with PasswordStealer.BT ..... 60
7.3.4. Example 4: Access to confidential data by Trj/Chgt.F ..... 61
8. Analysis of knowledge and advanced searches ..... 64
8.1. Access to the Logtrust environment ..... 64
8.2. Description of the Adaptive Defense tables ..... 64
8.2.1. Alert Table ..... 65
8.2.2. Drivers Table ..... 70
8.2.3. Filesdwn Table ..... 71
8.2.4. Hook table ..... 75
8.2.5. Install Table ..... 77
8.2.6. Monitoredopen Table ..... 78
8.2.7. Notblocked Table ..... 79
8.2.8. Ops Table ..... 82
8.2.9. Registry Table ..... 84
8.2.10. Socket Table ..... 86
8.2.11. Toast Table ..... 91
9. Appendix I: Integration with SIEM products ..... 95
10. Appendix II: Service Level Agreements ..... 97
10.1. Pre-sales and Migration Service ..... 97
10.2. Technical Support Service ..... 97
10.3. Our infrastructure in the Cloud ..... 98
10.4. Unreliable software classification service ..... 100


1. Prologue

This guide describes how to use the Adaptive Defense product and the procedures needed to get the most out of it.

1.1. Who is this guide for?

This document is intended for network administrators who need to protect the Windows computers in the company's IT infrastructure against Advanced Persistent Threats (APTs).

Although Adaptive Defense is a managed service that offers guaranteed protection without the involvement of the network administrator, it also provides very detailed, easy to understand information on the processes and programs run by users on company computers, whether they are known or unknown threats or legitimate programs.

So that the network administrator can correctly interpret the information offered and draw conclusions that lead to new initiatives to strengthen the company's security, technical knowledge of Windows environments at the process, file system and registry level is required, as well as an understanding of the most frequently used network protocols.

1.2. Icons

The following icons appear in this guide:

- Additional information, such as an alternative method for performing a certain task.
- Suggestions and recommendations.
- Important tips on correctly using Adaptive Defense options.


2. Introduction

Adaptive Defense is a security service based on monitoring, controlling and classifying the processes run in the infrastructure according to their behavior and nature.

Unlike traditional antivirus products, Adaptive Defense uses a security model that adapts to the particular environment of each company: it monitors the execution of every application and learns continuously from the actions triggered by each process.

After a brief learning period, Adaptive Defense offers a far higher level of protection than a traditional antivirus, and provides valuable information on the context in which a security problem arose, so that its scope can be determined and measures put in place to prevent it recurring.

Adaptive Defense is a cloud service, so it requires no new control infrastructure in the company, helping to keep the TCO low.

2.1. Main features of Adaptive Defense

Adaptive Defense is a managed service that offers guaranteed security against targeted attacks and APTs, based on four cornerstones:

- Display in real time of each action performed by the running applications.
- Detection of threats by automatically classifying all the files and processes on the network, using Machine Learning techniques on Big Data infrastructures.
- Response through forensic analysis, to fully investigate the scope of each intrusion attempt.
- Prevention through information that helps the network administrator to prevent similar targeted attacks in the future.


2.2. Adaptive Defense User Profile

Although Adaptive Defense is a managed service that offers security without the involvement of the network administrator, it also provides very detailed, understandable information about the activity of the processes run by users across the whole of the company's IT infrastructure. The administrator can use this information to identify the impact of possible problems and adapt the company's security procedures, preventing equivalent situations in the future.

All users with an Adaptive Defense Agent installed on their computer receive a guaranteed security service that prevents the execution of programs that pose a threat to the company's activity.

2.3. General architecture of the Adaptive Defense service

Adaptive Defense is an advanced security service based on analyzing the behavior of the processes run on each customer's infrastructure.

Processes are analyzed by applying Machine Learning techniques on Big Data infrastructures hosted in the cloud, so the customer does not have to install hardware or additional resources in their offices.

The general schema of Adaptive Defense is shown below:


According to the figure, Adaptive Defense is made up of the following elements:

- Adaptive Defense Server
- Administration console Web server
- Computers protected with Adaptive Defense
- Network administrator's computer, which accesses the Web console
- Logtrust server, providing a real-time service on accumulated knowledge
- Customer's SIEM servers compatible with Adaptive Defense

The roles of each element of the architecture are detailed below.

2.3.1. Adaptive Defense server

The Adaptive Defense server compiles all the actions performed by the user's processes, as sent by the Agents installed on the customer's computers. It assesses their behavior using learning techniques and issues a classification for each process run, which is returned to the Agent so that it can enforce a decision.

The Adaptive Defense server is a cloud-based server farm that provides a Big Data operating environment in which Machine Learning rules are applied continuously to classify each process run.

Compared with the model adopted by traditional antivirus products, based on sending samples to the provider for manual analysis, this cloud-based process analysis model has several advantages:

- The classification accuracy for a process run on multiple endpoints over time is 99.9991%, that is, an error rate below 0.001%, or fewer than one error for every 100,000 files analyzed, so the number of false positives and false negatives is close to zero.
- The delay in classifying processes seen for the first time is minimal, because the Adaptive Defense Agent sends the actions triggered by each process and the server analyzes them looking for suspicious patterns. In addition, for executable files found on the user's computer that are unknown to the Adaptive Defense platform, the Agent sends the file itself to the server for analysis. The impact of sending unknown executables on the performance of the customer's network is designed to go unnoticed: an unknown file is sent only once across all customers that use Adaptive Defense (once one Agent has uploaded it, every other Agent reuses the result), and mechanisms are in place to manage bandwidth usage, with per-Agent and time limits, to minimize the impact on the customer's network.
- CPU consumption on the user's computer is minimal, estimated at 2% compared with the 5%-15% of traditional security solutions, because the entire analysis and classification process is carried out in the cloud. The installed Agent simply collects the classification sent by the Adaptive Defense server and applies the corrective action.
- Cloud analysis frees the customer from installing and maintaining hardware and software infrastructure, paying licenses and managing warranties, so the TCO drops significantly.

See Appendix II for information on the availability of the Adaptive Defense platform and classification times.
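The two upload controls described above, sending an unknown file only once across all endpoints and capping what each Agent may send, come down to a content-addressed "have you seen this hash?" check in front of a per-Agent byte budget. The following is an added illustration of that logic, not Panda's own Agent or server code; the class names, the budget size and the deferral behaviour are assumptions made for the example, and the "executables" are constructed byte strings.

```python
"""Illustration (not the vendor's code) of the two mechanisms section 2.3.1
describes for unknown executables: a file is uploaded at most once across
all endpoints that see it, and each Agent respects a bandwidth budget.
Class names, the budget size and the deferral rule are assumptions."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CloudSampleStore:
    """Server side: content-addressed store. Knowing a hash is enough to
    tell every Agent 'do not upload this again'."""
    seen: set = field(default_factory=set)
    bytes_received: int = 0

    def is_known(self, digest: str) -> bool:
        return digest in self.seen

    def receive(self, digest: str, data: bytes) -> None:
        if sha256_hex(data) != digest:      # reject a mislabelled upload
            raise ValueError("digest mismatch")
        self.seen.add(digest)
        self.bytes_received += len(data)


@dataclass
class Agent:
    """Endpoint side: asks before uploading, and stops once its budget is spent."""
    name: str
    cloud: CloudSampleStore
    upload_budget: int            # bytes this Agent may upload in the window
    uploaded: int = 0
    deferred: list = field(default_factory=list)   # hashes to retry later

    def on_unknown_executable(self, data: bytes) -> str:
        digest = sha256_hex(data)
        if self.cloud.is_known(digest):
            return "skipped"            # another endpoint already sent it
        if self.uploaded + len(data) > self.upload_budget:
            self.deferred.append(digest)
            return "deferred"           # bandwidth/time limit: retry later
        self.cloud.receive(digest, data)
        self.uploaded += len(data)
        return "uploaded"


def simulate() -> dict:
    """Two Agents see the same unknown file; one also sees an oversized one."""
    cloud = CloudSampleStore()
    a = Agent("PC-A", cloud, upload_budget=1_000)
    b = Agent("PC-B", cloud, upload_budget=1_000)
    tool = b"MZ" + b"\x90" * 600          # constructed stand-in for an unknown .exe
    big = b"MZ" + b"\x00" * 2_000         # constructed: larger than the budget
    return {
        "a_first": a.on_unknown_executable(tool),
        "b_same_file": b.on_unknown_executable(tool),
        "a_too_big": a.on_unknown_executable(big),
        "cloud_bytes": cloud.bytes_received,
        "a_deferred": len(a.deferred),
    }


if __name__ == "__main__":
    print(simulate())
```

The server-side digest check matters: without it an endpoint could register a hash it never actually uploaded and suppress analysis of that file for every other customer.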


2.3.2. Administration console Web server

Adaptive Defense is fully managed through the Web console, which the administrator can access at the following URL:

https://paps.pandasecurity.com/paps

The Web console is compatible with the most common browsers and accessible from any location at any time, using any device with a compatible browser installed.

See Chapter 4, Installation and start-up of the Adaptive Defense service, to check whether your browser is compatible with the service.

The Web console is responsive, so it is also accessible from smartphones and tablets.

2.3.3. Computers protected with Adaptive Defense

The Adaptive Defense Agent is a small software component of less than 20 MB which must be installed on every machine in the infrastructure that could suffer security problems.

The Agent works by collecting information on all the events that occur on the machine and sending it to the Adaptive Defense Server. All the information collected concerns software events and the components that produce them; no user information or documents are collected (see section 3.5 for the data collection guidelines).

The Agent sends all information to the Adaptive Defense Server in real time for its use and classification.

The Adaptive Defense Agent can be installed without problems on machines that already have other security solutions.

2.3.4. Logtrust accumulated knowledge server

Adaptive Defense optionally provides a storage service for all the knowledge generated by the customer's computers, recording every action performed by the processes run in the IT infrastructure, whether goodware or malware. All the data collected can therefore be listed and displayed flexibly to obtain additional information on threats and on how users are using the company's computers.

The Logtrust service is accessible from the Web console dashboard.

See Chapter 8 to configure and take advantage of the knowledge analysis and advanced search service.


2.3.5. Customer SIEM servers compatible with Adaptive Defense

Adaptive Defense integrates with third-party SIEM solutions, sending them the data collected about the activity of the applications run on workstations. This information is sent to the SIEM server together with the knowledge of the Adaptive Defense platform, and can be used by the customer's own systems.

The SIEM systems compatible with Adaptive Defense are listed below:

- QRadar
- AlienVault
- ArcSight
- LookWise
- Bitacora

See Appendix I, Integration with SIEM products, for more information on integrating Adaptive Defense with third-party SIEM systems.


3. Basic concepts of Adaptive Defense

Adaptive Defense is a guaranteed security service based on a protection model that is completely different from the one used by traditional antivirus products, whether on-premise, cloud-based or standalone.

3.1. Features of the endpoint protection service

When it comes to protecting the computers on the network, a reliable security product is characterized by three main parameters: the detection ratio, the classification ratio and the classification reliability of the files analyzed. A fourth parameter, time, cuts across all three.

3.1.1. The detection ratio

The detection ratio answers the question "How many viruses does the security solution know?" It is the percentage of distinct samples recognized by the security provider, compared with the total number of samples in circulation.

3.1.2. The classification ratio

The classification ratio answers the question "How many files do you know?" It is the percentage of files already recognized by the provider, for which a classification can be issued, compared with the total number of files circulating on the customer's network.

3.1.3. Classification reliability

Classification reliability measures the level of certainty in the verdict given when an element is classified as goodware or malware. Equivalently, it is the inverse of the likelihood that a known element changes its classification, either because it was initially classified as goodware and subsequently reclassified as malware, or vice versa.

3.2. Adaptive Defense model

In the proposed model, malware is still classified and detected locally with the heuristic methods known from traditional systems, but the main novelty is the automatic collection of the actions triggered by each process run on the customer's computers, and their subsequent study using Machine Learning techniques in the Big Data environments deployed in the security provider's infrastructure.

Each Agent installed on a customer computer records all the actions and system changes produced by each process the user runs. These fully detailed actions are sent to the provider, producing continuous, real-time data mining of process behavior. This is how Adaptive Defense comes to know the characteristics and behavior of every file circulating on its customers' networks.


Given that the same software run by many customers can generate different groups of actions depending on how it is used, the provider has access to a multitude of executions of the same program. This gives Adaptive Defense a volume of highly valuable additional evidence that is impossible to replicate in the traditional model and which, once cross-referenced and exploited with statistical analysis technologies on Big Data platforms, enables almost instantaneous automatic classification, in most cases, of every process run by every customer, with near 100% reliability.

3.3. Process classification in Adaptive Defense

The classification process consists in determining the threat posed by each program run in the customer's company.

At the first level, the system distinguishes between two statuses:

- Known processes
- Unknown processes

3.3.1. Known processes

These are processes already recorded and analyzed by Adaptive Defense, or processes with certain characteristics that make them known without having to analyze them. This group includes programs that form part of the operating system and programs digitally signed by a known certification authority.

Every process known to Adaptive Defense has an associated hash, so the Agent can ask the Adaptive Defense Server whether a process is known or not and, if it is, reuse its classification.

3.3.2. Unknown processes

These are processes new to the system, so their hash is not yet registered by the service and they have no associated classification. Whether an unknown process is allowed to run on the customer's computer depends on the service's configuration. If it is allowed to run, the Agent sends the server the events generated by each execution of the process on each of the users' computers. Once a sufficiently relevant number of events has been collected by the Adaptive Defense Server, a classification is issued and the process changes to Known status.

3.3.3. Types of known processes

There are two types of known process: goodware and malware/PUP.

Goodware: a known process that has displayed safe behavior since the first time it was seen on a computer. A process can be goodware for various reasons:

- It belongs to the base distribution of the operating system and is digitally signed by a trustworthy certification authority.
- It has been monitored one or more times, so the events it generated have already been studied by Adaptive Defense.

Malware/PUP: Adaptive Defense analyzes the behavior of running processes and assesses the threat level of their actions. If a program has, in the past, performed actions that are a threat to a computer or network where Adaptive Defense was running, it is classified as malware or as a potentially unwanted program for all customers of the service.

3.4. Event analysis

Adaptive Defense rests on three cornerstones: an Agent installed on the customer's endpoint, a cloud-based automated analysis system, and a team of experts at PandaLabs that studies the most complicated threats, those the automatic systems cannot resolve on their own.

The Agent installed on each customer computer monitors every process run and sends all the events to the cloud, where this knowledge is used to determine automatically, in most cases, the threat posed by the running processes.

The set of action types recorded and sent to the provider is very exhaustive; the most important are listed below:

- Download of files
- Installation of software
- Download URLs
- Modification of the hosts file
- File age
- Creation/installation of drivers
- Capture of screenshots
- Process communications (IP address, ports, protocols)
- Creation and modification of executable files
- Loading of DLLs
- Creation of services
- Mapping of executable files
- Deletion and renaming of files
- Creation of folders
- Creation and opening of files
- Creation and modification of registry branches
- Creation of threads in remote processes
- Termination of processes
- Access to the SAM
- Access to data (around 200 file formats)
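Sections 3.3 and 3.4 together describe one lifecycle: the Agent keys each executable by its hash, asks the server whether that hash is Known, and if it is not either blocks it or lets it run while forwarding its actions; once enough actions have accumulated the server issues a verdict and the hash becomes Known for every Agent. The block below is an added illustration of that lifecycle, written for this edit and not taken from the product; the action names are drawn from the list above, but the weights, the "enough events" threshold, the malware score and the `block_unknown` switch (standing in for the configuration choice the guide mentions) are all assumptions, and the executables and event streams are constructed.

```python
"""Added illustration (not the vendor's code) of the process-classification
lifecycle in sections 3.3 and 3.4. Action names come from the section 3.4
list; weights, thresholds and the block_unknown switch are assumptions."""
import hashlib
from collections import Counter

# Action types taken from the section 3.4 list; weights are illustrative.
RISK_WEIGHTS = {
    "remote_thread": 4,      # creation of threads in remote processes
    "sam_access": 4,         # access to the SAM
    "hosts_modify": 3,       # modification of the hosts file
    "driver_install": 3,     # creation/installation of drivers
    "screenshot": 2,         # capture of screenshots
    "net_comm": 1,           # process communication (IP, port, protocol)
    "exe_create": 1,         # creation/modification of executable files
    "file_open": 0,          # creation and opening of files
}
MIN_EVENTS_FOR_VERDICT = 5   # "sufficiently relevant number of events" (assumed)
MALWARE_SCORE = 8            # assumed threshold


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ClassificationServer:
    """Cloud side: hash -> verdict, plus per-hash event accumulation."""

    def __init__(self):
        self.verdicts = {}          # hash -> "goodware" | "malware"
        self.events = {}            # hash -> Counter of action types

    def lookup(self, h: str) -> str:
        return self.verdicts.get(h, "unknown")

    def ingest(self, h: str, action: str) -> str:
        """Record one event; classify once enough evidence exists."""
        c = self.events.setdefault(h, Counter())
        c[action] += 1
        if sum(c.values()) < MIN_EVENTS_FOR_VERDICT:
            return "unknown"
        score = sum(RISK_WEIGHTS.get(a, 0) * n for a, n in c.items())
        self.verdicts[h] = "malware" if score >= MALWARE_SCORE else "goodware"
        return self.verdicts[h]


class Agent:
    """Endpoint side. block_unknown models the configuration choice the
    guide mentions: whether unclassified processes may run at all."""

    def __init__(self, server: ClassificationServer, block_unknown: bool):
        self.server = server
        self.block_unknown = block_unknown

    def on_execute(self, data: bytes, os_signed: bool = False) -> tuple:
        """Return (hash, decision). os_signed models 'OS component signed
        by a trusted authority': Known as goodware without analysis."""
        h = file_hash(data)
        if os_signed:
            self.server.verdicts.setdefault(h, "goodware")
        verdict = self.server.lookup(h)
        if verdict == "malware":
            return h, "block"
        if verdict == "unknown" and self.block_unknown:
            return h, "block"
        return h, "allow"                   # goodware, or unknown under monitoring

    def on_action(self, h: str, action: str) -> str:
        """Forward a monitored action; returns the server's current verdict."""
        return self.server.ingest(h, action)


def simulate() -> dict:
    server = ClassificationServer()
    monitor_agent = Agent(server, block_unknown=False)
    strict_agent = Agent(server, block_unknown=True)
    dropper = b"MZ" + b"\x01" * 64      # constructed stand-in for an unknown binary
    h, first = monitor_agent.on_execute(dropper)
    # Constructed behaviour observed while running under monitoring.
    for action in ["file_open", "net_comm", "exe_create", "remote_thread", "sam_access"]:
        verdict = monitor_agent.on_action(h, action)
    _, second = strict_agent.on_execute(dropper)            # now Known: blocked everywhere
    _, strict_unknown = strict_agent.on_execute(b"MZ" + b"\x03" * 64)
    _, signed = strict_agent.on_execute(b"MZ" + b"\x02" * 64, os_signed=True)
    return {"first": first, "verdict": verdict, "second": second,
            "strict_unknown": strict_unknown, "signed": signed}


if __name__ == "__main__":
    print(simulate())
```

The point of the simulation is the ordering: the monitoring Agent lets the unknown binary run, its remote-thread and SAM events push it over the threshold, and from then on the strict Agent blocks the same hash without ever executing it. The trade-off the guide's configuration modes encode is visible in `strict_unknown`: blocking unknowns stops the first victim too, at the cost of blocking new legitimate software until it is classified.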

3.5. Customer data confidentiality

The Adaptive Defense protection model requires obtaining information on the actions performed by the applications installed on the customer's computers.

3.5.1. Guidelines on data collected by the service

The data collected by Adaptive Defense strictly follows the general guidelines listed below:

- Only information on Windows executable files (.exe, .dll, etc.) run or loaded on the user's computer is collected. No information on data files is collected.
- File attributes are sent normalized, removing information that refers to the logged-on user. For example, file paths are normalized as LOCALAPPDATA\name.exe instead of c:\Users\USER_NAME\AppData\Local\name.exe.
- The only URLs collected are those from which executable files were downloaded. User browsing URLs are not collected.
- There is no data-to-user relationship in the data collected.
- In no case does Adaptive Defense send personal information to the cloud.

3.5.2. Information collected from machines

The service collects the following information on the execution environment (computer hardware and software):

- Computer name.
- Operating system.
- Service Pack.
- Group in which the protected PC is included.
- Machine's default IP address.
- MAC address.


- IP addresses assigned to the PC in different network adapters.
- MAC address for the different network adapters.
- RAM memory in MBytes.

As essential information for supporting the new protection model, Adaptive Defense sends information on the actions performed by the applications run on each user's computer. The attributes sent are listed below as Attribute / Data: Description. Example.

- File / Hash: File hash to which the event refers. Example: N/A
- URL / Url: Address from where an executable file has been downloaded. Example: http://www.Malware.com/executable.exe
- Path / Path: Normalized path in which the file to which the event refers is found. Example: APPDATA\
- Registry / Key/Value: Windows registry key and its related content. Example: HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Research\Minerva\Version = 3.2.21
- Operation / Operation ID: ID of the event operation (creation/modification/loading/... of an executable file, executable file download, communication...). Example: a type 0 event indicates the execution of an executable file
- Communication / Protocol/Port/Address: Collects the communication event of a process (not its content) together with the protocol and address. Example: Malware.exe sends data by UDP on port 4865
- Software / Installed software: Collects the list of software installed on the endpoint according to the Windows API. Example: Office 2007, Firefox 25, IBM Client Access 1.0
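The guidelines in 3.5.1 and the event attributes in the table above, as an added example that is not Panda Security's code: a raw observation from a constructed Windows profile is turned into a record carrying only the listed attributes, with the path normalized so the user name never leaves the machine. SHA-256 as the hash, the field names, the executable extension set and all sample values are assumptions.

```python
"""Added example (not Panda Security's code): build a telemetry record that follows
the data-minimisation guidelines in 3.5.1 and carries the attributes of the 3.5.2
table. Field names and the hash algorithm are assumed; the real wire format is not
documented on the page."""
import hashlib
import ntpath
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Assumed set; the guide says ".exe, .dll files etc." without listing every extension.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx"}
OP_EXECUTE = 0  # the table states that a type 0 event is the execution of an executable


def _profile_prefixes(user_profile: str) -> List[Tuple[str, str]]:
    """Folder-name replacements, most specific first so LOCALAPPDATA wins over USERPROFILE.
    The profile layout is the standard Windows one; the root is a constructed value."""
    return [
        ("LOCALAPPDATA", ntpath.join(user_profile, "AppData", "Local")),
        ("APPDATA", ntpath.join(user_profile, "AppData", "Roaming")),
        ("USERPROFILE", user_profile),
        ("PROGRAMFILES", r"C:\Program Files"),
        ("PROGRAMDATA", r"C:\ProgramData"),
    ]


def normalize_path(path: str, user_profile: str) -> str:
    """Replace user-specific prefixes with the folder name, as in the guide's
    LOCALAPPDATA\\name.exe example. Comparison is case-insensitive like NTFS."""
    for name, prefix in _profile_prefixes(user_profile):
        prefix = prefix.rstrip("\\")
        if path.lower().startswith(prefix.lower() + "\\"):
            return name + path[len(prefix):]
    return path  # no user-specific prefix, e.g. C:\Windows\System32\x.dll


def is_executable(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTENSIONS


def executable_download_url(url: Optional[str]) -> Optional[str]:
    """Keep a URL only when it points at an executable; browsing URLs are dropped."""
    if url is None:
        return None
    path_part = url.split("?", 1)[0].split("#", 1)[0]
    return url if is_executable(path_part.rsplit("/", 1)[-1]) else None


@dataclass
class AgentEvent:
    file_hash: str                 # hash of the executable the event refers to
    operation: int                 # operation id, e.g. 0 = execution
    path: str                      # normalized path
    url: Optional[str] = None      # download URL of the executable, if any
    registry: Optional[str] = None  # "key = value" if the event touched the registry
    communication: Optional[Tuple[str, int, str]] = None  # (protocol, port, address)


def build_event(raw: Dict, user_profile: str) -> Optional[AgentEvent]:
    """Turn a raw observation into the record to send. Returns None for data
    files, which the guidelines exclude from collection altogether."""
    if not is_executable(raw["path"]):
        return None
    return AgentEvent(
        file_hash=hashlib.sha256(raw["content"]).hexdigest(),
        operation=raw["operation"],
        path=normalize_path(raw["path"], user_profile),
        url=executable_download_url(raw.get("url")),
        registry=raw.get("registry"),
        communication=raw.get("communication"),
    )


def leaks_user(event: AgentEvent, user_name: str) -> bool:
    """Privacy check: the logged-on user's name must not appear anywhere in the record."""
    return user_name.lower() in str(asdict(event)).lower()


# Constructed sample observation; user name, file bytes and address are made up.
SAMPLE_USER_PROFILE = r"C:\Users\jdoe"
SAMPLE_RAW = {
    "path": r"C:\Users\jdoe\AppData\Local\Temp\installer.exe",
    "content": b"MZ-constructed-sample-bytes",
    "operation": OP_EXECUTE,
    "url": "http://www.Malware.com/executable.exe",
    "registry": r"HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Research\Minerva\Version = 3.2.21",
    "communication": ("UDP", 4865, "198.51.100.7"),
}

if __name__ == "__main__":
    event = build_event(SAMPLE_RAW, SAMPLE_USER_PROFILE)
    print(asdict(event))
    print("leaks user name:", leaks_user(event, "jdoe"))
```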

It may also be necessary to send executable files to our Collective Intelligence platform. To reduce bandwidth consumption, executable files are only sent to the Collective Intelligence platform if they are not yet present there. Sending only executable files ensures that in no case will they contain confidential user/customer information.

3.5.3. Privacy of information collected

All information collected is only stored in our Windows Azure cloud platform.

The information is not shared with third parties unless customers:

- Want to receive in their SIEM system information on security alerts and data collected by Adaptive Defense. The information collected will be sent to the customers' SIEM system through a secure protocol established by the customer.


- Use the Logtrust platform, the accumulated knowledge real-time operating platform with which Adaptive Defense is integrated by default. The information is sent to Logtrust by HTTPS and stored in Logtrust data centers.

All the information sent to the cloud is encrypted with strong encryption algorithms such as BlowFish.

Finally, the information collected on the user's computer by the Agent is temporarily stored in an encrypted storage folder.


4. Installation and start-up

- Checklist of steps and necessary requirements
- Learning phase
- Malware blocking phase


4. Installation and start-up of Adaptive Defense service

The necessary steps for correctly completing the installation of the service and its subsequent start-up are outlined in this chapter.

4.1. Checklist of steps and necessary requirements

1. Check compatibility of the Adaptive Defense Agent with the computers to be protected.

The following Windows systems are compatible with the Agent:

- Operating systems (workstations): Windows XP SP2 or higher (Vista, Windows 7, 8 and 8.1) on 32 and 64 bit platforms.
- Operating systems (servers): Windows Server 2003, Windows Server 2008, Windows Server 2012 in any of their configurations and architectures.

2. Check that the prerequisites are met on each computer to be protected.

The Agent is an application that requires the following standard components, generally already installed on the user's computer:

- .NET Framework version 2.0 SP2 or any of the higher versions that include it. It will need to be installed manually if it is not found.
- Visual C++ 2008 Redistributable Package. If it is not found, the installer will download and install it itself.

3. Check that the connectivity prerequisites are met.

The Agent communicates by default with the server through the HTTPS protocol, so it requires access through port 443 to the Internet with the following destinations:

- https://paps.pandasecurity.com
- https://rpuws.pandasecurity.com
- https://rpkws.pandasecurity.com
- https://prws2.pandasecurity.com/PAPS/Login.aspx/

If a proxy server is used to access the Internet, the corresponding credentials must be configured on the Web portal before downloading the installer (see step 4).

The Agent also has the capacity to switch automatically from a proxy connection to a direct connection and vice versa, enabling the sending of events for mobile computers connected to non-corporate networks (no proxy).
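A pre-deployment check of the connectivity prerequisite in step 3, added here as an example and not a Panda Security tool: it opens TCP 443 to each listed destination, directly or through an HTTP proxy (CONNECT with optional basic authentication, mirroring the proxy credentials the console asks for), and requires a validated TLS handshake so a blocked port, a refusing proxy or an intercepting proxy with an untrusted CA all show up as failures. The proxy address, credentials and timeout are assumptions supplied by the caller.

```python
"""Added example (not Panda Security's tooling): verify that the four Adaptive
Defense destinations are reachable over HTTPS from this endpoint, directly or via
an HTTP proxy. Proxy details and timeouts are assumptions passed in by the caller."""
import base64
import socket
import ssl
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Destinations taken from the connectivity prerequisites in step 3.
AGENT_ENDPOINTS = [
    "https://paps.pandasecurity.com",
    "https://rpuws.pandasecurity.com",
    "https://rpkws.pandasecurity.com",
    "https://prws2.pandasecurity.com/PAPS/Login.aspx/",
]


def endpoint_target(url: str) -> Tuple[str, int]:
    """Host and port the agent must reach; HTTPS defaults to 443."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL: %r" % url)
    return parts.hostname, parts.port or 443


def proxy_connect(sock, host: str, port: int,
                  proxy_user: Optional[str] = None,
                  proxy_password: Optional[str] = None) -> None:
    """Ask an HTTP proxy to open a tunnel (CONNECT) to host:port.
    Raises ConnectionError if the proxy refuses, e.g. 407 when credentials are wrong."""
    headers = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    if proxy_user is not None:
        token = base64.b64encode(("%s:%s" % (proxy_user, proxy_password or "")).encode()).decode()
        headers.append("Proxy-Authorization: Basic " + token)
    sock.sendall(("\r\n".join(headers) + "\r\n\r\n").encode())
    reply = b""
    while b"\r\n\r\n" not in reply:           # read until the end of the proxy's headers
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    fields = status_line.split()
    if not status_line.startswith("HTTP/1.") or len(fields) < 2 or fields[1] != "200":
        raise ConnectionError("proxy refused CONNECT: " + status_line)


def check_endpoint(url: str, proxy: Optional[Tuple[str, int]] = None,
                   proxy_user: Optional[str] = None, proxy_password: Optional[str] = None,
                   timeout: float = 5.0) -> Tuple[bool, str]:
    """Return (reachable, detail). Certificate validation is on, so a TLS-intercepting
    proxy whose CA the machine does not trust is reported as a failure here."""
    host, port = endpoint_target(url)
    context = ssl.create_default_context()
    try:
        raw = socket.create_connection(proxy or (host, port), timeout=timeout)
        with raw:
            if proxy:
                proxy_connect(raw, host, port, proxy_user, proxy_password)
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, "%s to %s:%d" % (tls.version(), host, port)
    except (OSError, ssl.SSLError) as exc:    # ConnectionError and timeouts are OSErrors
        return False, "%s:%d -> %s" % (host, port, exc)


def check_all(proxy: Optional[Tuple[str, int]] = None, proxy_user: Optional[str] = None,
              proxy_password: Optional[str] = None) -> Dict[str, Tuple[bool, str]]:
    return {url: check_endpoint(url, proxy, proxy_user, proxy_password) for url in AGENT_ENDPOINTS}


if __name__ == "__main__":
    for url, (ok, detail) in check_all().items():
        print("OK  " if ok else "FAIL", url, detail)
```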

4. Creation of the installation package

The creation of the installation package introduces certain information in the installer that will help the administrator with the subsequent deployment and configuration of the Agent.


Configuration of outbound Internet proxy: If Internet access from the network is via a proxy server, you must first configure the information for its use on the Web console. This will generate an MSI installer to be used in the network.

If several different proxies are going to be used, you must create a custom installer for each of them and manage the deployment in each corresponding network.

To create an installation package, click Add computers on the dashboard and complete the proxy fields if the agents are going to access the Internet in this way.

After entering and saving the data, you can download the MSI installer on the local computer to start its deployment.

The installer is unique and contains both the Agent versions compatible with 32-bit and 64-bit systems.

Installation of the Agent on computers with other antiviruses installed: Adaptive Defense is compatible with traditional endpoint antiviruses and can be installed alongside them to protect the customer's computers against targeted and sophisticated attacks.

5. Download and distribution of the installer

The MSI installer file can be distributed in various ways in the customer's network, depending on the number of computers, their location and other factors.

Manual installation: The MSI installer can be shared in a network folder from where users will collect it and install it manually, or it can also be sent by email.


Installation of the Agent requires local administrator permissions on the computer. Depending on the configuration of the computer, UAC (User Account Control) will require confirmation of the installation or entering the administrator's password.

The installation program does not need any additional information.

If the Visual C++ 2008 Redistributable Package is not installed on the computer, the installer will download and install it automatically.

After completing the installation process, the Adaptive Defense Agent will be updated with the new knowledge.

The Adaptive Defense Agent is designed to go unnoticed by the user and does not support any configuration from the computer itself.

Centralized installation through Group Policy Object (GPO): In a very large IT infrastructure, the existing Active Directory infrastructure, or any other remote installation software, can be used to deploy the installer. In this way the network administrator won't have to physically go to each of the computers, but will be able to perform a silent installation on those computers in the network that they consider necessary.

The steps for performing an installation through a GPO are set out below.

- Download the Adaptive Defense installer and share it: Place the Adaptive Defense installer in a shared folder that is accessible to all the computers that will receive the Agent.
- Open the “Active Directory Users and Computers” applet and create a new OU (Organizational Unit) called “Adaptive Defense”.


- Open the Group Policy Management snap-in. In Domains, select the newly created OU to block inheritance.
- Create a new GPO in the “Adaptive Defense” OU.


- Edit the GPO.


- Add a new installation package that will contain the Adaptive Defense Agent. For this you will be asked to add the installer to the GPO.
- Once added, show the properties. In the Deployment tab, click Advanced and select the checkbox that disables the check between the destination operating system and the one defined in the installer.


- Finally, add to the Adaptive Defense OU previously created in “Active Directory Users and Computers” all the network computers that you want to send the Agent to.

6. Checking installation of the Agent

Installing the Agent creates the following items on the computers:

INSTALLATION PATH: Files for the services installed.
- %programfiles%\Panda Security\Minerva Suite\

WORK PATH: Contains the cache and various temporary files of the machine events collected.
- %ProgramData%\Minerva

SERVICES: The installation registers 2 new services whose executable files are digitally signed by Panda Security, S.L., as are all the solution files:
- Minerva Agent (RMMsvc.exe): Collects and sends the events observed on the computer.
- Minerva Updater (MinervaUpdater.exe): Creates agent updates.

REGISTRY: The following registry branch is created with various configurations, including the customer ID, service front end URL, proxy data, etc.
- HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Research\Minerva

Change of proxy connection data: Once the Agent is installed and working, it is no longer possible to change the proxy connection data from the service console. The SetMinervaProxy.zip program, downloadable from http://www.pandasecurity.com/resources/tools/paps/setminervaproxy.zip, is used instead.

Once downloaded, unzip the file (password: panda) in the Adaptive Defense installation folder and launch a command prompt window with Administrator permissions. Enter the following command, indicating the new proxy configuration data:

SetMinervaProxy.exe [Domain] [User] [password] [proxy server] [proxy port] [PROXYAUTH (1/0)]

If you want to disable the proxy and use a direct connection, you can run the following command:

SetMinervaProxy.exe Activate=0


7. Agent update

The Agent has a service called Minerva Updater. Among other tasks, this service is responsible for updating the Agent, downloading the update data published from the Adaptive Defense Server.

The update is completely transparent to the end user and can be monitored through the Dashboard and daily reports accessible on the Web console.

See Chapter 5: Security status and computer visibility, for more information about the reports and dashboards.

Having completed the installation of the Agents on all the computers, the service will start to audit the processes run on the machines in order to classify them.

4.2. Learning phase

The learning phase is a period of time that starts when the installation of the Agent has been completed and lasts anywhere from 2 days to 1 week depending on the number of applications run on that computer. During this time, the Agent starts to monitor all the events that occur on the machine, sending those considered relevant to the Adaptive Defense server.

The Agents will send to the front ends only those samples not yet registered in the Panda Security knowledge base. A file will only be sent once from a machine. The Agent will limit and monitor bandwidth usage.

Once received in the Server, the information collected by the Agents is passed to the service backend where different technologies are applied to resolve unknown and/or potentially malicious elements and identify potentially vulnerable software.

During the learning phase, Adaptive Defense will behave as follows with respect to goodware, malware and unknown files:

- Goodware: It can be run as normal.
- Malware: Its running is blocked.
- Unknown files: They can be run initially until Adaptive Defense concludes that they are either goodware or malware. Once the item is classified, the knowledge is disseminated to all computers that use the protection service. If a computer runs a program without classifying it at the time and it later turns out to be malware, the system will block any subsequent execution attempt and mark the computer as infected in the Alerts section.

See Chapter 5: Security status and computer visibility for more information about Alerts. See Chapter 3: Basic concepts of Adaptive Defense for more information about goodware, malware and unknown files.

At the end of the learning phase, 100% of the applications run by users are classified as goodware or malware.


4.3. Malware blocking phase (hardening)

At the end of the learning phase, Adaptive Defense will start to protect the computer according to the configuration chosen by the network administrator.

See Chapter 6: Configuration of Adaptive Defense behavior for more information.


5. Security status and computer visibility

- Service status
- Security status
- Detailed activity reports of threats
- Executive report


5. Security status and computer visibility

The different ways of displaying the security status of the IT infrastructure in Adaptive Defense and the service status are explained in this chapter.

5.1. Adaptive Defense service status

The Dashboard is the Adaptive Defense home screen and its purpose is to graphically represent both the security status of the customer's network and the contracted service. This makes it possible to locate the main problems found in the network at a glance.

To show the service status, Adaptive Defense uses 3 widgets that report the information indicated below to the administrator:

- The widget situated on the left-hand side shows the “Active” or “Inactive” service status.
- The central widget shows the number of devices protected by Adaptive Defense. To add new devices, click the “Add computers” button, as explained in Chapter 4: Installation and start-up.
- The right-hand widget indicates the customer's computers which, having an Adaptive Defense Agent correctly installed, have not communicated with the server in the past 3, 7 and 30 days.

5.2. Security status of the IT infrastructure

The central part of the Dashboard graphically represents the security status through 6 widgets that are updated in real time and show a particular aspect of the customer's network at a specific moment. You can click on each widget to obtain a detailed breakdown of data.

All counters included in the Dashboard show the number of unique threats or programs found in the customer's IT infrastructure in the period of time determined by the administrator. This means that if the same threat or vulnerable program is detected several times in different computers in the set period of time, it will only be counted once.


Use the filtering tool located at the top to change the time interval established for showing data: last day, last week, last month and last year.

Disinfected threats or updated vulnerable programs do not disappear from the counters or dashboards in the chosen time interval; however, when choosing a time interval after the disinfection they will no longer be shown.

5.2.1. Malicious programs

This widget shows the number of Malware threats found. It offers the following data:

- Number of unique threats found in the customer's IT infrastructure
- Run: Threats that were actually run on the user's computer
- Access data: Threats found that access the user's files
- Devices affected: Number of computers that contain malware
- Outbound connection: Number of threats that access other computers to send or receive data

5.2.2. Under investigation at our lab


This widget shows the unknown programs found in the customer's network whose preliminary analysis has revealed suspicious behavior, although they have yet to be definitively classified by Panda Security technicians. These programs are classified as goodware or malware within 24 hours.

It offers the following data:

- Number of suspicious programs that are being analyzed in Panda Security’s laboratory, and which were found after the installation and start-up of the Adaptive Defense service
- Run: Potentially dangerous programs that were actually run on the user's computer
- Access data: Potentially dangerous programs found that access the user's files
- Devices affected: Number of computers that contain potentially dangerous programs
- Outbound connection: Number of potentially dangerous programs that access other computers to send or receive data

5.2.3. Vulnerable programs

This widget shows the number of programs that contain any vulnerability that can be exploited by malware and PUPs to infect computers in the customer's network.

- Number of programs that contain some type of vulnerability that can be exploited by malware and PUPs, and which were found after the installation and start-up of the Adaptive Defense service
- Run: Vulnerable programs that were actually used on the user's computer


- Access data: Vulnerable programs found that access the user's files
- Devices affected: Number of computers that have vulnerable programs installed
- Outbound connection: Number of vulnerable programs that access other remote computers to send or receive data

5.2.4. Potentially Unwanted Programs

This widget shows PUPs (Potentially Unwanted Programs) found in the customer's network. It offers the following data:

- Number of potentially dangerous programs found after the installation and start-up of the Adaptive Defense service
- Run: Potentially dangerous programs that were actually run on the user's computer
- Access data: Potentially dangerous programs found that access the user's files
- Devices affected: Number of computers that contain potentially dangerous programs
- Outbound connection: Number of potentially dangerous programs that access remote computers to send or receive data

5.2.5. Top Risk Users


This widget shows the four network users whose devices have the highest risk of infection. For this, the four concepts previously seen, grouped by user, are displayed:

- Number of Malicious programs
- Number of Potentially Unwanted Programs (PUP)
- Number of Under investigation at our lab programs
- Number of Vulnerable programs

5.2.6. Top Risk Computers


This widget shows the four computers in the network with the highest risk of infection. For this, the four concepts previously seen, grouped by computer, are displayed:

- Number of Malicious programs
- Number of Potentially Unwanted Programs (PUP)
- Number of Potentially malicious programs
- Number of Vulnerable programs

5.3. Detailed activity reports of threats

Reports and detailed lists of the malware or vulnerable software found in the customer's network are displayed by clicking on the various Dashboard panels.

You can sort the content of all the tables displayed by clicking on the header fields, and at the bottom there is a pagination system for easier browsing.

5.3.1. Malicious programs

A list of the threats found in computers protected with Adaptive Defense is shown in this report.

The search tool is located at the top.

The filter (1) restricts the search indicated in the textbox (2) situated to the right of the selected field:


- All: The search string will be applied to the Computer, Name and Date fields
- Computer: The search string will be applied to the computer name
- Name: The search string will be applied to the Malware name
- Date: The search string will be applied to the date of detection

The filter (3) shows the threats that meet the selected criteria:

- Executed: The Malware was executed and the computer is infected
- Not Executed: Malware detected by the vulnerability protection
- Blocked: Malware known by Adaptive Defense and blocked
- Allowed: Malware known by Adaptive Defense but its execution is allowed as it is included in the Exceptions tab of the Settings menu.
- Access to data files: The malware accessed the disk to collect information from the computer, or to create files and resources necessary for its execution
- Communications: The malware opened communication sockets with any machine, including localhost

The table fields are as follows:

- Computer: Computer where the detection took place
- Name: Name of the malware
- Path: Full path where the infected file resides
- Run: The malware was run and the computer might be infected
- Accesses data: Indicates whether the threat sends or receives data from other computers.
- Establishes an outbound connection: The threat has communicated with remote computers to send or receive data.
- Date: Date when the malware was detected in the computer

5.3.2. Under investigation at our lab

This report shows a list of those files in which, without their classification having been completed, Adaptive Defense has preliminarily detected some risk.

The search tool is located at the top.

The filter (2) allows you to restrict the search indicated in the textbox (1), indicating the likelihood of the potentially malicious program actually being a threat:

- Medium


- High
- Very high

The table fields are as follows:

- Name: Name of the malware
- Run on (computers): Number of computers that ran the potentially dangerous program. Click on the number to obtain a list of computers with their name and the potentially dangerous file path. Click on each computer name to display the machine information.
- Not run (computers): Number of computers in which Adaptive Defense found the potentially dangerous program but it was not actually run. Click on the number to obtain a list of computers with their name and the potentially dangerous file path. Click on each computer name to display the machine information.
- Accesses data: Indicates whether the threat sends or receives data from other computers.
- Establishes an outbound connection: The threat has communicated with remote computers to send or receive data.
- Likelihood of being malicious: Very high, High, Medium


5.3.3. Vulnerable programs

This report shows a list of those programs that contain known vulnerabilities that can be exploited by malware and advanced threats for infecting the computer.

The search tool is located at the top.

The table fields are as follows:

- Name: Name of the program considered vulnerable
- Version: Full path where the infected file resides
- Vendor: The company that created the infected software
- Run on (computers): Number of computers that ran the program considered vulnerable. Click on the number to obtain a list of computers with their name. Click on each computer name to display the machine information.
- Not run (computers): Number of computers in which Adaptive Defense found the program considered vulnerable but it was not actually run. Click on the number to obtain a list of computers with their name. Click on each computer name to display the machine information.

5.3.4. Potentially Unwanted Programs

A list of the PUPs (Potentially Unwanted Programs) found in the computers protected with Adaptive Defense is shown in this report.

A search tool is found at the top.

The filter (1) restricts the search indicated in the textbox (2) situated to the right of the selected field:

- All: The search string will be applied to the Computer, Name and Date fields
- Computer: The search string will be applied to the computer name
- Name: The search string will be applied to the PUP name
- Date: The search string will be applied to the date of detection

The filter (3) shows the threats that meet the selected criteria:

- Executed: The PUP was executed and the computer is infected


- Not Executed: PUP detected by the vulnerability protection
- Blocked: PUP known by Adaptive Defense and blocked
- Allowed: PUP known by Adaptive Defense but its execution is allowed by the system administrator.
- Access to data files: The PUP accessed the disk to collect information from the computer or to create files and resources necessary for its execution
- Communications: The PUP opened communication sockets with other machines, including localhost

The table fields are as follows:

- Computer: Computer where the detection took place
- Name: Name of the PUP
- Path: Full path where the PUP file resides
- Run: The PUP was run and the computer might be infected
- Accesses data: Indicates whether the PUP sends or receives data from other computers.
- Establishes an outbound connection: The PUP has communicated with remote computers to send or receive data.
- Date: Date when the PUP was detected in the computer

5.3.5. Top Risk Users

This report shows a list, ordered by importance, of the network users with the most threats found on their computer.

The report table fields are as follows:

- User: User associated with the process run
- Malicious programs: Number of malicious programs run by the user
- Potentially malicious programs: Number of potentially malicious programs run by the user
- Vulnerable programs: Number of programs considered vulnerable and used by the user
- Potentially unwanted programs: Number of PUPs run by the user

5.3.6. Top Risk Computers

This report shows a list of all computers audited in the network.

The report table fields are as follows:


- Computer: Audited computer. Click on the name to display information about the computer.
- Malicious programs: Number of malicious programs run on the computer
- Potentially malicious programs: Number of potentially malicious programs run on the computer
- Vulnerable programs: Number of programs considered vulnerable and used on the computer
- Potentially unwanted programs: Number of PUPs run on the computer
- Last connection: Timestamp of the last connection of the computer to the Adaptive Defense server

5.4. Executive report

There is a button at the top of the Dashboard to create an executive report. This report summarizes all information shown on the Dashboard and in the reports, ready for download in PDF format or printing.


6. Configuration of behavior

- Classified programs
- Unclassified programs


6. Configuration of Adaptive Defense behavior

Adaptive Defense is a managed service which frees the network administrator from most of the workload associated with products based on white/black lists and exceptions. In this way, Panda Security automatically classifies the security of all processes run on each of the customer's computers, without requiring any manual intervention.

Adaptive Defense's behavior is configurable for two groups of programs:

- Classified programs
- Unclassified programs

The network administrator must request from Panda Security any change in the configuration of Adaptive Defense's behavior that they consider appropriate, depending on how their company's IT devices are used.

6.1. Classified programs

Programs known by Adaptive Defense are classified as goodware or malware. Depending on the classification of the program attempting to run, the default action will be:

- Goodware: The service allows the program or process to run
- Malware: By default, the service prevents the program or process from running.

6.1.1. Running specific programs classified as malware

Whenever the user needs to use any program classified as malware or an unwanted program (hacking tools, browser bars, etc.), it may be advisable to allow its controlled running even if Adaptive Defense has classified it as a potential threat.

6.2. Unclassified programs

More than 99% of the programs found on user computers are classified in Adaptive Defense; however, those not yet classified can be run, or temporarily blocked until their classification.

If blocked, Adaptive Defense can inform the user of the reason for the block, allow conditional execution depending on the decision made by the user, or block the program silently.

The classification process is a continuous task on the Adaptive Defense servers. After a brief period of time, the programs blocked initially for not having a classification can be run if Adaptive Defense has determined that they are legitimate.


6.2.1. Audit mode

In audit mode, Adaptive Defense only reports the threats detected but does not block the malware found. This mode is useful for testing the security solution and to ensure that product installation does not compromise the proper functioning of the computer.

6.2.2. Blocking mode for programs being classified (Extended Mode)

In environments where security is a priority and in order to offer fully guaranteed protection, Adaptive Defense must be configured in Extended Mode to block the running of software that is being classified. This will ensure that only legitimate software is run.

When configuring this operating mode on computers or servers where the software changes regularly, these programs will not be allowed to run until they are classified. The classification process is instantaneous on some occasions, although on others it will be automatically performed on our BigData platform in a matter of minutes. If the program is particularly complex, the classification task is carried out by experts, normally in less than 24 hours. For this reason, this mode is recommended for computers and servers where new software is not usually installed.

Adaptive Defense can be configured so that Extended Mode asks the computer user whether or not they want to allow the running of programs being classified. This mode involves the risk of the end user allowing the running of malware, believing it to be legitimate software; that is why this configuration is only recommended on computers managed by advanced users.

6.2.3. Limited execution mode for programs being classified (Deep Hardening mode)

In Deep Hardening Mode, unknown programs already installed on the user's computer can be run, although their actions will be sent to the Adaptive Defense Server for analysis. To prevent zero-day and similar types of attack, unknown programs from outside the network (Internet, email, etc.) will be blocked until they have been classified. Once a sufficient amount of evidence has been collected and used, Adaptive Defense will classify these programs as goodware or malware, creating an alert in the latter case for the administrator for subsequent forensic analysis.

Once programs from outside the network have been classified, their entry and running will be allowed or blocked depending on the classification (goodware or malware) received.

Deep Hardening Mode is recommended in environments where there are constant changes in the software installed on users' computers, or where many unknown programs are run, such as proprietary programs. In these scenarios, it may not be viable to wait for Adaptive Defense to learn from them to classify them.


6.2.4. Complete execution mode for programs being classified (Hardening mode)

Unknown programs can be run in Hardening mode, although Adaptive Defense will always collect evidence until completing their classification. After the program has been classified, the Agent will block it if it turns out to be malware, generating an alert for the administrator for subsequent forensic analysis in order to assess the impact on the company.


7. Forensic analysis and attack prevention

Adaptive Defense is a managed service that adapts to the particular application ecosystem of each company. The protection it provides makes it possible to classify 100% of the software used by each customer; however, security incidents related to the configuration mode chosen by the network administrator, or due to infections prior to the start-up of the service, may arise.

7.1. Deep Hardening mode and infection by unknown malware

In Deep Hardening mode, it is possible that some of the programs unknown to Adaptive Defense and which reside on the user's computer might be run, so if the program contained malware the computer could be compromised.

Adaptive Defense will classify unknown programs when it has sufficient evidence, generally within the first 24 hours after the program is first run, generating an alert for the administrator and blocking from that moment the program classified as a threat.

7.2. Forensic analysis and prevention of attacks from infected computers

When the customer's network has been infected, it needs to be determined to what extent it has been compromised and how to protect it from future attacks.

New-generation malware is characterized by going undetected for long periods of time, taking advantage of this to access sensitive data or company intellectual property. Its objective is economic gain, either through blackmail by encrypting company documents or by selling the information obtained to the competition, among other strategies common to these types of attacks.

Whatever the case, it is vital to determine the actions that triggered the malware on the network in order to take appropriate measures. Adaptive Defense is able to continuously monitor all actions triggered by threats and store them to show their path, from their initial appearance in the network until their neutralization.

Adaptive Defense displays this type of information in two ways: through tables of actions and through graphs.

7.2.1. Forensic analysis through action tables

The action tables are visible from the Malicious programs and Under Investigation at our lab reports by clicking any column in the table, apart from the Computer column, which will open a dialogue with information on the selected computer. Click on any other column to display a drop-down panel with the content of the action table.


The fields included to generally describe the threat are:

- Path: Path of the executable file that contains the malware.
- Dwell time: Time that the threat has remained in the system.
- User: Name of the user who launched the process classified as Malware or PUP.
- MD5: Adaptive Defense shows the malware hash, which can be used for later reference in VirusTotal or Google through the Search in Google and Search in VirusTotal buttons.
- Life cycle of the malware in the computer: This is a table that details each of the actions triggered by the threat.

In the table of actions for the threat, only relevant events are included, because the number of actions triggered by a process is so high that it would prevent the extraction of useful information for a forensic analysis.

The table content is initially presented in date order, making it easier to follow the development of the threat.

The fields included in the action table are detailed below:

- Date: Date of the action
- Times: Number of times the action was run. A single action run several times consecutively only appears once in the list of actions, with the Times field updated.
- Action: Action implemented. Below is a list of actions that can appear in this field:
  - File Download
  - Socket Used
  - Accesses Data
  - Executed By
  - Execute
  - Created By
  - Create
  - Modified By
  - Modify
  - Loaded By
  - Load
  - Installed By
  - Install
  - Mapped By
  - Map
  - Deleted By
  - Delete
  - Renamed By
  - Rename
  - Stopped By
  - Stops Process
  - Remote Thread Created By
  - Creates Remote Thread
  - Opened Comp By
  - Open Comp
  - Created Comp By
  - Create Comp
  - Creates Reg Key To Exe
  - Modifies Reg key To Exe
- Path/URL/Registry key/IP:port: This is the action entity. Depending on the type of action it can contain:
  - Registry key: For all actions that involve modifying the Windows registry
  - IP:port: For all actions that involve communicating with a local or remote computer
  - Path: For all actions that involve access to the computer hard disk
  - URL: For all actions that involve access to a URL
- File Hash/Registry Value/Protocol-Direction/Description: A field that complements the entity. Depending on the type of action it can contain:
  - File Hash: For all actions that involve access to a file
  - Registry Value: For all actions that involve access to the registry
  - Protocol-Direction: For all actions that involve communicating with a local or remote computer. The possible values are TCP, UDP, Bidirectional and Unknown
  - Description
- Trusted: The file is digitally signed

Subject and predicate in the actions

To correctly understand the format used to present the information in the list of actions, a parallel needs to be drawn with natural language:

- All actions have the file classified as malware as the subject. This subject is not indicated in each line of the action table because it is common throughout the table.


- All actions have a verb which relates the subject (the classified threat) with an object, called the entity. The entity is the Path/URL/Registry key/IP:port field of the table.
- The entity is complemented with a second field which adds information to the action, which is the Hash/Registry Value/Protocol-Direction/Description field.

Here are two example actions of the same hypothetical malware:

Date                  Times  Action       Path/URL/Registry key/IP:port                          Hash/Registry Value/Protocol-Direction/Description  Trusted
3/30/2015 4:38:40 PM  1      Connects to  54.69.32.99:80                                         TCP-Bidirectional                                   NO
3/30/2015 4:38:40 PM  1      Loads        PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL  9994BF035813FE8EB6BC98ECCBD5B0E1                    NO

The first action indicates that the malware (subject) connects (Action) to the IP address 54.69.32.99:80 (entity) through the TCP-bidirectional protocol.

The second action indicates that the malware (subject) loads (Action) the library PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL with hash 9994BF035813FE8EB6BC98ECCBD5B0E1.

As with natural language, two types of sentences are implemented:

- Active: These are predicative actions (with a subject and predicate) related by an active verb. In these actions, the verb of the action relates the subject, which is always the process classified as a threat, and a direct object, the entity, which varies from one action to another.
- Passive: These are actions where the subject (the process classified as malware) becomes the passive subject (which receives rather than executes the action) and the verb is passive (to be + participle). In this case, the passive verb relates the passive subject, which receives the action, with the entity, which performs the action.

Examples of active actions are:

- Connects to
- Loads
- Creates

Examples of passive actions are:

- Is created by
- Downloaded from


An example of a passive action is:

Date                  Times  Action          Path/URL/Registry key/IP:port  Hash/Registry Value/Protocol-Direction/Description  Trusted
3/30/2015 4:51:46 PM  1      Is executed by  WINDOWS|\explorer.exe          7522F548A84ABAD8FA516DE5AB3931EF                    NO

In this action, the malware (passive subject) is executed (passive action) by the WINDOWS|\explorer.exe program (entity) with hash 7522F548A84ABAD8FA516DE5AB3931EF.

Active type actions let you inspect in detail the steps taken by the malware. By contrast, passive type actions usually reflect the infection vector used by the malware (which process executed it, what process copied it to the user's computer, etc.).
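The subject / verb / entity reading described above, written out as an added example that is not part of the guide or of Adaptive Defense: a small Python script that expands action table rows into sentences and separates passive rows (the infection vector) from active rows (the threat's own behaviour). The ActionRow type, the rule that an action is passive when its verb ends in "By" or starts with "Is", and the function names are assumptions made for this example; the sample rows are constructed from the three actions quoted above.

```python
"""Expand Adaptive Defense-style action table rows into subject / verb /
entity sentences and split passive rows (infection vector) from active rows
(the threat's own behaviour).  Added example: row type, passive rule and
sample rows are assumptions, not product code or product data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ActionRow:
    date: str
    times: int       # consecutive repeats of one action collapse into Times > 1
    action: str      # the verb column, e.g. "Connects to", "Is executed by"
    entity: str      # Path / URL / Registry key / IP:port
    detail: str      # Hash / Registry value / Protocol-Direction / Description
    trusted: bool    # Trusted column: the file is digitally signed


def is_passive(action: str) -> bool:
    """Assumed rule: the '... By' and 'Is ... by' verbs of the action list are
    passive, i.e. the classified process receives the action."""
    a = action.strip().lower()
    return a.endswith(" by") or a.startswith("is ")


def render(row: ActionRow, subject: str = "the malware") -> str:
    """One row -> one sentence.  The subject is implicit in the table (it is
    the classified file), so the caller names it."""
    verb = row.action.strip().lower()
    extra = f" ({row.detail})" if row.detail else ""
    if is_passive(row.action):
        if verb.startswith("is "):
            verb = verb[3:]
        if verb.endswith(" by"):
            verb = verb[:-3]
        sentence = f"{subject} is {verb} by {row.entity}{extra}"
    else:
        sentence = f"{subject} {verb} {row.entity}{extra}"
    if row.times > 1:
        sentence += f" [x{row.times}]"
    return sentence


def triage(rows):
    """Return (vector, behaviour): passive rows show how the threat arrived,
    active rows what it then did (section 7.2.1)."""
    vector = [render(r) for r in rows if is_passive(r.action)]
    behaviour = [render(r) for r in rows if not is_passive(r.action)]
    return vector, behaviour


# Constructed sample: the three rows quoted in the guide's examples.
SAMPLE_ROWS = [
    ActionRow("3/30/2015 4:51:46 PM", 1, "Is executed by",
              r"WINDOWS|\explorer.exe", "7522F548A84ABAD8FA516DE5AB3931EF", False),
    ActionRow("3/30/2015 4:38:40 PM", 1, "Connects to",
              "54.69.32.99:80", "TCP-Bidirectional", False),
    ActionRow("3/30/2015 4:38:40 PM", 1, "Loads",
              r"PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL",
              "9994BF035813FE8EB6BC98ECCBD5B0E1", False),
]

if __name__ == "__main__":
    vector, behaviour = triage(SAMPLE_ROWS)
    print("Infection vector:", *vector, sep="\n  ")
    print("Behaviour:", *behaviour, sep="\n  ")
```

Running the script prints the explorer.exe row under "Infection vector" and the two active rows under "Behaviour", which is the split an analyst makes first when reading a table: how the file got there, then what it did.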

7.2.2. Forensic analysis through execution graphs

Execution graphs visually display the information shown in the action tables, emphasizing the temporal approach.

The graphs are initially used to provide, at a glance, a general idea of the actions triggered by the threat.


7.2.3. Diagrams

The string of actions in the execution graphs view is represented by two elements:

- Nodes: They mostly represent actions or information elements
- Lines and arrows: They unite the action and information nodes to establish a temporal order and assign each node the role of “subject” or “predicate”.

7.2.4. Nodes

The nodes show the information through their associated icon, color and descriptive panel on the right of the screen when selected with the mouse.

The color code used is as follows:

- Red: Unreliable element, malware, threat.
- Orange: Unknown element, unclassified.
- Green: Reliable element, goodware.

Listed below are the action type nodes with a brief description (each entry corresponds to one node symbol in the console):

- Action: Downloaded file; compressed file created
- Action: Socket / communication used
- Action: Monitoring initiated
- Action: Process created
- Action: Executable file created; library created; key created in the registry
- Action: Modified executable file; modified registry key
- Action: Mapped executable file for write


- Action: Deleted executable file
- Action: Loaded library
- Action: Installed service
- Action: Renamed executable file
- Action: Stopped or closed process
- Action: Remotely created thread
- Action: Compressed file opened

Listed below are the descriptive type nodes with a brief description:

- Final node: File name and extension
  o Green: Goodware
  o Orange: Unclassified
  o Red: Malware/PUP
- Final node: Internal computer (it is in the corporate network)
  o Green: Reliable
  o Orange: Unknown
  o Red: Unreliable
- Final node: External computers
  o Green: Reliable
  o Orange: Unknown
  o Red: Unreliable
- Final node: Country associated with the IP address of an external computer


- Final node: File and extension
- Final node: Registry key

7.2.5. Lines and arrows

The lines of the graphs relate the different nodes, and help to establish the order of the actions executed by the threat.

The two attributes of a line are:

- Line thickness: The thickness of a line which joins two nodes indicates the number of occurrences that this relationship has had in the graph. The greater the number of occurrences, the thicker the line.
- Arrow: Marks the direction of the relationship between the two nodes.
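As an added example (not the console's own renderer), the following Python builds a graph from action table rows using the rules in 7.2.3 to 7.2.5: the arrow runs from subject to entity for active verbs and from entity to subject for passive ones, line thickness is the occurrence count, and node color follows the red / orange / green code of 7.2.4. The tuple row format, the optional classification map and the sample rows are assumptions made for the example; the DOT output is one way to draw the result with Graphviz.

```python
"""Build the execution graph described in sections 7.2.3 to 7.2.5 from action
table rows.  Added example with constructed rows; not product code."""
from collections import defaultdict

# Color code from 7.2.4; anything without a classification is orange.
COLOR = {"malware": "red", "pup": "red", "goodware": "green", None: "orange"}


def build_graph(rows, subject="malware", classification=None):
    """rows: iterable of (times, action, entity) tuples (assumed format).
    classification: entity -> 'goodware' / 'malware' / 'pup' when known.
    Returns (nodes, edges): nodes maps name -> color, edges maps
    (src, dst, action) -> occurrence count, the line thickness of 7.2.5."""
    classification = classification or {}
    nodes = {subject: COLOR["malware"]}           # the classified threat
    edges = defaultdict(int)
    for times, action, entity in rows:
        nodes.setdefault(entity, COLOR[classification.get(entity)])
        a = action.strip().lower()
        passive = a.endswith(" by") or a.startswith("is ")
        # passive: the entity acts on the threat; active: the threat acts on it
        src, dst = (entity, subject) if passive else (subject, entity)
        edges[(src, dst, action)] += times
    return nodes, dict(edges)


def _q(text):
    """Quote a DOT identifier, escaping backslashes found in Windows paths."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(nodes, edges):
    """Graphviz DOT rendering: fill color per node, penwidth per count."""
    lines = ["digraph threat {"]
    for name, color in nodes.items():
        lines.append(f"  {_q(name)} [style=filled, fillcolor={color}];")
    for (src, dst, action), count in sorted(edges.items()):
        lines.append(f"  {_q(src)} -> {_q(dst)} [label={_q(action)}, penwidth={count}];")
    lines.append("}")
    return "\n".join(lines)


# Constructed sample, loosely following the guide's example tables.
SAMPLE = [
    (1, "Created By", r"PROGRAM_FILES|\WinRAR\WinRAR.exe"),
    (1, "Executed By", r"PROGRAM_FILES|\WinRAR\WinRAR.exe"),
    (1, "Load", r"SYSTEM|\BDL.dll"),
    (3, "Socket Used", "37.58.101.205:80"),
    (2, "Socket Used", "37.58.101.205:80"),   # same relation again: thicker line
]
KNOWN = {SAMPLE[0][2]: "goodware", SAMPLE[2][2]: "goodware"}  # assumed classification

if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE, classification=KNOWN)
    print(to_dot(nodes, edges))
```

Piping the output through `dot -Tpng` gives a picture with the same reading as the console: two arrows into the red threat node from WinRAR (the infection vector), and a thick arrow out to the external address that was contacted five times.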

7.2.6. The timeline

The timeline helps control the display of the string of actions carried out by the threat over time. Using the buttons at the bottom of the screen you can position yourself at the precise moment where the threat carried out a certain action and retrieve extended information that can help you in the forensic analysis process.

The timeline of the execution graphs looks like this:

Initially, you can select a specific interval on the timeline by dragging the interval selectors to the left or right to cover the timeframe of most interest to you.

After selecting the timeframe, the graph will only show the actions and nodes that fall within that interval. The rest of the actions and nodes will be blurred on the graph.

The actions of the threat are represented on the timeline as vertical bars accompanied by the timestamp, which marks the hour and minute where they occurred.


7.2.7. Zoom in and Zoom out

The + and – buttons of the time bar let you zoom in or zoom out for higher resolution if there are many actions in a short time interval.

7.2.8. Timeline

To view the full string of actions executed by a threat, the following controls are used:

- Start: Starts the execution of the timeline at a constant speed of x1. The graphs and lines of actions will appear while passing along the timeline.
- 1x: Establishes the speed of travelling along the timeline
- Stop: Stops the execution of the timeline
- + and -: Zoom in and zoom out of the timeline
- < and >: Moves the selection of the node to the immediately previous or subsequent node
- Initial zoom: Restores the initial zoom level if modified with the + and – buttons
- Select all nodes: Moves the time selectors to cover the whole timeline
- First node: Establishes the time interval at the start, a necessary step for initiating the display of the complete timeline.

To display the full path of the timeline, first select “First node” and then “Start”. To set the travel speed, select the button 1x.

7.2.9. Filters

The controls for filtering the information shown are at the top of the graph.

The filter criteria available are:

- Action: Drop-down menu which lets you select a type of action from all those executed by the threat. This way, the graph only shows the nodes that match the type of action selected and those adjacent nodes associated with this action.


- Entity: Drop-down menu which lets you choose an entity (Path/URL/Registry key/IP:port field content)

7.2.10. Movement of nodes and general zoom

To move the graph in four directions and zoom in or zoom out, you can use the controls in the top right of the graph.

To zoom in and zoom out more easily, you can use the mouse scroll wheel.

The X symbol allows you to exit the graph view.

If you would rather hide the timeline buttons zone to leave more space on the screen for the graph, you can select the symbol situated in the bottom right of the graph.

Finally, the behavior of the graph when presented on screen or dragged by one of its nodes can be configured using the panel shown below, accessible by selecting the button in the top left of the graph.


7.3. Interpretation of the action tables and activity graphs

Certain technical knowledge is required to correctly interpret the action tables and activity graphs, as both resources are representations of the evidence collected, which must be interpreted by the company's network administrator.

In this chapter, some basic interpretation guidelines are offered through various real malware examples.

The names of the threats indicated here can vary among different security providers. You should use the hash ID to identify specific malware.

7.3.1. Example 1: Display of actions executed by the malware Trj/OCJ.A

Essential information about the malware found is included in the table shown in Malicious programs. In this case the important data is as follows:

- Date: 06/04/2015 3:21:36
- Computer: XP-BARCELONA1
- Name: Trj/OCJ.A
- Status: Executed
- MD5: EEEEEEEEDDDD
- Path: TEMP|\Rar$EXa0.946\appnee.com.patch.exe

Computer status

The malware status is Executed due to the fact that the Adaptive Defense mode configured was Deep hardening: the malware already resided in the computer when Adaptive Defense was installed and was unknown at the time of its execution.

Hash

The hash string can be used to obtain more information on sites such as VirusTotal to gain a general idea of the threat and how it works.

Malware path

The path where the malware was detected for the first time on the computer belongs to a temporary directory and contains the Rar string, so it comes from a RAR file temporarily uncompressed in the directory, and which gave the appnee.com.patch.exe executable file as the result.

Action table


Step  Date      Action       Path
1     03:17:00  Created by   PROGRAM_FILES|\WinRAR\WinRAR.exe
2     03:17:01  Executed by  PROGRAM_FILES|\WinRAR\WinRAR.exe
3     03:17:13  Create       TEMP|\bassmod.dll
4     03:17:34  Create       PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\AMTLIB.DLL.BAK
5     03:17:40  Modify       PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\amtlib.dll
6     03:17:40  Delete       PROGRAM_FILES|\ADOBE\ACROBAT 11.0\ACROBAT\AMTLIB.DLL.BAK
7     03:17:41  Create       PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\ACROBAT.DLL.BAK
8     03:17:42  Modify       PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\Acrobat.dll
9     03:17:59  Execute      PROGRAM_FILES|\Google\Chrome\Application\chrome.exe

Steps 1 and 2 indicate that the malware was uncompressed by WinRAR.exe and executed from the same program: the user opened the compressed file and clicked on its binary.

Once it is executed, in step 3 the malware creates a DLL file (bassmod.dll) in a temporary folder and another (step 4) in the installation directory of the Adobe Acrobat 11 program. In step 5 it also modifies an Adobe DLL file, perhaps to take advantage of some type of program exploit.

After modifying other DLL files, it launches an instance of Chrome, which is when the timeline finishes; Adaptive Defense classifies the program as a threat after that string of suspicious actions, and has stopped its execution.

In the timeline no actions appear on the registry, so it is very likely that the malware is not persistent, or has not yet executed, up to that point, whatever it needs to survive a restart of the computer.

The Adobe Acrobat 11 program has been compromised, so a reinstallation is recommended; however, thanks to the fact that Adaptive Defense monitors both goodware and malware executable files, the execution of a compromised program will be detected when it triggers dangerous actions, and will ultimately be blocked.

7.3.2. Example 2: Communication with external computers in BetterSurf

BetterSurf is a potentially unwanted program that modifies the browser installed in the user's computer and injects ads in the Web pages that it visits.

Essential information about the malware found is included in the table shown in Potentially Unwanted Programs. In this case the important data is as follows:

- Date: 30/03/2015
- Computer: MARTA-CAL
- Name: PUP/BetterSurf
- Path: PROGRAM_FILES|\VER0BLOCKANDSURF\N4CD190.EXE
- Dwell time: 11 days 22 hours 9 minutes 46 seconds


Dwell time

In this case, the exposure time was very long: for almost 12 days the malware was dormant on the customer's network. This is increasingly normal behavior and may be for various reasons: perhaps because the malware did not carry out any suspicious action until very late, or simply because the user downloaded the file but did not execute it at the time.

Action table

Step  Date              Action       Path / IP                            Hash / Protocol
1     08/03/2015 11:16  Created by   TEMP|\08c3b650-e9e14f.exe            EB0C9D2E28E1EE
2     18/03/2015 11:16  Executed by  SYSTEM|\services.exe                 953DF73048B8E8
3     18/03/2015 11:16  Load         PROGRAM_FILES|\VER0BLOF\N4Cd190.dll  CE44F5559FE618
4     18/03/2015 11:16  Load         SYSTEM|\BDL.dll                      D7D59CABE1270
5     18/03/2015 11:16  Socket used  127.0.0.1:13879                      0-UnKnown
6     18/03/2015 11:16  Socket used  37.58.101.205:80                     0-Bidirectional
7     18/03/2015 11:17  Socket used  5.153.39.133:80                      0-Bidirectional
8     18/03/2015 11:17  Socket used  50.97.62.154:80                      0-Bidirectional
9     18/03/2015 11:17  Socket used  50.19.102.217:80                     0-Bidirectional

Here it can be seen how the malware establishes communication with several different IP addresses. The first of them (step 5) is the computer itself and the rest are external IP addresses to which it connects via port 80 and from which the advertising content is probably downloaded.

The main prevention measure in this case will be to block the IP addresses in the corporate firewall.

Before adding rules to block IP addresses in the corporate firewall, you should look up the IP addresses to be blocked in the associated RIR (RIPE, ARIN, APNIC, etc.) to see the provider's network to which they belong. In many cases the remote infrastructure used by the malware is shared with legitimate services hosted at providers such as Amazon and similar, so blocking their IP addresses would be the same as blocking access to normal Web pages.


7.3.3. Example 3: Access to the registry with PasswordStealer.BT

PasswordStealer.BT is a Trojan that records the user's activity in the computer and sends the information obtained to the exterior. Among other things, it is able to capture the user's screen, record the keystrokes and send files to a C&C (Command & Control) server.

Essential information about the malware found is included in the table shown in Malicious programs. In this case, the important data is as follows:

- Path: APPDATA|\microsoftupdates\micupdate.exe

Due to the name and location of the executable file, the malware poses as a Microsoft update. This particular malware is not able to infect computers by itself; it requires the user to execute the virus manually.

Computer status

The malware status is Executed due to the fact that the Adaptive Defense mode configured was Deep hardening: the malware already resided in the computer when Adaptive Defense was installed and was unknown at the time of its execution.

Action table

Step  Date              Action                    Path                                                                                    Path / Hash
1     31/03/2015 23:29  Executed by               PROGRAM_FILESX86|\internet explorer\iexplore.exe                                        7477021D17D781B24
2     31/03/2015 23:29  Created by                INTERNET_CACHE|\Content.IE5\QGV8PV80\index[1].php                                       C9D4C32DF27B3CDEF
3     31/03/2015 23:30  Creates Reg Key To Exe    \REGISTRY\USER\S-1-5[...]9-5659\Software\Microsoft\Windows\CurrentVersion\Run?MicUpdate  C:\Users\vig03\AppData\Roaming\MicrosoftUpdates\MicUpdate.exe
4     31/03/2015 23:30  Execute                   SYSTEMX86|\notepad.exe                                                                  D378BFFB70864AA61C
5     31/03/2015 23:30  Remote Thread Created by  SYSTEMX86|\notepad.exe                                                                  D378BFFB70864AA61C

In this case, the malware is created in step 2 by a Web page and executed by the Internet Explorer browser.

The order of actions has a granularity of 1 microsecond. For this reason several actions executed within the same microsecond may not appear in order in the timeline, as in step 1 and step 2.

Once the malware has been executed, it becomes persistent in step 3 by adding an entry in the registry branch that belongs to the user, which will launch the program at system start-up.


It then starts to execute malware actions such as starting a notepad and injecting code in one of its threads.

As a remedial action in this case, and in the absence of a known disinfection method, you can minimize the impact of this malware by deleting the registry entry. It is quite possible that on an infected machine the malware prevents you from editing that entry; depending on the case, you would have to either start the computer in safe mode or with a bootable CD to delete that entry.
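The reading applied in examples 1 and 3 can be written down as triage rules. The following Python is an added example, not part of Adaptive Defense: it runs over action table rows (constructed here from the two example tables above) and flags the infection vector, tampering with another application's DLLs under PROGRAM_FILES, persistence through a CurrentVersion\Run key, remote-thread creation, and the absence of any registry activity, which is what led example 1 to conclude the sample was probably not persistent. The row format, rule names and the remediation note attached to the persistence finding are assumptions made for the example.

```python
"""Triage rules over an Adaptive Defense-style action table, covering the
points the guide draws from examples 1 and 3.  Added example; the rows are
constructed from the guide's tables and the rules are the editor's own."""

REG_PERSIST = {"creates reg key to exe", "modifies reg key to exe"}
RUN_KEY = "\\currentversion\\run"    # ...\Software\Microsoft\Windows\CurrentVersion\Run


def triage(rows):
    """rows: list of (step, action, entity, detail) tuples (assumed format).
    Returns (rule, step, note) findings in step order, followed by a summary
    finding when no registry activity was seen at all."""
    findings = []
    registry_seen = False
    for step, action, entity, detail in rows:
        a, e = action.strip().lower(), entity.lower()
        # passive "Created by" / "Executed by" rows show how the file arrived
        if a.endswith(" by") and a.split()[0] in {"created", "executed"}:
            findings.append(("infection_vector", step, f"{action} {entity}"))
        if "reg key" in a or e.startswith("\\registry\\"):
            registry_seen = True
        # Run-key autostart pointing at an executable: survives a restart
        if a in REG_PERSIST and RUN_KEY in e:
            value = entity.rsplit("?", 1)[-1] if "?" in entity else "?"
            findings.append(("persistence_run_key", step,
                             f"value '{value}' launches {detail} at logon; "
                             "delete it (safe mode or boot media if locked)"))
        # thread created in / by another process: code injection
        if "remote thread" in a:
            findings.append(("code_injection", step, f"remote thread with {entity}"))
        # create / modify / delete of a DLL inside another program's folder
        if a in {"create", "modify", "delete"} and "program_files|" in e and ".dll" in e:
            findings.append(("app_library_tampered", step, entity))
    if not registry_seen:
        findings.append(("no_registry_activity", None,
                         "no persistence observed; may not survive a restart"))
    return findings


# Constructed from the guide's example 1 table (Trj/OCJ.A).
EXAMPLE_1 = [
    (1, "Created by", r"PROGRAM_FILES|\WinRAR\WinRAR.exe", ""),
    (2, "Executed by", r"PROGRAM_FILES|\WinRAR\WinRAR.exe", ""),
    (3, "Create", r"TEMP|\bassmod.dll", ""),
    (4, "Create", r"PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\AMTLIB.DLL.BAK", ""),
    (5, "Modify", r"PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\amtlib.dll", ""),
    (6, "Delete", r"PROGRAM_FILES|\ADOBE\ACROBAT 11.0\ACROBAT\AMTLIB.DLL.BAK", ""),
    (7, "Create", r"PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\ACROBAT.DLL.BAK", ""),
    (8, "Modify", r"PROGRAM_FILES|\Adobe\ACROBAT 11.0\Acrobat\Acrobat.dll", ""),
    (9, "Execute", r"PROGRAM_FILES|\Google\Chrome\Application\chrome.exe", ""),
]

# Constructed from the guide's example 3 table (PasswordStealer.BT).
EXAMPLE_3 = [
    (1, "Executed by", r"PROGRAM_FILESX86|\internet explorer\iexplore.exe", "7477021D17D781B24"),
    (2, "Created by", r"INTERNET_CACHE|\Content.IE5\QGV8PV80\index[1].php", "C9D4C32DF27B3CDEF"),
    (3, "Creates Reg Key To Exe",
     r"\REGISTRY\USER\S-1-5[...]9-5659\Software\Microsoft\Windows\CurrentVersion\Run?MicUpdate",
     r"C:\Users\vig03\AppData\Roaming\MicrosoftUpdates\MicUpdate.exe"),
    (4, "Execute", r"SYSTEMX86|\notepad.exe", "D378BFFB70864AA61C"),
    (5, "Remote Thread Created by", r"SYSTEMX86|\notepad.exe", "D378BFFB70864AA61C"),
]

if __name__ == "__main__":
    for name, rows in (("Example 1", EXAMPLE_1), ("Example 3", EXAMPLE_3)):
        print(name)
        for rule, step, note in triage(rows):
            print(f"  step {step}: {rule}: {note}")
```

For example 1 the rules report the WinRAR vector, five DLL operations inside the Acrobat folder and no registry activity; for example 3 they report the browser vector, the Run-key value MicUpdate with the path it launches, and the remote thread involving notepad.exe, which matches the manual reading in the text.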

7.3.4. Example 4: Access to confidential data by Trj/Chgt.F

Trj/Chgt.F was published by wikileaks at the end of 2014 as a tool used by government agencies

in some countries for selective espionage.

In this example, go directly to the action table to observe the behavior of this advanced threat.

Action table

Step  Date                  Action          Path                                                  Info
1     4/21/2015 2:17:47 PM  Is executed by  SYSTEMDRIVE|\Python27\pythonw.exe                     9F20D976AFFFB2D0B9BE38B476CB2053
2     4/21/2015 2:18:01 PM  Accesses Data   #.XLS                                                 Office Excel document access
3     4/21/2015 2:18:01 PM  Accesses Data   #.DOC                                                 Office Word document access
4     4/21/2015 2:18:01 PM  Creates         TEMP|\doc.scr                                         4DBD8393522CD5DA7364ACEA35E80719
5     4/21/2015 2:18:01 PM  Executes        TEMP|\doc.scr                                         4DBD8393522CD5DA7364ACEA35E80719
6     4/21/2015 2:18:37 PM  Executes        PROGRAM_FILES|\Microsoft Office\Office12\WINWORD.EXE  CEAA5817A65E914AA178B28F12359A46
7     4/21/2015 8:58:02 PM  Connects to     192.168.0.1:2042                                      TCP-Bidirectional

The malware is initially executed by the Python interpreter (step 1) and later accesses an Excel and a Word document (steps 2 and 3). In steps 4 and 5, a file with an SCR extension is created and executed, probably a screensaver with some type of fault or error that causes an anomalous situation on the computer and which might be exploited by the malware.

A TCP connection occurs in step 7. The IP address is private, so it would be connecting to the customer's network.

In this case, the content of the files accessed must be checked to assess the loss of information, although looking at the timeline the information accessed has, in principle, not been extracted from the customer's network.

Adaptive Defense will automatically block subsequent executions of the malware in that customer and in other customers.
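The reading of the timeline above can be checked mechanically. The following Python helper is an added example, not code from the guide or from Adaptive Defense: it takes the Example 4 action table as rows, lists the data files accessed, pairs each created file with its later execution, and classifies the peer of each connection as private or public; the row layout, the function names and the "external connection after a data access" rule are assumptions of this example.

```python
import ipaddress
from datetime import datetime

# The action table of Example 4, transcribed from the guide as
# (step, date, action, path, info) rows; the hashes are the ones printed there.
TIMELINE = [
    (1, "4/21/2015 2:17:47 PM", "Is executed by", "SYSTEMDRIVE|\\Python27\\pythonw.exe",
     "9F20D976AFFFB2D0B9BE38B476CB2053"),
    (2, "4/21/2015 2:18:01 PM", "Accesses Data", "#.XLS", "Office Excel document access"),
    (3, "4/21/2015 2:18:01 PM", "Accesses Data", "#.DOC", "Office Word document access"),
    (4, "4/21/2015 2:18:01 PM", "Creates", "TEMP|\\doc.scr", "4DBD8393522CD5DA7364ACEA35E80719"),
    (5, "4/21/2015 2:18:01 PM", "Executes", "TEMP|\\doc.scr", "4DBD8393522CD5DA7364ACEA35E80719"),
    (6, "4/21/2015 2:18:37 PM", "Executes",
     "PROGRAM_FILES|\\Microsoft Office\\Office12\\WINWORD.EXE", "CEAA5817A65E914AA178B28F12359A46"),
    (7, "4/21/2015 8:58:02 PM", "Connects to", "192.168.0.1:2042", "TCP-Bidirectional"),
]


def parse_date(text):
    """Dates in the action table use the US 12-hour format shown in the guide."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def data_accesses(rows):
    """Steps in which the process read user data; their content must be
    reviewed to assess the information loss."""
    return [(step, path) for step, _, action, path, _ in rows if action == "Accesses Data"]


def dropped_then_executed(rows):
    """Files the process created and later executed itself, matched on path
    and hash: (creation step, execution step, path)."""
    created, hits = {}, []
    for step, _, action, path, info in rows:
        if action == "Creates":
            created[(path, info)] = step
        elif action == "Executes" and (path, info) in created:
            hits.append((created[(path, info)], step, path))
    return hits


def connections(rows):
    """Network connections as (step, host, port, is_private, info). is_private
    is None when the path carries a hostname instead of a literal address."""
    out = []
    for step, _, action, path, info in rows:
        if action != "Connects to":
            continue
        host, _, port = path.rpartition(":")
        try:
            private = ipaddress.ip_address(host).is_private
        except ValueError:
            private = None
        out.append((step, host, int(port), private, info))
    return out


def external_connections_after_access(rows):
    """Connections to non-private addresses made at or after the first data
    access: the situation in which the accessed data may have left the
    customer's network. Empty for the Example 4 timeline, whose peer is private."""
    access_times = [parse_date(d) for _, d, a, _, _ in rows if a == "Accesses Data"]
    if not access_times:
        return []
    first_access = min(access_times)
    when = {step: parse_date(d) for step, d, _, _, _ in rows}
    return [c for c in connections(rows) if c[3] is False and when[c[0]] >= first_access]


if __name__ == "__main__":
    print("data accessed:", data_accesses(TIMELINE))
    print("dropped and executed:", dropped_then_executed(TIMELINE))
    print("connections:", connections(TIMELINE))
    print("possible exfiltration:", external_connections_after_access(TIMELINE))
```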


8. Analysis of knowledge and advanced searches

The LogTrust environment is an optional module of Adaptive Defense. If you do not have access to this environment, contact your sales rep.

Logtrust is a complementary real-time accumulated-knowledge service that imports and automatically analyzes, in real time, all the information generated by Adaptive Defense.

Logtrust facilitates information searches on the security of the customer's IT resources and helps generate colorful graphics to interpret the data registered by the Adaptive Defense Agents.

This chapter shows in detail the organizational scheme designed to store the information generated by Adaptive Defense and the procedures necessary to use this information.

The objective of the Logtrust platform is to complement the information offered by Adaptive Defense when it comes to establishing new remediation protocols, and to look more closely at the forensic analysis techniques shown in chapter 7.

The Logtrust environment has an online help, accessible from the Help option in the top panel.

8.1. Access to the Logtrust environment

To access the Logtrust environment, select the Advanced Search link on the Adaptive Defense Dashboard.

After accessing it, the preconfigured environment will be displayed with the Dashboard shown in the Adaptive Defense console.

8.2. Description of the Adaptive Defense tables

Adaptive Defense sends all the information collected from the Agents installed on the customer's computers to the Logtrust service, which organizes it into easy-to-read tables.

Each line of a table is an event supervised by Adaptive Defense. The tables contain a series of specific fields as well as common fields that appear in all of them, which offer information such as when the event occurred, the machine where it was registered, its IP address, etc.

Many fields use prefixes that help refer to the information shown. The two most used prefixes are:

Parent: the fields that begin with the Parent tag (parentPath, parentHash, parentCompany...) reflect the content of a characteristic or attribute of the parent process.

Child: the fields that begin with the Child tag (childPath, childHash, childCompany...) reflect the content of a characteristic or attribute of a child process created by the parent process.

Besides these prefixes, many fields and values also use abbreviations; knowing their meaning helps interpret the field in question:

Sig: Signature (digital signature)
Exe: Executable
Prev: Prevalence
Mw: Malware
Sec: Seconds
Op: Operation
Cat: Category
PUP: Potentially Unwanted Program
Ver: Version
SP: Service Pack
Cfg: Configuration
Svc: Service
PE: Executable Program
Cmp and comp: Compressed
Dst: Destination

Listed below are the available tables, indicating the type of information they contain and their specific fields.

8.2.1. Alert Table

This table contains a line for each threat detected in the customer's network, with information on the computer involved, the type of alert, the timestamp and the result of the alert.

Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
machineIP | IP address of the customer's machine that triggered the alert | IP address
date | Date when the event is received in the Adaptive Defense server | Date
alertType | Category of the threat that triggered the alert | Malware, PUP
machineName | Name of the customer's machine | String
version | Version of the Adaptive Defense Agent installed on the machine | x.x.x
executionStatus | Whether the threat was executed or not | Executed, Not Executed
dwellTimeSecs | Time in seconds from the first time the threat was seen in the customer's network | Seconds
itemHash | Hash of the known threat | String
itemName | Name of the known threat | String
itemPath | Complete path of the file that contains the threat | String

Thanks to the information contained in this table, it is very simple to obtain statistics on the most infected computers:

10 most attacked and infected computers

A simple list of the 10 most attacked computers can be obtained by clicking on the header of the machineName or machineIP column.

This list spans from the first moment Adaptive Defense started to work in the customer; if you want to reduce the range, simply narrow the interval with the Search limits controls.

These results include both malware blockings and executions; if you only want to show infected computers, you will need to add a filter by clicking on the icon in the toolbar.

You will also need to configure a data filter on the executionStatus field equal to Executed, as shown in the image.

10 most viewed threats

Similarly, by clicking on the itemHash or itemName columns you can display quick statistics on the 10 most viewed threats on the customer's network.

Another way of obtaining far more visual information is to generate a graph of the most viewed malware. The name of the malware is shown on the coordinate axis and the number of occurrences on the abscissa axis.

For this, you need to follow the steps below:

Add a grouping on the itemName field without any time limit (No temporal aggregation).

Add a count function to determine how many occurrences there are in each itemName group.

Add a filter that discards groups of 2 or fewer occurrences. This cleans the graph of those threats that have been seen only once or twice.

Add a Chart Aggregation type graphic and use the Count column as a parameter.

At this point there is already a list of alerts grouped by threat, with the number of occurrences for each threat. You can build a simple graph with this data.

Other useful information

There are several interesting fields in the Alerts table that can be used to extract valuable information on the attacks received on the customer's network:

eventdate: grouping by this field you can see the number of daily attacks and determine if there is an ongoing epidemic.

dwellTimeSecs: this field provides the detection window of the threats received, i.e. the time from when the threat was first seen in the customer's network to its classification.

itemHash: given that the name of the threat varies among security providers, the hash field can be used to group threats instead of itemName. This also helps to distinguish different malware that is labelled with the same name.
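The analyses described for the Alert table (most attacked versus most infected computers, grouping by itemHash instead of itemName with the "more than 2 occurrences" filter, daily counts from eventdate and the detection window from dwellTimeSecs) carried out in Python over constructed rows, as an added example; this is not code from the guide or from Logtrust, the field names are those of the table above, and the machine names, hashes, threat names and dates are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime


def _alert(eventdate, machine, status, item_hash, name, dwell, alert_type="Malware"):
    """One Alert-table row carrying only the fields the analyses below use."""
    return {"eventdate": eventdate, "machineName": machine, "executionStatus": status,
            "itemHash": item_hash, "itemName": name, "dwellTimeSecs": dwell,
            "alertType": alert_type}


# Constructed sample data: machine names, hashes, threat names and dates are made up.
SAMPLE_ALERTS = [
    _alert("2015-04-20 10:00:00", "WS-01", "Executed",     "HASH-A", "Trj/Downloader.A", 120),
    _alert("2015-04-20 11:30:00", "WS-02", "Not Executed", "HASH-A", "Trj/Downloader.A", 600),
    _alert("2015-04-21 14:17:47", "WS-01", "Executed",     "HASH-B", "Trj/Chgt.F", 86400),
    _alert("2015-04-21 09:00:00", "WS-03", "Executed",     "HASH-A", "W32/Generic", 700),
    _alert("2015-04-21 16:00:00", "WS-02", "Not Executed", "HASH-C", "PUP/Toolbar", 30, "PUP"),
    _alert("2015-04-22 08:05:00", "WS-03", "Not Executed", "HASH-B", "Trj/Chgt.F", 150000),
    _alert("2015-04-22 09:00:00", "WS-01", "Not Executed", "HASH-A", "Trj/Downloader.A", 172800),
    _alert("2015-04-22 10:00:00", "WS-04", "Executed",     "HASH-C", "PUP/Toolbar", 60, "PUP"),
]


def top_machines(rows, top=10, infected_only=False):
    """'10 most attacked computers' counts every alert per machineName; with
    infected_only=True it applies the executionStatus == Executed filter and
    yields the '10 most infected computers' instead."""
    counts = Counter(r["machineName"] for r in rows
                     if not infected_only or r["executionStatus"] == "Executed")
    return counts.most_common(top)


def threats_by_hash(rows, min_count=3):
    """Group by itemHash rather than itemName and keep groups with at least
    min_count alerts (the guide's filter drops groups of 2 or fewer).
    Returns (hash, count, names seen for that hash), most frequent first."""
    counts, names = Counter(), defaultdict(set)
    for r in rows:
        counts[r["itemHash"]] += 1
        names[r["itemHash"]].add(r["itemName"])
    return [(h, n, sorted(names[h])) for h, n in counts.most_common() if n >= min_count]


def threats_by_name(rows):
    """The same count grouped by itemName, which splits one hash across the
    different names given to it."""
    return Counter(r["itemName"] for r in rows).most_common()


def daily_attacks(rows):
    """Alerts per calendar day of eventdate; a sudden rise points to an epidemic."""
    def day(r):
        return datetime.strptime(r["eventdate"], "%Y-%m-%d %H:%M:%S").date().isoformat()
    return dict(sorted(Counter(day(r) for r in rows).items()))


def detection_window(rows):
    """Longest dwellTimeSecs per itemHash: how long each threat was present
    in the network before it was classified."""
    window = {}
    for r in rows:
        window[r["itemHash"]] = max(window.get(r["itemHash"], 0), r["dwellTimeSecs"])
    return window


if __name__ == "__main__":
    print("most attacked:", top_machines(SAMPLE_ALERTS))
    print("most infected:", top_machines(SAMPLE_ALERTS, infected_only=True))
    print("by hash (>2):", threats_by_hash(SAMPLE_ALERTS))
    print("by name:", threats_by_name(SAMPLE_ALERTS))
    print("per day:", daily_attacks(SAMPLE_ALERTS))
    print("detection window:", detection_window(SAMPLE_ALERTS))
```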

8.2.2. Drivers Table

This table includes all operations performed on drivers that are detected in processes executed in the user's computers.

Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIp | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Username of the process that performs the registered operation on the driver | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
op | Operation performed by the process on the driver | Open, Creation
hash | Hash / digest of the file | String
driveType | Type of drive where the process that triggered the registered operation on the driver resides | Fixed, Remote, Removable
path | Path of the process that triggered the registered operation on the driver | String
validSig | Digitally signed process | Boolean
company | Content of the Company attribute of the process metadata | String
imageType | Internal architecture of the executable file | EXEx32, EXEx64, DLLx32, DLLx64
exeType | Type of executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
prevalence | Historical prevalence in Panda Security systems | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security systems | HIGH, LOW, MEDIUM
cat | Category of the file that performed the operation on the driver | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the file is classified as a threat | String (Null if the element is not malware)
serviceDriveType | Type of drive where the driver that receives the registered operation resides | Fixed, Remote, Removable
servicePath | Path of the driver that received the registered operation | String

This table indicates the operations carried out by all the processes on the installed drivers. Since malware that creates or modifies drivers is considered particularly dangerous because it attacks basic elements of the system, the ideal approach in this case is to filter on the cat field and discard anything that is classified as “Goodware” or “Monitoring”.

8.2.3. Filesdwn Table

This table contains information on the downloading of data via HTTP by processes seen in the customer's network (URL, downloaded file data, computers that performed the download, etc.).

Name | Explanation | Values
eventdate | Date of the event on the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
type | Type of file downloaded | Zip, Exe, Cab, Rar
url | Download URL | URI resource
hash | Digest / hash of the downloaded file | String
validSig | Digitally signed downloaded file | Boolean
company | Content of the Company attribute of the downloaded file metadata | String
imageType | Internal architecture of the downloaded file | EXEx32, EXEx64, DLLx32, DLLx64
exeType | Type of executable of the downloaded file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
prevalence | Historical prevalence in Panda Security systems | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security systems | HIGH, LOW, MEDIUM
cat | Category of the downloaded file | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the downloaded file is classified as a threat | String (Null if the element is not malware)

Since this table shows all downloads by network users, irrespective of whether they are malware or goodware, apart from locating the download information for malware with a simple filter, it is also possible to graphically display the domains that receive the most downloads.

Domains that receive most downloads

To show this type of information, you need to use the content of the url field, removing the part of the string that is not of interest so as to end up with the domain.

Create a new column with the Split field set to url.

Group by the different url values and select No temporal aggregation.

Add a count type aggregation column.

This results in a list of each grouped domain and the number of occurrences of each domain within each group. With this information you can easily obtain a graph of the most visited domains for downloads.

In this case a pie chart is used, as it is simpler to interpret for the type of information shown here. For this, pre-filter the groups of 10 or fewer occurrences so as to look in more detail at the rest of the domains.

In pie charts the different sections are active, so when you pass the mouse over them they show the percentages and the name of the series represented.

Other useful information

Similarly, other fields can be combined to enrich or filter the lists and obtain more refined tables. You can use:

machine or machineIP: grouping by these fields you can see the computers in the customer's network that start the most downloads.

cat: filtering by this field you can clear the table and only show what is classified as malware. You can therefore obtain the domains considered malware emitters and block them in a firewall with layer 7 analysis.
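The domain analysis of the Filesdwn table, as an added Python example rather than code from the guide or from Logtrust: the url field is reduced to its host (urllib's urlsplit stands in for the Split column), downloads are grouped per domain with the "more than 10 occurrences" pre-filter, per machine, and per domain serving files whose cat is Malware. The rows, the example.com/.net/.org names and the machine names are constructed; a URL logged without a scheme is the edge case handled in download_domain.

```python
from collections import Counter
from urllib.parse import urlsplit


def _dl(machine, url, cat, mw_name=None, file_type="Exe"):
    """One Filesdwn row with the fields used below (constructed sample data)."""
    return {"machine": machine, "url": url, "cat": cat, "mwName": mw_name, "type": file_type}


# Constructed sample: reserved example.* names, not real download sites.
SAMPLE_DOWNLOADS = (
    [_dl("WS-01", f"http://updates.example.com/patch{i}.cab", "Goodware", file_type="Cab")
     for i in range(12)]
    + [_dl("WS-02", "https://cdn.example.net:8443/tool.zip", "Goodware", file_type="Zip")
       for _ in range(3)]
    + [_dl("WS-03", "http://dl.bad-example.org/invoice.exe", "Malware", "Trj/Downloader.A"),
       _dl("WS-02", "dl.bad-example.org/invoice2.exe", "Malware", "Trj/Downloader.A"),  # no scheme
       _dl("WS-01", "http://other.example.org/pack.rar", "Unknown", file_type="Rar")]
)


def download_domain(url):
    """Reduce a url value to its host, dropping scheme, port, path and query.
    A URL logged without a scheme would otherwise parse as a bare path, so
    '//' is prepended to force netloc parsing."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else "(unparseable)"


def domains_by_downloads(rows, min_count=11):
    """Domains ordered by number of downloads, keeping only groups of more
    than 10 occurrences (the pre-filter applied before drawing the pie chart)."""
    counts = Counter(download_domain(r["url"]) for r in rows)
    return [(d, n) for d, n in counts.most_common() if n >= min_count]


def downloads_per_machine(rows):
    """Computers that start the most downloads (group by machine)."""
    return Counter(r["machine"] for r in rows).most_common()


def malware_domains(rows):
    """Domains serving files classified as Malware, with the malware names seen:
    the candidates for a block rule on a firewall with layer 7 analysis."""
    found = {}
    for r in rows:
        if r["cat"] == "Malware":
            found.setdefault(download_domain(r["url"]), set()).add(r["mwName"])
    return {d: sorted(names) for d, names in sorted(found.items())}


if __name__ == "__main__":
    print("top domains:", domains_by_downloads(SAMPLE_DOWNLOADS))
    print("per machine:", downloads_per_machine(SAMPLE_DOWNLOADS))
    print("malware domains:", malware_domains(SAMPLE_DOWNLOADS))
```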

8.2.4. Hook table

This table contains all tasks in which hooks were created or used in the user's system.

Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
hooktype | Type of hook made by the process | Keyboard_ll, mouse_ll, keyboard, mouse
hash | Digest of the process that made the hook in the system | String
driveType | Type of drive where the process that makes the hook resides | Fixed, Remote, Removable
path | Path of the process that makes the hook | String
validSig | Digitally signed process that makes the hook | Boolean
company | Content of the Company attribute in the metadata of the process that makes the hook | String
imageType | Architecture of the file that makes the hook | EXEx32, EXEx64, DLLx32, DLLx64
exeType | Type of executable file of the process that makes the hook | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
prevalence | Historical prevalence in Panda Security's systems of the process that makes the hook | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security's systems of the process that makes the hook | HIGH, LOW, MEDIUM
cat | Category of the process that makes the hook in the system | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the process that makes the hook in the system is classified as a threat | String (Null if the element is not malware)
hookPEhash | Digest / hash of the hooked process | String
Hook | Type of drive where the hooked process resides | Fixed, Remote, Removable
hookPEpath | Path of the hooked process | String
hookPEvalidSig | Digitally signed hooked process | Boolean
hookPEcompany | Content of the Company attribute in the metadata of the hooked process | String
hookPEimageType | Internal architecture of the hooked process file | EXEx32, EXEx64, DLLx32, DLLx64
hookPEexeType | Type of executable file of the hooked process | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
hookPEprevalence | Historical prevalence in Panda Security's systems of the hooked process | HIGH, LOW, MEDIUM
hookPEprevLastDay | Previous day prevalence in Panda Security's systems of the hooked process | HIGH, LOW, MEDIUM
hookPEcat | Category of the hooked process | Goodware, Malware, PUP, Unknown, Monitoring
hookPEmwName | Name of the malware if the hooked process is classified as a threat | String

This table shows the operations carried out by all the processes that make hooks. Since the malware that performs this type of operation is considered particularly dangerous because it intercepts communications, the ideal solution in this case is to filter on the cat field and discard anything that is classified as “Goodware” or “Monitoring”.

8.2.5. Install Table

This table contains all the information generated in the installation of the Adaptive Defense Agents in the customer's machines.

Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
machineIP1 | IP address of an additional network card, if installed | IP address
machineIP2 | IP address of an additional network card, if installed | IP address
machineIP3 | IP address of an additional network card, if installed | IP address
machineIP4 | IP address of an additional network card, if installed | IP address
machineIP5 | IP address of an additional network card, if installed | IP address
ver | Version of the Adaptive Defense Agent | String
op | Operation performed | Install, Uninstall, Upgrade
osVer | Operating System version | String
osSP | Service Pack version | String
osPlatform | Operating System platform | WIN32, WIN64

Agent uninstall

Apart from the graphs shown in the Adaptive Defense Dashboard on the versions of the agents installed or uninstalled, it can be very useful to quickly locate the computers whose agent was uninstalled in a given time period.

For this, select the date range and simply add a filter on the op field to select all the rows that contain the “Uninstall” string. With this operation you obtain a list of all the machines whose protection has been uninstalled and which are therefore vulnerable to threats.

8.2.6. Monitoredopen Table

This table contains the data files accessed by the applications executed in the user's computer and the processes that accessed the data.

Name | Explanation | Values
eventdate | Date of the event on the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the file that accesses data | String
parentPath | Path of the process that accesses data | String
parentValidSig | Digitally signed process that accesses data | Boolean
parentCompany | Content of the Company attribute in the metadata of the file that accesses data | String
parentBroken | The file that accesses data is corrupted/defective | Boolean
parentImageType | Type of internal architecture of the file that accesses data | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable file that accesses data | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence of the file that accesses data in Panda Security's systems | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence of the file that accesses data in Panda Security's systems | HIGH, LOW, MEDIUM
parentCat | Category of the file that accesses data | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware if the file that accesses data is classified as a threat | String (Null if the element is not malware)
parentPid | ID number of the process that accesses data in the customer's computer | String
childPath | Name of the data file accessed by the process. By default only the file extension is indicated, to preserve the privacy of the customer's data | String
loggedUser | User logged on the computer at the time of the file access | String

Access to user's documents

Since this table shows the file accesses of all the processes executed on the user's computer, it is quite simple to locate an information leak in case of infection.

Filtering by the parentCat field to separate goodware from the rest of the possibilities, you obtain a list of accesses to data files by processes that are unclassified or classified as malware. This way, you can see at a glance the impact of the data leakage and take the necessary measures.

8.2.7. Notblocked Table

This table includes a record for each element that Adaptive Defense has not analyzed due to exceptional situations such as a timeout of the service on the endpoint, configuration changes, etc.

Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the parent file | String
parentValidSig | Digitally signed parent process | Boolean
parentCompany | Content of the Company attribute in the parent process metadata | String
parentBroken | The parent file is corrupted | Boolean
parentImageType | Internal architecture of the parent process | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable file of the parent process | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence in Panda Security's systems of the parent process | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence in Panda Security's systems of the parent process | HIGH, LOW, MEDIUM
parentCat | Category of the parent file | Goodware, Malware, PUP, Unknown, Monitoring
ParentmwName | Name of the malware if the parent file is classified as a threat | String (Null if the element is not malware)
childHash | Digest / hash of the child file | String
childValidSig | Digitally signed child process | Boolean
childCompany | Content of the Company attribute of the child process metadata | String
childBroken | The child file is corrupted | Boolean
childImageType | Internal architecture of the child process | EXEx32, EXEx64, DLLx32, DLLx64
childExeType | Type of executable file of the child process | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
childPrevalence | Historical prevalence in Panda Security's systems of the child file | HIGH, LOW, MEDIUM
childPrevLastDay | Previous day prevalence in Panda Security's systems of the child file | HIGH, LOW, MEDIUM
childCat | Category of the child process | Goodware, Malware, PUP, Unknown, Monitoring
childmwName | Name of the malware if the child file is classified as a threat | String (Null if the element is not malware)
cfgSvcLevel | Configured mode of the agent service | Learning: the agent enables the execution of unknown processes; Hardening: the agent prevents the execution of processes classified as threats; Block: the agent prevents the execution of processes classified as threats and of unknown processes
realSvcLevel | Agent operating mode actually in effect. For various reasons in the execution environment, the agent may temporarily operate with a mode different from the configured one; eventually cfgSvcLevel and realSvcLevel must coincide. | Learning: the agent enables the execution of unknown processes; Hardening: the agent prevents the execution of processes classified as threats; Block: the agent prevents the execution of processes classified as threats and of unknown processes
responseCat | File category returned by the cloud | Unknown = 0, Goodware = 1, Malware = 2, Suspect = 3, Compromised = 4, GoodwareNotConfirmed = 5, PUP = 6, GoodwareUnwanted = 7
numCacheClassifiedElements | Number of elements classified in the cache | Numeric value

8.2.8. Ops Table

This table contains a record of all operations performed by the processes seen in the customer's network.

Name | Explanation | Values
eventdate | Date of the event in the customer's machine | Date
serverdate | Date when the event is received in the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP of the customer's machine | IP address
ver | Version of the Adaptive Defense Agent | String
user | Process username | String
op | Operation performed | CreateDir, Exec, KillProcess, CreatePE, DeletePE, LoadLib, OpenCmp, RenamePE, CreateCmp
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the parent file | String
parentPath | Path of the parent process | String
parentValidSig | Digitally signed parent process | Boolean
parentCompany | Content of the Company attribute in the parent file metadata | String
parentImageType | Type of internal architecture of the parent file | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of executable of the parent file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
parentPrevalence | Historical prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentCat | Category of the parent file | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware found in the parent file | String (Null if the element is not malware)
childHash | Digest / hash of the child file | String
childPath | Path of the child process | String
childValidSig | Digitally signed child process | Boolean
childCompany | Content of the Company attribute in the child file metadata | String
childImageType | Type of internal architecture of the child file | EXEx32, EXEx64, DLLx32, DLLx64
childExeType | Type of executable of the child file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Setupfactory, Unknown
childPrevalence | Historical prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childPrevLastDay | Previous day prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childCat | Category of the child file | Goodware, Malware, PUP, Unknown, Monitoring
childMWName | Name of the malware found in the child file | String (Null if the element is not malware)
ocsExec | Whether software considered vulnerable was executed or not | Boolean
ocsName | Name of the software considered vulnerable | String
ocsVer | Version of the software considered vulnerable | String
peCreationSource | Executable process creation source. Equivalent to the DriveType field | String
params | Execution parameters of the executable process | String
toastResult | Result of the popup message shown | OK, Timeout, Angry, Block, Allow
clientCat | Category of the element in the agent cache | Goodware, Malware, PUP, Unknown, Monitoring
action | Action carried out | Allow, Block, BlockTimeout
serviceLevel | Agent mode | Learning: the agent enables the execution of unknown processes; Hardening: the agent prevents the execution of processes classified as threats; Block: the agent prevents the execution of processes classified as threats and of unknown processes
winningTech | Technology that caused the action | Unknown, Cache, Cloud, Contect, Serializer, User, Legacyuser, Netnative, certifUA

8.2.9. Registry Table

This table contains a record of all operations performed on the system registry by the processes seen in the customer's network.

Name | Explanation | Values
eventdate | Date of the event on the customer's machine | Date
serverdate | Date when the event is received by the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense agent | String
user | Username of the process that modified the registry | String
op | Operation performed on the computer's registry | ModifyExeKey, CreateExeKey
hash | Digest / hash of the process that makes the change in the registry | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
targetPath | Path of the executable file written into the registry | String
regKey | Registry key | String
driveType | Type of drive where the process that accesses the registry resides | String
path | Path of the process that modifies the registry | String
validSig | Digitally signed process that accesses the registry | Boolean
company | Content of the Company attribute in the metadata of the process that accesses the registry | String
imageType | Architecture of the file that accesses the registry | String
exeType | Type of executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Unknown
Prevalence | Historical prevalence of the process in Panda Security's systems | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence of the process in Panda Security's systems | HIGH, LOW, MEDIUM
Cat | Category of the process | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the process is classified as a threat | String (Null if the element is not malware)

Persistence of installed threats

Because this table records the registry accesses of every process executed on the user's computer, it is straightforward to find the malware that managed to run and achieve persistence on the system.

Many registry branches can launch a program at start-up, but the ones most used by Trojans and other threats are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

All of these keys share the "Run" branch, so by filtering on the regKey field for the "Run" substring you can see all the information on the process that added the branch to, or removed it from, the registry. Note that the substring is broad: keys such as Explorer\RunMRU also contain "Run" without being start-up locations, so check the full key path before treating a hit as persistence.

After filtering the processes that manipulate the start-up mechanism, you can apply further filters that refine the initial search, for example using the Cat field to remove all programs classified as Goodware from the list, as shown in the earlier examples.
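The hunt described above, as an added example that is not part of the guide and is not Logtrust query syntax: it runs the same two-step filter (start-up key, then drop Goodware) in Python over constructed Registry-table rows. It assumes that regKey holds the full key path with the hive prefix, and it compares the guide's "Run" substring filter with a stricter match on the exact autostart branches, which avoids false hits on keys such as Explorer\RunMRU.

```python
"""Hunt for persistence in Registry-table rows.

Added example, not code from the Adaptive Defense guide. The rows below are
constructed to mirror the Registry table fields; real rows come from the
Logtrust console. Assumption: regKey carries the full key path, hive first.
"""
import re

# Autostart branches listed in the guide (same path under HKCU and HKLM).
AUTORUN_BRANCHES = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
)

# Exact-branch matcher: hive, one of the branches, then a subkey/value or end.
_AUTORUN_RE = re.compile(
    r"^(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\"
    + r"(?:" + "|".join(re.escape(b) for b in AUTORUN_BRANCHES) + r")"
    + r"(?:\\|$)",
    re.IGNORECASE,
)

# Constructed sample rows (not real telemetry); only the fields used here.
SAMPLE_ROWS = [
    {"machine": "WS-01", "op": "CreateExeKey", "cat": "Unknown", "mwName": None,
     "regKey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "targetPath": r"C:\Users\bob\AppData\Roaming\updater.exe",
     "path": r"C:\Users\bob\Downloads\invoice.exe"},
    {"machine": "WS-01", "op": "ModifyExeKey", "cat": "Goodware", "mwName": None,
     "regKey": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "targetPath": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "path": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"},
    {"machine": "WS-02", "op": "CreateExeKey", "cat": "Malware", "mwName": "Sample.Trojan",
     "regKey": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001",
     "targetPath": r"C:\Windows\Temp\svch0st.exe",
     "path": r"C:\Windows\Temp\dropper.exe"},
    {"machine": "WS-03", "op": "ModifyExeKey", "cat": "Unknown", "mwName": None,
     "regKey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "targetPath": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Windows\explorer.exe"},
    {"machine": "WS-03", "op": "ModifyExeKey", "cat": "Goodware", "mwName": None,
     "regKey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
     "targetPath": r"C:\Users\alice\Desktop",
     "path": r"C:\Windows\explorer.exe"},
]


def matches_run_substring(reg_key: str) -> bool:
    """The guide's filter: regKey contains the substring "Run" (case-insensitive)."""
    return "run" in reg_key.lower()


def touches_autorun(reg_key: str) -> bool:
    """Stricter filter: regKey is one of the autostart branches or sits under one."""
    return _AUTORUN_RE.match(reg_key) is not None


def persistence_candidates(rows, drop_goodware=True, strict=True):
    """Rows that write a start-up location, minus Goodware when drop_goodware is set."""
    key_filter = touches_autorun if strict else matches_run_substring
    hits = []
    for row in rows:
        if not key_filter(row["regKey"]):
            continue
        if drop_goodware and row.get("cat") == "Goodware":
            continue
        hits.append(row)
    return hits


def summarize(rows):
    """One line per candidate: which process planted which executable where."""
    return [f'{r["machine"]}: {r["path"]} ({r["cat"]}) -> {r["regKey"]} = {r["targetPath"]}'
            for r in persistence_candidates(rows)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_ROWS):
        print(line)
```

On the sample rows the strict filter leaves two candidates (the Unknown binary that registered itself under Run and the Malware dropper using RunOnceEx), while the plain "Run" substring filter also returns the RunMRU row, which is a shell history key and not a start-up location.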

8.2.10. Socket Table

This table contains a record of all network operations performed by the processes seen in the customer's network.

Name | Explanation | Values
eventdate | Date of the event on the customer's machine | Date
serverdate | Date when the event is received by the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense agent | String
user | Username of the process | String
hash | Digest / hash of the process that makes the connection | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
driveType | Type of drive where the process that makes the connection resides | Fixed, Remote, Removable
path | Path of the process that makes the connection | String
protocol | Communications protocol used by the process | TCP, UDP, ICMP, ICMPv6, IGMP, RF
port | Communications port used by the process | 0-65535
direction | Communication direction | Upload, Download, Bidirectional, Unknown
dstIp | Destination IP address (IPv4) | IP address
dstPort | Destination port | 0-65535
dstIp6 | Destination IP address (IPv6) | IP address
validSig | Digitally signed file that makes the connection | Boolean
company | Content of the Company attribute in the metadata of the file that makes the connection | String
imageType | Internal architecture of the process that makes the connection | EXEx32, EXEx64, DLLx32, DLLx64
exeType | Type of executable file of the process that makes the connection | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Unknown
prevalence | Historical prevalence in Panda Security's systems | HIGH, LOW, MEDIUM
prevLastDay | Previous day prevalence in Panda Security's systems | HIGH, LOW, MEDIUM
cat | Category of the process that makes the connection | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Name of the malware if the process that makes the connection is classified as a threat | String (Null if the element is not malware)

Programs that most connect to the exterior

In the same way that the console graph geolocates the destinations of the connections made by the malware installed on the customer's network, you can obtain the destinations most often contacted by the legitimate software running on the computers. To do this, follow the steps below:

- Add a filter that removes all programs not considered legitimate: set the cat field equal to the string "Goodware".
- Add a filter that removes all connections to private IP addresses: create a column with the Is Public IPv4 function applied to the dstIp field, as shown in the figure, and filter on it.
- Add a latitude column and a longitude column that extract the coordinates from the dstIp field with the Geolocated Latitude / Longitude functions.

At this point in the procedure there is a list of connections from legitimate software to public IP addresses, with the latitude and longitude of each address. The coordinates obtained will be shown as dots on a map-type graph.

Since the intention is to show the number of connections to the same IP address, you need to group the rows and add a counter that gives the number of times each address is repeated within a group:

- Add a grouping on the dstIp field and the newly created latitude and longitude fields, without a time limit.
- Add a counter-type function.
- Add a Flat world map by coordinates or Google heat map type graph, using the count, latitude and longitude columns as its data.

When the columns are dragged to the boxes indicated, the chosen map is displayed with the data represented as dots of different colors and sizes.
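The same procedure run outside the console, as an added example that is not the guide's or Logtrust's code: it applies the Goodware filter, the public-IPv4 filter and the grouping-with-counter to constructed Socket-table rows. The console's Is Public IPv4 function is replaced by the standard library's ipaddress.is_global (an assumption about how the two agree), and the Geolocated Latitude / Longitude step is left out because it needs a GeoIP database; the output is the per-destination count that the map would plot.

```python
"""Rank the public destinations contacted by goodware, from Socket-table rows.

Added example, not code from the Adaptive Defense guide or the Logtrust
console. Rows are constructed to mirror the Socket table fields. The
console's "Is Public IPv4" function is replaced here by ipaddress.is_global;
the Geolocated Latitude / Longitude step is omitted because it needs a GeoIP
database, so the result is the per-destination count the map would plot.
"""
import ipaddress
from collections import Counter

# Constructed sample rows (not real telemetry); only the fields used here.
SAMPLE_ROWS = [
    {"machine": "WS-01", "cat": "Goodware", "protocol": "UDP", "dstIp": "8.8.8.8",
     "dstPort": 53, "path": r"C:\Windows\System32\svchost.exe"},
    {"machine": "WS-02", "cat": "Goodware", "protocol": "UDP", "dstIp": "8.8.8.8",
     "dstPort": 53, "path": r"C:\Windows\System32\svchost.exe"},
    {"machine": "WS-01", "cat": "Goodware", "protocol": "TCP", "dstIp": "192.168.1.10",
     "dstPort": 445, "path": r"C:\Windows\System32\svchost.exe"},      # private: dropped
    {"machine": "WS-03", "cat": "Goodware", "protocol": "TCP", "dstIp": "1.1.1.1",
     "dstPort": 443, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"machine": "WS-03", "cat": "Unknown", "protocol": "TCP", "dstIp": "1.1.1.1",
     "dstPort": 443, "path": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},  # not Goodware: dropped
    {"machine": "WS-02", "cat": "Goodware", "protocol": "TCP", "dstIp": "", "dstIp6": "2001:db8::1",
     "dstPort": 443, "path": r"C:\Windows\System32\svchost.exe"},      # IPv6-only: dropped
    {"machine": "WS-01", "cat": "Goodware", "protocol": "TCP", "dstIp": "203.0.113.5",
     "dstPort": 80, "path": r"C:\Windows\System32\svchost.exe"},       # documentation range: not global
]


def is_public_ipv4(addr: str) -> bool:
    """True for a routable (global) IPv4 address.

    Rejects RFC 1918 space, loopback, link-local, shared CGNAT space and the
    IANA documentation ranges. The console's Is Public IPv4 function may draw
    the line differently (assumption: it at least excludes RFC 1918 space).
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # empty string, IPv6-only row, garbage
        return False
    return ip.version == 4 and ip.is_global


def external_goodware_connections(rows):
    """Steps 1 and 2 of the procedure: keep Goodware, keep public IPv4 destinations."""
    return [r for r in rows
            if r.get("cat") == "Goodware" and is_public_ipv4(r.get("dstIp", ""))]


def top_destinations(rows, n=10):
    """Grouping plus counter: (dstIp, connection count), most contacted first.

    With a GeoIP lookup the same grouping would also carry latitude and
    longitude, which is what the map graph uses to place and size each dot.
    """
    counts = Counter(r["dstIp"] for r in external_goodware_connections(rows))
    return counts.most_common(n)


if __name__ == "__main__":
    for ip, count in top_destinations(SAMPLE_ROWS):
        print(f"{ip:15} {count}")
```

Two of the sample rows are worth noting: the IPv6-only row has an empty dstIp and is dropped by the IPv4 check rather than crashing the parse, and 203.0.113.5 is rejected because the documentation ranges are not globally routable even though they are not RFC 1918 addresses.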

8.2.11. Toast Table

The Toast table records an entry every time the agent shows a popup message on the customer's computer.

Name | Explanation | Values
eventdate | Date of the event on the customer's machine | Date
serverdate | Date when the event is received by the Adaptive Defense server | Date
machine | Name of the customer's machine | String
machineIP | IP address of the customer's machine | IP address
ver | Version of the Adaptive Defense agent | String
user | Username of the process | String
muid | Internal identifier of the customer's computer | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest / hash of the parent file | String
parentPath | Path of the parent process | String
parentValidSig | Digitally signed parent process | Boolean
parentCompany | Content of the Company attribute in the parent file metadata | String
parentImageType | Type of internal architecture of the parent file | EXEx32, EXEx64, DLLx32, DLLx64
parentExeType | Type of parent executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Unknown
parentPrevalence | Historical prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentPrevLastDay | Previous day prevalence of the parent file in Panda Security's systems | HIGH, LOW, MEDIUM
parentCat | Category of the parent file | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware found in the parent file | String (Null if the element is not malware)
childHash | Digest / hash of the child file | String
childPath | Path of the child process | String
childValidSig | Digitally signed child process | Boolean
childCompany | Content of the Company attribute in the child file metadata | String
childImageType | Type of internal architecture of the child file | EXEx32, EXEx64, DLLx32, DLLx64
childExeType | Type of child executable file | Delphi, DOTNET, VisualC, VB, CBuilder, Mingw, Mssetup, Setupfactory, Lcc32, Unknown
childPrevalence | Historical prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childPrevLastDay | Previous day prevalence of the child file in Panda Security's systems | HIGH, LOW, MEDIUM
childCat | Category of the child file | Goodware, Malware, PUP, Unknown, Monitoring
clientCat | Category of the element in the agent's cache | Goodware, Malware, PUP, Unknown, Monitoring
childMWName | Name of the malware found in the child file | String (Null if the element is not malware)
serviceLevel | Agent mode | Learning: the agent allows the execution of unknown processes. Hardening: the agent prevents the execution of processes classified as threats. Block: the agent prevents the execution of processes classified as threats and of unknown processes
winningTech | Technology that caused the action | Unknown, Cache, Cloud, Contect, Serializer, User, Legacyuser, Netnative, certifUA
cloudAccessOk | Whether the agent could reach the cloud | Boolean
SonFirstSeen | First time the system saw the process that caused the popup message | Date
SonLastQuery | Last time the process that caused the popup message sent a query to the cloud | Date
PreviousClientCat | Previous category of the element that caused the popup message | Numeric value
ToastResult | Result of the popup message | OK: the user accepts the message. Timeout: the popup disappears because the user took no action. Angry: the user rejects the block. Block. Allow


9. Appendix I: Integration with SIEM products

Adaptive Defense integrates with SIEM solutions, adding detailed information about the activity of the applications running on protected workstations.

The information sent to the customer's SIEM system comes from the Adaptive Defense server, so it is enriched information (category, prevalence, etc.) rather than the raw data collected by the agents installed on the users' machines.

The SIEM systems compatible with Adaptive Defense are listed below:

- QRadar
- AlienVault
- ArcSight
- LookWise
- Bitacora

QRadar

Adaptive Defense supports QRadar (Live format).

AlienVault and ArcSight

Integration with AlienVault and ArcSight delivers the events to the SIEM in CEF (Common Event Format).
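What a CEF consumer on the SIEM side has to do with such events, as an added example that is neither the guide's code nor Adaptive Defense's actual CEF output: a small parser for the CEF line format (seven pipe-separated header fields, then key=value extensions) that handles the format's escaping rules. The sample line is constructed with placeholder vendor, product, signature ID and extension fields purely to exercise the parser; it is not the product's schema.

```python
"""Parse CEF (Common Event Format) lines as a SIEM receives them.

Added example, not Adaptive Defense's CEF output and not code from the guide.
The CEF layout is
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
A literal pipe or backslash inside a header field is written with a leading
backslash; inside an extension value a literal "=" or backslash is written the
same way. The sample line is constructed with placeholder values.
"""
import re

_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")

# A key is a run of [A-Za-z0-9_.] right before an unescaped "=" at the start
# of the extension or after whitespace; a value runs until the next such key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(text: str) -> str:
    """Drop the escaping backslash; the n and r escapes become line breaks."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)


def _split_header(line: str):
    """Return the 7 header fields (unescaped) and the raw extension string."""
    fields, cur, i, n = [], [], 0, len(line)
    while i < n and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < n:          # escaped pipe or backslash
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) == 6 and cur:             # severity without trailing pipe: no extension
        fields.append("".join(cur))
        return fields, ""
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, line[i:]


def _parse_extension(ext: str) -> dict:
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a dict; raises ValueError on malformed input."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(_HEADER_FIELDS, fields))
    event["version"] = int(fields[0][4:])
    event["severity"] = int(event["severity"])   # CEF severity is 0-10
    event["extension"] = _parse_extension(ext)
    return event


# Constructed sample: vendor, product, IDs and fields are placeholders.
SAMPLE_CEF = (
    r"CEF:0|ExampleVendor|ExampleEDR|1.0|1001|Process block\|allow decision|8|"
    r"rt=Jan 01 2020 00:00:00 src=10.0.0.12 suser=bob "
    r"fname=C:\\Users\\bob\\dropper.exe act=Block cat=Malware "
    r"msg=Blocked execution of a\=b"
)


def high_severity(lines, threshold=7):
    """Events at or above a CEF severity threshold, the usual input to an alert rule."""
    return [ev for ev in map(parse_cef, lines) if ev["severity"] >= threshold]


if __name__ == "__main__":
    for ev in high_severity([SAMPLE_CEF]):
        print(ev["name"], ev["severity"], ev["extension"]["fname"])
```

The two places where naive splitting goes wrong are both covered by the sample: the escaped pipe inside the Name field must not start a new header field, and the escaped "=" inside msg must not start a new extension key.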

LookWise and the former Bitacora

LookWise and the former Bitacora can receive alert events and prevalence information from Adaptive Defense, that is, information on when, and on which computers of the IT infrastructure, the detected malware has been seen.

Integration open to other manufacturers (Splunk, etc.)

Integration with new SIEM platforms is undertaken on demand, so integration with manufacturers such as Splunk and others is possible.


10. Appendix II: Service Level Agreements

At Panda Security we consider it essential to clearly indicate the services included with your purchase. Below is a description of the service levels offered with the purchase of our solutions.

10.1. Pre-sales and Migration Service

The pre-sales and migration service includes a service demonstration, information and answers to all customer doubts and queries, coordination with Panda Security's internal departments, active support in migration, and uninstallers for the solution replaced by Panda Adaptive Defense.

- Customer information service providing email or telephone responses to all customer doubts and questions.
- Internal coordination and open communication with all Panda Security internal departments to answer all customer doubts and queries, and to pass on customer needs so that they can be incorporated into the service in future revisions.
- Active support in migration: collecting data, preparing proposals and collaborating in deployments.
- Uninstallers for the replaced solution. If the company that purchases Panda Adaptive Defense wants to replace its traditional antivirus solution, Panda offers uninstallers for different antivirus products. These uninstallers are launched automatically on the workstations and servers where the Panda Adaptive Defense protection is installed, provided this is set in the service configuration. If no uninstaller is available, Panda agrees to create one within a maximum of 2 weeks of receiving the necessary information. An uninstaller can be created in all cases except where the product to be uninstalled includes self-protection mechanisms that prevent it from being uninstalled.

10.2. Technical Support Service

The Panda products support service provides the maintenance and technical assistance necessary to ensure the correct working of all Panda programs on all of the customer's workstations and servers.

- Service Packs and hotfixes: access to the product service packs and hotfixes released during the service period.
- Support website: access to forums, blogs, the support website, information on the latest threats, the virus map, Panda ThreatWatch, the virus encyclopedia, etc.
- Technical support: telephone and email support from technicians certified in Panda Security solutions.
- Access to beta programs, to try the latest versions of Panda Security products and share experiences and feedback with us.
- Unlimited access to the HelpDesk: no limit on reported incidents.

The following conditions define the service:

- Personal technical support service. Customer telephone service managed by product experts. Personal resolution of any query or incident related to virus detection or product configuration.

10.3. Our infrastructure in the Cloud

Service Availability

Panda Security guarantees that the service will be available 99.5% of the time. The guarantee covers the infrastructure used by the Panda Adaptive Defense solution, specifically the following systems:

- Management console.
- Download of the packages for installing both the agent and the protection on Windows laptops, workstations and servers.

Availability is calculated annually according to the following equation:

$$\frac{\text{total} - \text{nonexcluded} - \text{excluded}}{\text{total} - \text{excluded}} \times 100 \ge 99.5\%$$

Where:

- Total is the total number of minutes per year.
- Nonexcluded is the downtime which is not excluded, i.e. the time during which there has been a service outage in which the management console and/or the downloads of the packages for installing the agent and the protection have not been available.
- Excluded is the downtime that falls under the following cases:
  - Planned stops for maintenance, installation of new versions (major and minor) and installation of hotfixes. This time will never exceed 48 hours per quarter.
  - Any stop for maintenance where Panda Security gives 48 to 96 hours' notice by email to the partner. The notification will indicate the approximate start and finish time of the maintenance tasks.
  - Any planned stop for installing Major Releases, limited to a maximum of 3 a year.
  - Any planned stop for installing Minor Releases, limited to a maximum of 3 a year.
  - Any planned stop for installing hotfixes.
  - Any service downtime caused by Force Majeure and, in general, any circumstances beyond the control of Panda Security, including but not limited to any external event that could not be foreseen, or that even if foreseen was inevitable, preventing the performance of the obligations of one of the parties, such as storms, floods, fires, war or sabotage.

Availability calculations are produced for the whole year, even where the customer has contracted the service for less time or during the same year. During 2013, our cloud platform had 99.9% availability.

What security does the platform hosting the data have?

Windows Azure, the platform where Panda Adaptive Defense is hosted, provides confidentiality and security for the stored data. The security and control policies established in Azure are described in the "Windows Azure Security Overview" white paper. See
http://download.microsoft.com/download/6/0/2/6028B1AE-4AEE-46CE-9187-641DA97FC1EE/Windows%20Azure%20Security%20Overview%20v1.01.pdf

What security certifications does the platform hosting the data have?

As indicated in the PDF referenced above, Windows Azure runs on Microsoft Global Foundation Services (GFS): "Windows Azure operates in the Microsoft Global Foundation Services (GFS) infrastructure".

The following document describes how security is managed in Global Foundation Services (GFS), the Microsoft cloud infrastructure in which Windows Azure operates:
http://cdn.globalfoundationservices.com/documents/InformationSecurityMangSysforMSCloudInfrastructure.pdf

The Windows Azure certifications indicated in that PDF are:

- ISO/IEC 27001:2005
- Statement on Auditing Standards No. 70 (SAS 70) Type I and II
- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)

More detailed information on the 27001 certification is available at:
http://blogs.msdn.com/b/windowsazure/archive/2011/12/19/windows-azure-achieves-is0-27001-certification-from-the-british-standards-institute.aspx

Finally, there is a white paper at http://www.microsoft.com/download/en/details.aspx?id=26647 which describes how Windows Azure meets the security requirements defined by the Cloud Security Alliance Cloud Controls Matrix. A paragraph from the white paper is reproduced below:

"Our security framework based on ISO 27001 enables customers to evaluate how Microsoft meets or exceeds the security standards and implementation guidelines. ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). In addition, the GFS infrastructure undergoes an annual American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) No. 70 audit, which will be replaced with an AICPA Statement on Standards for Attestation Engagements (SSAE) No. 16 audit and an International Standards for Assurance Engagements (ISAE) No. 3402 audit. Planning for an SSAE 16 audit of Windows Azure is underway."

10.4. Unreliable software classification service

Panda Adaptive Defense is based on technologies that draw on information collected from the continuous monitoring of applications running on workstations and servers, reputation information, information from the Panda community itself, and information obtained from the controlled execution of these applications on physical machines located in Panda's infrastructure.

All these inputs feed a Big Data analysis engine in our cloud infrastructure, where they are aggregated, correlated and processed. The end result is a verdict that determines whether or not Panda considers the application reliable. Measured against all the goodware and malware classifications made by Panda to date, this verdict has an accuracy close to 100%.

In any case, the reliability level of the applications is recalculated continuously as new events arrive in the system.

Our PandaLabs experts, using all the information collected from the continuous monitoring of applications running on endpoints together with the results of the Big Data analysis carried out in our cloud infrastructure, manually classify those applications that are not automatically classified by the system.