We are often asked for recommendations about the purchase and implementation of anti-virus (AV) software and, whilst we cannot provide a definitive product choice, we provide unbiased advice highlighting what to look for in an AV solution, as well as best practices for configuration. In this blog post we’re going to look at the features we’d always recommend that your chosen AV solution should provide.
Tamper protection prohibits users from making changes to the local AV configuration without first entering additional credentials (such as a password or separate administrative user credentials). Most configurations observed during penetration tests, across a wide variety of AV products, were found not to have tamper protection enabled; instead, local administrative privileges alone were sufficient to change the AV configuration. As a result, a malicious user who has obtained administrative access (through exploitation, shared passwords, or other methods) could easily disable the AV software.
For instance, if AV is installed and operating on a Domain Controller and an attacker has obtained Domain Admin privileges yet the AV cannot be disabled or modified, then this greatly restricts the attacker’s ability to extract password hashes from the Domain without additional bypasses. However, if the AV product does not have tamper protection, the attacker is able to disable the services, possibly even remove the AV software altogether, and can continue post-exploitation attacks.
In some instances it is possible for an administrative user to disable the antivirus on the host by stopping its services directly, essentially bypassing the tamper protection controls that are in place. Most organisations will, of course, consider that these user accounts should have full access to perform such tasks. However, in the event of a system compromise, further restricting the Administrator account’s ability to stop these services directly helps ensure that malicious files cannot be transferred to the host.
Another feature, often overlooked, is hardware device control. Some endpoint AV software allows the creation of policies that restrict the use of hardware such as USB storage, CD/DVD-ROM drives, SD cards, etc. The benefit is that no additional software needs to be purchased, and the policy can be managed centrally from the endpoint management server. AV/endpoint products that offer this feature typically also provide granular control over these devices, allowing restrictions based upon the device ID or keywords.
Access to USB storage devices can be restricted using Windows Group Policy. However, there are methods to bypass or remove these restrictions if users have administrative control of their devices. Endpoint software that offers hardware device control (along with tamper protection) can prevent even local administrators from accessing external storage media.
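The following audit script is an added example, not code from the original post or from SureCloud, covering both the tamper protection discussion above and the Group Policy USB restrictions in this paragraph. It assumes Microsoft Defender is the installed AV (third-party products expose their own status commands) and reads the standard Windows locations: the `IsTamperProtected` property of `Get-MpComputerStatus`, the `USBSTOR` service start type, and the `RemovableStorageDevices` policy keys that Group Policy writes. Run it as an administrator on a Windows host to confirm that the controls you believe are deployed are actually in effect.

```powershell
# Audit of AV tamper protection and removable-storage restrictions (added example).
# Assumes Microsoft Defender; the policy/registry paths are the standard Windows ones.

function Test-DefenderTamperProtection {
    # Returns $true only if Defender reports tamper protection as enabled.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        [bool]$status.IsTamperProtected
    } catch {
        # Defender module not present (e.g. third-party AV installed): unknown, treat as not proven.
        Write-Warning "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
        $false
    }
}

function Test-UsbStorageRestriction {
    # Checks the two common ways Group Policy blocks USB mass storage:
    #  1. USBSTOR driver service disabled (Start = 4)
    #  2. RemovableStorageDevices policy: Deny_All, or Deny_Read/Deny_Write for removable disks
    $usbstorStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                        -Name Start -ErrorAction SilentlyContinue).Start
    $usbstorDisabled = ($usbstorStart -eq 4)

    $policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty $policyBase -Name Deny_All -ErrorAction SilentlyContinue).Deny_All -eq 1

    # Device setup class GUID for "Removable Disks" used by the Group Policy ADMX templates.
    $removableDisksKey = Join-Path $policyBase '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $denyRead  = (Get-ItemProperty $removableDisksKey -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read  -eq 1
    $denyWrite = (Get-ItemProperty $removableDisksKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write -eq 1

    [PSCustomObject]@{
        UsbStorDriverDisabled = $usbstorDisabled
        PolicyDenyAll         = $denyAll
        PolicyDenyRead        = $denyRead
        PolicyDenyWrite       = $denyWrite
        # Any one of these is enough to block ordinary users; none of them stops a local
        # administrator who can edit the registry, which is why vendor device control with
        # tamper protection is the stronger option.
        RestrictedForStandardUsers = ($usbstorDisabled -or $denyAll -or ($denyRead -and $denyWrite))
    }
}

function Invoke-EndpointControlAudit {
    # Combines both checks into one report object suitable for CSV/JSON export.
    $usb = Test-UsbStorageRestriction
    $services = Get-Service -Name WinDefend, WdNisSvc -ErrorAction SilentlyContinue |
                Select-Object Name, Status, StartType

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        TamperProtected       = Test-DefenderTamperProtection
        AvServices            = $services
        UsbRestrictedForUsers = $usb.RestrictedForStandardUsers
        UsbDetail             = $usb
        Findings              = @(
            if (-not (Test-DefenderTamperProtection)) { 'Tamper protection is not enabled; local admins can disable AV.' }
            if (-not $usb.RestrictedForStandardUsers) { 'No USB mass-storage restriction detected.' }
        )
    }
}

# Usage: run elevated, then review or export the result.
Invoke-EndpointControlAudit | ConvertTo-Json -Depth 4
```

The `Findings` list is what to feed into a hardening ticket: an empty list means both controls are present on this host, while the `UsbDetail` object shows which specific mechanism (driver disabled versus policy deny) is doing the work, which matters when a later Group Policy change silently replaces one with the other.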
A great feature of policy deployment that is rarely seen is the ability to choose and deploy policies based upon the location of the device. As remote working has become the norm, it is imperative that IT departments enforce policies to control what users can/cannot do when outside the office. For example, if end users require USB access whilst off-site, connected via VPN or working from home, then a more lenient policy may be in place. However, when the user is next on-site, a more stringent policy is applied.
Our next blog provides some unbiased advice on Antivirus (AV) configuration best practices.
Authored by Adam Govier, Security Consultant, SureCloud Penetration Testing Team