Localization of Spyware in Windows Environments

Bergstrand, Fredrik, Bergstrand, Johan, Gunnarsson, Håkan

January 2004

This is a thesis about different methods that can be used to detect spyware. Methods included are Layered Service Provider, Internet Protocol Helper API, TDI filtering and API hooking. Some firewall testing applications, leak tests, that use methods that can be used by real spyware program to penetrate firewalls have also been examined. The goal was to develop a Windows 2000/XP program that is able to detect as many of our examined leak tests as possible. Our program uses the methods TDI filtering and API hooking for detection of spyware because our study showed that these methods were the best. To evaluate the program it was tested against our examined leak test programs. Our program managed to detect all leak tests except one. / Fredrik Bergstrand cfb@home.se Johan Bergstrand jb78@home.se Håkan Gunnarsson hakan.gunnarsson@klostersfalad.se

spyware

firewall

leak test

API hooking

Software Engineering

Programvaruteknik

Improving DLP system security / Förbättring av säkerheten av DLP system

Ghorbanian, Sara, Fryklund, Glenn

January 2014

Context. Data leakage prevention (DLP), a system designed to prevent leakage and loss of secret sensitive data and at the same time not affect employees workflow. The aim is to have a system covering every possible leakage point that exist. Even if these are covered, there are ways of hiding information such as obfuscating a zip archive within an image file, detecting this hidden information and preventing it from leaking is a difficult task. Companies pay a great deal for these solutions and yet, as we uncover, the information is not safe. Objectives. In this thesis we evaluate four different existing types of DLP systems out on the market today, disclosing their weaknesses and found ways of improving their security. Methods. The four DLP systems tested in this study cover agentless, agent based, hybrids and regular expression DLP tools. The test cases simulate potential leakage points via every day used file transfer applications and media such as USB, Skype, email, etc. Results. We present a hypothetical solution in order to amend these weaknesses and to improve the efficiency of DLP systems today. In addition to these evaluations and experiments, a complementing proof of concept solution has been developed that can be integrated with other DLP solutions. Conclusions. We conclude that the exisiting DLP systems are still in need of improvement, none of the tested DLP solutions fully covered the possible leakage points that could exist in the corporate world. There is a need for continued evaluation of DLP systems, aspects and leakage points not covered in this thesis as well as a follow up on our suggested solution.

Data leakage prevention (DLP)

API hooking

agent based

agentless.

Computer Sciences

Datavetenskap (datalogi)

Software Engineering

Programvaruteknik

Antivirusinių programų failinės sistemos realaus laiko stebėjimo algoritmai / Real-time Tracking System for Antivirus Engines

Talmontienė, Jūratė

19 June 2013

Šiame baigiamajame darbe yra nagrinėjami antivirusinėse programose taikomi failinės sistemos realaus laiko stebėjimo metodai – API sąsajos funkcijų perėmimas, failinių sistemų filtravimo tvarkyklės, dėklinės failinės sistemos, FUSE technologijos panaudojimas. Pateikiami metodų privalumai ir trūkumai. Darbo pabaigoje aprašoma C/C++ programavimo kalbomis sukurta realaus laiko failinės sistemos stėbėjimo programa - failinės sistemos filtravimo tvarkyklė ir vartotojo lygio modulis. Darbą sudaro šešios pagrindinės dalys: įvadas, teorinė, analitinė ir programavimo dalys, išvados ir literatūros sąrašas. Darbo apimtis – 54 p. teksto be priedų, 16 pav., 3 lent., 28 bibliografiniai šaltiniai. Atskirai pridedami darbo priedai. / In this final work antivirus file system real-time file system tracking methods – usage of file system filter drivers, API hooking, stackable file systems, FUSE technology for antivirus are analyzed. The pros and cons of these methods are given. At the end of the thesis real-time file system tracking program developed in the C/C++ programming languages is presented. Created program consists of two parts – file system filter driver and user-mode module. Structure of the work: introduction, theoretical, analysis and programming parts, conclusions, references. Thesis consists of: 54 p. text without appendixes, 16 pictures, 3 tables, 28 bibliographical entries. Appendixes included.

Informatics Engineering

Antivirusinė programa

API perėmimas

Failinė sistema

Filtravimo tvarkyklė

Libclamav

Antivirus

API hooking

File system

Filter driver

Libclamav