This week, Sophos took part in Microsoft's Windows Endpoint Security Ecosystem Summit. In light of the recent global outage caused by a kernel-driver update crash that affected hundreds of thousands of machines worldwide, representatives from industry and government gathered for an in-depth exploration of kernel architectures, update-deployment processes and, most critically, how this previously obscure security ecosystem can evolve transparently and with full community engagement. It is early days, but this initial discussion produced several noteworthy themes.
One theme was how the Windows platform can evolve to reduce the need for security vendors to rely on kernel drivers, user-space hooking and other tactics to integrate with, and act on, the platform's core, while denying adversaries the same opportunities. Cross-industry collaboration is essential here: combined expertise and lessons from previous experience are what will produce the desired outcome.
Another critical theme is deployment: delivering software updates to millions of users safely and with minimal disruption.
Microsoft highlighted Sophos' work and results as an example during their discussion.
This post examines how and why Sophos currently integrates with the Windows platform. It then explores ways the platform could evolve to rebalance the strategies and access that third-party security vendors need in order to interact with it. At the summit, Microsoft and Sophos led discussions on Safe Deployment Practices (SDP). To wrap up, we outline three lessons from our experience of making foundational changes to our Mac and Linux products, which we hope will inform future industry discussions.
This text is not a comprehensive guide or detailed atlas; it is a brief directory that provides essential background about the landscape. A full examination of what is required to reach far-reaching resilience and safety goals is beyond the scope of this post, but a cursory overview of the broader landscape is still worthwhile at this point in the discussion. Stay tuned.
Sophos antivirus software uses kernel-mode drivers to strengthen its ability to detect and remove malware. Installing drivers in the operating-system kernel gives Sophos low-level access to memory and file systems, so it can identify and neutralise threats that would evade detection by other means, and so provide robust protection against sophisticated attacks, zero-day exploits and rootkits.
Sophos integrates with the Windows platform through a combination of techniques that reach deep into its internals: kernel drivers, user-space hooking and other tactics. Each security vendor has its own methods of doing so; as we have previously disclosed, Sophos' approaches are transparent. Generally speaking, though, the system access that kernel drivers provide is essential for delivering the security features that customers of a modern cybersecurity product expect. That functionality includes:
- Near-real-time visibility of complex system operations.
- Preventing threats from unfolding, rather than merely observing them.
- A mechanism for responding quickly to detected malicious or non-compliant activity, including restoring or reverting affected operations.
- Confidence that our security products remain effective even when components of the very system they protect have been compromised.
- Assurance that our security software does not compromise the integrity of Windows itself or interfere with third-party software and hardware.
- Delivering advanced features while minimising the impact on overall system performance.
- Maintaining visibility and protection at all power levels, including low-power modes, with dependencies resolved in a way that cannot deadlock during power transitions.
Current Sophos Windows drivers
Sophos currently uses five Windows kernel drivers: one Early Launch Anti-Malware (ELAM) driver, two drivers that intercept file and process activity, and two that intercept network activity. We have covered these drivers in detail before, so here is a concise recap:
- The ELAM driver is required by Windows: a security vendor must supply one in order to register as an endpoint-protection product (antivirus, in older terminology) and to disable Windows Defender on a device.
- The two file drivers provide journaling and event-logging capabilities that are not available through the Windows API, along with anti-tampering, process hooking and ransomware protection.
- The two network drivers provide packet inspection for intrusion detection, Domain Name System (DNS) protection, and redirection of network flows for zero-trust network access.
At the end of this section we also look at how Sophos injects DLLs into user-space processes.
Below is a summary of what each of the five drivers does; readers wanting more detail are invited to refer back to the original article.
SophosEL.sys
SophosEL.sys is Sophos' ELAM driver. Like every vendor that integrates with Windows at this level, Sophos supplies an ELAM driver so that it can launch Anti-Malware Protected Process Light (AM-PPL) processes and services. Only AM-PPL processes can register as an AV and thereby disable Windows Defender on a device, and AM-PPL processes benefit from built-in protections that make them effectively "unkillable" from user mode. During early boot, SophosEL.sys prevents Windows from loading kernel drivers that have been blocklisted. SophosEL.sys carries "fingerprints" of Sophos-specific code-signing certificates, which is what allows Sophos to run AM-PPL processes for its customers.
SophosED.sys
The main file-system driver, which is also the core Sophos anti-malware driver, is SophosED.sys; the "ED" in its name refers to endpoint protection. SophosED.sys communicates with the Sophos System Protection service (SSPService.exe) through both synchronous callbacks (SophosED.sys pauses execution until SSPService.exe responds) and asynchronous event processing (serialised event data and related parameters are queued for later notification). The driver's functionality includes:
- Maintaining a real-time "shadow" tree of processes, threads and modules so the product always knows what is running.
- Recording low-level system events in the Sophos event journals to support forensic analysis.
- Protecting Sophos configuration against tampering through an independent authentication mechanism.
- Verifying the integrity of software delivered by Sophos.
- Injecting a DLL (SophosED.dll) into every process that starts on the system.
- Ensuring that the embedded Sophos software starts early enough during system initialisation.
- Securing communication among Sophos processes, services and drivers; hashing files to verify their integrity; and supporting memory scanning.
hmpalert.sys
The HitmanPro Alert driver is the odd one out among the five kernel drivers: it exists to enforce CryptoGuard, detecting and blocking the bulk encryption of files by ransomware, and it injects hmpalert.dll into newly started processes so that the mitigation can act from within them.
sntp.sys
The Sophos Network Threat Protection driver, sntp.sys, provides the core network filtering that Sophos needs for network-based threat detection. Its capabilities include filtering HTTP and HTTPS traffic to enforce web protection, data-loss prevention and acceptable-use policies; recording HTTP/HTTPS traffic, DNS queries and responses, and basic TLS stream activity in the Sophos event journals and the Sophos Central data lake; layer-2 packet interception and injection in support of the Sophos Intrusion Prevention System; and dropping or delaying outgoing flows for further inspection or cross-system coordination.
SophosZtnaTap.sys
SophosZtnaTap.sys, the second network-filter driver, is a Sophos-built OpenVPN TAP driver that provides the filtering Sophos needs to deploy its ZTNA (Zero Trust Network Access) agent. The driver intercepts DNS requests; when a request concerns a ZTNA-protected application it responds with a tunnel IP address and then forwards IP traffic for that address to the application.
About DLL injection
Windows currently provides no supported mechanism, in either user space or the kernel, for requesting DLL injection. The injected DLLs give visibility into, and protection of, the API calls that applications make.
Towards safer operations
The next two sections outline the choices Sophos has made in its update and rollout processes, followed by a look at high-level approaches that could let the Windows platform reduce its reliance on third-party kernel drivers, a goal the Summit discussions suggested is desirable.
Deploying new features safely
A key topic at the Summit was Safe Deployment Practices (SDP): how to keep software releases from causing harm. Like Microsoft, Sophos has invested in a software framework that supports staged rollouts and feature flags for introducing new functionality. Our objective is for our products to be as safe and reliable as possible while giving customers visibility and control. Sharing our processes and experience with Microsoft and industry peers should yield a rich set of best practices applicable across the whole Windows ecosystem.
As described elsewhere, Sophos has an established framework for introducing new software and enabling features incrementally across the customer base. The mechanism allows a feature to be turned off for a single customer, a particular product, or all customers worldwide, with a brief intervention by Sophos. Sophos Central also gives customers an overall view of, and control over, software updates and configuration within their organisation.
Any security product that uses its own kernel drivers or integrates with Windows services needs periodic updates to adapt to changing system behaviour, and any change in behaviour must be introduced incrementally so that its stability can be confirmed. A highlight of the Summit was the discussion on sharing best practices for safe deployment; spreading these across the ecosystem should raise customers' confidence in patches and updates and strengthen security for everyone.
Reducing third-party kernel-driver dependence
It would be beneficial for the Windows platform to provide a supported mechanism for security vendors to observe processes' access to files and directories and to allow or block that access. This would involve receiving notifications of attempted file opens, retaining control over how subsequent access to the file is handled, and being able to update and manage those decisions.
It would also be beneficial to provide a supported mechanism for security vendors to observe processes' access to registry keys and manipulation of values, again with the ability to allow or deny each operation.
More broadly, the platform could offer a native mechanism for trusted security vendors to observe process activity and respond to it. The functionality would closely mirror what the Windows kernel already offers kernel-mode drivers, with some additions. The list below is a starting point, not a complete or definitive specification:
- Process life-cycle events: process creation and termination, thread creation and termination, setting thread context, scheduling asynchronous procedure calls (APCs), and image loading, with control over each operation.
- File and directory operations: creating, opening, modifying, renaming and deleting files and directories.
- Sophos monitors for unusual changes to files that may indicate ransomware. Ransomware may encrypt files in place, or write an encrypted copy alongside the original and then replace the original with the copy: by renaming the copy over the original, by deleting the original and renaming the copy to its name, or by overwriting the original's contents with the encrypted data. The writes may use unusual file-writing methods or be made by mapping the file into memory. The proposed mechanism should provide enough callbacks for this analysis to be performed efficiently.
- Registry operations: creating, deleting, renaming and linking keys, setting and modifying values, and controlling access.
- Visibility of newly installed or updated drivers, hardware and software components, akin to "driver vetting", including the ability to inspect processes that connect to driver devices, to permit or block that access, and to see how device stacks are built, how they are filtered, and which processes issue IOCTLs to devices.
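To make the replacement patterns in the ransomware bullet concrete, here is an added example (not Sophos code) of detection logic in C that replays a constructed file-event stream and counts, per process, how many originals were overwritten in place or swapped for a file the same process created; the event model, paths, pids and the bulk threshold are all assumptions made for illustration.

```c
/* Added example, not Sophos code: a toy detector for the "swap an encrypted
 * copy over the original" patterns described above, replayed over constructed
 * file events; a product would get these from a kernel callback or fanotify. */
#include <stdio.h>
#include <string.h>

enum op { OP_READ, OP_CREATE, OP_OVERWRITE, OP_MMAP_WRITE, OP_RENAME, OP_DELETE };
struct fevent { int pid; enum op op; const char *path; const char *path2; /* rename target */ };

#define MAX_TRACK 64
#define BULK_THRESHOLD 3 /* replaced originals before we call it bulk encryption (assumed) */

struct pid_state {
    const char *read[MAX_TRACK], *created[MAX_TRACK], *deleted[MAX_TRACK];
    size_t nread, ncreated, ndeleted;
    size_t replaced; /* originals this pid has overwritten or swapped out */
};

static int in_set(const char **set, size_t n, const char *p)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i], p) == 0) return 1;
    return 0;
}

static void add(const char **set, size_t *n, const char *p)
{
    if (*n < MAX_TRACK && !in_set(set, *n, p)) set[(*n)++] = p;
}

/* Feed one event; returns the pid's running count of replaced originals. */
size_t observe(struct pid_state *s, const struct fevent *e)
{
    switch (e->op) {
    case OP_READ:   add(s->read, &s->nread, e->path); break;
    case OP_CREATE: add(s->created, &s->ncreated, e->path); break;
    case OP_OVERWRITE:
    case OP_MMAP_WRITE: /* in place: rewriting a file it read earlier and did not create */
        if (in_set(s->read, s->nread, e->path) && !in_set(s->created, s->ncreated, e->path))
            s->replaced++;
        break;
    case OP_DELETE: /* original removed; a rename onto its name completes the swap */
        if (in_set(s->read, s->nread, e->path)) add(s->deleted, &s->ndeleted, e->path);
        break;
    case OP_RENAME: /* a file this pid created lands on an original it read or deleted */
        if (in_set(s->created, s->ncreated, e->path) &&
            (in_set(s->read, s->nread, e->path2) || in_set(s->deleted, s->ndeleted, e->path2)))
            s->replaced++;
        break;
    }
    return s->replaced;
}

/* Replay a stream for one pid; returns its replaced-original count. */
size_t score_pid(const struct fevent *ev, size_t n, int pid)
{
    struct pid_state s;
    size_t r = 0;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < n; i++)
        if (ev[i].pid == pid) r = observe(&s, &ev[i]);
    return r;
}

int is_bulk_encryptor(const struct fevent *ev, size_t n, int pid)
{
    return score_pid(ev, n, pid) >= BULK_THRESHOLD;
}

/* Constructed sample: pid 4242 replaces three documents, one per tactic;
 * pid 1000 is an editor saving a single file and must not trigger. */
const struct fevent SAMPLE[] = {
    {4242, OP_READ,       "/home/u/a.docx",     NULL},
    {4242, OP_CREATE,     "/home/u/a.docx.tmp", NULL},
    {4242, OP_RENAME,     "/home/u/a.docx.tmp", "/home/u/a.docx"}, /* rename over original */
    {4242, OP_READ,       "/home/u/b.xlsx",     NULL},
    {4242, OP_CREATE,     "/home/u/b.xlsx.enc", NULL},
    {4242, OP_DELETE,     "/home/u/b.xlsx",     NULL},
    {4242, OP_RENAME,     "/home/u/b.xlsx.enc", "/home/u/b.xlsx"}, /* delete, then rename */
    {4242, OP_READ,       "/home/u/c.pdf",      NULL},
    {4242, OP_MMAP_WRITE, "/home/u/c.pdf",      NULL},             /* in place via mmap */
    {1000, OP_READ,       "/home/u/notes.txt",  NULL},
    {1000, OP_OVERWRITE,  "/home/u/notes.txt",  NULL},             /* one save: benign */
};
const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];
/* score_pid(SAMPLE, SAMPLE_N, 4242) returns 3 and is flagged; pid 1000 scores 1. */
```

A real engine would combine this shape-of-activity signal with content entropy, write rate and extension changes before blocking anything, since a backup tool or a bulk converter can produce the same rename pattern.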
Modern endpoint protection includes network-based safeguards. It would be beneficial for the Windows platform to provide a supported mechanism for security vendors to protect networked devices thoroughly: intercepting and authorising arbitrary network flows, parsing and potentially modifying data within those flows, and acting before communication with the destination takes place.
Contemporary zero-trust deployments also intercept and redirect traffic through vendor-specific gateways, filter and answer DNS requests, authenticate and authorise access to registered services, and capture or inject authentication tokens into redirected traffic. Discussion along these lines would naturally include measures to prevent these capabilities from being abused.
It would be beneficial for the Windows platform to provide a supported mechanism for anti-malware vendors to block the loading of unwanted kernel drivers, which can otherwise be used to disable critical system and security processes and enable further attacks.
It would also be beneficial to provide a supported mechanism that prevents local and domain administrators from overriding or circumventing the security product's decisions, except where they are authorised to do so through the product's own API or user interface, so that critical security decisions remain under the product's control.
The platform could further provide a supported means for security vendors to retrieve detailed information about candidate kernel drivers, such as file name, size, hashes and digital signatures, in addition to blocking or permitting their loading.
It would be beneficial to provide a supported mechanism for trusted vendors to maintain an immutable record of context about kernel objects such as files and processes. That context might record whether an object belongs to Windows, to a given security product or to another product; whether the object has been scanned, when, and with what result; and file hashes or other object-related data, such as a unique identifier. The context should persist across reboots.
Finally, it would be beneficial to establish a standard way for security vendors to have their DLLs loaded into processes, with the same functionality currently achieved through manual injection. As described above, injected DLLs provide hooking and low-level protection.
Injected DLLs hook a variety of APIs to record information about API calls made during code execution, both when the process itself is malicious and when malware has been injected into an otherwise legitimate process. Some of these API calls are also traced by Event Tracing for Windows (ETW), but the data ETW collects lacks parameters that are critical for security purposes.
ETW is also asynchronous, which is limiting in some scenarios; a synchronous alternative would add flexibility. A security vendor should be able to choose which API calls to observe, at what granularity, and whether a given event is delivered synchronously or asynchronously. One way to enable this would be a supported mechanism for intercepting system calls.
Injected DLLs also carry detection and protection mechanisms: defences against unhooking by malware, prevention of malicious hooking, memory-page protection beyond what the operating system provides, and detection of API bypasses such as direct syscalls or direct access to the PEB and related data.
The Windows platform could add security features here, such as Windows-provided integrity protection for its own DLLs, analogous to PatchGuard. Windows could also provide asynchronous callbacks for in-process events such as memory allocations, thread-context changes and kernel exception handling, similar to existing ETW mechanisms, as well as synchronous callbacks for events such as exceptions returning from kernel mode. Any such mechanism must be designed with careful attention to its effect on system performance.
It would be beneficial for the Windows platform to have a built-in mechanism that protects security products from being disabled, terminated or uninstalled, intentionally or otherwise, without proper authorisation. Today this is provided partly by AM-PPL and partly by the Sophos drivers, and AM-PPL in turn depends on installing an ELAM driver. Without ELAM drivers, security vendors would need another "root of trust" from which to start protected processes.
The protection AM-PPL provides is incomplete: a malicious actor can still uninstall or tamper with a product unless the product actively defends itself, for example by protecting its binaries and registry entries. It would therefore be beneficial for the Windows platform to provide a standard means of protecting security products and their components, including files, processes, registry keys and inter-process communication channels.
Ideally, a security product should be removable or replaceable only through its own mechanism, so that upgrades are seamless, with an alternative authorised route to remove it if that mechanism fails.
And beyond: Mac and Linux
To close, we look at three areas where Windows' evolution can draw on the approaches that Linux and macOS have taken to similar problems.
Sophos on Linux 1: XDR visibility via eBPF
Sophos' eBPF probes monitor the kernel and its interactions, including system calls, process execution, network traffic and file-system operations.
BPF originally stood for Berkeley Packet Filter; its extended form, eBPF, was later generalised into the Linux kernel's in-kernel observability and hooking framework. Microsoft maintains an experimental port, eBPF for Windows.
On Linux, Sophos uses eBPF probes to monitor process, file and network activity. The probes gather information and perform basic stateless processing; user space then consumes the stream of events and performs the activity analysis.
A fundamental safety feature of eBPF is its verifier. eBPF programs must satisfy a range of constraints before their bytecode is accepted and loaded into the kernel. eBPF has no native string pattern matching, for example, because such functionality is difficult to reconcile with the constraints the verifier imposes. Linux eBPF kprobes also run in atomic context and can only access non-pageable kernel memory.
These constraints would make it challenging to implement an allow/block interface with eBPF on Windows. eBPF for Windows may, however, be a good fit for collecting system events in the kernel and streaming them to user space for asynchronous analysis, supporting monitoring and auditing.
Sophos on Linux 2: on-access file scanning via fanotify
The Linux kernel's fanotify interface gives a user-space process real-time notification of file-system activity and, for permission events, lets it decide whether the operation proceeds. That makes it suitable for on-access scanning of files such as executables and Office documents.
fanotify provides a way to monitor file-system activity from user space: notification events are delivered without blocking the accessing process, while permission events hold the operation until the listener answers. The API is designed for scalability and efficiency, making it a good choice for monitoring large or busy file systems.
To use fanotify, a program first creates a fanotify file descriptor with the `fanotify_init` system call, then marks the files, directories or mounts of interest with `fanotify_mark` and reads events from that descriptor, answering permission events by writing a response back to it.
Since Linux 5.1, the kernel's fanotify API has allowed developers to intercept file operations. Sophos originally used its own Linux kernel driver, Talpa, for on-access file scanning, but it was among the first to migrate to fanotify, contributing to the feature's development and refinement and benefiting from its current capabilities. Today's Sophos Linux products use fanotify to collect file events asynchronously, perform scans in the background as needed, and take response actions depending on the scan results.
Sophos' transition to fanotify was a significant undertaking. Linux distributions shipping different kernel versions gained fanotify support on different schedules, so Sophos had to support both the Talpa kernel driver and several fanotify variants for some time. Changes that required kernel modifications to fanotify had to percolate down to the various distributions before Sophos could rely on a standard interface. This variability is worth bearing in mind, since Microsoft's ecosystem also spans multiple operating-system versions and any change must accommodate them.
Sophos on macOS: Leaving kexts? A Big Sur-prise
Apple released its Endpoint Security APIs a year before making their use mandatory. While Sophos moved from kernel extensions (kexts) to the new APIs, customers were unaffected: they continued to use the existing version and received operating-system and security updates. A subsequent macOS release then removed kernel access for all vendors. Again, the challenges of managing updates across different OS versions, and of replacing security software smoothly after an OS upgrade, are worth considering. We offer these retrospective points to help the Windows endpoint ecosystem evolve smoothly, whatever direction it takes.
- Initially, Apple's Endpoint Security APIs were not complete enough to replace kexts in production, which prevented vendors from using them commercially and from gaining hands-on experience.
- Unlike Microsoft's Canary and Dev channels, which have distinct release timelines, Apple's beta testers all received updates at the same time.
- Apple did not provide comprehensive plans, recommendations or technical guidance for its APIs.
- Several critical Endpoint Security APIs arrived late in the beta cycle, and multiple defects meant that everything had to be retested after each beta iteration to confirm stability and accuracy.
- Apple gave security vendors no advance notice of when the major OS release would reach customers.
- Apple did allow continued access to kernel APIs, but only at the cost of disabling several critical OS security features at once. This motivated both customers and vendors to move to the Endpoint Security APIs rather than stay on the legacy kernel APIs; allowing access through a single "switch" would probably not have had the same effect.
Conclusion
Change isn't simple. As recent cyber security events and emerging software trends have underscored, staying current is no longer optional. The long-term impact of this week's Microsoft summit won't be fully evident for months or even years, since far-reaching changes take time to unfold and settle. We must weigh the benefits of Windows natively offering an extensive set of security interfaces that the whole endpoint-security ecosystem can use against the risks of a monoculture and against the proprietary innovations and controls the ecosystem offers today. We believe transparent and open communication is the straightforward way to speed up good outcomes for both defenders and customers. Let's get started.