Relational Databases and Anti-Malware?


Amaroq_Starwind

Something I've been wondering about for a while... If you could combine your traditional Filesystem with a relational database (for example, WinFS), how would you be able to make use of that in an anti-malware engine?

Like, is there any way that a tool could be developed which could comb database tables for anything suspicious, help track malicious files based on their relationships with each other (for example, to more easily locate them in the Filesystem), or anything else of the sort? And more importantly, what would suspicious activity on a relational database even look like?

It seems like having anti-malware engines that are able to take advantage of relational databases in some form would be a no-brainer, but it's just really hard to imagine any actual implementation or any specific applications.


Malwarebytes, and likely most modern antimalware applications, sort of already do this in many ways. Rather than analyzing raw data/hashes, they look deeper at things like file structures, including relational patterns to other known threats (things like file metadata, ADS (that's Alternate Data Streams, not advertisements :P), version information and more), as well as info outside of the binary/on-disk data such as parent and child processes, threads and process injections, related registry entries (such as loading points and cross-filesystem indicators such as uninstall keys) and other 'connections' a detected/malicious item might have to other objects on the system. This is actually one of the major technologies in the Malwarebytes engine, called Linking, that made it an early success against the kinds of complex modern threats that more traditional anti-virus/antimalware solutions so frequently failed at detecting/remediating for many years (and many still struggle with today). The Linking engine in the scanner is one of the most effective and robust solutions to complex threats that I've ever come across, and it's great for dealing with the kinds of threats that use more advanced techniques such as watchdog drivers and supporting DLLs and processes designed to 'resurrect'/reinfect systems with malware after the primary/original malicious file has been terminated/removed.

If you're speaking specifically about WinFS, I doubt supporting a dead, abandoned platform like that would be a good idea at this point, but if you just mean the overall concept of using relational data to detect malware more efficiently and effectively, then Malwarebytes already has it and uses it frequently in its advanced heuristics and the Linking engine I mentioned.  Aspects of this approach also exist in the more recent Machine Learning component of Malwarebytes' heuristics engine rolled out in later 3.x releases.  This powerful technology uses such pattern based 'fuzzy' detection algorithms/capabilities as well as an evolving cloud database system to constantly iterate and improve on Malwarebytes' ability to detect new and unknown threats.

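The "linking" idea described in the reply above, modelled in a relational database as an added example. This is illustrative T-SQL written for this page, not Malwarebytes' engine, schema or data: the tables, object paths, process IDs and relationships are all constructed sample data, and the relation names are made up for the example.

```sql
-- Added illustrative T-SQL (not Malwarebytes' engine or schema): represent the
-- objects a scanner sees and the relationships between them, then walk the
-- graph outward from one detection. All rows below are constructed sample data.

CREATE TABLE objects (
    id       INT           NOT NULL PRIMARY KEY,
    kind     VARCHAR(16)   NOT NULL,            -- 'file', 'process', 'regkey'
    path     NVARCHAR(400) NOT NULL,            -- file path, process image + pid, or registry key
    detected BIT           NOT NULL DEFAULT 0   -- 1 = flagged by a signature/heuristic
);

-- One row per relationship; src "points at" dst. The walk below treats links
-- as undirected, because a Run key that launches a file is as much a lead as
-- a process that the file spawned.
CREATE TABLE links (
    src_id   INT         NOT NULL REFERENCES objects(id),
    dst_id   INT         NOT NULL REFERENCES objects(id),
    relation VARCHAR(24) NOT NULL,   -- 'image_of', 'spawned', 'autostart', 'service_image', 'wrote'
    PRIMARY KEY (src_id, dst_id, relation)
);

INSERT INTO objects (id, kind, path, detected) VALUES
    (1, 'file',    N'C:\ProgramData\svc\updater.exe',                            1),  -- the only signature hit
    (2, 'process', N'updater.exe (pid 4120)',                                    0),
    (3, 'process', N'helper.exe (pid 4188)',                                     0),
    (4, 'file',    N'C:\ProgramData\svc\helper.exe',                             0),
    (5, 'file',    N'C:\Windows\System32\drivers\wdog.sys',                      0),  -- watchdog driver
    (6, 'regkey',  N'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcupd', 0),
    (7, 'regkey',  N'HKLM\SYSTEM\CurrentControlSet\Services\wdog',               0),
    (8, 'file',    N'C:\Windows\System32\notepad.exe',                           0);  -- unrelated; must not be pulled in

INSERT INTO links (src_id, dst_id, relation) VALUES
    (2, 1, 'image_of'),       -- process 4120 was started from updater.exe
    (2, 3, 'spawned'),        -- ...and spawned helper.exe
    (3, 4, 'image_of'),
    (6, 1, 'autostart'),      -- Run key relaunches updater.exe at logon
    (3, 7, 'wrote'),          -- helper.exe created the service key...
    (7, 5, 'service_image');  -- ...which loads the watchdog driver

-- Transitive closure from every detected object, bounded to 8 hops so the
-- undirected walk cannot recurse forever (SQL Server also stops at MAXRECURSION 100).
WITH linked (id, depth) AS (
    SELECT id, 0
    FROM objects
    WHERE detected = 1
    UNION ALL
    SELECT CASE WHEN l.src_id = x.id THEN l.dst_id ELSE l.src_id END,
           x.depth + 1
    FROM linked AS x
    JOIN links  AS l ON l.src_id = x.id OR l.dst_id = x.id
    WHERE x.depth < 8
)
SELECT o.id, o.kind, o.path, MIN(x.depth) AS hops_from_detection
FROM linked  AS x
JOIN objects AS o ON o.id = x.id
GROUP BY o.id, o.kind, o.path
ORDER BY hops_from_detection, o.id;
```

The final query is what a remediation step would consume: starting from the single file a signature matched, it reaches the running process, the Run key that re-launches it, the helper process and its image, and the service key and driver that were only connected through the helper. Objects with no path into that cluster (notepad.exe here) are never returned, which is the property that makes a linkage walk safer than "delete everything in that folder". In a real engine the relation type would also decide the action (kill a process, delete a file, remove a key, unload a driver) rather than treating every linked object the same way.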

Maybe I was thinking more along the lines of Sequel Server / SQL Server specifically. (Full disclosure: WinFS was basically just the Sequel engine repurposed to supplement a computer filesystem, search index, etc.)

So if we adjust our scope slightly, we might get somewhere;

  1. What could you do to protect a sequel database from attack and remediate afterwards?
  2. How could you use a sequel database to mitigate or prevent attack against the rest of the system?

I'm honestly struggling to figure out if there's actually any difference between what I'm trying to describe and what Malwarebytes already does, to be honest...


You treat it like any/all other data and open TCP/UDP ports.  There is nothing to figure out.  You protect the system as a whole and not individual parts.

EDIT:

I should have also noted that one should take full advantage of constructs built into SQL databases to protect the data, such as data encryption and privilege assignment.


Edited by David H. Lipman
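The two built-in constructs named in the reply above (privilege assignment and data encryption), shown on SQL Server as an added example; this is illustrative T-SQL written for this page, not code from the thread or from any product. The database name InventoryDb, the login app_svc, the roles, the certificate name TdeCert, the file paths and the placeholder passwords are all assumptions; GO is the sqlcmd/SSMS batch separator.

```sql
-- Added illustrative T-SQL (not from the thread): least-privilege accounts and
-- at-rest encryption on SQL Server. Names, paths and passwords are placeholders.
USE master;
GO
-- 1. A dedicated login for the application; nothing connects as 'sa'.
CREATE LOGIN app_svc WITH PASSWORD = 'Replace-With-A-Long-Random-Secret-1!',
    CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO
USE InventoryDb;
GO
CREATE USER app_svc FOR LOGIN app_svc;

-- 2. Grant through a role on the schema, not db_owner and not table by table.
CREATE ROLE app_readwrite;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO app_readwrite;
DENY DELETE ON SCHEMA::dbo TO app_readwrite;   -- DENY overrides any GRANT the user inherits
DENY ALTER  ON SCHEMA::dbo TO app_readwrite;   -- no schema changes from the app account
ALTER ROLE app_readwrite ADD MEMBER app_svc;

-- A separate read-only role for reporting or scanning tools.
CREATE ROLE app_readonly;
GRANT SELECT ON SCHEMA::dbo TO app_readonly;
GO

-- 3. Transparent Data Encryption: encrypts data/log files and backups at rest.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Another-Strong-Secret-2!';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for InventoryDb';
-- Back the certificate up immediately: without it the database cannot be restored elsewhere.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Key-Backup-Secret-3!');
GO
USE InventoryDb;
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE InventoryDb SET ENCRYPTION ON;
GO

-- 4. Verify rather than assume: what can the app account actually do,
--    and is the database really encrypted?
EXECUTE AS USER = 'app_svc';
SELECT * FROM fn_my_permissions('dbo', 'SCHEMA');   -- should list SELECT/INSERT/UPDATE only
REVERT;

SELECT DB_NAME(database_id) AS db, encryption_state  -- 3 = encrypted, 2 = in progress
FROM sys.dm_database_encryption_keys;
```

Two caveats a practitioner would want: TDE protects the files and backups on disk, so it does nothing against an attacker who already holds a valid login (that is what the role and DENY lines are for), and it is worthless without the certificate backup, because a restore on another server needs that certificate before the database will open. Rotate the placeholder passwords into a secrets store; never leave them in a script.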
