Conference: International Conference on Security Management

PPSAM: Proactive PowerShell Anti-Malware: Customizable Comprehensive Tool to Supplement Commercial AVs


Abstract

This research first explores the different types of Anti-Malware solution approaches, evaluating the pros and cons, and concentrating on their potential weaknesses and drawbacks. The malware technologies analyzed include Windows Direct Kernel Object Manipulation (DKOM), Kernel Patch Protection, Data Execution Prevention, Address Space Layout Randomization, Driver Signing, Windows Service Hardening, Ghostbuster, Assembly Reverse Analysis, and Virtual CloudAV. Furthermore, a proactive comprehensive solution is provided by utilizing the Windows PowerShell 2.0 utility that is available for Windows Vista, 7, 2008 and 2008 R2. The proposed Proactive PowerShell Anti-Malware (PPSAM) is a utility that monitors the system via health checks with shell scripts that can be fully customized and have the ability to be executed on remote systems. PPSAM is designed to be a proactive complement that attempts to promote early discovery of intrusions and malicious applications, and to provide triggers and reports utilizing the scripts' output.