Advanced protections
Stormshield also provides a set of advanced protections against some types of threats. These protections are natively built into the administration console.
Advanced protections make it possible to detect and block malicious behavior on SES Evolution agents. They are based on heuristic analyses, which can be updated without the need to update the SES Evolution software.
To view advanced protections in the console:
- Select the Security > Policies menu.
- Click on View advanced protections at the top right side of the home panel of the policies.
Refer to Configuring threat protection for information on how to implement advanced protection against the various threats.
Advanced protections have version numbers and can be updated by Stormshield when necessary. When a new version is released, you can re-import it in the Advanced protections panel. All previous versions of a protection remain available in the administration console.
Sigma advanced protection
The Sigma format is a standard unified language for describing log-based incident detection rules. You can import Sigma rules into SES Evolution via the API or via scripts. For further information, see Importing Sigma security rules.
| Rule set type | Passive protection (no blocking) |
| Log level | Depends on imported rule |
| Generate a context | No |
ARP Spoofing
Prevents network traffic from being intercepted, modified or stopped through ARP spoofing attacks. The ARP table is evaluated every 5 minutes.
| Rule set type | Audit |
| Log level | Alert by default |
| Generate a context | Up to user (Yes by default) |
Parent PID Spoofing
This protection mode prevents attackers from starting programs while declaring an arbitrarily chosen existing process as their parent, a technique used to conceal malicious processes from security analysts.
| Rule set type | Protection |
| Log level | Critical by default |
| Generate a context | Up to user (Yes by default) |
WMI Persistence
This protection prevents malware programs from persisting on computers through WMI (Windows Management Instrumentation).
It relies on the Microsoft-Windows-WMI-Activity/Operational event log. In Windows 7 and Server 2008, the Windows update KB3191566 is needed for this log to be present.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Kerberos ticket
Prevents the retrieval of Kerberos tickets from memory, as they may be used later to launch pass-the-ticket attacks.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Environment discovery
This protection prevents the use of the built-in Windows tools that collect information on the host and system with the aim of performing malicious operations.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Protection against malicious use of certutil
This protection mode protects users from the malicious use of the Windows program certutil, which is used to manage certificates. Using this protection may generate false positives, because the files that certutil handles must be opened in read-only mode: if such a file cannot be accessed due to insufficient privileges, the operation on the certificates is considered malicious, even though it is legitimate.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Ransomware
This protection mode keeps track of when files are modified and encrypted. If a given number of such events occurs within three seconds, the process in question is stopped. This mode also makes it easier to retrieve the data that the ransomware encrypted, by enabling:
- the identification of files modified by the ransomware,
- the restoration of the identified files, based on Windows shadow copies.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
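The three-second window heuristic described above, as an added illustration that is not Stormshield's code: a per-process sliding window over constructed file-write events flags a process once enough encrypted writes land inside the window, and then lists every file that process touched so they can be restored. The threshold value and the `encrypted` flag on each event are assumptions; the page states neither the event count nor how encryption is detected.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 3.0  # the window length the page describes
THRESHOLD = 5         # assumed count; the page does not give the number


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since epoch
    pid: int
    path: str
    encrypted: bool  # assumed result of a post-write content check


class RansomwareHeuristic:
    """Per-process sliding window over 'file modified and encrypted' events."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)  # pid -> timestamps of encrypted writes in window
        self.touched = defaultdict(list)  # pid -> every file the process modified
        self.flagged = set()

    def observe(self, ev):
        """Feed one event; return True only on the event that trips detection for ev.pid."""
        self.touched[ev.pid].append(ev.path)
        if not ev.encrypted:
            return False
        q = self.recent[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:  # drop writes older than the window
            q.popleft()
        if len(q) >= self.threshold and ev.pid not in self.flagged:
            self.flagged.add(ev.pid)  # the agent would stop this process here
            return True
        return False

    def files_to_restore(self, pid):
        """Files modified by a flagged process, the set to recover from shadow copies."""
        return sorted(set(self.touched[pid]))


def run(events):
    h = RansomwareHeuristic()
    for ev in sorted(events, key=lambda e: e.ts):
        h.observe(ev)
    return {pid: h.files_to_restore(pid) for pid in h.flagged}


# Constructed sample: pid 4242 encrypts six files in 1.5 s; pid 777 (a backup tool) encrypts one every 2 s.
SAMPLE = [FileEvent(100.0 + i * 0.3, 4242, f"C:\\Users\\a\\Docs\\f{i}.docx", True) for i in range(6)] \
    + [FileEvent(100.0 + i * 2.0, 777, f"C:\\Backup\\b{i}.zip", True) for i in range(6)] \
    + [FileEvent(99.5, 4242, "C:\\Users\\a\\Docs\\notes.txt", False)]
```

Only pid 4242 is flagged: the backup tool never has more than two encrypted writes inside any three-second window, while the unencrypted notes.txt write still appears in the restore list because the flagged process modified it.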