Beruflich Dokumente
Kultur Dokumente
Blocking Malware
Without a SOC
How to Sabotage Attack Chains and
Block Infections Before They Start
Table of Contents
3 Introduction
To make sure we’re all up to speed, here’s a quick recap of current threat landscape in
a nutshell: Attacks are advancing rapidly; everyone from hospitals to local governments
to law firms, banks, and mom-and-pop shops is getting whacked; hacking tools have
become so commoditized a grandmother can use them; even the average spam campaign
is doing evasive things; ransomware is still everywhere; traditional solutions are failing;
and to top it off your users are still using passwords that got leaked in the 2012 LinkedIn
data breach (and in a dozen other mega breaches since).
Right. So what exactly do we do about all that? One option is to give into the futility.
To stock up on Bitcoin and cyber insurance. After all, a lot of people say infections are
inevitable. But where’s the fun in that? Besides, giving up isn’t your style. You’d rather
fight back, and that’s exactly what this guide is about.
If you’re tired of reacting to malware infections, here you’ll find tips for getting more
proactive. The key is understanding how modern attacks work, so you can lay the
groundwork for sabotaging them before they have the chance to do any damage.
Your job as malware saboteur is to make the easy things difficult. This
guide will help you set up roadblocks on the paths most commonly used for
infection. Raising the barriers to entry even slightly can often be enough to
repel a large number of malware campaigns.
2 They prefer using your tools to theirs. If you’ve been following along recent evolu-
tions in attack techniques, you may have noticed a common refrain — more and more
attacks are hijacking legitimate tools and applications and putting them to malicious
use. As a tactic, it makes sense. Why trip alarms with malicious executables when you
can use whitelisted programs to do your dirty work? This approach, which security ex-
perts refer to as “living off the land,” isn’t new, but whereas it was once used primarily
by advanced attackers, now it’s being used in more widespread campaigns.
3 They conduct attacks in stages. Malware infections are rarely instantaneous. The
majority take place by chaining together a series of commands and functionality. The
reason many security solutions fail to identify infections until after the fact is because
they are built to inspect the individual links in the chain, only, and in many cases, the
individual links are legitimate tools and applications. Building a clever infection chain
can help an attacker evade detection, but it also carries risks. If any link in the chain is
disrupted, the attack will fail.
Best of all, this approach doesn’t require a fully staffed security operations center (SOC)
or complex, enterprise-grade security technology to accomplish (though we’ll explain
throughout the guide how the right kind of technology can help).
More specifically, this guide is written for busy IT and security pros who prefer practical
quick wins and killing as many birds with as few stones as possible.
Then, in Part 2, we’ll shift the focus to steps you can take to make it harder for criminals
to accomplish their goals, even if they do gain initial access to an endpoint. Again, the
emphasis will be on preventing attackers from abusing powerful, legitimate tools and
applications already present on your systems.
Perimeter defenses such as firewalls and email filtering play a key role here, but don’t
forget the parts you and your users (for better or worse) have to play. It’s also important
to realize that in many attacks, malware delivery is actually broken up across multiple
stages, with initial email attachments often serving as downloaders that retrieve the
actual attack payloads in a subsequent step. That provides defenders with another
chance to sabotage the delivery before the payload touches the device.
CHAPTER 1:
• The two most common ways companies are currently getting infected
with malware are via email and remote desktop protocol (RDP) access
• Attackers have proven ways of getting past both, but don’t worry,
there’s still hope
While there are certainly companies out there getting infected via sophisticated spear-
phishing campaigns and zero-day exploits, there are many, many more getting infected
via more basic methods. Remember, the vast majority of malware campaigns are
launched indiscriminately and are aimed at picking off low-hanging fruit. When it comes
to preventing malware delivery, your first job should be making sure “low-hanging fruit”
isn’t referring to you.
To that end, here are two basic scenarios you should be well prepared to face:
In fact, these are currently two of the most common ways malware is being distributed.
Take steps to prevent these two scenarios and you’ll already be well on your way to
reducing your risk and enjoying more peace and quiet on the malware front. Let’s take a
closer look at how to do that for each.
Email
Considering email represents direct access to the most vulnerable part of your network
(your users), it’s no surprise it’s criminals’ preferred channel for distributing malware.
According to Verizon’s 2018 Data Breach Investigations Report, an astounding 92.4% of
malware was delivered via email. Compare that to 6.3% that was delivered via malicious
or compromised websites.
In addition, Symantec’s 2018 Internet Security Threat Report asserts that, of the malicious
emails the company observed in 2017, 88% utilized email attachments while only 12%
utilized malicious URLs. So attackers clearly don’t mind playing favorites. When it comes
to distributing malware, emails and, more specifically, email attachments are their
obvious go-to.
But what types of attachments are they using? According to Symantec, the most popular
file types are script files (.vbs and .js), followed by .exe’s, .jar files, and Microsoft Word
documents. Webpage files (.html, .htm), Windows script files (.wsf), PDFs, Excel files, and
.rtf files also make the cut.
Second, many of the attachments on the Symantec 10 .rtf (rich text format file,
list are widely-used legitimate file types that often used by Office)
can’t be categorically blocked. That’s obviously a
strategic decision on the part of attackers, who know
their best chance of sneaking malicious code past
gateway filters is by smuggling it inside legitimate file types. While you likely won’t be
able to filter out all of these file types at the email level (Office files, especially), we’ll cover
additional actions you can take to prevent attackers from abusing them in Chapter 2.
In addition to using legitimate file types users are used to receiving over email, criminals
have also become increasingly effective at making it look like their emails are coming from
legitimate sources. In some cases, they’ve even been reported hijacking the email accounts
of previous victims and replying to existing email chains with booby-trapped attachments.
The good news is that, in many cases, opening an attachment doesn’t result in immediate,
full-blown compromise. The majority of email attachments will provide attackers with
some of the functionality they need, but not all of it. For that reason, the majority serve
as downloaders for the attack’s real payload. That means even if a malicious attachment
is opened, the game typically isn’t over yet. We’ll cover steps you can take to preemptively
sabotage the payload retrieval process in Chapter 2.
RDP was developed by Microsoft as a remote management tool particularly useful for
offsite admins. It is commonly exposed in internal networks for use in administration
and support, but when exposed to the wider Internet it can be a dangerous beacon for
attackers. Identifying servers with vulnerable RDP connections (port 3389 is default) has
been made incredibly easy thanks to scanning tools like Shodan and masscan. From
there, it’s simply a matter of applying brute-forcing tools like NLBrute to crack the RDP
account credentials, and attackers are in.
Alternatively, if attackers are feeling especially lazy they can simply head over to the
underground marketplace xDedic, where RDP access to a compromised server can cost
as little as $6.
RDP has become a favorite infection vector for ransomware criminals, in particular, with
the actors behind SamSam, CrySiS, LockCrypt, Shade, Apocalypse, and other variants all
getting in on the act. Of these, SamSam has generated the most attention, infecting such
high-profile targets as the City of Atlanta, electronic health records provider Allscripts,
the Colorado Department of Transportation, and others.
The good news is there are relatively simple steps you can take to make RDP off limits
to attackers:
• Restrict access behind firewalls and by using a RDP Gateway and/or VPNs
Taking these precautions is critical since attackers who gain access via RDP typically then
have a strong foothold on the machine with local admin privileges. Once initial access
has been established, attackers typically don’t waste time scouting out the network and
laying the groundwork for a large-scale infection.
• Web filtering
Web (including URLs in emails) • Ad blocking
• Patch management
CHAPTER 2:
Now that we’ve covered a few basic steps toward making malware delivery more difficult,
let’s turn our attention back to the challenge of email attachments you can’t practically
filter out. What happens when a malicious attachment successfully makes its way into a
user’s inbox and that user gets fooled into opening it?
Well, it’s not game over yet. In the vast majority of cases, that attachment isn’t going
to do anything inherently malicious on its own. Its main role is to serve as a dropper
that retrieves the primary malware payload from a C2 server or compromised website.
Luckily, that means there’s still time to nip this attack in the bud.
Here’s a simple diagram to illustrate that point. It depicts one of the most common
infection scenarios — a spam email with a Word document attachment, weaponized with
a macro designed to launch PowerShell and download a malicious payload. As you can
see, there are multiple opportunities for disrupting the process, even after a user makes
the unfortunate mistake of opening the attachment.
The point is, malware infections aren’t single events, they’re chain reactions. Each link
represents an opportunity for you to break the chain.
In this chapter, we’ll look at specific ways you can disrupt the payload retrieval process by
taking away the tools and functionality attackers are used to abusing.
For attackers, part of the draw of macros is how simple they are to build and configure,
but they have their drawbacks, too. For one thing, macros are disabled by default, so
utilizing them requires tricking a user into enabling them.
Macros also don’t provide attackers with all the functionality they need to accomplish
their goals, so they’re typically used to send a request out to a command-and-control
server or compromised website to grab a second-stage payload.
Like macros, one downside from the attacker’s perspective is OLE-embedded objects
require user interaction. First, the user has to interact with the object (often disguised as
a file icon), then respond to a warning prompt by confirming that they do want to open it.
OLE-EMBEDDED OBJECTS ARE OFTEN DISGUISED AS FILE ICONS TO ENTICE A USER INTO CLICKING THEM.
— IMAGE SOURCE: HEALTHCARE IT NEWS
Once again, the good news is DDE requires user interaction. When a user opens a
document with DDE fields they will receive a warning notifying them that the document
contains links that may refer to other files. To continue, the user then has to confirm that
they do want to update the document with data from the linked files.
It’s important to note that DDE functionality does still remain active in Excel and Outlook,
however. To disable it, admins need to make the following registry changes to disable the
programs from updating automatic links at open:
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OFFICE\<VERSION>\EXCEL\SECURITY]
WORKBOOKLINKWARNINGS(DWORD) = 2
Note: This will prevent Excel spreadsheets from updating dynamically, so it may not be a
practical mitigation for everyone.
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OFFICE\<VERSION>\WORD\OPTIONS\WORDMAIL]
DONTUPDATELINKS(DWORD)=1
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OFFICE\12.0\WORD\OPTIONS\VPREF]
FNOCALCLINKSONOPEN_90_1(DWORD)=1
In this section, we’ll look at how scripting engines and other legitimate applications and
command interpreters can be abused to download malware, and what you can do to
preemptively make those methods ineffective.
In order to protect users from inadvertently executing malicious script files, Microsoft
recommends making changes to the registry so a warning prompt is issued prior to
allowing a script file to run. When feasible, admins can also take things one step further
and prevent users from running VBScript or JScript scripts altogether by disabling
Windows Script Host.
Alternatively, an additional trick admins can use to mitigate the risk of malicious .js files
in particular is to tell Windows to always open them with Notepad.
Microsoft to make admins’ lives easier, it can be used to automate an enormous variety
of tasks on both local and remote systems. It’s not exactly a mystery why attackers love it.
PowerShell can be abused to carry out a broad array of malicious activity, from
downloading and executing malware payloads to helping attackers gain persistence,
privilege escalation, and lateral movement. It also features prominently in penetration
testing frameworks like Metasploit and Empire, which provide ready-made attack
modules designed to exploit system weaknesses while evading detection.
PowerShell abuse is a meaty topic and there are certainly plenty of rabbit holes to fall
into. If you’re interested in more in-depth information, we recommend checking out
Symantec’s guide, “The Increased Use of PowerShell in Attacks” as a good place to start.
For our purposes here, however, we’re going to keep things simple and suggest that you
strongly consider disabling PowerShell across the board unless you have specific users or
scenarios that require it. As one security researcher puts it, “just as just as you wouldn’t
leave a 28” heavy-duty cable cutter next to a padlock, you probably don’t want to allow, or
at least make it much more difficult for, hackers get their hands on PowerShell.”
If disabling PowerShell isn’t an option, there are steps you can take to restrict it.
Unfortunately, many of the restriction options built into PowerShell have well-documented
workarounds (there’s even literally a “ –ExecutionPolicy Bypass” command). A more
effective method is to take the whitelisting approach by using Microsoft’s Software
Restriction Policies (SRP) or, better yet, AppLocker. The benefit of using AppLocker is it
allows you to implement more granular controls like, for example, enabling PowerShell
for a select group of power IT users only. You can find a walkthrough of setting up
PowerShell restrictions using AppLocker here.
• mshta.exe: HTA is short for HTML application, which consists of HTML and
one or more scripting languages supported by Internet Explorer (ex: VB-
Script or JScript). The danger with .hta files is that they behave as an exe-
cutable and run as a fully trusted application (mshta.exe). So by leveraging
mshta.exe, attackers can launch files that function as executables while
circumventing application whitelisting policies.
To prevent these three legitimate tools from being used to download payloads, we
recommend either disabling them altogether (in the case of mshta.exe) or blocking
them from making outbound requests. That can be accomplished with Windows Firewall
(instructions here) or any other firewall you have in place.
In December 2017, for example, we saw attackers use Microsoft’s Background Intelligent
Transfer Service (BITS) to download the SmokeLoader trojan. BITS was also abused by
a different group of attackers in March, this time as part of a campaign that hijacked
MailChimp accounts to distribute the Gootkit trojan.
In non-malicious cases, BITS is used to create valid download or upload jobs, primarily
for Windows and third-party software updates. As is the case with the other tools we’ve
mentioned, because BITS is a valid component of Windows, use of it can blend into
legitimate system activity and be very difficult for many security solutions to detect. If
your organization isn’t actively using BITS, your best move is to disable it.
We’ve also seen campaigns use curl.exe, a command-line tool for transferring data that
is open source. Curl stands out in our list of tools since it doesn’t come pre-installed in
Windows. Because it is widely-used tool with legitimate use cases, however, it is still unlikely
to be blocked by security solutions. In addition to providing the ability to perform file
transfers from the command line, curl also offers file extraction capabilities — something
attackers can certainly put to good (bad) use. Once again, unless your organization actively
uses this tool, it’s recommended you proactively adjust policy settings to block it.
Once again, unless your organization actively uses this tool, it’s recommended you
proactively adjust policy settings to block it.
MICROSOFT OFFICE
WINDOWS APPLICATIONS
By watching for malicious process patterns that are allowed by Microsoft but abused by attackers, Barkly detects and
blocks attempts to misuse Office programs and scripting engines to launch attacks.
In Part 1, we shared how you can ensure attackers have fewer openings and tools to work
with when they attempt to deploy malware, but proactive prevention doesn’t stop there.
You still have to be prepared for the possibility of malware being successfully deployed
on your endpoints. Here in Part 2, we’ll provide tips to help you address that possibility
by seeing to it that nothing malware wants to do when it lands on one of your machines
comes easy.
CHAPTER 3:
Blocking malicious executables prior to them executing has been the job of antivirus
solutions for years. Unfortunately, performance has been slipping. According to research
from the Ponemon Institute, 54% of organizations reported they were compromised by
attacks in 2017, despite having antivirus solutions installed.
As the techniques covered in Part 1 suggest, the average cyber criminal is more concerned
with developing tricky new ways of sneaking droppers past firewalls and email filtering
than they are with evading AV. They know that if they successfully manage to get a payload
onto an endpoint, there’s a very good chance AV won’t catch it. The problem lies in AV’s
traditional reliance on signature-matching.
— PONEMON INSTITUTE
A real life case-in-point is the ransomware infection that crippled the Colorado Department
of Transportation (CDOT) in February 2018. The CDOT was infected with a variant of
SamSam ransomware, despite having McAfee antivirus installed on its machines. McAfee
responded by updating its software with a new signature designed to block that particular
new SamSam sample. Just eight days later, however, attackers proved how trivial it is to
bypass signature-based detection by infecting the CDOT again, this time with a “new”
SamSam variant that had been slightly modified.
The event caused a CDOT spokesperson to respondin exasperation. “Sure enough, the
variant of SamSam keeps changing,” she said. “The tools we have in place didn’t work. It’s
ahead of our tools.”
While that innovation has greatly improved the ability of endpoint solutions to detect
even new or modified malware, it still presents one glaring limitation — it relies on there
being a file to scan and analyze. Attackers have adjusted accordingly, increasingly moving
away from using malicious executable files and adopting “fileless” attack techniques,
instead. When all the action during an infection takes place directly in memory or under
the guise of legitimate system processes, for example, neither AV nor NGAV solutions
stand much of a chance.
For that reason, the latest innovations in endpoint protection are being geared toward
gaining greater visibility into system activity and blocking malicious behavior in real-time.
When thinking about endpoint protection, it’s therefore important to recognize which
solutions offer file-based security, which ones can block “fileless” malicious activity, and
which ones cover both.
Application whitelisting
This section wouldn’t be complete without mentioning application whitelisting, which
some IT pros swear by, but which can also have practical limitations. Your mileage will
really vary based on how complex your environment is and how much time/tolerance
you have for keeping a whitelist properly managed and up-to-date.
If you’re looking for advice on whitelisting, here are two posts that provide helpful tips for
leveraging Microsoft’s built-in whitelisting tools:
It’s also important to point out that while application whitelisting can be a healthy deterrent,
attackers have unfortunately developed ways of bypassing it, too. How? Based on the
recurring theme of this guide you can probably guess — by abusing legitimate programs.
With the help of independent researchers, Microsoft has created a list of applications
attackers can use to circumvent application whitelisting policies and recommends that
you proactively block them.
• DLL injection: One of the most common ways attackers insert malicious
code into a legitimate process is through DLL injection. Dynamic Link Library
(DLL) files contain instructions that multiple programs can call on as need-
ed during runtime. By writing a path to a malicious DLL in a host process,
attackers can trigger that process to execute it. As researchers at ReaQta
discovered, there is even a legitimate, trusted Microsoft program called
Mavinject.exe attackers can use to conduct malicious DLL injection without
raising red flags.
• Reflective DLL injection: With reflective DLL injection, attackers are able to
copy an entire DLL into process memory, which avoids that DLL residing on
disk (making it easily detectable) and being registered with the process it’s
being injected into. Reflective DLL injection has become a popular technique
heavily incorporated into attacks as well as penetration testing tools such as
Metasploit, Cobalt Strike, Empire, etc. which make deploying it easy.
• Early Bird: A new technique discovered in the wild in late 2017 and publicly
disclosed in April 2018, Early Bird involves attackers injecting malicious code
in a very early stage of process thread initiation, prior to where many security
products place hooks (code sections that help them monitor API calls).
Malicious process injection isn’t just a tactic for advanced attackers. We’ve even seen it
utilized by such commodity ransomware as GlobeImposter and GandCrab. One of the
major hurdles in defending against these techniques is that they abuse features and
functionality baked into the way Windows was designed (it’s sort of similar to billionaires
taking advantage of controversial tax loopholes). As a result, prevention is unfortunately
difficult and putting controls in place can run the risk of disrupting legitimate software.
That leaves actively monitoring processes and API calls, which, depending on how many
hours you have in your day, may or may not also be a realistic option. If you do choose
to go that route, Microsoft’s Sysinternals Process Explorer is a good place to start. It
provides a variety of info on active processes, including DLLs and memory-mapped files
they’ve loaded. The PowerShell script Get-InjectedThreads, which scans active threads
on the system for suspicious start addresses, can also help. Last but not least, there are
specific calls in the PowerShell operational log that can provide strong indication of an
attack, and one way of spotting traditional process hollowing activity is by monitoring for
processes being spawned with the CREATE_SUSPENDED flag.
PAYLOADS PREVENTION
Malicious behaviors
• DLL injection
• Reflective DLL injection
Prevention is difficult without disrupting
• Process hollowing legitimate programs.
• AtomBombing The alternative is monitoring processes and API calls
• Process doppelgänging (Microsoft Process Monitor can help), though that can
also be difficult due to the noise.
• Early Bird
• Etc.
Barkly blocks a variety of malicious process injection techniques by preventing processes from mapping new
executable code into the memory of other running processes.
• addinprocess.exe, • kd.exe
addinprocess32.exe
• ntkd.exe
• addinutil.exe
• lxssmanager.dll
• bash.exe
• msbuild.exe
• bginfo.exe (versions prior to 4.22)
• mshta.exe
• cdb.exe
• ntsd.exe
• csi.exe
• rcsi.exe
• dbghost.exe
• regsvr32.exe
• dbgsvc.exe
• system.management.automation.dll
• dnx.exe
• windbg.exe
• fsi.exe, fsiAnyCpu.exe
CHAPTER 4:
• To continue operating under the radar, attackers prefer “living off the
land,” using legitimate tools and processes already present on the system
For attackers, gaining initial access to a machine is just the beginning. From there,
attention can shift to accomplishing a wide variety of post-exploitation goals, from
elevating privileges and moving laterally throughout the network to gaining persistence
and settling in for a long haul of surveillance, remote control, and data exfiltration. In this
chapter, we’ll cover some of the most popular techniques attackers use for each, and
ways you can spoil the party by taking away commonly-abused functionality and tools.
One way to combat malicious WMI abuse is to… use WMI. As Graeber
explains, WMI event subscriptions can be created that log and respond to
suspicious WMI activities (examples here and here). In addition, if you don’t
need to use remote WMI, set a fixed port for it and block it.
There are many methods attackers have developed for bypassing UAC, but the majority
require dropping a file to disk (ex: dropping a DLL to perform a DLL hijack). That makes
them vulnerable to detection from strong endpoint protection software. To get around
that, attackers can instead attempt to hijack legitimate Microsoft programs and tasks
that are designed to auto-elevate — meaning they can be launched by unprivileged users
but will run with elevated privileges. In doing so, attackers can execute PowerShell scripts
and commands they otherwise couldn’t, and launch high-privilege programs without
triggering UAC prompts. Security researcher Matt Nelson has documented several of
these workarounds, including using SilentCleanup, eventvwr.exe, and sdclt.exe.
By using Mimikatz, an incredibly popular and versatile penetration testing tool, attackers
can scrape cleartext passwords and NTLM hashes from the memory of lsass.exe (the
process responsible for Windows authentication), or extract saved credentials from
Windows Credential Manager (even domain credentials). Thanks to this PowerShell
script, Mimikatz can be run entirely in memory.
Mimikatz isn’t the only option available to attackers. Metasploit’s Meterpreter payload
can be used to pull account info from the NTDS.dit file (the database for Active Directory),
including not only the current NT and LM hashes, but the saved history going back to
20 previous passwords. Windows Credential Editor is another option. This legitimate
penetration testing tool can be abused by attackers to grab NTLM credentials and
Kerberos Tickets as well as dump cleartext passwords stored by Windows authentication
packages. Additional techniques can be found here.
• Adhere to the usual best practices around least privilege and avoiding
credential overlap
One of the most common ways of achieving persistence is by planting malicious scripts
in the Windows registry. Poweliks and later Kovter are two examples of malware that
has evolved to take that one step further by becoming completely “registry resident,”
spreading code across multiple registry keys and designing it to be extracted and run on
the fly whenever the machine restarts or a shortcut or batch files are triggered.
The good news is because registry contents are stored on disk they can be monitored.
Microsoft’s Sysinternals Autoruns program can help with inspecting registry keys and
even has VirusTotal integration to make identifying malicious entries easier.
You can mitigate this risk by monitoring for scheduled task creation (event ID 4698). This
PowerShell script from Netwrix can help make that more manageable by creating instant
alerts.
As mentioned at the beginning of this section, WMI can provide attackers with similar
capabilities, allowing them to trigger scripts to execute based on various events. For that
reason, monitoring WMI and/or creating defensive event subscriptions is recommended,
as well.
It should be noted that the theme of each of these mitigations is monitoring, which
unfortunately means malicious activity is already under way. While preparing for these
situations is critical, the goal should always be to prevent them in the first place.
Creating malicious scheduled tasks • Monitor for Windows Security Log Event ID 4698
It should go without saying that this guide is by no means exhaustive. There are plenty
of additional attack tactics that aren’t covered here, with more popping up by the day. To
top it off, attackers are also constantly developing bypasses around popular controls. That
said, it’s important to keep in mind that each one you put in place actively raises the bar.
In other words, following the advice in this guide won’t protect you from all malware
infections, but it will help protect you from the majority of campaigns you’re likely to face,
and it will give you a solid foundation to build on.
The overall idea is that you don’t need to have a foolproof answer for every single tactic
an attacker can throw your way. By simply giving them fewer openings and taking away
the tools they rely on most, you can make things significantly more difficult for attackers,
and in contrast, significantly easier for you. You’ll lower your risk, reduce the number of
alerts and noise you have to filter through, save your organization from downtime and
recovery costs, and ultimately get more time back in your day.
Barkly’s unique 3-level architecture provides unmatched visibility and control to see and block attacks
other solutions can’t. As a result, Barkly prevents the delivery and detonation of malware; identifies
and blocks malicious executables, scripts, and behaviors; and provides real-time protection against
fileless attacks and memory exploits.
• Block malware:
Barkly identifies and blocks malicious executables with unsurpassed accuracy, but also
prevents malware from landing on machines in the first place by blocking the most common
malware delivery and retrieval methods.
• Prevent attackers from abusing legitimate Microsoft applications: Barkly protects against
the misuse of valid Microsoft applications and scripting tools by dynamically observing system
behaviors and blocking usage patterns that are allowed by Microsoft but abused by attackers.
RE QUE S T A D EM O
About Barkly®
The Barkly Endpoint Protection Platform™ is advancing endpoint security by
combining the strongest, smartest protection with the simplest management.
Barkly is independently certified for antivirus replacement, HIPAA, PCI DSS
& NIST by Coalfire and AV-TEST. Barkly is formed by an elite team of security
and SaaS experts from IBM, Cisco and Intel, and is backed by investors NEA
and Sigma Prime. Learn more by visiting us at barkly.com or follow us on
Twitter @BarklyProtects.