How to use Trellix IPS to combat Advanced Evasion Techniques

Technical Articles ID: KB87308
Last Modified: 2023-02-24 09:38:34 Etc/GMT

Environment

Trellix Intrusion Prevention System (Trellix IPS)

Problem

In recent years, security analysts have reported a significant increase in attackers using advanced evasion techniques (AETs) to gain unauthorized entry into enterprise networks. AETs use concealed methods to penetrate target networks undetected, and deliver malicious payloads. Using AETs, an attacker can split an exploit into multiple segments, and bypass a traditional network security device. When inside the network, the attacker can reassemble the code to unleash malware and start advanced persistent threats (APTs) from a remote location.

Cause

Each AET is designed to use inherent features in a protocol to pass through the IPS system undetected. An AET combines several known evasion methods to create a new technique that is delivered over multiple network layers simultaneously. A few examples of such advanced evasions are as follows:

SMB or MSRPC fragmentation
SMB padding
Application layer evasion through document obfuscation
JavaScript obfuscation
HTTP UTF-8 encoded content
HTTP evasion (URL encoding)
TCP Urgent Pointer
TCP split handshake
IP fragmentation
IP fragmentation with chaff

Solution

Trellix IPS products provide several mechanisms to perform advanced inspection on such traffic.

For example, chunked transfer encoding is a data transfer mechanism of HTTP that uses the HTTP response header. It uses this header in place of the content-length header, which the protocol would otherwise require. Chunked transfer encoding supports sending dynamically generated content to clients without having to buffer it. These payload chunks can evade network inspection devices.

To enable inspection of this traffic in your network, configure the Inspection Options in your Manager.

NOTE: Advanced Traffic Inspection is disabled by default and inspects traffic per interface or sub-interface.

You can also configure your IPS Sensor for other advanced traffic inspection such as the following:

HTTP Response Traffic Scanning
HTML-Encoded HTTP Response Decoding
X-Forwarded-For (XFF) Header Parsing
Base64 SMTP Decoding
Quoted-Printable SMTP Decoding
MS RPC/SMB Fragment Reassembly

For more details, see the chapter Advanced Traffic Inspection in the IPS Administration Guide for your version. See the "Related Information" section below for links.

We also recommend that you read article KB92003 - Combating Advanced Evasion Techniques.
This article documents AETs and the mechanisms that Trellix IPS uses to handle these evasions.

Workaround

Regularly patching the systems in your network provides protection against most of the attacks, including AETs. Evasions can only help the attacker to bypass the network security system, but they don't help with an attack against a patched system.

Related Information

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to use Trellix IPS to combat Advanced Evasion Techniques

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

How to use Trellix IPS to combat Advanced Evasion Techniques

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title