Integrity Scan

Introducing Elastio Integrity Scan

Existing approaches to ransomware detection are applied to the system being protected. These solutions combine static analysis of executables for known malware and dynamic analysis of running processes for suspicious behavior.

In addition to requiring the deployment and maintenance of software on every host (system), these ransomware detection solutions must detect ransomware before it detonates and make quick decisions to allow or block a particular process or file write. On server-class systems, in particular, this can be computationally expensive, and the cost of a false positive is high.

Elastio is agentless for Amazon EC2 and Amazon EBS and has the added advantage of access to multiple point-in-time backups of the existing data and performs its analysis off-host. Not only does this allow us to perform more complex analysis than would be practical on the host system, but it also lets us leverage prior versions of the recovery points to identify suspicious patterns of changes across the entire system, not just one process or one write operation at a time.

Combined with the optimizations built into our ScaleZ storage engine, we are able to do a much more thorough analysis of changes, producing a high-confidence signal as to the presence or absence of detonated ransomware. The ScaleZ optimizations allow us to compute very efficiently which regions of which files have changed since an earlier point in time. This means we can detect ransomware attacks and reliably distinguish tainted recovery points from clean ones, which speeds recovery efforts. We also include static analysis of executables for known malware to identify undetonated ransomware and most known malware variants within a recovery point.

Elastio's active ransomware protection is part of any defense-in-depth strategy and ensures protection and recoverability at the recovery point level.

Checking for Security Threats

Elastio provides two approaches to check recovery points for security threats. The first is the Elastio CLI Integrity Scan (iscan) command. The second is to enable iscan from a data protection policy. Policies are defined in the Elastio Tenant and applied to assets; each policy includes a protection schedule and integrity scan options. You can choose to run a security check for ransomware, malware, or both. The default is both.

Using Elastio Integrity Scan (iscan)

The Elastio Integrity Scan capability is available through the elastio iscan command in the Elastio CLI. It is started like so:

elastio iscan

Note: elastio iscan should be run on an EC2 instance in order to function properly. This restriction will soon be removed. Additionally, iscan might currently fail on Amazon Linux 2 if ntfs-3g is not installed; to install it, run:

sudo yum install ntfs-3g

Integrity Scan (iscan) can be run against a specific path:

elastio iscan --path <path>

or against a recovery point, which must be an EC2, EBS or block recovery point:

elastio iscan --rp <rp-id>

The output is printed to the screen and also saved to a .gz file containing the details of the scan.

Check a directory for malware only:

elastio iscan --malware-only <path>

Check a mount point for ransomware and malware:

elastio mount rp --rp dgwmvmc2eiqlrqmltrw4q8nk /dev/sda1:/mnt
elastio iscan /mnt

Parsing the iscan scan output

Once the iscan job completes, JSON output is provided that can be parsed to automate responses when a threat is identified.

Look for "infected" in the malware scan being greater than 0 and "suspicious" in the ransomware scan being greater than 0. See the example iscan output below:

Job output:
{
  "Succeeded": {
    "completion_time": "Instant { tv_sec: 224, tv_nsec: 333778469 }",
    "rp_id": "rp-00000000000000000000000000",
    "summary": {
      "attachment_ids": [
        "a-00000000000000000000000000",
        "a-00000000000000000000000000"
      ],
      "reports": [
        "iscan-rp-000000000000000000000-vol-00000000000000000-2022-05-13T14:14:14Z-rans.ndjson",
        "iscan-rp-000000000000000000000-vol-00000000000000000-2022-05-13T14:14:14Z-mal.ndjson"
      ],
      "scan_summaries": [
        {
          "summary": {
            "malware_scan": {
              "clean": 81437,
              "corrupted": 0,
              "encrypted": 0,
              "errors": [],
              "incomplete": 0,
              "infected": 0,
              "server_errors": 0,
              "suspicious": 0,
              "total": 81437
            },
            "ransomware_scan": {
              "detected_rans": [],
              "errors": [],
              "suspicious": 0,
              "total": 81437
            },
            "target": {
              "name": "rp-000000000000000000000",
              "type": {
                "rp_id": {
                  "asset_id": {
                    "kind": "AwsEbs",
                    "val": {
                      "kind": "Standard",
                      "val": {
                        "account_id": "515766137665",
                        "region": "us-east-2",
                        "volume_id": "vol-00000000000000000"
                      }
                    }
                  },
                  "rp_id": "rp-000000000000000000000"
                }
              }
            }
          }
        }
      ]
    }
  }
}
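The check described above, as an added example that is not part of the Elastio documentation or CLI: a small Python classifier that reads the job output (tolerating the "Job output:" line the CLI prints before the JSON body), walks every entry in scan_summaries, and flags the recovery point as tainted when malware_scan.infected or ransomware_scan.suspicious is greater than 0. It assumes only the field names visible in the sample above; the sample input is constructed with placeholder IDs, and treating a non-succeeded job or a scan with recorded errors or incomplete files as inconclusive (rather than clean) is this example's own design choice, not documented CLI behaviour.

```python
"""Classify an `elastio iscan` job result as clean, tainted or inconclusive.

Added example, not Elastio's code. Assumes the job output shape shown on
this page: a top-level "Succeeded" object whose summary.scan_summaries[*]
.summary carries "malware_scan" (with an "infected" counter) and
"ransomware_scan" (with a "suspicious" counter).
"""
import json

# Constructed sample mirroring the page's example (IDs are placeholders).
# The leading "Job output:" line is what the CLI prints before the JSON.
SAMPLE_JOB_OUTPUT = """Job output:
{
  "Succeeded": {
    "rp_id": "rp-00000000000000000000000000",
    "summary": {
      "reports": ["placeholder-rans.ndjson", "placeholder-mal.ndjson"],
      "scan_summaries": [
        {
          "summary": {
            "malware_scan": {"clean": 81430, "corrupted": 0, "encrypted": 0,
                             "errors": [], "incomplete": 0, "infected": 7,
                             "server_errors": 0, "suspicious": 0, "total": 81437},
            "ransomware_scan": {"detected_rans": [], "errors": [],
                                "suspicious": 0, "total": 81437},
            "target": {"name": "vol-00000000000000000"}
          }
        }
      ]
    }
  }
}
"""


def load_job_output(text):
    """Parse CLI output, skipping any non-JSON prefix such as 'Job output:'."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in job output")
    return json.loads(text[start:])


def classify_recovery_point(job):
    """Return a verdict dict for one iscan job result.

    Per the documentation, infected > 0 (malware) or suspicious > 0
    (ransomware) means a threat was found. Assumption of this example:
    a job that did not succeed, or scans that logged errors or left files
    incomplete, is reported as "inconclusive" so automation never treats
    a partial scan as a clean bill of health.
    """
    if "Succeeded" not in job:
        return {"verdict": "inconclusive", "rp_id": None,
                "findings": [], "reason": "job did not succeed"}

    succeeded = job["Succeeded"]
    findings = []          # (target name, threat type, count)
    problems = 0           # scan errors + incomplete files
    for entry in succeeded.get("summary", {}).get("scan_summaries", []):
        s = entry.get("summary", {})
        target = s.get("target", {}).get("name", "unknown")
        mal = s.get("malware_scan", {})
        rans = s.get("ransomware_scan", {})
        problems += len(mal.get("errors", [])) + len(rans.get("errors", []))
        problems += mal.get("incomplete", 0)
        if mal.get("infected", 0) > 0:
            findings.append((target, "malware", mal["infected"]))
        if rans.get("suspicious", 0) > 0:
            findings.append((target, "ransomware", rans["suspicious"]))

    if findings:
        verdict = "tainted"      # a finding wins regardless of errors
    elif problems:
        verdict = "inconclusive"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rp_id": succeeded.get("rp_id"),
            "findings": findings, "problems": problems}


if __name__ == "__main__":
    result = classify_recovery_point(load_job_output(SAMPLE_JOB_OUTPUT))
    print(json.dumps(result, indent=2))
```

In a pipeline, pipe the CLI's job output into load_job_output, and gate restore or alerting on the verdict; only "clean" should allow a recovery point to be used without review.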

Downloading the iscan report

To access the report through the CLI for an iscan check that passed for a recovery point, run the following command:

elastio tenant reports download --rp-id <rp-id> --object <vol-id>

The example output for a recovery point where both malware and ransomware reports are present would be as follows:

$ elastio tenant reports download --rp-id rp-01g2s973fs9wjt743bxd5p0fc7 --object vol-0e5931004aef09bca
Malware report download URL: https://s3.eu-central-1.amazonaws.com/iscan-reports20220429103128352400000001//dev.staging.elastio.us/323305539813/us-east-1/4d822ada-e050-4ddf-a8d5-85990a19a39a/26d9f91c-702b-4ed1-90c1-fca982729669.ndjson?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA5UTHRWQPNEIMZTVW%2F20220511%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20220511T105412Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFMaDGV1LWNlbnRyYWwtMSJHMEUCIQDxsFP3CEaNGuH2srJfjkWWoRDtimBZMeB3CfB5FzuSxwIgDz%2BseSm4KMhQex33Wjr9RERSyq1AxlI2s3RNUQzsArAqwQIILBAAGgw5Mzc1OTM3NzkyMzAiDNuPWvoVSMdF2g2qkiqeAt3HFubBiirisTiEfwhDF2c0w5dpxvOQE3O%2FaKx90b8YbvA1frTPPrXPNJdtvDsIicE1tyA8prviM3dlFcnN5IoDPL2iYtJHEAyXOOiXCbQzC1eabz9bi6ukecycmsnWmyj1N1WsfGq6mHewEXmzcL%2BXreZfdx8qVeTuJtF8%2Fzg7qCCR04TXbRcM%2B3zz%2Fo8iLmHx7Box0JCCU34vwgphpJbbF9usBwyzQimNXQAZdTxEv1%2FDuihFTSa9ki04MuMrXyxfZ9E7OHDO%2FFKG4TIWU6DBG%2BZXqFAZC4eLL8zIK50YKy40G4xj%2Bk8iBB63Ny3imD1hJfJjYEccrtpSLCRtjeT5HZwvNW6FQfS7%2BEASNvvhNd51TXFEq7bGSSMxfyUw1KvukwY6nQFT%2B6G6vKTkWi%2FxJ0u%2BIULMIhuF4EVriyVFOZSdSuYDHR3Zr3xtoGYC9MNpsaPCU%2Bpw7aD%2BDPK7dSd8bky7Hw4%2F1v3UjOvlRDJpXlDk%2B9K2MzObx6Djs4IzLCaHWqVSFO%2FAW7LH1%2FweS7QuuERusrR2KP6KQjCISl2xpQ27YvUd8d8Z2OQ2%2FnDabcKc44C5sDzWUAzZXaHdefOBYhZG&X-Amz-Signature=e0559423e79a0660d46b660d83bf39e462c5c2341ac02c8959db21eb701fe083&X-Amz-SignedHeaders=host
Ransomware report download URL: https://s3.eu-central-1.amazonaws.com/iscan-reports20220429103128352400000001//dev.staging.elastio.us/323305539813/us-east-1/4d822ada-e050-4ddf-a8d5-85990a19a39a/41e51b9d-5fa5-438d-b316-e74661da8ca9.ndjson?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA5UTHRWQPACUTALG6%2F20220511%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20220511T105412Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFMaDGV1LWNlbnRyYWwtMSJHMEUCIQD%2FHXK6ogDgzkmSfXk5gvcGwf7HKKYjvgQMB7qlQTj1sgIgAjofexm0pOjdV%2FNS%2FTV0I7kxpP63sX7ymzQ8W%2BUwmY0qwQIILBAAGgw5Mzc1OTM3NzkyMzAiDJK%2BLZ1cCG3NERtngSqeAobqy3pGffbnXAbVJ8SY%2FxBbf620fXioiLnC%2FKNKPnEx8AZbTQroK0XVHqG8inSdYv6S9Ab6II5OuGUvM2I%2BF93uCcU5KJdaRLgKym9gZo%2FJ12ibHX8pENcWNOEDy%2FVantNuLydz7hTjfFc7V553nu4mb37oP2EtUETVTDsyCJ8bQFnw4GZcG9keDrseoAfIG%2Bt6jXllfemwj%2F8UA%2FYpC68hKZOZIxsjIRhMV7AwA89XkmkfdzaeJuILh57f5KzQ3Vqi2yF3yyRpsiuUlUeXc2BI5j6eMneRT8Cnkhu%2Bj6blmb5hAF3zIu%2BPFcCtu0bSjbGOj7XgEeGqY3oUTjHqZKDBe2KTg1ahoCjOGyXS%2B2D5L38CUjPXqSzulAIueEww1KvukwY6nQGk9d7Q5W5OD8OfhbrXFp15at5xyEn3UiJaVCFNFyqpSHWA037XMBuTivdElYiyXccGroHlZrPQ24MijmuNugaCFT%2BjNUcsRDwa9ccLiCSS2ht5TppX70ElPnvhVybS%2B23vKtoKxad11JfwiQ7BUhh973PD455MfzZnbM22%2BwQHvJEGiGZGxnbJ6QyYipW8uIdx73HaWiZOraM4bQMM&X-Amz-Signature=bb7f50913a8f8cdef4fb61b4e28d1772a3ad3a36560450a471e49e11ab3ad751&X-Amz-SignedHeaders=host

Following the link provided, you can download the respective report and inspect it in detail.