Abatis HDF and Control Management Console
Providing Proactive & Efficient Protection from
Advanced Cyber Threats
Zero Day Malware attacks - Introduction
The aim of the attack is to covertly set up a Command & Control (C&C) channel and then exfiltrate data out of the target system(s) over a period of time. This is normally achieved by the user opening an email attachment or visiting a website that is able to deposit a malware payload (a so-called drive-by website). To avoid detection, the malware needs to be previously unknown.
Methodology
1. The attacker performs some kind of reconnaissance to gain an understanding of the organisation.
2. The target (user) is tricked into opening an attachment that contains the malware payload.
3. The malware remains dormant until some point in time when it communicates with the attacker through the C&C channel.
4. The malware also traverses the target network to infect other machines.
5. Data is then exfiltrated from the network over the C&C channel.
Countermeasure techniques
Network Level
Network appliances that inspect every port entering the network. They can drill down into every file, inspecting attachments for embedded code, e.g. an attached PowerPoint slide delivered in PDF format, where the PowerPoint contains JavaScript.
• These appliances are expensive.
• They need to be updated with cyber-security feeds, because they rely on some form of white/grey/black listing.
• They require IT security staff to set security policy, and the professional services to implement them are expensive.
End user level
Traditional anti-virus is a good example of end-user-level security: an established and accepted method.
• Needs client software running on the end point.
• Low cost and easy to deploy.
• Needs constant signature updating.
Host Integrity Technology
A technique for keeping an end-user client compliant with the organisation’s security policy.
• Needs client software running on the end point.
• Low cost and easy to deploy.
Introduction – Abatis HDF
Abatis HDF is a unique and time-proven effective security tool that helps enforce computer and file integrity on Microsoft Windows platforms from Windows 2000 to the latest Windows 7 versions (32 and 64 bit).
Abatis HDF is deployed on all end-point workstations and servers and is managed by a Central Management Console (CMC), which enforces corporate security policy and provides detailed analysis and audit information.
The Abatis HDF features provide advantages to the organisation such as:
• Defeats zero-day malware, rootkits, Trojans, APTs and viruses/worms
• Protects legacy and new operating systems from Windows NT4 to Windows 7
• Small software footprint that requires no ongoing updates
• Extremely fast in operation
• Prevents exploitation of Alternate Data Streams (ADS)
• Prevents exploitation by CryptoLocker ransomware
• Protects all permanent storage on the device, thereby ensuring no threats can penetrate
• Non-signature-based software protection for Windows and Linux
• Provides anti-malware and anti-hacker protection
This is how Abatis HDF helps users!
The situation
• Hacking is now the biggest-value crime in the world; no one is safe – targets are individuals, corporates and governments
• Traditional anti-virus is no longer effective protection and does not work for zero-day APT attacks.
How Abatis HDF helps users.
• Abatis stops 99% of all viruses (according to Symantec 2010 report)
• Very small footprint, imperceptible performance loss, ideal for low power & smartphones
• No more patches on legacy systems and no AV available for SCADA systems
• Abatis can support NT4 through to Win7 and is deterministic – perfect for SCADA
• True/near-forensic logging and CMC make management simple and cost effective
• Potential performance gains, battery life enhancement and data centre energy savings (GREEN AGENDA)
• The only APT Hunter-Killer on the market?
Abatis Hard Disk Firewall
• HDF is a kernel-level filter driver of less than 100 KB
• Prevents malware from becoming persistent on a Windows or Linux device
• Blocks the writing of binary executable files to permanent storage
• Policy driven, so it can be configured to allow or block any file type
• Granular policy allows safe, automatic updating of selected files as required
• Log files stored locally in delimited or syslog form for transfer to a SIEM/CMC
HDF is a proactive, non-signature-based technology that helps enforce system and file integrity protection. By definition, there can be no malware infection or hacking compromise when system integrity is robustly maintained. Note that HDF is not a conventional anti-virus program but a robust technical tool that helps system administrators maintain system integrity without complex management overheads.
A Patented technology
Abatis – Technical Features
The following is a list of HDF’s unique technical features:
• Integrates seamlessly into the operating system as a kernel module, using a Microsoft-documented implementation with no backdoor and no rootkit approach.
• Resists attempts to shut down its operation, e.g. by hostile malware or user mistakes.
• Small application footprint (30 KB for Standard, 60 KB for Advanced) with no system performance degradation.
• Identifies and blocks executable files with a generic approach, without signature-based pattern matching.
• Operates autonomously, irrespective of the system privileges of the logged-on user and system processes.
• Totally transparent to users and applications: no user interaction, and all applications run as normal without modification.
• Supports local and networked drives, plug-and-play mounted devices and removable storage devices, e.g. USB drives.
• Audit-logs HDF operations, e.g. blocking and non-blocking actions are logged for audit-trail purposes.
• Compatible with anti-virus programs, personal firewalls and file encryption tools.
• No day-to-day user maintenance and reliable operation.
HDF has three modes of operation:
• Normal (or Protect) – unwanted executables are blocked from being written to disk,
• Learn – records the unwanted executables that would have been blocked if HDF had been in Protect mode,
• Audit – records all write I/O activity.
Abatis HDF's main security features: 1
Control of a system’s Write I/O:
• Detects and stops all unauthorised software executables from being stored on a protected computer (while not affecting existing applications’ ability to run)
• A proactive security solution to:
  • Block zero-day, unknown and known malware binaries such as keyloggers, Trojans and spyware from persisting on the system
  • Block rootkits – kernel and user mode variants
  • Defeat zero-day and targeted APT attacks
  • Protect against drive-by attacks and hacking
Abatis HDF's main security features: 2
Blocks unauthorised system and file modification:
• Prevents web defacement attacks (Advanced version only)
• Protects any files defined by the user from unauthorised modification
• Prevents protected files from being overwritten
The HDF application is resilient against hostile attacks on:
• the HDF kernel binary, e.g. HDF.sys
• unauthorised shutdown and attempts to disable it
• HDF start-up and configuration settings maintained in the Windows Registry (Advanced version only)
Abatis HDF's main security features: 3
Maintains system integrity and operational efficiency:
• Removes the urgency for system security patches, e.g. Microsoft critical patches, reducing vulnerability windows during patch testing time (in environments where software patching is a governance requirement)
• Functions transparently to applications and the user – no user interaction
• No perceptible performance degradation
• Reduces system downtime otherwise caused by patching and virus cleaning
• Stops the installation of unwanted or illegal/unapproved software
• Protects against accidental and malicious virus/malware insertion
Abatis video demonstrations
SDBOT with Abatis HDF turned off – 4 mins
https://www.youtube.com/watch?v=b391BcO4w1Y
SDBOT with Abatis HDF turned on – 4 mins
https://www.youtube.com/watch?v=Lu6iuYubHmQ
CryptoLocker defeated by Abatis HDF – 7 mins
https://www.youtube.com/watch?v=MX3e2wc63as
Alternative Data Stream file injection – 7 mins
https://www.youtube.com/watch?v=PKGdXHc4yLA
UPX Open source packer – 6 mins
https://www.youtube.com/watch?v=g0RmclTe7Lo
These videos show conclusively how Abatis HDF prevents any program that is not in the security policy, e.g. examplefile.exe, from executing. It is effectively blocked and recorded in the log file for remediation.
Software Distribution/System Patching
• Central software deployment
  • HDF is delivered as a standard Microsoft Installer package (msi file) and supports silent, unattended installation. Fully supports Windows Installer and other software distribution tools such as Microsoft’s SMS, IBM’s Tivoli Configuration Manager, Symantec’s On iCommand/LiveState, etc.
  • Distribution via Microsoft Active Directory
  • Deployment via the Central Management Console (CMC)
  • HDF can also be deployed in components to support customised and in-house software distribution processes.
• Software/system patching
  • HDF supports automated software and system patching.
  • HDF blocking can be controlled by:
    • A command-line tool used by scripts or batch files.
    • Static and runtime policy rules (based on process name, target path and filename, and/or system/user accounts).
    • The CMC browser interface
    • An API library
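The write-filter model behind the three modes of operation (Protect, Learn, Audit) and the policy rules just listed (process name, target path, user account) can be sketched in user-mode Python. This is an added illustration, not Abatis code (the page does not describe the driver internals): executables are recognised by file header rather than by signature or extension, the mode decides what happens to an unpermitted executable write, and every event becomes a delimited log line of the kind a SIEM or the CMC would ingest. The sample writes, paths, account names and the log column layout are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase


class Mode(Enum):
    PROTECT = "protect"  # block unwanted executables
    LEARN = "learn"      # allow, but log what Protect mode would have blocked
    AUDIT = "audit"      # allow and log every write


# Magic numbers of common executable formats. Extension and location are ignored,
# so a PE image written into an alternate data stream or renamed to .pdf is still caught.
_MACHO_MAGIC = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}


def looks_executable(data: bytes) -> bool:
    """Content-based check: True if the bytes begin like a native executable or script."""
    if data[:2] == b"MZ":          # DOS/PE header (Windows .exe, .dll, .sys)
        return True
    if data[:4] == b"\x7fELF":     # Linux ELF
        return True
    if data[:4] in _MACHO_MAGIC:   # macOS Mach-O
        return True
    return data[:2] == b"#!"       # interpreter script


@dataclass(frozen=True)
class Rule:
    """Allow rule: case-insensitive globs on writing process, target path and account."""
    process: str = "*"
    path: str = "*"
    user: str = "*"

    def matches(self, process: str, path: str, user: str) -> bool:
        return (fnmatchcase(process.lower(), self.process.lower())
                and fnmatchcase(path.lower(), self.path.lower())
                and fnmatchcase(user.lower(), self.user.lower()))


@dataclass
class Policy:
    mode: Mode
    allow: list = field(default_factory=list)  # Rule objects that permit executable writes


def filter_write(policy: Policy, process: str, user: str, path: str, data: bytes, log: list) -> str:
    """Decide one write request; returns 'allow', 'block' or 'would-block' and appends log lines."""
    exe = looks_executable(data)
    if not exe or any(r.matches(process, path, user) for r in policy.allow):
        decision = "allow"           # non-executable data, or an executable permitted by rule
    elif policy.mode is Mode.PROTECT:
        decision = "block"
    elif policy.mode is Mode.LEARN:
        decision = "would-block"     # recorded so the rule set can be built before enforcing
    else:
        decision = "allow"           # Audit only observes
    # Audit logs every write; Protect and Learn log every executable write, blocked or not.
    if policy.mode is Mode.AUDIT or exe:
        log.append("|".join([policy.mode.value, decision, user, process, path,
                             "exe" if exe else "data"]))
    return decision


def run_scenarios():
    """Constructed sample writes; returns (decisions, log lines)."""
    pe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8        # constructed PE-like header
    pdf = b"%PDF-1.4\n%constructed sample document\n"
    policy = Policy(Mode.PROTECT, allow=[
        Rule(process="msiexec.exe", path=r"C:\Program Files\*", user=r"NT AUTHORITY\SYSTEM"),
    ])
    log = []
    dropped = r"C:\Users\alice\Downloads\invoice.pdf.exe"
    decisions = [
        # phished user opens an attachment that drops a PE with a doubled extension
        filter_write(policy, "outlook.exe", r"CORP\alice", dropped, pe, log),
        # sanctioned installer writing into Program Files as SYSTEM: permitted by rule
        filter_write(policy, "msiexec.exe", r"NT AUTHORITY\SYSTEM", r"C:\Program Files\App\app.exe", pe, log),
        # ordinary document write: not executable, never blocked and not logged in Protect mode
        filter_write(policy, "winword.exe", r"CORP\alice", r"C:\Users\alice\report.pdf", pdf, log),
        # PE hidden in an alternate data stream of a text file: still caught by content
        filter_write(policy, "cmd.exe", r"CORP\alice", r"C:\Users\alice\notes.txt:payload", pe, log),
    ]
    # The same drop under Learn mode is let through but recorded as a would-block event
    learn = Policy(Mode.LEARN, allow=policy.allow)
    decisions.append(filter_write(learn, "outlook.exe", r"CORP\alice", dropped, pe, log))
    # Audit mode records even the harmless document write
    audit = Policy(Mode.AUDIT)
    decisions.append(filter_write(audit, "winword.exe", r"CORP\alice", r"C:\Users\alice\report.pdf", pdf, log))
    return decisions, log


if __name__ == "__main__":
    for line in run_scenarios()[1]:
        print(line)
```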
Legacy Windows™ Systems – End of Support Period

Windows Version           Mainstream Support Ends   Extended Support Ends   Market Share %
Windows NT4               Ended 2001                Ended 2004              0.05
Windows 2000              Ended 2005                Ended 2010              0.06
Windows XP                Ended 2009                Ends April 2014         39.51
Windows XP Embedded       Ended 2011                Ends January 2016       Included above
Windows Vista             Ended 2012                Ends April 2017         5.24
Windows 7                 Ends January 2015         Ends January 2020       44.48 **
Windows 2003 Server       Ended 2010                Ends July 2015          47.9 *
Windows 2008 Web Server   Ended July 2013           Ends January 2020       Included above
Windows 2008 Server       Ends January 2015         Ends July 2018          Included above

Abatis protects all of these legacy and obsolete operating systems.
Microsoft has over 80% of the desktop operating system market, and nearly half of the server market, yet around 40% of both are using obsolete/unsupported operating systems.
Abatis CMC
• Central Management Console that provides facilities to:
  • Install HDF on an estate
  • Retrieve and analyse logs
  • Push policy updates to HDF individually, in groups or globally as required
• Web-based application providing a SIEM-like dashboard
• Simple, clean, easy to use, SQL database back end
• Search for identified ‘rogue’ files such as blocked APT updates
• Experience shows ‘clean-up’ of an infection reduced from 3 days to 2 hours
The HDF Central Management Console is a tool specifically designed to monitor all HDF-protected computers for real-time HDF logging, the status of HDF clients, security trends and security alarms, and to interrogate the HDF operating parameters as well as system and hardware information. Through the CMC, an IT administrator can send runtime commands to the HDF clients, such as turning Protect mode on/off, setting the allowed processes, etc.
Central Management Console (CMC)
Cost Benefits in deploying Abatis HDF
• Saves money by reducing/eliminating the incidence of malware infection and the associated fix/clean-up costs
• Low cost, virtually fit-and-forget solution (in certain environments) and, importantly, does not require expensive updates and maintenance contracts
• Mitigates the risk of losing sensitive data that could attract major fines from the ICO and/or regulators
• Prevents the loss of business through downtime of IT systems
• A single software product can be rolled out across the estate, from servers to desktops to routers to SCADA, which dramatically reduces operational overhead costs
• Potential performance enhancement, savings through reduced power consumption and battery life improvement – improved GREEN credentials
In today’s businesses IT costs are constantly being driven down, and cyber security, even though it is seen as a major requirement, is still subject to severe cost scrutiny. This is even more so for the often hidden operational and maintenance costs of many cyber-security solutions.
Technical Benefits in deploying Abatis HDF
• A single software product can be rolled out across the estate, from Windows and Linux servers to desktops to routers, which prevents malware and APT attacks and dramatically improves security
• Improves management oversight and control of the estate (including enforcing the security policy)
• Can be installed alongside existing security controls – does not ‘fight’ with existing known AV, IPS, etc.
• Provides protection for mis-configured and incorrectly patched systems
• Provides protection for legacy equipment for which patches and AV may no longer be available
• Near-zero performance hit (potential improvement…)
• Provides some IP theft protection and good control over external devices such as USB, DVD, etc.
• A credible technical defence for real-time and safety-critical systems and SCADA environments
• Small, efficient code allows the possibility of use in mobile platforms, low-power devices and the Internet of Things (incl. smart meters)
In today’s cyber-threat environment it is essential that a product or system will actually prevent and withstand an attack from these varying threat vectors, does not impede users in their work, and does what it says on the “Tin”.
Abatis Technology Roadmap
• Available Now
  • Windows HDF Standard
  • Windows HDF Advanced
  • Linux (Red Hat)
  • Central Management Console (CMC)
• Future Products
  • Smart-Phones and Tablets
    • Android
    • Windows Phone
    • Kindle?
  • Further IP Protection, Formal Evaluation/Certification and Ease of Use Product Improvements
    • Automatic policy generation, device discovery and AV invocation to clean up existing APTs
    • Evaluation under CESG CPA Scheme
    • Certification on various SCADA manufacturers’ equipment
    • Establish community of interest (COI) for policy generation and standardisation
Both available in 32-bit and 64-bit versions
Covering NT4 to Win 7, incl. server and embedded
Overall Summary
• Traditional anti-virus is no longer effective protection
• Hacking is now the biggest-value crime in the world
• No one is safe – targets are individuals, corporates and governments
• 4.2 billion people have a toothbrush; 5.1 billion have a mobile phone; 4 billion smartphones have no effective anti-virus
• Abatis stops 99% of all viruses (according to Symantec 2010 report)
• Very small footprint, imperceptible performance loss, ideal for low-power devices & smartphones
• No more patches on legacy systems and no AV available for SCADA systems
• Abatis can support NT4 through to Win7 and is deterministic – perfect for SCADA
• True/near-forensic logging and CMC make management simple and cost effective
• Potential performance gains, battery life enhancement and data centre energy savings (GREEN AGENDA)
• The only APT Hunter-Killer on the market?
Simple & proven
Efficient & economical
Performance enhancing
Minuscule footprint
HighQuest Solutions Ltd
145-147 St. John Street
London
EC1V 4PW
Tel: +44 (0) 207 078 4332
www.highquestsolutions.com
Ian Wells – Director

Main news related to the CCS TSI 2023 (2023/1695)
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 

Hqs abatis hdf general overview

  • 4. Introduction – Abatis HDF
    Abatis HDF is a unique and time-proven effective security tool to help enforce computer and file integrity on Microsoft Windows platforms from Windows 2000 to the latest Windows 7 versions (32 and 64 bit). Abatis HDF is deployed on all end point workstations and servers and is managed by a Central Management Console (CMC), which enforces corporate security policy and provides detailed analysis and audit information. The Abatis HDF features provide advantages to the organisation such as:
    • Defeats zero-day malware, rootkits, Trojans, APTs and viruses/worms
    • Protects legacy and new operating systems from Windows NT4 to Windows 7
    • Small software footprint that requires no ongoing updates
    • Extremely fast in operation
    • Prevents exploitation of Alternate Data Streams (ADS)
    • Prevents exploitation by CryptoLocker ransomware
    • Protects all permanent storage on the device, thereby ensuring no threats can penetrate
    • Non-signature-based software protection for Windows and Linux
    • Provides anti-malware and anti-hacker protection
  • 5. This is how Abatis HDF helps users!
    The situation
    • Hacking is now the biggest-value crime in the world. No one is safe – targets are individuals, corporates and governments.
    • Traditional anti-virus is no longer effective protection; it does not work for zero-day APT attacks.
    How Abatis HDF helps users
    • Abatis stops 99% of all viruses (according to Symantec 2010 report)
    • Very small footprint, imperceptible performance loss, ideal for low power devices & smartphones
    • No more patches on legacy systems, and no AV available for SCADA systems
    • Abatis can support NT4 through to Win7 and is deterministic – perfect for SCADA
    • True/near-forensic logging and the CMC make management simple and cost effective
    • Potential performance gains, battery life enhancement and data centre energy savings (GREEN AGENDA)
    • The only APT Hunter-Killer on the market?
  • 6. Abatis Hard Disk Firewall
    • HDF is a kernel level filter driver of less than 100 KB
    • Prevents malware from becoming persistent on a Windows or Linux device
    • Blocks the writing of binary executable files to permanent storage
    • Policy driven, so it can be configured to allow or block any file type
    • Granular policy allows safe, automatic updating of selected files as required
    • Log files stored locally in delimited or syslog form for transfer to SIEM/CMC
    HDF is a proactive, non-signature based technology to help enforce system and file integrity protection. By definition, there can be no malware infection or hacking compromise when system integrity is robustly maintained. It is useful to note that HDF is not a conventional anti-virus program but a robust technical tool to help system administrators maintain system integrity without complex management overheads. A patented technology.
  • 7. Abatis – Technical Features
    The following is a list of HDF's unique technical features:
    • Integrates seamlessly into the operating system as a kernel module. Microsoft-documented implementation; no backdoor and no rootkit approach.
    • Resists attack attempts to shut down operation, e.g. by hostile malware or user mistakes.
    • Small application footprint (30 KBytes for Standard, 60 KBytes for Advanced), no system performance degradation.
    • Identifies and blocks executable files with a generic approach and without signature-based pattern matching.
    • Operates autonomously irrespective of the system privileges of the logged-on user and system processes.
    • Totally transparent to users and applications. No user interaction, and all applications run as normal without modification.
    • Supports local and networked drives, plug-and-play mounted devices and removable storage devices, e.g. USB drives.
    • Audit logs HDF operations, e.g. blocking or non-blocking actions are logged for audit trail purposes.
    • Compatible with antivirus programs, personal firewalls and file encryption tools.
    • No day-to-day user maintenance and reliable operation.
  • 8. Abatis HDF's main security features are: 1
    HDF has three modes of operation:
    • Normal (or Protect) – where unwanted executables are blocked from being written to the disk,
    • Learn – which records the unwanted executables that would have been blocked if HDF had been in Protect mode,
    • Audit – which records all write I/O activity.
    Control of a system's write I/O:
    • Detects and stops all unauthorised software executables from being stored to a protected computer (while not affecting existing applications' ability to run)
    • A proactive security solution to:
      • Block zero-day, unknown and known malware binaries such as keyloggers, Trojans and spyware from persisting on the system
      • Block rootkits - kernel and user mode variants
      • Defeat zero-day and targeted APT attacks
      • Protect against drive-by attacks and hacking
  • 9. Abatis HDF's main security features are: 2
    Blocks unauthorised system and file modification:
    • Prevents web defacement attacks (Advanced version only)
    • Protects any files defined by the user from unauthorised modification
    • Prevents protected files from being overwritten
    The HDF application is resilient against hostile attacks on:
    • the HDF kernel binary, e.g. HDF.sys
    • unauthorised shutdown and attempts to disable it
    • HDF start-up and configuration settings maintained in the Windows Registry (Advanced version only)
  • 10. Abatis HDF's main security features are: 3
    Maintains system integrity and operational efficiency:
    • Removes the urgency for system security patches, e.g. Microsoft critical patches, reducing vulnerability windows during patch testing (in environments where software patching is a governance requirement)
    • Functions transparently to applications and the user - no user interaction
    • No perceptible performance degradation
    • Reduces system downtime otherwise caused by patching and virus cleaning
    • Stops the installation of unwanted or illegal/unapproved software
    • Protects against accidental and malicious virus/malware insertion
  • 11. Abatis video demonstrations
    The following videos show conclusively how Abatis HDF prevents any program that is not in the security policy (examplefile.exe in the demonstrations) from executing. It is effectively blocked and recorded in the log file for remediation.
    • SDBOT with Abatis HDF turned off – 4 mins: https://www.youtube.com/watch?v=b391BcO4w1Y
    • SDBOT with Abatis HDF turned on – 4 mins: https://www.youtube.com/watch?v=Lu6iuYubHmQ
    • CryptoLocker defeated by Abatis HDF – 7 mins: https://www.youtube.com/watch?v=MX3e2wc63as
    • Alternative Data Stream file injection – 7 mins: https://www.youtube.com/watch?v=PKGdXHc4yLA
    • UPX open source packer – 6 mins: https://www.youtube.com/watch?v=g0RmclTe7Lo
  • 12. Software Distribution/System Patching
    Central software deployment
    • HDF is delivered in a standard Microsoft Installation Package (msi file) and supports silent unattended install. Fully supports Windows Installer and other software distribution tools such as Microsoft's SMS, IBM's Tivoli Configuration Manager, Symantec's On iCommand/LiveState etc.
    • Distribute by Microsoft Active Directory
    • Deployment via Central Management Console (CMC)
    • HDF can also be deployed in components to support customised and in-house software distribution processes.
    Software/System patching
    • HDF supports automated software and system patching.
    • HDF blocking can be controlled by:
      • Command line tool used by scripts or batch files.
      • Static and runtime policy rules (based on process name, target path and filename and/or system/user accounts).
      • CMC browser interface
      • API library
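Slides 6, 8 and 12 together describe the mechanism: recognise binary executables generically rather than by signature, block them from reaching permanent storage unless a policy rule covers the writing process, target path and account, and record each decision in Protect, Learn or Audit mode. The following is an added user-space model of that decision logic, written for this page; it is not Abatis code and not the HDF driver. The rule fields follow slide 12, while the magic-byte test, the Audit-mode semantics (record only, block nothing), the sample policy, the write events and the delimited log layout are all assumptions made for the illustration.

```python
"""User-space model of an HDF-style write blocker (added example, not Abatis code).

Slides 6, 8 and 12 describe the mechanism: recognise binary executables
generically, block them from reaching permanent storage unless policy allows
the writing process/path/account, and log every decision in Protect, Learn
or Audit mode.  The magic-byte test, the Audit-mode semantics (record only)
and the log layout below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# Generic recognition: the loader needs a known header, so the header rather
# than the file extension is what the blocker keys on (no signatures).
EXEC_MAGICS = {b"MZ": "PE", b"\x7fELF": "ELF"}


def executable_format(data: bytes) -> Optional[str]:
    """Return 'PE', 'ELF' or None from the first bytes being written."""
    for magic, name in EXEC_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


@dataclass
class WriteEvent:
    host: str
    process: str   # image name of the writing process
    account: str   # logged-on user or service account
    path: str      # full target path (local, network or removable drive)
    data: bytes    # leading bytes of the write


@dataclass
class AllowRule:
    """Policy rule; each field is a glob pattern, None matches anything."""
    process: Optional[str] = None
    path: Optional[str] = None
    account: Optional[str] = None

    def matches(self, ev: WriteEvent) -> bool:
        pairs = ((self.process, ev.process), (self.path, ev.path),
                 (self.account, ev.account))
        return all(pat is None or fnmatch(val.lower(), pat.lower())
                   for pat, val in pairs)


def evaluate(ev: WriteEvent, policy: List[AllowRule], mode: str) -> dict:
    """Decide one write and produce a delimited log record (assumed layout)."""
    if mode not in ("protect", "learn", "audit"):
        raise ValueError(f"unknown mode {mode!r}")
    fmt = executable_format(ev.data)
    permitted = fmt is None or any(r.matches(ev) for r in policy)
    if mode == "audit":
        action = "logged"       # every write recorded, nothing blocked
    elif permitted:
        action = "allowed"
    elif mode == "learn":
        action = "would-block"  # what Protect mode would have stopped
    else:
        action = "blocked"
    log = "|".join([ev.host, mode, action, fmt or "data",
                    ev.process, ev.account, ev.path])
    return {"action": action, "format": fmt, "log": log}


# Constructed policy: only the update service and the installer may drop
# executables, and only under the system trees.
POLICY = [
    AllowRule(process="wuauclt.exe", path="C:\\Windows\\*",
              account="NT AUTHORITY\\SYSTEM"),
    AllowRule(process="msiexec.exe", path="C:\\Program Files\\*"),
]

# Constructed write events: an executable dropped by Word (the attachment
# route from slide 2), an ordinary document save, a patch install, and a
# copy to a removable drive.
SAMPLE_EVENTS = [
    WriteEvent("ws01", "winword.exe", "CORP\\alice",
               "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", b"MZ\x90\x00"),
    WriteEvent("ws01", "winword.exe", "CORP\\alice",
               "C:\\Users\\alice\\Documents\\report.docx", b"PK\x03\x04"),
    WriteEvent("ws01", "wuauclt.exe", "NT AUTHORITY\\SYSTEM",
               "C:\\Windows\\System32\\kb.dll", b"MZ\x90\x00"),
    WriteEvent("ws01", "explorer.exe", "CORP\\alice",
               "E:\\tools\\helper.exe", b"MZ\x90\x00"),
]


def run(mode: str) -> List[dict]:
    """Evaluate the sample events under one mode."""
    return [evaluate(ev, POLICY, mode) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for mode in ("protect", "learn", "audit"):
        for record in run(mode):
            print(record["log"])
```

Running the model in the three modes shows the operational difference from slide 8: Protect blocks the two unsanctioned executables, Learn produces the same two records marked would-block without interfering, and Audit records all four writes. Keying on the file header means the renamed or extension-less executable still counts as one, which is the point of the non-signature approach on slide 7.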
  • 13. Legacy Windows ™ Systems – End of Support Period
    Windows Version            Mainstream Support Ends   Extended Support Ends   Market Share %
    Windows NT4                Ended 2001                Ended 2004              0.05
    Windows 2000               Ended 2005                Ended 2010              0.06
    Windows XP                 Ended 2009                Ends April 2014         39.51
    Windows XP Embedded        Ended 2011                Ends January 2016       Included above
    Windows Vista              Ended 2012                Ends April 2017         5.24
    Windows 7                  Ends January 2015         Ends January 2020       44.48 **
    Windows 2003 Server        Ended 2010                Ends July 2015          47.9 *
    Windows 2008 Web Server    Ended July 2013           Ends January 2020       Included above
    Windows 2008 Server        Ends January 2015         Ends July 2018          Included above
    Abatis protects all of these legacy and obsolete operating systems.
    Microsoft has over 80% of the desktop operating system market, and nearly half of the server market, yet around 40% of both are using obsolete/unsupported operating systems.
  • 14. Abatis CMC
    Central Management Console that provides facilities to:
    • Install HDF on an estate
    • Retrieve and analyse logs
    • Push policy updates to HDF individually, in groups or globally as required
    • Web based application providing a SIEM-like dashboard
    • Simple, clean, easy to use, SQL database back end
    • Search for identified 'rogue' files such as blocked APT updates
    • Experience shows 'clean-up' of an infection reduced from 3 days to 2 hours
    The HDF Central Management Console is a tool specifically designed to monitor all HDF-protected computers for real-time HDF logging, status of HDF clients, security trends and security alarms, and to interrogate the HDF operating parameters as well as system and hardware information. Through the CMC, an IT administrator can send runtime commands to the HDF clients, such as turning protect mode on/off, setting the allowed processes etc.
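Slide 14 has the CMC retrieving logs from every protected host and searching them for 'rogue' blocked files, and slide 2 notes that the malware tries to traverse the network to other machines. The block below is an added example of that triage step written for this page, not Abatis or CMC code: it parses a constructed delimited log (the field layout, host names, accounts and paths are all assumed) and surfaces the file names that were blocked on several hosts, where each was first seen, and which processes tried to drop them.

```python
"""Triage of HDF-style block logs across an estate (added example, not Abatis or CMC code).

Slide 14 describes the CMC retrieving logs from every protected host and
searching for 'rogue' blocked files; slide 2 notes that malware tries to
traverse the network.  The functions below parse a constructed delimited log
(the field layout is an assumption) and surface the file names blocked on
several hosts, where they were first seen, and which processes dropped them.
"""
import ntpath
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

BLOCKING_ACTIONS = {"blocked", "would-block"}  # Protect and Learn outcomes

# Constructed sample: timestamp|host|mode|action|format|process|account|path
LOG_LINES = r"""
2014-03-03T09:12:41Z|ws01|protect|blocked|PE|winword.exe|CORP\alice|C:\Users\alice\AppData\Local\Temp\update.exe
2014-03-03T09:13:02Z|ws01|protect|allowed|data|winword.exe|CORP\alice|C:\Users\alice\Documents\report.docx
2014-03-03T09:15:20Z|ws07|protect|blocked|PE|outlook.exe|CORP\bob|C:\Users\bob\AppData\Local\Temp\update.exe
2014-03-03T09:40:11Z|srv02|protect|blocked|PE|svchost.exe|NT AUTHORITY\SYSTEM|C:\Windows\Temp\update.exe
2014-03-03T10:01:55Z|ws07|protect|allowed|PE|wuauclt.exe|NT AUTHORITY\SYSTEM|C:\Windows\System32\kb.dll
2014-03-03T10:05:00Z|ws12|learn|would-block|PE|chrome.exe|CORP\carol|C:\Users\carol\Downloads\setup.exe
"""

FIELDS = ("ts", "host", "mode", "action", "fmt", "process", "account", "path")


def parse_log(text: str) -> List[dict]:
    """Split delimited records into dicts; malformed lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["name"] = ntpath.basename(rec["path"]).lower()  # Windows paths
        records.append(rec)
    return records


def blocked_hosts_by_file(records: List[dict]) -> Dict[str, Set[str]]:
    """Map each blocked file name to the set of hosts that saw it."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["action"] in BLOCKING_ACTIONS:
            out[r["name"]].add(r["host"])
    return out


def spreading_files(records: List[dict], min_hosts: int = 2) -> List[Tuple[str, List[str]]]:
    """Files blocked on at least min_hosts hosts: candidates for a payload
    that is trying to traverse the network, and the first thing to hunt."""
    by_file = blocked_hosts_by_file(records)
    return sorted((name, sorted(hosts)) for name, hosts in by_file.items()
                  if len(hosts) >= min_hosts)


def first_seen(records: List[dict], name: str) -> Tuple[str, str, str]:
    """Earliest host, process and account that tried to write the file."""
    hits = [r for r in records
            if r["name"] == name and r["action"] in BLOCKING_ACTIONS]
    first = min(hits, key=lambda r: r["ts"])
    return first["host"], first["process"], first["account"]


def dropper_processes(records: List[dict]) -> List[Tuple[str, int]]:
    """Processes that attempted to drop executables, most frequent first.
    Office or mail clients here point at the attachment route on slide 2."""
    counts = Counter(r["process"] for r in records
                     if r["action"] in BLOCKING_ACTIONS)
    return counts.most_common()


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for name, hosts in spreading_files(recs):
        print(f"{name}: blocked on {len(hosts)} hosts {hosts}; "
              f"first seen {first_seen(recs, name)}")
    print("dropper processes:", dropper_processes(recs))
</```

On the constructed sample the same update.exe was blocked on a workstation, a second workstation and a server within thirty minutes, with the earliest attempt coming from winword.exe under a user account; that is the pattern the CMC search for blocked APT updates is meant to expose, and the first-seen host is where the clean-up on slide 14 would begin. Matching on the lower-cased base name is deliberate: the same payload lands in different user temp directories on each host.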
  • 16. Cost Benefits in deploying Abatis HDF
    • Saves money by reducing / eliminating the incidence of malware infection and associated fix/clean-up costs
    • Low cost, virtually fit-and-forget solution (in certain environments) and, importantly, does not require expensive updates and maintenance contracts
    • Mitigates the risk of losing sensitive data that could attract major fines from the ICO and/or regulators
    • Prevents the loss of business through downtime of IT systems
    • A single software product can be rolled out across the estate from servers to desktops to routers to SCADA, which dramatically reduces operational overhead costs
    • Potential performance enhancement, savings through reduced power consumption and battery life improvement - improved GREEN credentials
    In today's businesses IT costs are constantly being driven down, and cyber security, even though it is seen as a major requirement, is still subject to severe cost scrutiny. This applies even more to the often hidden operational and maintenance costs of many cyber security solutions.
  • 17. Technical Benefits in deploying Abatis HDF
    • A single software product can be rolled out across the estate from Windows and Linux servers to desktops to routers, which prevents malware and APT attacks and dramatically improves security
    • Improves management oversight and control of the estate (including enforcing the security policy)
    • Can be installed alongside existing security controls – does not 'fight' with existing known AV, IPS, etc.
    • Provides protection for mis-configured and incorrectly patched systems
    • Provides protection for legacy equipment for which patches and AV may no longer be available
    • Near zero performance hit (potential improvement….)
    • Provides some IP theft protection and good control over external devices such as USB, DVD, etc.
    • A credible technical defence for real time and safety-critical systems and SCADA environments
    • Small, efficient code allows the possibility of use in mobile platforms, low power devices and the Internet of Things (incl. Smart Meters)
    In today's cyber threat environments, it is essential that a product or system will actually prevent and withstand an attack from these varying threat vectors, does not impede users in their work, and does what it says on the "Tin".
  • 18. Abatis Technology Roadmap
    Available Now
    • Windows HDF Standard
    • Windows HDF Advanced
    • Linux (Red Hat)
    • Central Management Console (CMC)
    Windows HDF Standard and Advanced are both available in 32 bit and 64 bit versions, covering NT4 to Win 7, incl. server and embedded.
    Future Products
    • Smart-Phones and Tablets
      • Android
      • Windows Phone
      • Kindle?
    • Further IP Protection, Formal Evaluation/Certification and Ease of Use Product Improvements
      • Automatic policy generation, device discovery and AV invocation to clean up existing APTs
      • Evaluation under CESG CPA Scheme
      • Certification on various SCADA manufacturers' equipment
      • Establish community of interest (COI) for policy generation and standardisation
  • 19. Overall Summary
    • Traditional anti-virus is no longer effective protection
    • Hacking is now the biggest-value crime in the world
    • No one is safe – targets are individuals, corporates and governments
    • 4.2 billion people have a toothbrush; 5.1 billion have a mobile phone; 4 billion smartphones with no effective anti-virus
    • Abatis stops 99% of all viruses (according to Symantec 2010 report)
    • Very small footprint, imperceptible performance loss, ideal for low power devices & smartphones
    • No more patches on legacy systems, and no AV available for SCADA systems
    • Abatis can support NT4 through to Win7 and is deterministic – perfect for SCADA
    • True/near-forensic logging and the CMC make management simple and cost effective
    • Potential performance gains, battery life enhancement and data centre energy savings (GREEN AGENDA)
    • The only APT Hunter-Killer on the market?
    Simple & proven. Efficient & economical. Performance enhancing. Minuscule footprint.
  • 20. HighQuest Solutions Ltd
    145-147 St. John Street, London EC1V 4PW
    Tel: +44 (0) 207 078 4332
    www.highquestsolutions.com
    Ian Wells – Director

Editor's Notes

  1. All malware is a binary executable program of some kind, which the OS needs to recognise in order to execute it. The malware also wants to stay resident on your machine in order to continue to do whatever it does. Abatis taps into those two characteristics to reliably identify new binary executables and stop them from becoming persistent on the device. READ SLIDE
  2. Naturally we have a Central Management Console to allow us to distribute the software across an estate, retrieve logs and push policy updates. Here's a snapshot of the CMC.