Inspiration
With new malware and threats on the rise every year, as cyber security students we wanted to build on IOCs (Indicators of Compromise), which can be used to show the presence of malware on a specific machine. Certain anti-virus products nowadays can cost upwards of $250 and still leave your machine vulnerable. SAA (Secure Affordable Antivirus) costs you nothing and gives the user complete control over their anti-virus, including which values are ultimately checked against and blocked on the host machine.
What it does
Using our Python code, we scan through a list of folders specified for scanning; this could be a network drive or even your main "C:" drive. The program computes the MD5 and SHA-1 hash of each file, stores them, and compares them against the known malicious IOCs stored in the MISP database. If a file matches the MISP database, the malicious file is compressed into a .zip file so it can be saved for later analysis, and the non-compressed version is then deleted. Once the program has worked through all of the files in the specified folders, the scan is complete.
How we built it
The core of the back-end for this project is an open source platform called MISP. MISP is a way to share IOCs that you have gathered during your investigations with other teams or the rest of the intelligence community. It is often used by government agencies and companies for sharing information internally and externally. MISP is primarily built on MariaDB, Python, JavaScript, and PHP. MISP also provides a Python library called PyMISP, which we used to pull the relevant IOCs while the scan was being completed.
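The scan-and-quarantine loop described under "What it does", fed by hashes pulled from MISP as described above, as an added example (not the project's own code). It assumes the MISP attribute search result has the shape `{"response": {"Attribute": [{"type": "md5", "value": ..., "to_ids": ...}]}}`; the PyMISP call that would fetch it is left out so the block runs offline against a constructed "malicious" sample file.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

CHUNK = 1 << 20  # hash files 1 MiB at a time so large binaries do not need to fit in memory


def hash_file(path):
    """Return the (md5, sha1) hex digests of one file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def iocs_from_misp_response(response):
    """Collect MD5/SHA-1 values from a MISP attribute search result (assumed shape).

    Only attributes flagged to_ids (meant for detection) are kept, so context-only
    hashes in a MISP event do not trigger quarantine of a matching file.
    """
    hashes = set()
    for attr in response.get("response", {}).get("Attribute", []):
        if attr.get("type") in ("md5", "sha1") and attr.get("to_ids", True):
            hashes.add(attr["value"].lower())
    return hashes


def quarantine(path, quarantine_dir, md5):
    """Zip the file into quarantine_dir (named by its MD5) and delete the original."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    archive = quarantine_dir / f"{md5}.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, arcname=Path(path).name)
    os.remove(path)
    return archive


def scan(folders, hashes, quarantine_dir):
    """Walk each folder, hash every file, and quarantine files whose MD5 or SHA-1 is a known IOC."""
    qroot = Path(quarantine_dir).resolve()
    found = []
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = Path(root) / name
                if qroot in path.resolve().parents:
                    continue  # never rescan the quarantine archives themselves
                try:
                    md5, sha1 = hash_file(path)
                except OSError:
                    continue  # locked or unreadable file: skip it rather than abort the scan
                if md5 in hashes or sha1 in hashes:
                    found.append((str(path), str(quarantine(path, quarantine_dir, md5))))
    return found


def demo():
    """Self-contained run against a constructed sample; returns what a test can check."""
    base = Path(tempfile.mkdtemp(prefix="saa_demo_"))
    share = base / "share"
    share.mkdir()
    bad = share / "invoice.exe"
    bad.write_bytes(b"constructed sample standing in for a known-bad binary\n")
    (share / "notes.txt").write_text("harmless file\n")
    bad_md5, bad_sha1 = hash_file(bad)
    # Constructed stand-in for a MISP restSearch response built around that sample.
    misp_response = {"response": {"Attribute": [
        {"type": "md5", "value": bad_md5.upper(), "to_ids": True},
        {"type": "sha1", "value": bad_sha1, "to_ids": True},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": False},  # context only
    ]}}
    hits = scan([share], iocs_from_misp_response(misp_response), base / "quarantine")
    with zipfile.ZipFile(hits[0][1]) as zf:
        archived = zf.namelist()
    survivors = sorted(p.name for p in share.iterdir())
    shutil.rmtree(base)
    return {"hits": hits, "archived": archived, "survivors": survivors}


if __name__ == "__main__":
    print(demo())
```

Matching on `to_ids` is the caveat worth keeping: MISP events carry plenty of hashes that are context rather than detection material, and treating all of them as block-list entries is how an antivirus ends up deleting legitimate files.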
Challenges we ran into
Initially we had issues setting MISP up. Even though most of the documentation was up to date, a few things differed in each instance we spun up, and it took us about three installation attempts before MISP was successfully installed on the VPS (virtual private server). The next issue, where we spent the majority of our time, was an SSL error raised by PyMISP: we had to figure out how to disable the SSL check, as MISP uses a self-signed certificate. This problem was ultimately fixed by using Cloudflare to obtain a signed SSL certificate.
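The verification error above has a fix that keeps TLS checking on even before a publicly signed certificate is in place: trust the MISP instance's own certificate (or the private CA that issued it) as the CA file, rather than disabling verification. This is an added example using only the standard library, not the project's code; the `/attributes/restSearch` request body and the `Authorization` header carrying the API key reflect MISP's REST API as it is documented, and `cafile` paths are whatever your deployment uses.

```python
import json
import ssl
import urllib.request


def make_tls_context(cafile=None):
    """Build a TLS context that still verifies the server certificate.

    cafile=None trusts the system CA store, which is what you want once a
    publicly signed certificate (for example one issued through Cloudflare) sits
    in front of MISP. For a self-signed MISP certificate, pass the path of that
    certificate PEM (or of the private CA that signed it) instead of turning
    verification off: the client then accepts exactly that server and no other.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # raises FileNotFoundError on a bad path
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def misp_headers(api_key):
    """Headers MISP's REST API expects; the API key travels in Authorization."""
    return {
        "Authorization": api_key,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def fetch_hash_attributes(misp_url, api_key, cafile=None, timeout=30):
    """POST an attribute restSearch for detection-grade MD5/SHA-1 values and return the JSON."""
    body = json.dumps({"returnFormat": "json", "type": ["md5", "sha1"], "to_ids": 1}).encode()
    req = urllib.request.Request(
        misp_url.rstrip("/") + "/attributes/restSearch",
        data=body,
        headers=misp_headers(api_key),
        method="POST",
    )
    with urllib.request.urlopen(req, context=make_tls_context(cafile), timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Not executed here: needs a reachable MISP instance and a real key.
    # print(fetch_hash_attributes("https://misp.example.invalid", "REPLACE_WITH_API_KEY",
    #                             cafile="/etc/ssl/misp-selfsigned.pem"))
    print(make_tls_context().verify_mode)
```

PyMISP's own constructor takes an `ssl` argument for the same purpose, so the CA-file approach carries over without changing the rest of the scanner.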
Accomplishments that we're proud of
Using Cloudflare for a hackathon project is not something we had done in the past, and the team did a great job coming up with that idea so the SSL functionality stayed intact. We were also able to learn more about system administration by learning how to deploy MISP at a production-ready level.
What we learned
We learned that MISP can pull IOCs from any third-party source; it would not be viable to go through by hand every day and update your Secure Affordable Antivirus with new IOCs. With MISP you can automate gathering IOCs from the sources you tell it to use: in this weekend alone we were able to gather over 1.5 million IOCs.
What's next for Secure Affordable Antivirus
We will be working on a GUI for Secure Affordable Antivirus to allow for a better user experience. New malware is developed 24/7 and as cybersecurity students we will continue to add the newest threats to our database to better secure our users.
Built With
- misp
- python