Give Your PCs An Immune System
Adding Host-based Intrusion Prevention Systems to Security Arsenal
Brian Livingston

The new kinds of malware that are zooming around the Internet these days make you long for a simpler time when the only way a PC could catch a computer virus was to insert an infected floppy disk.

Now that PCs are connected to the Internet 24 hours a day, your network is constantly threatened by intrusions. Fortunately, security-research firms are coming up with some new approaches to the problem that offer some hope.

Sana Security is one such firm, and it's recently released an advance in the art of corporate defense. I previously wrote on June 4, 2004, about Sana's server-side product, Primary Response 2.2. The product's new version, 3.0, installs on and protects client PCs as well as servers from attacks, company officials say.

Primary Response belongs to a new category of security software known as host-based intrusion prevention systems, or HIPS. The implications of this development are worth your attention.

How Primary Response Detects Malware

Unlike antivirus programs, which rely on signatures of known malware, Primary Response looks for unusual computer behaviors to determine which programs are malicious. John Zicker, president and CEO of Sana, said in an interview that Trojan horses, keylogger programs, and other baddies tend to exhibit three characteristics:

Persistence. Malware tends to run every time Windows starts — unlike most applications, which are launched when a user clicks an icon.

Stealth. A Trojan tends to hide, obscuring its existence by running without visible windows and burying its executable payload somewhere on a hard disk where it's least likely to be found.

Purposefulness. Dangerous software has a mission, as Sana Software puts it. It wants to open a communications channel to its home server, secretly record the activities of a PC, and accept commands from its distant master. All of these behaviors can be detected by HIPS and used to shut down the attacks, Zicker says.

Sana doesn't claim that Primary Response can eliminate the need for anti-virus and anti-malware products. Instead, the company states that, in addition to these other software defenses, Primary Response can give companies protection against "day zero" threats — new viruses and worms that signatures haven't yet been developed for.

Eliminating Day-Zero Attacks

I traveled to Sana Software's headquarters in San Mateo, Calif., for a demonstration. Chief technology officer Vlad Gorelik illustrated how Primary Response prevented the operation of Guptachar, an encrypted Trojan horse that had infected a PC. Even more impressive, the program was able to halt a Windows "root kit" known as Hacker Defender. This is a sinister program that's invisible to many anti-virus products because it hides in Windows system files.

My initial suspicion was that Primary Response 3.0 would work only on a desktop PC that had been thoroughly cleaned or on which Windows had just recently been installed. Otherwise, the security program wouldn't detect the unusual behavior of a Trojan. Because the rogue app was running before Primary Response was able to analyze the PC, it might look like normal behavior.

That's not the case, according to company officials. Version 3.0 of the software is designed to be installed even on PCs that are already infected with malware. The security program can detect, for example, hidden processes that execute from the Windows directory — one sign that applets are up to no good — and kill the offenders automatically.
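
The three traits Zicker lists, together with the hidden-process sign described in the paragraph above, can be written as a simple scoring rule over process observations. This is an added illustration, not Sana's algorithm or code from the article; the record fields, the sample processes and the one/two/three-trait policy are all constructed assumptions.

```python
from dataclasses import dataclass

WINDOWS_DIR = "c:\\windows\\"   # assumed install path for this illustration

@dataclass
class Proc:
    """One process observation; every field name here is hypothetical."""
    name: str
    image_path: str
    starts_at_boot: bool       # launched by a startup entry, not by a user click
    visible_window: bool
    in_process_list: bool      # False: found by a raw scan but absent from the OS listing
    outbound_conns: int
    accepts_commands: bool     # listens for inbound control traffic
    records_input: bool        # e.g. hooks the keyboard

def traits(p: Proc) -> set:
    """Map raw observations onto the article's three behavioural traits."""
    found = set()
    if p.starts_at_boot:
        found.add("persistence")
    in_windows = p.image_path.lower().startswith(WINDOWS_DIR)
    # Stealth: windowless AND either hidden from the listing or tucked into the Windows directory.
    if not p.visible_window and (not p.in_process_list or in_windows):
        found.add("stealth")
    # Purposefulness: records the user, or pairs a channel home with remote control.
    if p.records_input or (p.outbound_conns > 0 and p.accepts_commands):
        found.add("purposefulness")
    return found

def verdict(p: Proc) -> str:
    """Assumed policy: one trait is normal, two warrant an alert, three a block."""
    return {3: "block", 2: "alert"}.get(len(traits(p)), "allow")

# Constructed sample observations (not real telemetry).
SAMPLES = [
    Proc("editor.exe", r"C:\Program Files\Editor\editor.exe", False, True, True, 0, False, False),
    Proc("backup_agent.exe", r"C:\Program Files\Backup\backup_agent.exe", True, False, True, 2, False, False),
    Proc("hidden_drv.exe", r"C:\Windows\hidden_drv.exe", True, False, False, 0, False, False),
    Proc("svcupd.exe", r"C:\Windows\System32\svcupd.exe", True, False, True, 1, True, True),
]

def report(samples=SAMPLES):
    return {p.name: verdict(p) for p in samples}

if __name__ == "__main__":
    for name, v in report().items():
        print(f"{name:18} {v}")
```

The backup agent starts at boot, has no window and talks to the network, yet is allowed: no single trait is decisive, which is why the rule scores the combination.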

The Future Of Host-Based Intrusion Prevention

Other companies besides Sana offer host-based intrusion prevention products as well. I'll look at some of those in this space next week.

Meanwhile, Primary Response 3.0 is one such product that your company should evaluate. It's a terrible comment on computer security that we now need separate programs for anti-virus, anti-spam, anti-malware, and zero-day purposes. But having many layers of defense is a reality in today's Wild West networking environment.

Primary Response 3.0 starts at $32 USD per desktop PC, with server licenses starting at $875 per server. The client program runs on Windows 2000 Pro and XP Pro. The server agent runs on Windows NT 4.0, 2000, 2003, and Solaris 8. A management module runs on those servers plus Windows NT 4.0.

For more information, see Sana Security's Primary Response page.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page.

Article courtesy of eSecurity Planet

March 29, 2005
