The new kinds of malware that are zooming around the Internet these days make
you long for a simpler time when the only way a PC could catch a computer virus
was to insert an infected floppy disk.
Now that PCs are connected to the Internet 24 hours a day, your network is
constantly threatened by intrusions. Fortunately, security-research firms are
coming up with some new approaches to the problem that offer some hope.
Sana Security is one such firm, and it's recently released an advance in the art
of corporate defense. I previously wrote on
June 4, 2004, about Sana's server-side product, Primary Response 2.2. The
product's new version, 3.0, installs on and protects client PCs as well as servers from attacks, company officials say.
Primary Response belongs to a new category of security software known as
host-based intrusion prevention systems or HIPS. The implications of this
development are worth your attention
How Primary Response Detects Malware
Unlike antivirus programs, which rely on signatures of known malware, Primary
Response looks for unusual computer behaviors to determine which programs are
malicious. John Zicker, president and CEO of Sana, said in an interview that
Trojan horses, keylogger programs, and other baddies tend to exhibit three
characteristics:
• Persistance.
Malware tends to run every time Windows starts — unlike most applications, which
are launched when a user clicks an icon.
• Stealth.
A Trojan tends to hide, obscuring its existence by running without visible
windows and burying its executable payload somewhere on a hard disk where it's
least likely to be found.
• Purposefulness.
Dangerous software has a mission, as Sana Software puts it. It wants to open a
communications channel to its home server, secretly record the activities of a
PC, and accept commands from its distant master. All of these behaviors can be
detected by HIPS and used to shut down the attacks, Zicker says.
Sana doesn't claim that Primary Response can eliminate the need for antivirus
and anti-adware products. Instead, the company states that, in addition to these
other software defenses, Primary Response can give companies protection against
"day zero" threats — new viruses and worms that signatures haven't yet been
developed for.
Eliminating Day-Zero Attacks
I traveled to Sana Software's headquarters in San Mateo, Calif., for a
demonstration. Chief technology officer Vlad Gorelik illustrated how
Primary Response prevented the operation of Guptachar, an encrypted Trojan horse
that had infected a PC. Even more impressive, the program was able to halt a
Windows "root kit" known as Hacker Defender. This is a sinister program that's invisible to many antivirus products because it hides in Windows system files.
My initial suspicion was that Primary Response 3.0 would work only on a desktop
PC that had been thoroughly cleaned or on which Windows had just recently been
installed. Otherwise, the security program wouldn't detect the unusual behavior
of a Trojan. Because the rogue app was running before Primary Response was able
to analyze the PC, it might look like normal behavior.
That's not the case, according to company officials. Version 3.0 of the software
is designed to be installed even on PCs that are already infected with malware.
The security program can detect, for example, hidden processes that execute from
the Windows directory -- one sign that applets are up to no good -- and kill the
offenders automatically.
The Future Of Host-Based Intrusion Prevention
Other companies besides Sana offer host-based intrusion prevention products as
well. I'll look at some of those in this space next week.
Meanwhile, Primary Response 3.0 is one such product that your company should
evaluate. It's a terrible comment on computer security that we now need separate
programs for antivirus, antispam, anti-adware, and zero-day purposes. But having
many layers of defense is a reality in today's Wild West networking environment.
Primary Response 3.0 starts at $32 USD per desktop PC, with server licenses
starting at $875 per server. The client program runs on Windows 2000 Pro and XP
Pro. The server agent runs on Windows NT 4.0, 2000, 2003, and Solaris 8. A
management module runs on those servers plus Windows NT 4.0.
For more information, see Sana Security's Primary Response page.