New antivirus tools closing window of vulnerability
- By William Jackson
- Feb 07, 2007
SAN FRANCISCO - Traditional, signature-based antivirus is a mature technology. The engines do a good job of scanning for malicious code, and vendors compete fiercely to get new signatures out to their customers quickly. But no matter how well the system works, there is an inevitable window of vulnerability between the time new malware first appears and the time a signature for it reaches the endpoint.
Vendors at the RSA security conference this week are demonstrating alternatives for closing this window and defeating unwanted code on desktops and other endpoints. The new tools include white lists, blacklists, heuristics and sandboxes.
Some of the tools are designed to be all things to all people, providing security beyond traditional antivirus protection.
'There are always going to be other security tools you'll need,' said Ross Brown, CEO of eEye Digital Security Inc. of Aliso Viejo, Calif. 'But our goal is every year to take another security function that is needed by a large segment of the market and integrate it.'
The most recent release of eEye's multifaceted Blink tool includes antivirus and anti-spyware. Blink also includes host intrusion prevention, buffer overflow prevention, system and application firewalls, a phishing filter and a control engine to enforce security policies. The client footprint for the package is about the size of a standalone antivirus product, Brown said.
Blink uses an agent to protect Microsoft workstations and servers. On the workstation side it supports Windows NT 4 (SP6), Windows 2000 (SP3), Windows XP and Windows XP Tablet PC Edition; on the server side it protects Windows NT Server, Windows 2000 Server, Windows 2000 Advanced Server and Windows Server 2003.
The new antivirus engine uses heuristics and behavioral rules as well as signatures to spot malware. Blink runs incoming code in a sandbox, observes what it does and blocks activity that violates those rules. That is enough to stop most malicious activity without a signature match, so it offers protection before a signature is available, Brown said.
Blink also uses signatures to do a deep packet scan of software already resident on a computer, he said. 'In the background, it is a more effective way to do a system scan.'
The iSolation Server from Avinti Inc. of Lindon, Utah, also uses a sandbox to detect malicious code. It is a last line of defense, analyzing suspect e-mail that has passed through traditional antivirus and anti-spam tools. As its name implies, it isolates messages on a simulated desktop environment, and 'we observe what that file does,' said Avinti CEO William Kilmer. 'We're catching things that can't be caught by other systems.'
iSolation Server's Observation Engine can take up to several minutes to inspect a message, but 'it's not viewing everything that comes through,' Kilmer said.
Avinti announced Version 3.0 of iSolation Server this week, with improved performance that lets it handle up to 100,000 mailboxes and 1.5 million messages per day.
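Both Blink and iSolation Server are described as judging code by what it does in a sandbox rather than by a signature. The following is an added example, not either vendor's engine: it scores a constructed sandbox event trace against weighted behavioral rules, including a sequence rule (the sample executes a file it wrote itself), and blocks the sample once the score reaches a threshold. The rule set, weights, threshold and sample traces are assumptions for illustration.

```python
"""Behavior-based scoring of a sandboxed sample's event trace.

Added example, not Blink's or iSolation Server's engine. The sandbox is
assumed to emit the actions a sample performs; weighted rules score single
events and sequences, and the sample is blocked once the total reaches a
threshold. No signature is consulted. Rules, weights and threshold are
assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    action: str   # file_write, proc_create, reg_set, proc_inject, net_connect, service_stop
    target: str   # path, registry key, process name, or host:port


def _is_dotted_quad(host: str) -> bool:
    """True for a literal IPv4 address (malware often beacons to raw IPs)."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


# Single-event rules: (name, predicate, weight). Each fires at most once per trace.
SINGLE_RULES = [
    ("persistence_run_key",
     lambda e: e.action == "reg_set" and "\\currentversion\\run" in e.target.lower(), 2),
    ("process_injection", lambda e: e.action == "proc_inject", 5),
    ("stops_security_service",
     lambda e: e.action == "service_stop" and e.target.lower() in {"windefend", "wscsvc"}, 4),
    ("executes_from_temp",
     lambda e: e.action == "proc_create" and "\\temp\\" in e.target.lower(), 2),
    ("connects_to_raw_ip",
     lambda e: e.action == "net_connect" and _is_dotted_quad(e.target.split(":")[0]), 2),
]


def _drop_and_execute(trace) -> bool:
    """Sequence rule: the sample runs a file it wrote earlier in the trace."""
    written = set()
    for e in trace:
        if e.action == "file_write":
            written.add(e.target.lower())
        elif e.action == "proc_create" and e.target.lower() in written:
            return True
    return False


SEQUENCE_RULES = [("drop_and_execute", _drop_and_execute, 3)]
THRESHOLD = 6  # assumed; raising it trades missed malware for fewer false positives


def score(trace):
    """Return (total score, names of the rules that fired)."""
    total, fired = 0, []
    for name, pred, weight in SINGLE_RULES:
        if any(pred(e) for e in trace):
            fired.append(name)
            total += weight
    for name, pred, weight in SEQUENCE_RULES:
        if pred(trace):
            fired.append(name)
            total += weight
    return total, fired


def verdict(trace, threshold: int = THRESHOLD) -> str:
    return "block" if score(trace)[0] >= threshold else "allow"


# Constructed traces, standing in for what a sandbox would observe.
MALICIOUS = [
    Event("file_write", r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"),
    Event("proc_create", r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
    Event("proc_inject", "explorer.exe"),
    Event("net_connect", "203.0.113.7:8080"),
]
BENIGN_INSTALLER = [
    Event("file_write", r"C:\Program Files\Acme\acme.exe"),
    Event("proc_create", r"C:\Program Files\Acme\acme.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AcmeUpdater"),
    Event("net_connect", "updates.acme.example:443"),
]

if __name__ == "__main__":
    for label, trace in (("malicious", MALICIOUS), ("installer", BENIGN_INSTALLER)):
        print(label, score(trace), verdict(trace))
```

The installer trace also drops and executes a file and sets a Run key, which is why it scores 5 rather than 0; with the threshold at 5 instead of 6 it would be blocked. That overlap between legitimate installers and droppers is the false-positive cost every behavioral engine has to tune against, and it is the reason the vendors above still keep signatures alongside the heuristics.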
The newest release of the Parity tool from Bit9 Inc. of Cambridge, Mass., creates a white list of acceptable software and peripheral devices that can run on a platform, blocking the execution of any new code that does not come from a trusted source.
'We automate software trust,' said Bit9 chief marketing officer Tom Murphy.
This lets Parity block malicious code before signatures are available.
Parity's selling point is that in addition to a white list of approved code and a blacklist of banned code, it gray-lists any unknown code until a decision is made on how to deal with it. The client agent supports Windows 2000, XP and Server 2003.
Policies about acceptable software and device use can be built per workgroup. When the agent is first loaded, it conducts a discovery of the software already on the device and creates a hash of each piece of software so that it can be identified and tracked. Whenever a new file is written to disk, Parity examines it to see whether it is an executable; if it is, it checks the file against the user's policy of allowable software, executing white-listed code and blocking blacklisted code.
When confronted with unknown code, the agent can be set to merely monitor the code's activity while it notifies an administrator, to block execution until the user is asked whether he wants to run the code, or to lock down the endpoint so that gray-listed code cannot run at all. Policies can allow Parity to automatically accept and white-list software patches and updates from automatic update feeds, IT administrators or other trusted sources.
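The discovery, hashing and white/black/gray-list handling described above, as an added example that is not Bit9's code: executables are identified by a SHA-256 of their bytes, an initial discovery pass trusts what is already installed, new files are classified when written, and an execution hook applies one of three gray-list modes (monitor, prompt, lockdown). The magic-byte check, the `windows-update` trusted source and the sample file bytes are assumptions constructed for the example.

```python
"""Hash-based executable allowlisting with white, black and gray lists.

Added example in the spirit of the control described above; it is not Bit9's
code. Hashing algorithm, file-type check, policy modes and sample files are
assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MONITOR = "monitor"    # run unknown code, but notify an administrator
    PROMPT = "prompt"      # hold unknown code until the user is asked
    LOCKDOWN = "lockdown"  # gray-listed code never runs


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    HOLD = "hold"          # awaiting a user or administrator decision


@dataclass
class Policy:
    mode: Mode
    whitelist: set = field(default_factory=set)        # hashes approved to run
    blacklist: set = field(default_factory=set)        # hashes banned outright
    graylist: set = field(default_factory=set)         # unknown, pending review
    trusted_sources: set = field(default_factory=set)  # e.g. {"windows-update"}
    alerts: list = field(default_factory=list)


def file_hash(data: bytes) -> str:
    """Software is identified by the hash of its bytes, never by its name."""
    return hashlib.sha256(data).hexdigest()


def is_executable(data: bytes) -> bool:
    """Crude magic-byte check (PE 'MZ', ELF). A real agent must also cover
    DLLs, drivers and scripts that an already-trusted interpreter will run."""
    return data.startswith(b"MZ") or data.startswith(b"\x7fELF")


def discover(policy: Policy, files: dict) -> int:
    """Initial discovery: hash every executable already present and trust it
    as the baseline. Returns how many files were white-listed."""
    count = 0
    for data in files.values():
        if is_executable(data):
            policy.whitelist.add(file_hash(data))
            count += 1
    return count


def on_file_written(policy: Policy, path: str, data: bytes, source: str = None):
    """Hook for every new file on disk. Non-executables are ignored; known
    hashes keep their status; files from a trusted source are auto-approved;
    everything else is gray-listed and reported."""
    if not is_executable(data):
        return None
    h = file_hash(data)
    if h in policy.whitelist or h in policy.blacklist:
        return h
    if source in policy.trusted_sources:
        policy.whitelist.add(h)
        return h
    policy.graylist.add(h)
    policy.alerts.append(f"gray-listed {path} sha256={h[:12]}")
    return h


def on_execute(policy: Policy, path: str, data: bytes,
               ask_user=lambda path: False) -> Verdict:
    """Execution hook. Hashing again here (not only at write time) means a
    renamed, copied or removable-media file cannot change its status."""
    h = file_hash(data)
    if h in policy.blacklist:
        return Verdict.BLOCK
    if h in policy.whitelist:
        return Verdict.ALLOW
    policy.graylist.add(h)
    if policy.mode is Mode.MONITOR:
        policy.alerts.append(f"ran unknown {path} sha256={h[:12]}")
        return Verdict.ALLOW
    if policy.mode is Mode.PROMPT:
        if ask_user(path):
            policy.whitelist.add(h)
            policy.graylist.discard(h)
            return Verdict.ALLOW
        return Verdict.HOLD
    return Verdict.BLOCK  # LOCKDOWN


# Constructed sample files (not real binaries).
BASELINE = {
    r"C:\Windows\notepad.exe": b"MZ" + b"\x90" * 16 + b"notepad",
    r"C:\Windows\readme.txt": b"plain text, never hashed",
}
PATCH = b"MZ" + b"\x90" * 16 + b"kb-patch"
DROPPER = b"MZ" + b"\x90" * 16 + b"unknown-dropper"
KNOWN_BAD = b"MZ" + b"\x90" * 16 + b"banned"


def demo(mode: Mode) -> dict:
    """Run the whole lifecycle in one mode and return the verdicts."""
    policy = Policy(mode=mode, trusted_sources={"windows-update"})
    policy.blacklist.add(file_hash(KNOWN_BAD))
    discover(policy, BASELINE)
    on_file_written(policy, r"C:\Windows\kb.exe", PATCH, source="windows-update")
    on_file_written(policy, r"C:\Temp\inv0ice.exe", DROPPER)
    on_file_written(policy, r"C:\Temp\notes.txt", b"not code")
    return {
        "baseline": on_execute(policy, r"C:\Windows\notepad.exe", BASELINE[r"C:\Windows\notepad.exe"]),
        "patch": on_execute(policy, r"C:\Windows\kb.exe", PATCH),
        "renamed_bad": on_execute(policy, r"C:\Temp\update.exe", KNOWN_BAD),
        "unknown": on_execute(policy, r"C:\Temp\inv0ice.exe", DROPPER),
        "alerts": len(policy.alerts),
    }


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, demo(mode))
```

Two practitioner caveats fall out of the code. First, the control is only as complete as `is_executable`: scripts fed to a trusted interpreter, and libraries loaded by a trusted process, bypass it unless the policy hashes them too. Second, the auto-approval path makes the trusted update feed part of the trust boundary; anything that can write files as that source is white-listed without review.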
Bit9 claims that Parity all but eliminates the need for other security tools.
'The only way an attack could possibly happen is in a memory-based attack where no file is written,' Murphy said. 'That is rare, but it could take place.' For that reason, he does not recommend eliminating all other endpoint security products.
In addition to security functions, Parity's controls also can provide software licensing policy enforcement, and regulatory and policy compliance for controlling data.
William Jackson is a Maryland-based freelance writer.