Give Your PCs An Immune System

By Brian Livingston | Posted April 11, 2005

The new kinds of malware zooming around the Internet these days make you long for a simpler time when the only way a PC could catch a computer virus was to insert an infected floppy disk.

Now that PCs are connected to the Internet 24 hours a day, your network is constantly threatened by intrusions. Fortunately, security-research firms are coming up with some new approaches to the problem that offer some hope.

Sana Security is one such firm, and it recently released an advance in the art of corporate defense. I previously wrote about Sana's server-side product, Primary Response 2.2. The product's new version, 3.0, installs on and protects client PCs as well as servers from attacks, company officials say.

Primary Response belongs to a new category of security software known as host-based intrusion prevention systems, or HIPS. The implications of this development are worth your attention

How Primary Response Detects Malware
Unlike antivirus programs, which rely on signatures of known malware, Primary Response looks for unusual computer behaviors to determine which programs are malicious. John Zicker, president and CEO of Sana, said in an interview that Trojan horses, keylogger programs, and other baddies tend to exhibit three characteristics:

Persistance: Malware tends to run every time Windows starts — unlike most applications, which are launched when you click on an icon.

Stealth: A Trojan tends to hide, obscuring its existence by running without visible windows and burying its executable payload somewhere on a hard disk where it's least likely to be found.

Purposefulness: Dangerous software has a mission, as Sana Software puts it. It wants to open a communications channel to its home server, secretly record the activities of a PC and accept commands from its distant master. All of these behaviors can be detected by HIPS and used to shut down the attacks, Zicker says.

Sana doesn't claim that Primary Response can eliminate the need for anti-virus and anti-malware products. Instead, the company states that, in addition to these other software defenses, Primary Response can give companies protection against "day-zero" threats — new viruses and worms that haven't had signatures developed for them yet.

Eliminating Day-Zero Attacks
I traveled to Sana Software's headquarters in San Mateo, Calif., for a demonstration. Chief technology officer Vlad Gorelik illustrated how Primary Response prevented the operation of Guptachar, an encrypted Trojan horse that had infected a PC. Even more impressive, the program was able to halt a Windows "root kit" known as Hacker Defender. This is a sinister program that's invisible to many anti-virus products because it hides in Windows system files.

My initial suspicion was that Primary Response 3.0 would work only on a desktop PC that had been thoroughly cleaned or on which Windows had just recently been installed. Otherwise, the security program wouldn't detect the unusual behavior of a Trojan. Because the rogue application was running before Primary Response was able to analyze the PC, it might look like normal behavior.

That's not the case, according to company officials. Sana designed Version 3.0 is to be installed even on PCs that are already infected with malware. The security program can detect, for example, hidden processes that execute from the Windows directory — one sign that applets are up to no good — and kill the offenders automatically.

The Future Of Host-Based Intrusion Prevention
Your company should evaluate Primary Response 3.0. It's a terrible comment on computer security that we now need separate programs for anti-virus, anti-spam, anti-malware and zero-day purposes. But having many layers of defense is a reality in today's Wild West networking environment.

Primary Response 3.0 starts at $32 per desktop PC, with server licenses starting at $875 per server. The client program runs on Windows 2000 Pro and XP Pro. The server agent runs on Windows NT 4.0, 2000, 2003, and Solaris 8. A management module runs on those servers plus Windows NT 4.0.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page.

Adapted from esecurityplanet.com.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date