February 2001

AV ALTERNATIVES: Extending Scanner Range

BY ROBERT VIBERT

Behavior blockers and other AV alternatives can enhance defenses against new malware.

Last August, CERT brought together security experts to discuss the security threats posed by ActiveX and other mobile code. The result of that workshop was a report, published in December, that debunks many of the security myths surrounding ActiveX controls and other executable content (http://www.cert.org/reports/activeX_report.pdf).

The CERT panel concluded that readily available and easily implemented security precautions are sufficient to mitigate the risks associated with mobile code. However, the panel also maintained that mobile code presents risks that are not easily guarded against because it can execute functions outside the scope of conventional AV scanners.

The potential security issues associated with ActiveX, as noted in the CERT report as well as numerous documented reports of malicious Java code, underscore the problems faced by organizations that rely on conventional AV scanners to protect their systems from unknown and evolving malware.

For the most part, signature-based AV scanners are effective at screening out known viruses and worms, but they are virtually powerless against new malicious code until a signature has been written and distributed. The most dramatic demonstration was LoveLetter last spring.

While there's no complete defense against new malware, the development of antivirus alternatives is closing the defensive gap between known and unknown scripts. These alternatives stop malicious code from having an effect on computer systems, either by intercepting and blocking suspicious actions, restricting access to critical system resources, or detecting and stopping any attempted system modifications.


Behavior Blockers, Malware Filters and Integrity Checkers

So, how do you stop a new virus or worm that your AV scanner has never seen before? By thwarting its malicious actions. Malware is powerless if it can't gain access to a system, which makes blocking entry at the Internet gateway the first line of defense against unknown code.

Some blocking programs use databases of scripts and heuristics to identify and isolate suspect code before it reaches internal networks. Should a piece of malicious code make it past the gateway filter, behavior blockers and integrity checkers can monitor the activities of suspect applications to determine if any are attempting to do things they shouldn't.

InDefense's Achilles'Shield (http://www.indefense.com/), Aladdin Knowledge Systems's eSafe (http://www.ealaddin.com/), Pelican Security's SafeTnet (http://www.pelicansecurity.com/), Sandbox Security's Secure4U (http://www.sandboxsecurity.com/), and Finjan's SurfinShield (http://www.finjan.com/) are among the commercial applications available today that restrict access to system resources by monitoring and determining which system calls are acceptable based on security policies.

The goal of these products is to control the access rights of an application or application group, much as user access rights are set in Windows NT, and to proactively protect the system against malicious activity. Other products, like Computer Associates's eTrust (http://www.ca.com/) and Trend Micro's InterScan AppletTrap (http://www.trendmicro.com/), serve as gateway filters for malicious ActiveX and Java, stopping mobile code before it enters the system.

"Sandboxing," a method of quarantining suspicious code as it enters a computer or network, is a term often associated with these products. For example, Pelican's SafeTnet detains suspect code in a segregated area, monitors its attempted actions and compares the actions to established security policies. Actions allowed by the policy are permitted to enter the system, while suspect and prohibited actions are blocked.

The level of granular control varies from product to product, most offering either application-level or system-level monitoring. Application-level monitoring takes a utilitarian approach by terminating all of the programs interacting with suspect code. This means that the blocking applications will immediately shut down a browser, word processor or e-mail client to prevent suspect code from causing any damage. While effective, this approach could be a major annoyance to users.

System-level applications, on the other hand, will block suspect actions without interfering with running applications. For instance, the discovery of a suspicious code will disable MS Internet Explorer's ActiveX control, but the browser session is allowed to continue.

Behavior blockers and access-control applications have an advantage over conventional AV scanners in that they don't need to know anything about a virus, worm or other malware in order to work: they judge code by what it tries to do, not by what it looks like. For the same reason, they are not fazed by compressed or encrypted code. Most important, these programs are able to deal with Java and ActiveX threats, which virus scanners usually ignore.

The downside of behavior blockers is that most act like perimeter alarms, popping up dialog boxes that prompt users to choose between stopping or allowing a suspicious action. These warnings often impede productivity, cause application errors or lock up systems, and users who are asked the same question often enough learn to click "allow" without reading it. These problems often prompt sysadmins to relax security policies, which obviously diminishes the effectiveness of the behavior blockers.

Many vendors claim to have a unique solution for combating unknown malware, but most products take similar approaches and offer comparable features. Choosing a behavior blocker or malware filter application depends on the specific needs of your organization, the defenses currently in place and the role the application will play.


Trend Micro's InterScan AppletTrap

Built as an HTTP proxy server, Trend Micro's InterScan AppletTrap is focused on detecting and stopping malicious Java applets, JavaScripts and ActiveX controls with a real-time protection system that distributes scanning tasks between the server and client.

AppletTrap blocks unrecognized ActiveX controls and Java applets at the gateway server. It also uses updateable block lists to filter known malicious Java applets and JavaScripts. Only code with a recognized signature that is not included on any block list is allowed to pass.

AppletTrap keeps three lists: one preset, the other two defined by the organization. Trend Micro provides an updateable catalog of hostile applet hashes (MD5 digests). Sysadmins can add an allow list of approved corporate applet hashes and a block list of Internet sites known to serve malicious applets. Because a hash identifies one exact sequence of bytes, a hostile applet that is recompiled or repackaged no longer matches its catalog entry; the catalog is only as good as the block-unrecognized policy that backs it up.

The AppletTrap can be configured to block all ActiveX controls, all uncertified ActiveX controls or all but specified third-party-certified ActiveX controls at the Internet gateway.
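The decision logic described above (hostile-site list, hostile-hash catalog, corporate allow list, then the policy for unrecognized code), as an added example that is not Trend Micro's code. The applet bytes, hostnames and list contents are constructed for the demonstration. The page's catalog uses MD5; the example defaults to SHA-256 because MD5 is no longer collision-resistant, and accepts digest="md5" to match the page. The third case in demo() shows the exact-match caveat: one appended byte takes a catalogued hostile applet off the list, so it is stopped only if unrecognized code is blocked.

```python
import hashlib


def fingerprint(data: bytes, digest: str = "sha256") -> str:
    """Hash of the applet's bytes as served by the gateway proxy."""
    return hashlib.new(digest, data).hexdigest()


def decide(host, data, hostile_hashes, approved_hashes, hostile_sites,
           block_unrecognized=True, digest="sha256"):
    """Return (verdict, reason) for one applet fetched from host; first matching list wins."""
    h = fingerprint(data, digest)
    if host.lower() in hostile_sites:
        return "block", f"{host} is on the hostile-site list"
    if h in hostile_hashes:
        return "block", f"{digest} {h} is in the hostile-applet catalog"
    if h in approved_hashes:
        return "allow", f"{digest} {h} is an approved corporate applet"
    if block_unrecognized:
        return "block", "applet is not on any list and policy blocks unrecognized code"
    return "allow", "applet is not on any list; passed through"


# Constructed stand-ins for .class files (the 0xCAFEBABE magic plus filler, not real applets)
HOSTILE = b"\xca\xfe\xba\xbe" + b"constructed hostile applet"
CORPORATE = b"\xca\xfe\xba\xbe" + b"constructed payroll applet"
UNKNOWN = b"\xca\xfe\xba\xbe" + b"constructed unknown applet"

HOSTILE_HASHES = {fingerprint(HOSTILE)}        # vendor-supplied catalog
APPROVED_HASHES = {fingerprint(CORPORATE)}     # corporate allow list
HOSTILE_SITES = {"applets.example.invalid"}    # constructed hostname


def demo(block_unrecognized=True):
    """Run five constructed fetches through the filter and return the verdicts in order."""
    cases = [
        ("intranet.corp.example", CORPORATE),       # approved hash
        ("www.example.net", HOSTILE),               # catalogued hostile applet
        ("www.example.net", HOSTILE + b"\x00"),     # same applet, one byte appended: hash differs
        ("www.example.net", UNKNOWN),               # never seen before
        ("applets.example.invalid", CORPORATE),     # approved hash, but served from a hostile site
    ]
    return [decide(h, d, HOSTILE_HASHES, APPROVED_HASHES, HOSTILE_SITES,
                   block_unrecognized)[0] for h, d in cases]


if __name__ == "__main__":
    print("block unrecognized:", demo(True))
    print("pass unrecognized: ", demo(False))
```

With the default policy the repackaged hostile applet is still stopped, but only as "unrecognized"; relax that one setting and it walks straight through, which is the practical argument for pairing a hash catalog with behavior monitoring on the desktop.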

On client stations, AppletTrap's desktop module performs real-time monitoring of each Java applet's behavior, comparing it against the established security policy. Any malicious applet detected on a client station is prevented from executing and is reported to the proxy server for inclusion on a block list. AppletTrap supports customizable policies that can be mapped for selected groups of users, allowing different privileges in different areas of the corporate LAN.

With its narrow focus on Java and ActiveX, AppletTrap is best suited to those organizations with other protection in place. Trend Micro offers other gateway and desktop protection software, primarily antivirus scanners, that is compatible with AppletTrap.


Computer Associates's e-Trust Content Inspection

Computer Associates produces the eTrust Content Inspection program, another gateway-based system that detects and filters unwelcome downloadables.

Like AppletTrap, eTrust Content Inspection intercepts inbound objects at the gateway. Signed objects are inspected to verify their digital signatures and validate their certificate authorities. Executable code in compressed files (.zip, .jar and .cab) is extracted and analyzed to determine whether it adheres to established security policies.

Included with eTrust Content Inspection is a database of known hostile code, covering Java, ActiveX, .exe files and compressed files, plus a list of malicious URLs specified by the administrator. Known viruses are scanned via a link to CA's virus scanning engine.

eTrust Content Inspection includes a Control Center module, which receives and distributes changes from the Policy Manager module across an enterprise. It also stores analysis data (source and destination IP addresses, security violations and collisions, including the cause of the violation and the date and time of analysis) of objects blocked at the gateway. This module also manages a database of security plans, audit records and system parameters.

To catch malware not blocked at the gateway, eTrust Content Inspection includes a desktop module that monitors for and stops suspicious local activity.

The gateway component can be configured to work with third-party applications, including Check Point's FireWall-1 (http://www.checkpoint.com/), Microsoft's Proxy Server (http://www.microsoft.com/) and Netscape's Proxy Server for NT (http://www.netscape.com/).


Pelican Security's SafeTnet

Working at the desktop level on Windows workstations, SafeTnet uses a policy-based sandboxing technique to monitor all attempts to access system resources. The source of the code (e-mail clients, FTP clients, peer-to-peer messengers, Web browsers or other Internet clients) is immaterial to this approach.

SafeTnet's "Dynamic Sandbox" is a limited run-time environment where active content is executed and monitored without harming a system's resources. While in the protected environment, the suspicious code's activity is compared against established security policies that will allow or deny it access to various system resources, including the file system, registry, network and system processes.

The application comes with default policies or options for creating custom policies, mostly to take into account acceptable actions by executables, MS Office documents, Web browsers or other active content.

Unlike other AV alternatives, SafeTnet doesn't look specifically at Java or ActiveX code, but rather works more as a pure behavior blocker, watching all code activity. The exception to this is the extra focus placed on the macro content of files in the formats of MS Word 97/2000, Excel 97/2000 and PowerPoint 97/2000.

Depending on policy settings, SafeTnet logs the actions attempted by active content, records the details of the attempted action and/or notes the system's response. This feature may assist sysadmins in identifying new threats and amending policies.

SafeTnet's fairly narrow focus suggests that it's primarily a client-only or small-business solution.


InDefense's Achilles'Shield

Similar in technique to SafeTnet, Achilles'Shield detects malware and viruses through behavior monitoring and stops malicious activity at the system level. It also offers enhanced macro virus protection and real-time integrity checking.

Unlike SafeTnet and other Windows-based programs, Achilles'Shield incorporates DOS-level protection for system sectors, a module for scanning known viruses, and a function for detecting missing conventional memory (an unexplained drop in the 640K conventional memory total is a classic sign of a resident boot-sector virus).

Without focusing specifically on ActiveX and Java, Achilles'Shield provides a range of modules to counter known and unknown malware threats: a "smart" memory-resident monitor, an activity checker, an integrity checker, a macro detector, a macro analyzer and a rescue disk creator.

The Achilles'Shield Real-Time module monitors malicious activity in the computer's memory whenever a virus or malicious program is executed. By monitoring memory, it can detect and prevent malicious programs from modifying other executable or system files, changing startup parameters, creating new malicious executables on the hard drive, accessing or using the system's e-mail component, and modifying the boot record, CMOS or registry. Real-Time will alert sysadmins when a suspicious macro is detected in MS Office files, automatically disinfect contaminated floppy disks and prevent a user from restarting a computer with a disk in the default drive.

The Achilles'Shield Integrity Checker/Vaccinator identifies unapproved file modifications. During installation, this module examines all the folders on the local hard drives and records a thumbnail (a hash) of all executable and program library files. A small "vaccination" file holding those thumbnails is stored in each folder where such files are found. On subsequent inspections, the Integrity Checker recomputes each executable's thumbnail and compares it with the original, generating a warning if any changes are detected.
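An integrity checker of the kind just described, as an added example that is not InDefense's code. It walks a directory tree, records a keyed hash of every executable or library into a per-folder "vaccination" manifest, and on a later inspection reports modified, missing and newly appeared files. The manifest name, file suffixes and the sample files in demo() are constructed. One deliberate departure from the page: the thumbnail is an HMAC rather than a plain hash, because a baseline stored on the same disk as the files it protects can be rewritten by whatever rewrote the files; the key is assumed to be kept off the protected host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed choices: which files count as "executable" and what the per-folder manifest is called
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys", ".ocx", ".scr")
MANIFEST_NAME = "vaccine.json"


def file_tag(path, key):
    """Keyed thumbnail of one file, streamed so large binaries do not need to fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def is_executable(name):
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def vaccinate(root, key):
    """Record a manifest in every folder that holds executables; return how many files were tagged."""
    count = 0
    for folder, _dirs, files in os.walk(root):
        entries = {n: file_tag(os.path.join(folder, n), key) for n in sorted(files) if is_executable(n)}
        if entries:
            with open(os.path.join(folder, MANIFEST_NAME), "w") as f:
                json.dump(entries, f, indent=1, sort_keys=True)
            count += len(entries)
    return count


def inspect(root, key):
    """Compare every folder against its manifest; return (kind, path) findings, empty when clean."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        manifest_path = os.path.join(folder, MANIFEST_NAME)
        recorded = {}
        if os.path.exists(manifest_path):
            with open(manifest_path) as f:
                recorded = json.load(f)
        present = {n for n in files if is_executable(n)}
        for name in sorted(present | set(recorded)):
            path = os.path.join(folder, name)
            if name not in recorded:
                findings.append(("new", path))        # dropped executable nobody vaccinated
            elif name not in present:
                findings.append(("missing", path))
            elif file_tag(path, key) != recorded[name]:
                findings.append(("modified", path))   # wrong HMAC: changed content or forged manifest
    return findings


def demo():
    """Constructed scenario: vaccinate three files, then infect one, delete one and drop one."""
    key = b"constructed-demo-key"   # assumption: a real deployment keeps this off the host
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "app")
        os.makedirs(sub)
        for name, body in (("host.exe", b"MZ original host program"),
                           ("util.dll", b"MZ helper library"),
                           ("gone.exe", b"MZ will be deleted")):
            with open(os.path.join(sub, name), "wb") as f:
                f.write(body)
        vaccinate(root, key)
        clean = inspect(root, key)                       # baseline must be clean
        with open(os.path.join(sub, "host.exe"), "ab") as f:
            f.write(b"\n<<viral appendage>>")            # a file infector appending itself
        os.remove(os.path.join(sub, "gone.exe"))
        with open(os.path.join(sub, "dropped.exe"), "wb") as f:
            f.write(b"MZ dropped payload")
        changed = sorted((kind, os.path.basename(p)) for kind, p in inspect(root, key))
        return clean, changed


if __name__ == "__main__":
    print(demo())
```

The manifest only covers files that existed at vaccination time, so "new" findings matter as much as "modified" ones: the page's note that the real product traps Trojans that try to install themselves is the same observation.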

A plug-in module for the MS Outlook e-mail client checks all incoming and outgoing messages with attachments, including .zip and self-extracting files, and issues alerts if any executable code or macros are detected. Special traps are also used to ensure Trojans and worm executables cannot replicate or install themselves.

The MacroPass module checks and clears macros entering a system against a list of known and approved macros, both internally developed and commercially obtained. When a file containing macros is opened, copied or created, all macros present are checked against the policy database. Unknown macros are locked out until they are certified.

The Macro Analyzer module reviews MS Office document macros for keywords or code strings that would indicate viral infection or malicious intent. It then describes the actions the macro is likely to perform if executed and gives the user the choice of removing it, certifying it or continuing without taking any action.

Achilles'Shield also provides its own Task Manager module to schedule or manually run different customized file checks. A network configuration module assists in updating the software on distributed client workstations.

Lacking in Achilles'Shield functions is the ability to monitor IP ports, but InDefense claims it will incorporate this capability in its next version.

With one of the few integrity checking programs on the market, coupled with the macro certification option and DOS-level protection, Achilles'Shield stands somewhat apart from many other behavior-blocking products.


Sandbox Security's Secure4U

Secure4U is a Windows-based firewall application that also uses sandboxing to limit the actions of malicious code. It allows the enforcement of file and registry access restrictions with settings comparable to Windows NT security access control lists, allowing sysadmins to enforce a consistent network-wide access policy.

During installation, Secure4U scans a workstation for known applications and sets preconfigured default sandboxes around the most common Web browsers (Netscape 4.01-6.0 and Internet Explorer 4.01-5.5) and e-mail clients (Outlook, Outlook Express and Lotus Notes). With the learning mode, users can monitor the activities of other applications and create specific settings for them.

Secure4U users can create a sandbox around any application and restrict its access to system resources. Within this closed environment, any code can run while calls to system resources are monitored for malicious activity. It bases its actions on the application's behavior, not on checks against a database of known hostile activities. Drivers, the registry databases (all configurations) and the file systems are shielded.

Secure4U offers several privacy-enhancing options: the Cache Manager permits automatic removal of the browser cache content after each session; the Cookie Manager controls automatic blocking, removal and management of all cookies; the WWW Content Filtering module blocks access to Web pages containing restricted words; and an e-mail-filtering module rejects the external transmission of e-mails containing user-defined confidential words. The personal firewall can be configured to block all Internet access for specific applications, limit applications to specific IP ports (or sets of IP ports), and/or block specific IP addresses.

Secure4U provides an interface to conventional third-party AV scanners and comes with a copy of Computer Associates's InoculateIT. Complementary applications allow Secure4U to open and scan all CAB files for viruses.


Finjan Software's SurfinShield

Finjan Software has branded itself as a pioneer in the behavior-blocking field with its SurfinShield product, which provides corporate desktops with real-time monitoring of executable files, ActiveX, Java, Visual Basic Script and JavaScript, Scrap files (.shs and .shb), and Windows Scripting Host attachments (.vbs, .js, .wsh).

SurfinShield is part of a suite of products that provides gateway-level protection. One component, SurfinGate, provides functions comparable to CA's eTrust products. Additional modules for file-extension filtering guard against executables, scripts, plug-ins and cookies.

As with Secure4U, SurfinShield users can create sandbox permission rules to control access to the file system, network and system registry. Its customizable e-mail notification function alerts sysadmins about security and suspicious events. Users can also block the automatic launch of MS Office applications via Web browsers, Outlook and Eudora.

Some of SurfinShield's more innovative features include a mechanism for defeating multimedia surveillance by stopping Trojans from tapping into a PC's microphone or Web camera. The application permits the "white listing" of known non-malicious programs, which are allowed to run while all other code is still monitored. Palm Pilot users can monitor their handheld devices for malicious code being uploaded during the synchronization process. Support for client applications includes browsers, instant messaging, e-mail clients, FTP clients and newsreaders.

The SurfinShield Corporate edition, designed for the large business environment, consists of a central control unit and client modules for each desktop. The central control unit includes a server, database and console, which are used to enforce and manage the enterprise-wide sharing of security policies.

The central server manages a database that stores an organization's security records and each user's local security policy, as well as corporate- and group-level security policies, active content profiles and log information. This registry of information allows sysadmins to react immediately to new threats by quickly adjusting security policies. Multiple servers can be supported through a single centralized database.

SurfinShield's auto-detection feature allows the server to monitor desktops and log all security events, including active content source, attempted activity, time and date and attempted attacks.

Finjan recently made up for its lack of conventional AV capabilities by establishing a collaboration with F-Secure (http://www.f-secure.com/), the Finnish developer of antivirus products. Through the F-Secure Policy Manager, users can manage their AV scanner and the Finjan suite together, pairing proactive and reactive AV technologies.


Aladdin's eSafe

Another application that takes the "best of both worlds" approach is Aladdin's eSafe Protect Enterprise, a suite that incorporates antivirus scanning, sandbox protection, personal and application firewalls, and console-based deployment tools.

At the time of writing, the eSafe line is the only product on the market that combines behavior blocking with an internally developed antivirus scanner, allowing the simultaneous detection of known and unknown malware.

The antivirus module has an on-access and on-demand scanner and the ability to automatically download virus signature updates. Besides viruses, the scanner is designed to detect and filter known malicious code before it can execute in the browser. This is an advantage over products that have to allow malware to be saved to the local hard drive before taking any defensive action.

eSafe's Macro Terminator uses heuristic scanning to identify new malicious macros based on patterns of known macro viruses. If a file contains a certain number of suspicious patterns, it's considered infected and is quarantined.
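A heuristic macro analyzer of the kind described for Achilles'Shield's Macro Analyzer above and for Macro Terminator here, as an added example that is neither InDefense's nor Aladdin's code. It scans VBA source for keywords that indicate auto-execution, self-replication into the global template, shell or file-system access, e-mail automation and obfuscation, describes what the macro would likely do, and quarantines when the weighted count passes a threshold. The indicator list, weights, threshold and the two sample macros are all constructed; neither vendor publishes its patterns.

```python
import re

# (pattern, weight, what the macro is likely to do if run). Constructed from the
# kinds of keywords macro viruses of the period relied on; illustrative, not exhaustive.
INDICATORS = [
    (r'\bSub\s+(AutoOpen|AutoExec|AutoClose|AutoNew|Auto_Open|Document_Open|Workbook_Open)\b',
     3, "runs automatically when the document is opened, created or closed"),
    (r'\b(VBProject|VBComponents|NormalTemplate|CodeModule)\b',
     3, "reads or writes macro code itself (replication into the global template)"),
    (r'\bShell\s*\(?\s*"', 3, "launches an external program"),
    (r'CreateObject\s*\(\s*"(WScript\.Shell|Scripting\.FileSystemObject)"',
     3, "scripts the command shell or the file system"),
    (r'CreateObject\s*\(\s*"Outlook\.Application"', 3, "drives the e-mail client (mass mailing)"),
    (r'\b(Kill|RmDir|SetAttr)\b', 2, "deletes, removes or hides files"),
    (r'\bOptions\.(VirusProtection|SaveNormalPrompt|ConfirmConversions)\b',
     2, "switches off Word's macro warning or save prompts"),
    (r'\bApplication\.(DisplayAlerts|EnableCancelKey|ScreenUpdating)\b',
     1, "suppresses alerts or the user's ability to interrupt"),
    (r'\b(Chr\$?\s*\(|StrReverse\s*\()', 1, "assembles strings at run time (obfuscation)"),
]
QUARANTINE_THRESHOLD = 6   # assumed value; the page gives no number


def analyze(vba_source: str) -> dict:
    """Score the macro text and describe its likely actions; each indicator counts once."""
    score = 0
    findings = []
    for pattern, weight, description in INDICATORS:
        if re.findall(pattern, vba_source, flags=re.IGNORECASE):
            score += weight
            findings.append(description)
    if score >= QUARANTINE_THRESHOLD:
        verdict = "quarantine"
    elif findings:
        verdict = "warn"
    else:
        verdict = "clean"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample in the style of a Word 97 macro virus (does nothing here; it is never executed)
MALICIOUS_MACRO = r'''
Sub AutoOpen()
    Options.VirusProtection = False
    Set fso = CreateObject("Scripting.FileSystemObject")
    ActiveDocument.VBProject.VBComponents("ThisDocument").Export "C:\x.bas"
    NormalTemplate.VBProject.VBComponents.Import "C:\x.bas"
    Shell "cmd /c del /q *.doc", vbHide
    Set ol = CreateObject("Outlook.Application")
End Sub
'''

# Constructed benign formatting macro
BENIGN_MACRO = r'''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Paragraphs(1).Alignment = wdAlignParagraphCenter
End Sub
'''


if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        result = analyze(src)
        print(name, result["verdict"], result["score"])
        for line in result["findings"]:
            print("  -", line)
```

The limits of the technique are visible in the patterns themselves: "Shell" followed by a variable instead of a literal string is missed, and a macro that builds "CreateObject" from Chr() calls scores only the obfuscation point. That is why the products pair keyword analysis with a certification list and with run-time behavior blocking rather than relying on it alone.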

eSafe offers two types of sandboxes: application specific and general purpose. Application-specific sandboxes, with default settings for many common browsers and programs, control actions performed by the specific application assigned to them. The general-purpose sandboxes apply controls to actions performed by any and all applications on a desktop system.

When a new application is created or saved by an Internet application, it's registered in the Untrusted Applications Sandbox, which blocks nearly all computer resources when the new application is executed by a browser or e-mail client. Users can still download an application and execute it outside a browser or e-mail client, but ActiveX, Java and VBScript (Windows Scripting Host) as well as FileSystemObject functions are prevented from running under Internet applications other than IE and Netscape Navigator. A number of messaging applications are automatically sandboxed by the Internet Applications Sandbox, including Eudora, Microsoft Outlook and Outlook Express, Lotus Notes, Microsoft NetMeeting, ICQ, BackWeb, AOL, PointCast and Opera.

The Internet Applications Sandbox distinguishes between operations performed by a trusted Internet browser or e-mail client and those performed by other executable files spawned by these trusted applications. This prevents malicious code from accessing system resources used by the browser or e-mail client.
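A policy engine for the sandboxing described for SafeTnet, Secure4U and eSafe above, as an added example that is not any vendor's code. It models the two eSafe sandbox types: an application-specific sandbox for trusted Internet clients, and an untrusted sandbox for any executable whose process lineage leads back to one of those clients, so the same dropped file is treated differently when the browser launches it and when the user launches it from Explorer. The application list, rule tables, paths and the six constructed requests in demo() are assumptions; a real blocker obtains the process lineage and the access requests from a kernel or API hook, which the example only represents as fields on Action.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Trusted Internet clients that receive the application-specific sandbox (constructed list)
INTERNET_APPS = {"iexplore.exe", "netscape.exe", "outlook.exe", "msimn.exe", "eudora.exe"}


@dataclass(frozen=True)
class Action:
    process: str       # image name of the requesting process
    ancestors: tuple   # parent chain, nearest parent first (supplied by the interception layer)
    kind: str          # "file" | "registry" | "network" | "process"
    op: str            # "read" | "write" | "connect" | "exec"
    target: str        # path, registry key, host:port or image to launch


# Rules are (kind, op, target glob, verdict); first match wins, no match means deny.
POLICY = {
    "internet": [
        ("file", "write", r"C:\Documents and Settings\*\Temporary Internet Files\*", "allow"),
        ("file", "write", r"C:\Documents and Settings\*\My Documents\*", "allow"),
        ("file", "write", "*", "deny"),                 # no writes to program or system folders
        ("file", "read", "*", "allow"),
        ("registry", "write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run*", "deny"),
        ("registry", "write", r"HKLM\*", "deny"),
        ("registry", "*", "*", "allow"),
        ("network", "connect", "*:80", "allow"),
        ("network", "connect", "*:443", "allow"),
        ("network", "connect", "*", "deny"),
        ("process", "exec", "*", "deny"),               # no launching of downloaded or Office programs
    ],
    "untrusted": [
        ("file", "read", r"C:\WINNT\system32\*.dll", "allow"),   # enough to load, nothing more
        ("*", "*", "*", "deny"),
    ],
}


def sandbox_for(action):
    """Trusted client, something it spawned, or an ordinary local program (not sandboxed here)."""
    if action.process.lower() in INTERNET_APPS:
        return "internet"
    if any(a.lower() in INTERNET_APPS for a in action.ancestors):
        return "untrusted"
    return None


def matches(pattern, value):
    return pattern == "*" or fnmatchcase(value.lower(), pattern.lower())


def decide(action):
    """Return (verdict, reason) for one intercepted request."""
    box = sandbox_for(action)
    if box is None:
        return "allow", "started by the user outside an Internet application: not sandboxed"
    for kind, op, target, verdict in POLICY[box]:
        if matches(kind, action.kind) and matches(op, action.op) and matches(target, action.target):
            return verdict, f"{box} sandbox: {kind}/{op} {target}"
    return "deny", f"{box} sandbox: no matching rule (default deny)"


def demo():
    """Six constructed requests; returns the verdicts in order."""
    user = r"C:\Documents and Settings\alice"
    requests = [
        Action("iexplore.exe", ("explorer.exe",), "file", "write", user + r"\Temporary Internet Files\page.htm"),
        Action("iexplore.exe", ("explorer.exe",), "registry", "write",
               r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\prize"),
        Action("iexplore.exe", ("explorer.exe",), "process", "exec", user + r"\My Documents\prize.exe"),
        # the same dropped file, run from the browser's lineage and then by the user from Explorer
        Action("prize.exe", ("iexplore.exe", "explorer.exe"), "file", "write", r"C:\WINNT\system32\evil.dll"),
        Action("prize.exe", ("explorer.exe",), "file", "write", r"C:\WINNT\system32\evil.dll"),
        Action("winword.exe", ("outlook.exe", "explorer.exe"), "process", "exec", r"C:\WINNT\system32\cmd.exe"),
    ]
    return [decide(a)[0] for a in requests]


if __name__ == "__main__":
    print(demo())
```

The fifth request is allowed only because this engine, like the eSafe description, sandboxes by lineage rather than by file: a user who downloads prize.exe and double-clicks it from Explorer is outside the Internet sandbox, which is exactly where an integrity checker or AV scanner has to take over.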

eSafe creates a personal firewall between the computer and its communication ports, which can be configured to restrict users to only approved Web sites. The use of FTP and HTTP ports can be restricted to a local intranet server to prevent Internet access from specific PCs. It can also scan incoming communication packets, URLs, data content and newsgroup names for forbidden words, terminating sessions found in violation of security or use policies. The same function can also screen outgoing transmissions for proprietary or confidential materials and restrict the times of day for certain communications, which also makes it an effective usage policy manager.

eSafe incorporates a white list capability for organizations with their own intranet using pre-approved Java applets and ActiveX commands, while preventing the use of outside active content. It also offers an integrity checker, similar in function to Achilles'Shield.

With eSafe Protect Enterprise installed on a server, sysadmins can deploy default configurations of eSafe Protect or customize the configuration based on the security requirements of individual users or groups. This allows users' privileges and settings to follow them as they use different network workstations.

eSafe also comes in a gateway version, offering filtering for Java, ActiveX, malicious scripts, known viruses, spam and URL blocking.

Centralized reports provide information that can be used to streamline security settings, identify "problem" Web sites and analyze threats. Content-sensitive alerts can be broadcast to administrators via e-mail, pager, cell phone or any other method that accepts SMTP messages.

Of the products reviewed in this article, eSafe is the most comprehensive, with a number of features to counter a broad range of threats.



Side by Side With AV Scanners

The objective of most alternative malware protection applications is not to replace traditional antivirus scanners, but to complement them. Some, such as Secure4U, are able to activate a command-line AV scanner, while others, like eSafe, offer their own built-in detectors for known viruses. What all alternative approaches offer is a defense geared toward stopping unknown viruses, worms, active content and other malware by identifying suspect code by its actions, not its signature.

While generally effective, none of these products covers all the bases. Secure4U and SurfinShield, for example, do not address malicious macros. Only Achilles'Shield offers DOS-level protection, and most focus primarily on Java and ActiveX. Although their operation is fairly straightforward, most are missing the toolkits for deploying and managing them in a network setting.

As with any emerging technology, only a substantial growth in the number of users will result in needed improvements. Customer feedback will likely yield the features and interactions to fill in the gaps.

Just as the shortcomings of conventional AV scanners have not hindered their use, neither should the limitations of AV alternatives hinder theirs. As this new technology continues to mature, organizations should explore how behavior blockers, malware filters, macro certifiers and integrity checkers can augment their existing antivirus scanners and provide another layer of defense on their digital perimeters.

ROBERT VIBERT (rv@segurasolutions.com) writes about computer security with an emphasis on viruses and malware.


CASE STUDY

Defense-in-Depth


BY PETE LOSHIN

TIS WORLDWIDE ADOPTS A LAYERED APPROACH TO GATEWAY AND DESKTOP HYGIENE.


Protected by both AV scanners and gateway filters, TIS Worldwide blocked nearly 100 instances of the recent Navidad virus, says Nelson.

Tony Nelson, network security director for TIS Worldwide, switched from McAfee's antivirus solution to Aladdin's eSafe Enterprise and Gateway solutions for one simple reason: in his words, "central control and deployment." Headquartered in Manhattan's financial district, TIS is an e-business solutions integrator whose corporate WAN spans 11 locations and more than 800 desktops. Keeping these networks and end nodes immunized against malicious code is as much an administrative challenge as it is a technical one. "The ability to deploy both patterns and engines from a WinNT login script is a natural extension of the login process," says Nelson.

The TIS network is concentrated in New York and San Francisco, with 300 and 100 users, respectively-leaving the other half the network spread across nine other sites. Nelson says that TIS has "a combined total of 15 Microsoft WinNT Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs) supporting our company." Each of the PDCs has eSafe Enterprise, a suite that incorporates AV scanning, sandbox protection and personal and application firewalls. The Enterprise suite scans inbound content, restricts access to internal data and blocks "inappropriate" external data.

TIS has also installed eSafe Gateway, which inspects all traffic passing through Web, mail and FTP servers in real time, protecting against malware as well as spam, mail-bombing and other e-mail attacks. The TIS WAN has three entry points, each protected by a name-brand firewall. Behind each of them is an eSafe Gateway. "These gateways have alone covered the cost of the products by stopping countless viruses and other malicious e-mails from entering our corporate network," Nelson says.

Ever mindful of the need for defense-in-depth, Nelson hedges his bets on eSafe by using Trend Micro's ScanMail on TIS's Lotus Notes mail servers, though he also plans to run a pilot with eSafe's new Lotus Notes product as soon as it's available. Nelson also hopes to deploy an IDS soon.

Nelson's experience with eSafe has been generally positive. "The most recent attack we averted was the Navidad virus, which was blocked slightly less than 100 times at our barriers," Nelson says. "The beautiful part was that navidad.exe had been added to the 'known vandal list' the night before during an auto-update of the Gateway product. It took absolutely no human intervention to avert this potential hazard. Shortly after that, I added the Creative virus to the known vandal list, and successfully blocked that many times, too."

The only drawback with eSafe Gateway, Nelson says, is that it's very "chatty"-sending out e-mail "any time a file fails to scan, or an e-mail is destined for an invalid user account."

For TIS, there's no question: eSafe is worth it. Nelson dismissed the cost of the software when weighed against the alternatives: "How much does it cost to clean up behind Melissa or Navidad? Can you afford to be without it is a better question."

PETE LOSHIN is senior editor-at-large for Information Security.