Halt! Who Goes There? Or Remedy #3.

Security people, sysadmins and, generally, all those who by virtue of their employment take loving care of corporate networks – all these people have plenty of headaches. Indeed, a veritable cornucopia of headaches. And, of course, the main source of trouble is… you guessed it, users. Tens, hundreds, even thousands of users (depending on your good fortune) who have problems 24/7. As for us, we try to help these ‘frontline soldiers’ get to grips with their headaches, using the full extent of our resources in our field of competence. Below, we discuss one very helpful remedy that fits this combat strategy to perfection.

There are, in fact, three separate remedies. But they all tackle one problem – keeping users under control. And there are helpful side effects – enforcing a centralized IT security policy, fool-proofing, and automating the ‘donkey work’. That’s right, I’m talking of three new features included in the new version of our corporate solution, Endpoint Security 8: application control, device control and web control. This post is about application control (or simply AC without the DC).

Most of the time it’s a struggle to keep computers clean. Users are given to downloading questionable “cool warez”, installing them, trying them out and forgetting all about them. As a result, in half a year the computer normally turns into an unmanageable software zoo, becoming unbelievably error-prone and slow. And, of course, the abovementioned “cool warez” can easily be virus-ridden, pirated, or at best counterproductive.

There are different ways of getting out of this predicament. Some companies wag their finger at users and strictly forbid them to install software on their computers (without actually enforcing a ban). Others simply make installing software impossible in one way or another. AC is, in fact, an elegant compromise between the two.

So how does it work?

Our AC has three main features:

  • Restricting application startup
  • Managing application privileges
  • Checking applications for vulnerabilities

They are all shown in the “scary” diagram below:

There’s nothing that scary about the diagram, of course… except maybe at first glance if you are not used to this sort of thing.

In practice, application control looks like this.

First, the sysadmin sets the rules for specific programs and program categories – what can be run, what can’t, and what to do with the rest (so-called “gray” software). You can set one rule for all, or apply different restrictions to different user groups. By the way, ‘out-of-the-box’ integration with Active Directory comes in handy in the latter case. There are also ready-made Default Allow (allow everything, block only what’s specified by admin) and Default Deny (block everything, allow only what’s specified by admin) scenarios. From experience, the latter is particularly popular.

To make creating rules easier, we have a complete cloud-based whitelisting database, which includes categorized information on 300+ million scanned and safe files (with around a million files added daily). According to a recent test, the database covers 94% of all corporate software. Indeed, why waste time finding out which games employees are playing? It’s much easier to ban the entire Games category. Even if they find some exotic game which isn’t already in the database, it can easily be added manually.

There’s one more interesting option – an automatic inventory of the software installed. Yup, that’s another magic button for you. A very popular feature, too, saving sysadmins loads of time and allowing them to make electrifying discoveries about villains, creeps and even rats :).

Once the software has been included in the inventory and categorized and the launching rules have been created, it’s time for a test run. This is called “rule testing mode”. By comparing rules with software inventory results, the system comes up with a report on what software will get messed up and who is likely to be making angry calls.

After this, the rules are centrally uploaded to all the protected computers on the network. As soon as a user tries to run some software, our product installed on the computer matches it against the database and follows a predefined rule.

It gets even more interesting than that though, for application startup control is by no means all our AC is capable of!

First, application privilege control can be used to define the range of allowed actions for each application and for application categories. For example, it’s possible to block all attempts to establish an Internet connection for all software except officially allowed browsers and email clients; or block access to internal databases – client databases, partner databases, warehouse databases – for all software except dedicated programs that require such access.

Second, AC includes a yummy feature called Vulnerability Scan. Scanning is performed both on-the-fly, when launching an application, and when routinely creating an inventory. If “gaps” are detected, a sysadmin can block the software or install a patch. We get information on vulnerabilities from three sources: from our partners Secunia and Microsoft, plus from our own research. Vulnerability data is downloaded with other database updates.

Now, let’s have another look at that “scary” diagram.

You launch a program. The system checks its category. If it is on the blacklist (forbidden) then it is blocked from running. If the program is on the whitelist (allowed) the system proceeds to the next check. If the “gray list” is triggered (no data), additional heuristic analysis is performed and a decision is made based on its results. In the next step, the system monitors the program’s activity, and any action that violates a ban is blocked while the program itself keeps running. Then comes the last test – the vulnerability scan. Again, depending on the settings, the program can be blocked, “covered” with additional protection, or simply allowed to run. Bingo! No magic, just good old business logic being put to use.
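To make the walk-through concrete, here is an added toy policy engine (example code, not Kaspersky’s) that follows the diagram’s order – startup control, privilege control, vulnerability scan – and also covers the Default Allow and Default Deny scenarios from the rules section above. The file hashes, categories, vulnerability feed and the “unsigned file is suspicious” heuristic are all constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    RESTRICT = "restrict"   # program runs, but banned actions are refused

# Constructed stand-in for the cloud whitelist: placeholder hash -> category.
KNOWN_FILES = {
    "sha256:browser-placeholder": "Browsers",
    "sha256:game-placeholder": "Games",
    "sha256:office-placeholder": "Office",
}
# Constructed vulnerability feed: placeholder hash -> placeholder issue ids.
VULN_FEED = {"sha256:office-placeholder": ["VULN-PLACEHOLDER-1"]}

@dataclass(frozen=True)
class Launch:
    file_hash: str
    signed: bool
    actions: frozenset = frozenset()   # e.g. {"network", "client_db"}

@dataclass
class Policy:
    default_deny: bool
    allowed: set = field(default_factory=set)       # categories explicitly allowed
    blocked: set = field(default_factory=set)       # categories explicitly blocked
    privileges: dict = field(default_factory=dict)  # action -> categories allowed to do it
    block_vulnerable: bool = True

def looks_suspicious(app: Launch) -> bool:
    # Placeholder heuristic for "gray" (unknown) files: unsigned counts as suspicious.
    return not app.signed

def decide(app: Launch, policy: Policy) -> tuple:
    category = KNOWN_FILES.get(app.file_hash)
    # 1. Startup control: blacklist wins, whitelist passes, gray list -> heuristics
    if category in policy.blocked:
        return Verdict.BLOCK, "blacklisted category", frozenset()
    if category is None and (policy.default_deny or looks_suspicious(app)):
        return Verdict.BLOCK, "gray list", frozenset()
    if category is not None and policy.default_deny and category not in policy.allowed:
        return Verdict.BLOCK, "not in allow list", frozenset()
    # 2. Privilege control: the program runs, but actions its category may not take are refused
    denied = frozenset(a for a in app.actions if category not in policy.privileges.get(a, set()))
    # 3. Vulnerability scan: block outright, or run "covered" by the privilege restrictions
    if app.file_hash in VULN_FEED and policy.block_vulnerable:
        return Verdict.BLOCK, "known vulnerability", denied
    return (Verdict.RESTRICT if denied else Verdict.ALLOW), "ok", denied
```

The returned tuple carries the verdict, the reason for it, and the set of actions the privilege rules refuse, so a Default Allow policy with `block_vulnerable=False` lets a vulnerable program run with its network access cut rather than blocking it.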

Application control is not really anything new, but it has only just started to appear in comprehensive all-in-one security solutions. Therefore, it makes sense that we don’t know much about the feature’s effectiveness yet. So far vendors have just been putting on airs about how cool their version of the feature is. But a few days ago, the results of the world’s first comparative test of this technology – carried out by West Coast Labs – were published:

[There are heaps more interesting infographics here]

// Yep, looks like the “Fourth vendor” was scared to death with their results.

I don’t think any commentary is necessary here. It looks like we are the only ones who are really investing in technology development, although everybody just loves to yell about it. In other words – three cheers for our R&D, product marketing and, most of all, whitelist lab!

Keep up the good work, guys!
