

Why traditional means of protection do not work.


More and more often I hear people say, "I have an anti-virus, a firewall and an anti-spyware program installed, but recently I found out that something is wrong with my computer. I understand that somehow the traditional means of protection do not work." I can hear an unspoken question in these words: "But how come everyone says that you need a firewall, an anti-virus and an anti-spyware program to be protected, and yet once you visit a porn site your computer is full of malware you cannot get rid of? Did they cheat me?" The right answer is yes and no.

Let's look at how malicious software (malware) gets into a computer, what the traditional means of protection are, and how they work.

Means and ways of attack

Modern malware is divided into several types: adware, spyware, rootkits, keyloggers, etc. I would like to draw attention to the fact that they have nothing in common with traditional viruses!

Adware is an advertising module. It is intended to show various advertisements, and it can be very intrusive.

Spyware is a spying module. It records various kinds of information (sites visited, documents opened, search phrases) and sends it to advertisers or other interested parties.

A rootkit is a module which hides something. It can hide the location of the malware on the computer as well as the traces of its activity (registry keys, files, open ports, etc.). It can be user- or kernel-level.

A keylogger is a module which records the keys pressed. It is used for stealing secret information (passwords, credit card numbers, etc.). It can be user- or kernel-level as well.

There are several methods of attack:
1. Through security holes in a browser. You only have to visit porn sites to see this method in action!
2. Via e-mail, IM, P2P and IRC clients. The attack scenario is either a hole in the software or making the user launch an application or a file via a link.

The first thing a malicious module does after it is started on a computer is to register itself in the auto-start areas in order to keep control after a system restart. There are dozens of ways to do that. Many of them try to install a driver into the system (either to hide themselves, as a rootkit does, or to record keystrokes, as a keylogger does) or to inject themselves into system processes in order to protect their own presence in the system.

Malicious modules are usually packed to disguise them, because what matters most to their authors is that the module works and is not recognized by anti-virus and anti-spyware programs during a system scan.

Methods of defense

1. Anti-virus: The purpose of an anti-virus is to find program modules which analysts of anti-virus companies have already recognized as malicious. So why is it still ineffective? The problem lies in the mechanism of infection spreading and anti-virus database updating. In order to add the signatures of a new malicious module to their databases, analysts must have this module at their disposal, create elaborate search signatures (and they must keep the number of false positives down) and add them to the databases. The longest step in this chain of events is the delivery of a new harmful module to the anti-virus company, because ordinary users cannot do it themselves! As a result the delivery time stretches from one day to infinity.

Further, as soon as the malicious module is recognized by an anti-virus, its creators know about it instantly and modify it so that the anti-virus cannot recognize it any more. Their reaction time does not exceed 24 hours. New users who visit the site are then infected by this new version, which the anti-virus does not recognize.

2. Firewalls: This type of software is intended to control network activity. The goal of a good network firewall is to control all incoming and outgoing network connections and which applications are allowed to use the Internet. A firewall is a good tool for blocking all incoming connections (which helps prevent buffer overflow attacks on system applications) and for warning that the computer has malware. Sometimes it can block an information leak. But a firewall cannot completely protect the computer from a harmful application.

3. Anti-spyware: This type of software has a scanner for well-known malware (very often of low efficiency) as well as manual system diagnosis tools. But an ordinary user will not be able to use those tools effectively.

As a result we have a situation where the traditional, heavily advertised means of protection cannot cope with the full range of malicious software, which has turned into a very profitable business.

Is there a way out of this situation, when all the usual means are useless? Yes, there is one! Recently Host-based Intrusion Prevention Systems (HIPS) have become more and more popular. The first attempts to implement such systems were based on process behavior analysis (ideologically they were based on the firewall principle; sometimes they are even called application firewalls). Once suspicious or potentially dangerous activity is spotted, this type of application shows a window with a description of the activity and asks the user whether or not to allow it. But the disadvantages of these behavior analyzers appeared very quickly: they require a profound understanding of how an operating system works, and they show annoying windows with questions in which the user looks in vain for a button saying "I do not know the answer! I do not understand a thing!" Because of these limitations, the use of behavior analyzers is not widespread.

Let's try to imagine an ideal protection system. We have potentially dangerous applications which can be attacked via the Internet (browsers, e-mail, IM, P2P and IRC clients; we will call them "untrusted") and applications which can never be attacked via the Internet (Explorer, system processes, text processors, etc.; we will call them "trusted"). Suppose we restrict the rights of untrusted applications (and all child processes of an untrusted process are untrusted too!) to write to the registry, to add auto-start items (the first thing malicious software does!), to install drivers or services (as rootkits and keyloggers do), to modify executable and interpreted files, to install global hooks and to inject into trusted processes. Then we will be able to block malicious software and prevent it from getting a foothold in the system. We will not need pop-up windows with silly questions; we will simply block the potentially dangerous actions of untrusted processes, and that's all! But blocking the activity of harmful software is only half of the job. There also has to be a way to stop the harmful process once and for all. This would be our ideal protector against the various Internet threats from which the traditional means either do not protect at all or protect ineffectively.

This ideal protector against new threats is the DefenseWall HIPS program. Demanding minimal resources, having a simple, clear and attractive interface, and being very powerful without slowing the system down, it allows you to fight various types of malware in an easy, simple and effective way, requiring neither constant anti-virus database updates nor extensive technical knowledge and experience from the user.

DefenseWall divides all applications into trusted and untrusted groups. Besides .exe and .com files, the rules for untrusted applications also apply to installation files (.msi), control panel extensions (.cpl) and interpreted command files (.cmd and .bat). All other scripts (.hta, .js, .vbs, etc.) run as untrusted by default. One can mark as untrusted not only a single executable file but also an entire folder (the equivalent of a group rule). An untrusted process appears either when an untrusted application is executed or when a process is spawned by another untrusted process.
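To make the trusted/untrusted model from the two paragraphs above concrete, here is an added example (my own illustration, not DefenseWall's code) of a policy monitor: marked files, folders and script types start in the untrusted zone, children inherit it, the write-class actions listed above are blocked and logged for untrusted processes only, a filter keeps expected blocks out of the log, and the whole zone can be closed in one call. Action names, paths and pids are hypothetical.

```python
from dataclasses import dataclass, field
# Action classes the article says must be denied to an untrusted process (hypothetical names).
BLOCKED_ACTIONS = {"registry_write", "autostart_write", "driver_install",
                   "service_install", "modify_executable", "global_hook", "inject_trusted"}
SCRIPT_EXTS = (".hta", ".js", ".vbs")   # script types that run as untrusted by default

@dataclass
class Policy:
    untrusted: set                                # files or folders the user marked untrusted
    excluded: set = field(default_factory=set)   # (image, action) pairs filtered out of the log
    log: list = field(default_factory=list)
    def is_untrusted_image(self, path):
        p = path.lower()
        return any(p.startswith(u.lower()) for u in self.untrusted) or p.endswith(SCRIPT_EXTS)

class Monitor:
    def __init__(self, policy):
        self.policy = policy
        self.zone = {}   # pid -> True when the process lives in the untrusted zone

    def start(self, pid, image, parent=None):
        # A child of an untrusted process is untrusted whatever its own image is.
        self.zone[pid] = self.zone.get(parent, False) or self.policy.is_untrusted_image(image)
        return self.zone[pid]

    def act(self, pid, image, action):
        # Trusted processes and harmless actions pass; a blocked action is logged unless filtered.
        if not self.zone.get(pid, False) or action not in BLOCKED_ACTIONS:
            return "allow"
        if (image.lower(), action) not in self.policy.excluded:
            self.policy.log.append((pid, image, action))
        return "block"

    def close_untrusted_zone(self):
        # The one-button "close the whole untrusted zone" action; returns the pids ended.
        ended = sorted(pid for pid, u in self.zone.items() if u)
        self.zone = {pid: u for pid, u in self.zone.items() if not u}
        return ended

def run_demo():
    ff = r"C:\Program Files\Firefox\firefox.exe"   # constructed scenario, paths are made up
    pol = Policy(untrusted={ff}, excluded={(ff.lower(), "registry_write")})
    mon = Monitor(pol)
    mon.start(100, r"C:\Windows\explorer.exe")          # trusted
    mon.start(200, ff, parent=100)                      # marked untrusted
    mon.start(300, r"C:\Temp\dropper.exe", parent=200)  # inherits untrusted from its parent
    results = [mon.act(100, r"C:\Windows\explorer.exe", "autostart_write"),  # allow
               mon.act(200, ff, "registry_write"),                           # block, not logged
               mon.act(300, r"C:\Temp\dropper.exe", "autostart_write")]      # block, logged
    return results, list(pol.log), mon.close_untrusted_zone()
```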

The program has a built-in list of applications which are placed in the untrusted group by default. Besides the standard Windows applications, it includes the well-known alternative browsers Mozilla/Firefox and Opera.

The untrusted applications list control panel allows you to start a listed application as trusted, and to temporarily suspend the untrusted status of an application or a folder in order to carry out any necessary activities and then quickly return it to untrusted status.

The virtual zone of untrusted processes is securely separated from the zone of trusted ones. Within each zone processes are not isolated from each other, because that would be useless from a security point of view. This also drastically reduces the number of false alarms (we do not need them anyway!).

When a potentially dangerous action is attempted, the program icon in the system tray turns red and the action itself is put into the event log kept by the program. If a potentially dangerous action is a consequence of normal program activity and has nothing to do with an attack, it can easily be excluded from the log with a filter. As a result the action itself will still be blocked, but it will no longer be logged and the icon will not turn red in the future.

If you are under an external attack, you can easily counteract it. You can either close the entire zone of untrusted processes by pressing just one button or close any single untrusted process. After that you will only have to remove the inactive malicious modules from your hard drive by running any free anti-virus scanner, so as not to clutter up your hard drive with useless programs (otherwise you will not have enough space for your new mp3 files!).

The interface of the program is logically simple and intuitively clear. It is not even necessary to read the help file to start using the program effectively, the way you like it.

The program is designed so that you can not only protect already installed software effectively but also install new software by starting its installer as untrusted. The majority of software products install as untrusted without any problems. In this way you will be able to try new software from unfamiliar sources without the fear of becoming infected. But, to be honest, uninstalling such programs is better done not by the regular means but with a dedicated uninstaller program, because very often such programs do not fully uninstall themselves and leave a bunch of useless items in the registry or on disk (remember the space for new mp3 files!).

DefenseWall is an easy way to protect the system from malicious modules penetrating from the outside, both via the Internet and through floppy and CD drives. For example, if we mark all applications which start from CD as untrusted (to do that, one has to add the appropriate logical drive as untrusted), then the notorious Sony DRM rootkit will not be able to install itself into the system and you will not have to remove it manually (the uninstaller bundled with the Sony DRM rootkit opens a huge hole in the browser's security, and its use is not recommended).

Many users have already appreciated the simplicity and power with which DefenseWall copes with various harmful software, as well as the efficiency and accuracy of our support service. Try our product and see for yourself!

Ilya Rabinovich, CEO, SoftSphere Technologies, 14.02.2006.

info@softsphere.com

© "SoftSphere Technologies" 2002 - 2008