Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Parity 3.5 Reins in Malware by Taking Control of Desktop



 By: Andrew Garcia
2007-01-29
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Review: Host-based Bit9 IPS uses policies to limit attack surface and monitor for untrusted code.

Bit9s Parity 3.5 is a fine host-based intrusion prevention system that works not by identifying and blocking malware before it touches the system but rather by limiting the code that can run on the desktop. Although its a daunting product at the outset, Bit9s new tools greatly simplify management.

These tools also solve some of the shortcomings of a least-privileged user desktop environment because only administrator-approved applications are allowed to run. Although a locked-down desktop keeps users out of most trouble, the potential still exists for running malware under user credentials or for a vulnerability to be exploited.

Parity 3.5 IPS complements a locked-down desktop by keeping malware inert. Parity 3.5 limits the attack surface that comes from running unapproved vulnerable applications and triggers alerts if unknown or untrusted code is seen propagating around the network.

However, Parity 3.5 will not clean the inert malware from systems—other tools are necessary for accomplishing that.

Parity 3.5, which started shipping in December, also brings to the table new enhancements that monitor software usage across the enterprise, control the use of USB storage devices and provide Parity 3.5 administrators in-line integration with Bit9s software vetting service, ParityCenter.

Resource Library:

Parity 3.5 can be licensed in two ways (all prices quoted are for a 1,000-seat deployment): In the perpetual model, companies may purchase the software for a one-time fee of $35 per workstation, with an additional 20 percent annual maintenance fee for standard support (or 25 percent for premium support); the subscription model costs $19 per workstation per year for standard support and maintenance (or $21 per workstation per year for premium support).

The Parity Server component must be installed on at least a Microsoft Windows Server 2003 SP (Service Pack) 1 machine that has at least 1GB of RAM and 20GB of available storage. The Parity Agent, which performs disk inventory, monitoring and policy enforcement on client workstations, can be installed on Windows 2000-, XP- or 2003-based hosts.

Parity 3.5 policies are enforced per Host Group, which we set up in the Parity Server. For each policy, we could enforce lockdown (allow only approved applications), block (allow no applications) and ask (warning users of unapproved software while allowing them to continue).

We could also set up the policies in a monitor-only mode, which is helpful for getting to know exactly what is running on the network, or we could disable policy enforcement or the agent entirely.

Once the agent is installed on a client, Parity 3.5 performs an initial discovery of executables residing on the workstation, reporting all findings to the Parity Server for evaluation. At first glance, the file inventory is overwhelming: We found more than 5,000 items on a single client with only a few applications installed. These items are presented to the administrator in list form on the Web-based Parity 3.5 console.

Thankfully, Bit9 has made several improvements to ease the approval process. Parity 3.5 creates a hash of every file and reports the hash to Bit9s ParityCenter. (This service is included for subscription customers and costs an additional 10 percent annually for perpetual customers).

TJX intrusion highlights pursuit of corporate data. Click here to read more.

ParityCenter reports back what it knows about the file, whether the files publisher is trusted and whether the file contains malware discovered by ParityCenters anti-virus and code analysis tools. Based on ParityCenter recommendations, we could safely approve some of the found software.

We learned that ParityCenter has not seen everything, though, as many of our found executables had not been vetted (including software that had been reported as malicious or suspect by other anti-malware companies). Wed like to see Bit9 pursue relationships with other anti-malware companies to expand the depth of its database.

For now, administrators will have to make most policy decisions themselves, and Parity 3.5 provides several methods for doing so. During tests, we could make policy approvals based on a number of Bit9-provided criteria. For example, we could automatically approve software installed by certain users, software installed from approved installation sources, and software from known and trusted publishers.

If needed, we could approve software on a file-by-file basis. It is useful to understand the different ways Parity 3.5 operates. Lockdown mode is effectively a whitelist-if software isnt approved, it wont run. But Parity 3.5 also provides the option of banning software, allowing administrators to blacklist specific apps.

For example, Parity 3.5 can block Internet Explorer plug-ins and ActiveX controls, so we placed a ban on the Google Toolbar for IE. One of our test machines had the Google Toolbar installed prior to the Parity 3.5 deployment. Within a few seconds of creating the policy banning it, Google Toolbar would not start, even though the host group was configured to monitor mode.

However, this experience also showed us how things can quickly get annoying for users if a blocked application is wrapped tightly into the operating system. The Google Toolbar attempted to launch every time IE or Windows Explorer started, creating a lot of pop-ups on users screens and numerous entries in the Parity Server log.

Parity 3.5 also blocked users ability to uninstall the toolbar, so, in a case like ours, administrators will have to take some action (changing the policy or uninstalling the software) to quell the alert storm.

This underlies one of the perils of trying to install Parity 3.5 on an active desktop fleet. The wise administrator would begin configuring Parity 3.5 by using a freshly imaged workstation to set a base line of approved software.

But rolling out Parity 3.5 to workstations already in the field is another matter, especially if users have previously had free rein to install software in the past.

Administrators should be able to approve acceptable software fairly easily given the variety of tools Bit9 provides, but dealing with the complications arising from unapproved software not working after being denied by Parity 3.5 could lead to some pain.

We found the new USB media controls effective, but they are rudimentary compared with the tools in products such as SecureWaves Sanctuary.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Parity 3.5 Reins in Malware by Taking Control of Desktop
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Andrew Garcia
 


xr㶲0;; ʷ♵M=RJVlҌפN"!1Ej/Y/:/qtMiɗ8["h4|Aș3!箹)ٝЧGo-zIj|݇@AefAUL5 JԶn\7n[Y0Pa᳙(,Q  tjGt0]2d4k6!g4wekO/cߨWX`&`1Zt|RdA'AjZl,P'@.|( wm< a}c $aL1P?wIV@aSӸ/*! lpi#j%yyyN  uȭC ¿{yo@בnL3^_D_j0QEVKY|/ Z@w:}d/#t6 +?[8VV'_ZUC0 xg6b M u ô|W+ I-qhCu{D ,_dxpLu:8?# <--˝)$Tt</Rxhf5 tA[&%m":u PsfF[cW)MXrƒ t$u,7hr Y@e)#p?S݃I hJq䰉k>ذ 1"%̛iJyO{ "}ВEtBAͩ8 (J!"xV3E !\JZ!}! g|8Jjv7pemczjNڊ1Wr{,eށ:I=t9&E;~c8^%g 5F8 ,ieݴ%!g8WG5MGVmĦcTf~Pb(7ZdL,5,ϙR7X_AQ?/Mt3|FMk1ktI< EC#ɠ:ڴ;\ZVS4!E&mЀ wbhx<,AbG&a`ͨ?oF#m| &>q\l8d$n)ssLn-/5_ӽk:F?a#0.Zm{$8ʼE]ub Bݷ|{ޚꖭ,L<ģ ϩ(~~9-RC/1{" EEKy3@ $h-az.> ŊHHHXVppT6ݞH:s'PT+es㙰RN٣XB YX/_23CCɴaX9{DMfT`B[ᛥLKak Sn.ZUb٦ByQY$*O\Y5*h `HLMq r`!]g 3p#Eq"L)32,Xh'l:ʚ"Ϩ9dShƏ00UEBf,dPLAuϝ1h jd7`WvfVe|GK4&T֬zo}pl7+ w&rG|媞5jx0?s\LdFfkoO: V!0\{?|T30`-e?dϧ=)V}fAٰZQJ!I 6D ȸau-`byS]Wѹq@8|1B-g @?pb^ FZ."f~q~029 +?/|udA`+\qW["LJ}ܑe u'6$\]Rj)RLZ06AaeL副^tHFM@X G\dAs`АgBrIa TWkS//' 7]@.&D~Ê?DNScO=.C+DÜU^oV/w.$ZTbrxCjvPVkqvJ..wq)4)|:zPCl?K'_Ɛ^Sz3t5ܮ[K.~g^Ol^Lc"O`)Go@|V?>]Ik01Sle`Sxt$ b*亢#?݀΍l/Џ]MtAkY, ܠɠ 0ԴgKiCKtwTI |qCW&{LdEN{Բ':*5P6>*0nG.<֜H+?N33hj 03-tpSUjzIe/E+t m(5#S #2pgrh)hj*3ivϷJh#2h+,s Jb+ʹV(EcXehjCȼϤMpR|9}->q 7poj-ŏ@?(14xIc#&a\iYցh 03RlȪ+> 2.izIRϢsG&:Lpz]Qd:)nQ==My@h# &w|}CI H5 ]Uj; ss4G\0R1<ʢ'r ]N6._VZQ YHX9H(P+ YG۷BlpH75SXp| ^_H{c, ,"zJ+.=2a7ZTe3㘘= %bn }+ =|QtW%|w=Oz}=L8q~_w8et{AvOQa^gq O4 }U^wO*V%|}8~l1%z˾WMw$(XMp4q'^i{{>>^|; YdFh0Z^ < hao0 8 %Y; g݋u oлo= r@pAju?^'d0| sti_6b30fhRbQfjcX#a̍FDh!q3 T/Us>֒\zF_ɾj,49Aϐa6A&)ېcgcs~uYLPH2Xa@HR ~tqyN .g@$@Anpkz!NU He*4Д+%IA%wzWmx<|mr/HUɉ C^4} y*}y:}_exL+Bɘ{pУXJqvq3c~:)}C/gN9]~@Ҽ"gÍ7"HtSϝ+}2L:&rޚS%[B {t#1ݻaTwʉd* e~=m3결tC%ܟ1ON)tJȓsI؏ z>RB'ԴIդ28I5F4A2 uIH? Md4XPWdhtlA jÚmf /.ܺm|`=`l)Za"|)Nr a=j`e>!‡[yRb}b%%h8WJW!9 |@s`*#=SL aʕ}rZTrq]4h$=ݛ9F`푮cɹ``'#9ʼS3,`, GW ./CvcNȣ&k{?wynL xqf='so.(cǩm:;@D_$w"B+QDK%ז9Ax\}4]vYf?^xxXLD1C{7 A犴/ NA ̯> H-@V_ ޽?Qwp]9Qz AC~kM|3ry}j*=Yh[h_?H+I㆟ݖyc,\XSω$٘&BERTUjln$jYpJE_V ;ѩc+N c,n9P2vA J `ȞxqCwb _Y.=]awQ[]zÞ6wYiEu.K\-"PnGZY|:ז%0.7``TwQcC趿z"UN6V*x$FyΉX~2&#N:zEPzdad9%̦Zj4*?p:/tc4Y0F10KcFGΩ/ώsv[OYq{qGn)y#= P@^aRۤse`v$o# ;y*iwYS0$nfPeȻ; w D),911Lx/&Ȓd 9pÕ=`[QO?v:'IMlT _p%]'5X; x,Ilvq-=3{’*J|Kj%NxTI;<[Sd%9y|- hݡ*& U/@bz]R/եRTQ #KM0siaK[ߊJjcS*8[nmz`JTiyHZTnrx+J8PZLoC O!B /=ߪ[-H")OaA2H~C/OXB൷9+}9⃍}KilƃE;sF? _BB o6G=z L[ݖaTIx6>aDdADs̩]} cRZ1}nf郵+L¤RJiazmx=zsפtQ>Mq Jert0>9Ip S -T K,kw;$(yq77777777w<ߍ뫗Fsϡ4$V,UU}V$W|;tj)Ǚ i_ymmZs1i: ǝ1v3ݑ1{HxÙԲPBh|7 /M>OKɯn`/C=jK?} B]ws&X@e,uz,Zo82/m̌I|> ƕ%so ͌ٓw;*LLjLoM[ˤ>LwP"qn&JH(p#QCn!ԨJ6hFéH(aѽT">o5qeF|i2^\]}W ;A+i0ŔYa*$-nᗘNJe 7g C",z }ush sz2؋y&-Vb7lrV@m]el-S'A J)9@#_O)5NlcoٮFHNB7,%R%<-+ZQ+-l 6D}ihNg^W'X?g+M9*sk=Z]T媄qs啀aP.xTcWIݔ3BK#Rֆ0m#ᙟӱ/- {L|,oFğvch=FLVs :c{ t[f(bCHGo;p6&•!zٌ"!Ĩ1aCl{6yas;p$| /e$3ëoPE6Gk=Zk;۲N1 Wvx {kWU "-TY٧8b+4&/`wVhl|+w; *Z)[~ ş LzK)20ܝ\B7{Pn/+ŷj .`ZD^T찆߽s ۩$>֜fER ZߤLހm_ma}"^%j/y|Ȫhoko#fE[}^)]jhk'1غ,~= ( LRˬٛV$0"*Θh֖&P aD+oi_ `<ŹIv|wouv1Apn]|@Qa髇WH*Xھ e^m/ I4b'rśX,hELVÑ@u}œ3Taq'!L7̃i˼li܁-rf ][G?LƞqQo|֊[NiΞCmo ɀ XPps]I٫TD~ Nd>MYx\Jґu `<$z̥7f?= N8Ccǃ"Ba=X :>IoH0 L]YU# `xGI(V=#Yg0\*$LGXțN\@Sgٕ0(HSc}& 'lI<R+ /OǴ5 [z>˘Uֽ?#7,>Y \Zs4cYofPJƈ^䰟aDp=S-D1Șh MQ HxDɹgMN:pxXҚ0!<RA~x#{6"))Ĵ0,޴ &"K;";C{bxvRǠ{Q^21Faŷ~(l;b21cbHcڗHUR A "PF: 1C(~bJ ͍$u~+vK .X`s ,2E<ezwX<>ͻ)4oوxdf,EwNw`C'[5EY|ob{LgA~Bb@Ԑ0(ˏIB uXRFB(s $~XϧH_P!bJ])IhR|:TJ|+R0cU$+_oSw^7X z+iT(KI+1;}^oi`u0 }a3brLuf)ڗg_IUCGWAwA;gk;՚#:|jcJBN=^Z+!z,8i67a\nq4ħYh@zB+4[EYN/PKNPkN_e1MlNy{9cq'ʏO>'9Svi:fw qN9?t/rʡݜ/~/g,>v9s?y9=?*P/nr :WK?s9^}AF&ˣqr]!,.5PU[k /Y;3ݲ3 ǸZuvņ^_A5KHe^ۛT}GPypPHxEó##htoĶ.p&}:=Wvl+Jy.ߔ[nNJ>x]ȜHǣWɴ&Vی 볹Y|,yM`pr 'GY+wV/syXw[3;=q&%݆.n ۭ~xL|uӚܴO]﷌v<2+յ֚ |3/߆zH'<+;}4;(wfi3Q*K5ýEyR780׀z#OoC/kOgM>w>]u_kҹh /;졳5K쓭?M}ςo扬:Sw߽,R+|c ,)hع+jzrfhNo4pGsn LXV١n &)#ZִZjVU 'WHd6##"2txC5ɪ"+uw9 ط]V*J0X\^9Q(Fuo*K0njE=q̐ga1VJ!'\Cx‹)˫2fdof2aSKpkx;r(q ?,(sY^FlO\B/#Vw-q]j+H2hؐ,s6N-#XN>@O'ÙX*of f+gm تGnѨswB~2RV@g\Ыȹd .LeSzyk*8,_bZef$tk`V{ep-#6O,5U,%O|u@_-c˃a?_bs/J:=fG.i" (luy5M24s . " n#Q\LZDAۀ0߶- xn'u1.spa3vû1mZxY>}r 1-X ThcоxK45~;ݜţ:aѡ(Y^OϊӍQf\r{^f$W"nrG0ʶ"<]Ï }Cqzvtsڱ Emqgqœj@@rĶom~lX3!?e|ITǓȘ b2O|e'0O2#0'MĮkfAj3rg 6{eiaϖ,|Ŷ/G㿄&l,2zǞ">}T.q "2H 2s{B|%؄'UYsJdB2,'KYЄ2jX9VX#e ^2PΧg{I>~Pڂ!نIf[W ^{#D3dưz<I1H EY/ڈY{NπnuMf@gYl(VxRDw/loe]␺<6e;,v 3RǙ,`+/2^;'g\|5_l=7ϒΌzLU"zʴu{Dq+A'%}YQ v.yhFʫv\z$tnR'9"Ź oPmJ0wC{ , B`G}dȡ(l}j.͜GԋOg0xmҵh_ɬnq|1-%/#=^&c`H؂{ꐏXi[1JpC)tO˰CVt3C׀5V`=H_qS`p#1tB\(X`tgf˟]lہQ#5l\TFMLmQa[~50(|NuusfOEmE>m+Ѝ A\'X3' X<޳sW=?5^6Љe6;7ǿa<>YʐL\ȏ,,L[녗Z']Y!Ya4,Lb5"[]QI(`RжX3|"@a)5z`n~3 f<˜4W6IĶqynuҵ-ˑ;`yO|g~C{%=\s!&tԵa=":xqea=Vt*N/gv P.I{eT3uG?; ovˌhT*.㉋;ݏ5GU Fn/z.@ђuzWǝ4!ջlw/>&+e=;`om gs7*Рٚ[fSժZ-Nbj|ۊ#iQg8&rYOJ^R۝E^8%†mJHU&s)#KM\eZ)M39Q2;&|ƷZ2cˤ_ lY)