Bit9's Parity 4.1 is effective host-based intrusion prevention for Windows systems that works by whitelisting applications, allowing only approved applications to run, and blocking anything else, including malware. IT managers at any size organization should immediately consider using application whitelisting to secure Windows systems.
Application whitelisting tools, including Parity, CA's CA HIPS (Host-Based Intrusion Prevention System), CoreTrace's Bouncer and Lumension's Sanctuary Application Control work differently from anti-virus, anti-spyware tools that use signatures and anomaly detection schemes to try to stop unwanted software actions.
Parity 4.1 worked effectively in my tests and the product raises serious questions about the future usefulness of host- and gateway-based security systems that focus on identifying fast-morphing malware signatures.
Application whitelisting isn't without flaws as a protection strategy-for example, there is the need to painstakingly approve programs to prevent blocking needed apps. However, Bit9's Parity, with an extensive database of vetted applications along with a nimble agent and flexible policy engine, proved more than able to handle my test environment.
Keep in mind that Parity 4.1 doesn't clean malware from a system, although it renders toxic executables inert. Parity does make it much easier to identify the systems that are infected, however, and provides a specific report on which machines are installed with unwanted software, thus making it a much easier task to focus cleanup efforts.
Parity 4.1 became available in June and now provides Active Directory integration, a useful "new files" report, software categorization that significantly eases policy creation, automatic device inventory and the ability to virtualize the Parity server.
Parity 4.1 can be licensed in two ways: a perpetual one-time license is $35 per workstation and $350 per server. A subscription license is also available for $19 per workstation, plus a maintenance fee.
Parity 4.1 is a client/server application. I installed the Parity Server in a VMware ESX Server 3.5 environment on a virtual machine configured with dual processors, a 60GB drive, 2GB RAM and a single network interface card with a fixed IP address. This configuration is the minimum required for managing up to 3,500 clients.
Parity 4.1 can now use an external Microsoft SQL Server 2005 database to track clients, which I installed on a VM in the same VMware ESX cluster. There is currently no support for Oracle databases. The Parity Agent, which performs disk inventory, monitoring and policy enforcement on workstations and servers, can be installed on Windows 2000-, XP-, Vista, or 2003-based systems.
Parity 4.1 policies are enforced per Host Group, which I set up in the Parity Server. My policy settings included monitor (watch and report), block (stop all unapproved applications), ask (warn user of unapproved software with an option to continue execution) and local approval (allow trusted users to approve software on their individual system).
The monitor policy was especially useful for understanding what applications were in use on my test systems before making policy decisions on specific applications.
After first installing the Parity agent on a system, the initialization process took from 10 to 40 minutes running in the background. This is a one-time penalty as compared with anti-virus scans, which typically consume 1 to 2 hours of machine time per week. The initial discovery looks for executables installed on the target system and then reports the inventory to the Parity Server. My systems reported more than 17,000 items scattered across several systems that have been used in typical production settings for the last two years. These items are presented to the administrator in a list on the Web-based Parity 4.1 console.