Most security vendors have moved away from signature-based detection of attacks to behavior or anomaly-based solutions, but a small group of companies has eschewed this approach altogether and is using advanced memory protection technology to prevent malicious code from executing on protected machines.
Most IPSes (intrusion prevention systems) work by observing the behavior of a protected system and learning what constitutes normal and expected behavior. When the system attempts to perform a task that the IPS doesnt recognize, the security system blocks the operation.
Other IPS tools use attack signatures, much like anti-virus software and IDSes (intrusion detection systems), to identify known attacks. But because the software needs the most up-to-date signature files to block the most recent attacks, it can fall prey to false positives.
One new solution, coming this week from Determina Inc., is Version 2.0 of its SecureCore memory firewall product, which includes protection for a wider array of Windows components and a new management console.
The approach of Determina, of Redwood City, Calif., and other security vendors such as Sana Security Inc. is to prevent malicious application behavior. Sana does this by intercepting system calls.
Determinas SecureCore solution inspects all the code that attempts to run on a protected host and prevents code injection into application memory. SecureCore is designed to prevent attacks by memory-resident worms such as Code Red or Slammer, as well as code-injection attacks on buffer overruns, stack overruns and format-string vulnerabilities.
Version 2.0 not only protects all the core Windows services but also has the ability to guard systems running Microsoft Corp.s IIS (Internet Information Services), SQL Server and Exchange. The new console gives administrators the ability to manage all their protected servers from one location and view event logs for each device.