Files are given a trust score ranging from 0 to 700; higher trust scores identify files with a higher level of legitimate confidence. For example, a file with a trust score of 500 is a legitimate file from a known vendor whose hash was collected directly from the vendor’s distribution image. A higher trust score would be given for a hash directly reported from the vendor during production. SignaCert claims to collect data on hundreds of thousands of files directly from the vendor.

The Bottom Line SignaCert, signacert.com Very Good  7.3 criteria score weight Management 7 20% Threat defense 7 40% Scalability 8 20% Setup 8 10% Value 7 10% Cost: $250 per CPU socket per year; volume, partner, and OEM pricing is also available. Platforms: Any client that supports Java Bottom Line: SignaCert's Enterprise Trust Server is a unique product for maintaining system consistency and for detecting malicious file modifications. Improvement over traditional host-based IDSes because its 80 million file signature database can determine legitimate files on the starting snapshot. Cannot detect all system changes and needs a client-side GUI. About our Reviews and Scoring Methodology

Expected files, as defined by policy, are considered “inside the set count.” Previously undefined files, even if they are legitimate vendor files, are considered “outside the set count.” The action of detecting unexpected but legitimate files can be used to find deviations from a distribution image, new unapproved patches, unapproved software, or -- even more worrisome -- removed patches. SignaCert reports that the ETS has gained stronger than expected use for confirming that all servers in a common cluster are identical to each other.

Testing known and unknown
The InfoWorld Test Center tested two scenarios: comparing against a previously defined distribution image and detecting previously unknown malware. In the distribution image scenario, we created a “gold” image and snapshot the files (remembering to not include legitimate variable random files like tmp files). We installed two new patches and removed one. We ran the supplied client-side programs and the ETS server correctly identified all changed files and correctly identified their source by patch name.

In the second scenario we took a Windows XP Pro SP2 computer and executed five bank-stealing Trojan programs not recognized by anti-virus software. The entire file scan of a Windows XP Pro SP2 client (with more than 80,000 OS and program files) took less than 15 minutes. The subsequent ETS report correctly identified every single new file insertion. This is a great detection tool in today’s world where traditional anti-virus detectors are becoming less reliable every day.

Useful with limitations
The ability to add unexplained files (in this case, malware) to a new ETS policy, then use harvesting to find more infected clients was extremely useful. This would prove invaluable when trying to detect exploitation damage from an unrecognized malware infestation.

Unfortunately, in its current version ETS cannot detect anything other than file changes. The malware programs’ manipulation of the registry, so common with today’s Windows malware, was not checked or reported on. In another small point, unexplained files were reported on the deviation report, but the status area was left blank. It would be nice if a text label called “undefined” or something similar was displayed. Additionally, because the harvesting process uses a nonpersistent Java client-side program, it is possible that rootkit modifications could go undetected.

It is clear, in talking with SignaCert’s CEO and developers, that the ETS appliance is just the first phase to a much larger goal. APIs are being developed to allow third parties and system vendors to utilize SignaCert’s large file identification database for a myriad of other functions, including trustworthy computing, intrusion prevention, and the additional inclusion of more examined object types (e.g. registry values, memory, etc.).