SignaCert appliance sorts good from bad

SignaCert’s Enterprise Trust Server maintains legitimate system consistency and detects malware modifications

One of the biggest challenges in deploying a HIDS (host-based IDS) is determining whether the host you are installing the IPS on is safe and secure to begin with. How can you detect malicious deviations from a starting point when you aren’t really certain it doesn’t already contain a virus or rootkit?

SignaCert’s ETS (Enterprise Trust Server) 1U appliance can identify millions of legitimate files based on their hash fingerprint, reporting the vendor and program to which they belong. The ETS can be used to look for previously unknown instances of malicious code, find deviations from an approved “gold” image, or ensure that supposedly identical systems are indeed file-for-file identical.

Started by Wyatt Starnes, previous co-founder and CEO of Tripwire, SignaCert has been collecting and cataloging tens of millions of legitimate vendor files and executables during the past few years. SignaCert claims to have built a huge database of more than 80 million different program files. When an ETS appliance is delivered to a client, SignaCert includes a subset of the larger database customized for the customer’s installed platforms (Windows, Solaris, Linux, etc.). Customers scan targeted client or server systems and compare the results to previously defined ETS policies. Deviations can be noted on reports, sent as alerts, or queried from a database.

Scanning for the known

The ETS appliance can be installed anywhere on the network, and setup is standard for a security appliance. After installation and configuration, administration is via HTTPS over a nonstandard port (nice touch). The ETS administrator defines various policies, each of which contains a list of what files should be considered legitimate. SignaCert has already collected all the file signatures for every major OS and thousands of programs, but clients can add their own.

A common scenario is for users to build a reference deployment image, then use the ETS to collect a snapshot that is subsequently used to populate the ETS database. However, unlike a traditional HIDS, ETS can tell you if the reference image contains any unknown or unexpected files. Collected referenced file statistics are then compared to other selected computers.

Surveyed computers run a client-side Java program that does the file scanning (called “harvesting” by SignaCert) and sends the results to the ETS appliance over HTTPS port 443. Any computer capable of hosting a Java-based program can run the ETS harvesting program.

Data collection and comparison is initiated by running command-line file scanning programs (GUI versions are not yet available). The results are copied to a centralized ETS server. Another client-side program can initiate a comparison against a particular ETS policy. Results can be reported on the client or queried out of a back-end MySQL database.

Files are given a trust score ranging from 0 to 700; higher trust scores identify files with a higher level of legitimate confidence. For example, a file with a trust score of 500 is a legitimate file from a known vendor whose hash was collected directly from the vendor’s distribution image. A higher trust score would be given for a hash directly reported from the vendor during production. SignaCert claims to collect data on hundreds of thousands of files directly from the vendor.

Expected files, as defined by policy, are considered “inside the set count.” Previously undefined files, even if they are legitimate vendor files, are considered “outside the set count.” The action of detecting unexpected but legitimate files can be used to find deviations from a distribution image, new unapproved patches, unapproved software, or -- even more worrisome -- removed patches. SignaCert reports that the ETS has gained stronger than expected use for confirming that all servers in a common cluster are identical to each other.

Testing known and unknown
The InfoWorld Test Center tested two scenarios: comparing against a previously defined distribution image and detecting previously unknown malware. In the distribution image scenario, we created a “gold” image and snapshot the files (remembering to not include legitimate variable random files like tmp files). We installed two new patches and removed one. We ran the supplied client-side programs and the ETS server correctly identified all changed files and correctly identified their source by patch name.

In the second scenario we took a Windows XP Pro SP2 computer and executed five bank-stealing Trojan programs not recognized by anti-virus software. The entire file scan of a Windows XP Pro SP2 client (with more than 80,000 OS and program files) took less than 15 minutes. The subsequent ETS report correctly identified every single new file insertion. This is a great detection tool in today’s world where traditional anti-virus detectors are becoming less reliable every day.

Useful with limitations
The ability to add unexplained files (in this case, malware) to a new ETS policy, then use harvesting to find more infected clients was extremely useful. This would prove invaluable when trying to detect exploitation damage from an unrecognized malware infestation.

Unfortunately, in its current version ETS cannot detect anything other than file changes. The malware programs’ manipulation of the registry, so common with today’s Windows malware, was not checked or reported on. In another small point, unexplained files were reported on the deviation report, but the status area was left blank. It would be nice if a text label called “undefined” or something similar was displayed. Additionally, because the harvesting process uses a nonpersistent Java client-side program, it is possible that rootkit modifications could go undetected.

It is clear, in talking with SignaCert’s CEO and developers, that the ETS appliance is just the first phase to a much larger goal. APIs are being developed to allow third parties and system vendors to utilize SignaCert’s large file identification database for a myriad of other functions, including trustworthy computing, intrusion prevention, and the additional inclusion of more examined object types (e.g. registry values, memory, etc.).

InfoWorld Scorecard
Value (10.0%)
Scalability (20.0%)
Setup (10.0%)
Threat defense (40.0%)
Management (20.0%)
Overall Score (100%)
SignaCert Enterprise Trust Server v.1.1 7.0 8.0 8.0 7.0 7.0 7.3