Proventia Desktop firewall stymies malware

Newest version of host-based firewall proves capable with well-equipped feature set

In the days of overcomplicated security tools, it's satisfying to review a feature-rich product that intentionally keeps it simple. Internet Security Systems (ISS) Proventia Desktop (also known as IBM Proventia Desktop Endpoint Protection) offers a host-based firewall core supplemented by anti-virus, anti-malware, buffer overflow exploit protection, intrusion prevention, and it can function as a Cisco Network Admission Control agent. I was eager to test version, released after the IBM buyout of ISS, to see how the product is holding out against the competition.

(For more on ISS's mail security product, read our review of Proventia Network Mail Security System MS3004.)

Setup made simple

Installation of Proventia Desktop was simple and quick -- so quick that I almost didn't even know it installed. The only clue was a new status bar icon in the desktop tray. Clicking on the tray icon pulls up the user interface.

The UI has 7 tabs with a handful of configuration options on each. Interface options were clearly labeled and, in most cases, readily understandable without any additional reading. If you need more help, just click on the Help button provided on each configuration screen. There were a few minor bugs in the interface, but none that I couldn't immediately figure out.

The firewall comes with four defining Protection Levels carried over from the product's BlackICE origins: Paranoid, to block all unsolicited inbound traffic; Nervous, to block most unsolicited inbound traffic; Cautious, to block some unsolicited inbound traffic; and Trusting, which allows all inbound traffic.

The default setting is Nervous. It allows Internet and Windows NetBIOS sharing by default, but disabling each setting is as easy as removing the check mark. You can configure visual and audio indications for blocked traffic as well as get a visual indication when the service is stopped.

All host-based firewalls are subject to unauthorized stops in the firewall service. Typically, this is done accidentally by any user with administrative permissions and privileges or maliciously by a buffer overflow or executed malware program. Proventia Desktop protects itself from both: It prevents unauthorized changes to agent files and service shutdowns, asking for a password before the agent can be reconfigured or disabled. Additionally, the administrator can choose for all network traffic, inbound and outbound, to be blocked if the agent is stopped (i.e. fail secure).

The firewall's exception rules are standard. You can block by port or all ports, IP protocol number (UDP, TCP, etc.), IP address, or traffic direction (inbound, outbound, or both), and you can choose to accept or reject particular traffic. One interesting twist is the ability to set the future duration of the rule by hour, day, month, or forever, which is the default.

You should enable outbound Application Control, which is not turned on by default. You can choose the default behavior -- let it connect, prompt before allowing, prevent connection, or terminate application -- to implement when an unknown or modified application attempts to connect to the network. These same options are used in defining firewall rules, and you may define additional known applications along with the assigned behavior.

To define an application, you use a path statement or an MD5 hash value. Path statements can use system variables and the normal wildcard characters. Many host-based firewalls allow you to block applications, but Proventia Desktop also allows you to terminate the offending program, a setting that could be useful in putting down unauthorized programs and malware.
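To make the path-or-hash rule model concrete, here is an added example (not ISS code; Proventia's actual matching semantics are not documented in the review) of an application-control matcher: a rule is either a hash pin or a path pattern with system variables and wildcards, and an application that matches no rule, including a modified binary whose hash no longer matches, falls back to the configured default behavior. The system variable values and the sample binaries are constructed.

```python
import fnmatch
import hashlib

# The four behaviors the review lists for unknown or modified applications.
ALLOW, PROMPT, BLOCK, TERMINATE = "allow", "prompt", "block", "terminate"

# Hypothetical values standing in for Windows system variables (assumption).
SYSTEM_VARS = {"%SystemRoot%": r"C:\Windows",
               "%ProgramFiles%": r"C:\Program Files"}


def expand_vars(pattern, variables=SYSTEM_VARS):
    """Substitute %Var% tokens in a path statement before matching."""
    for name, value in variables.items():
        pattern = pattern.replace(name, value)
    return pattern


class AppRule:
    """One application definition: either an MD5 pin or a path pattern."""

    def __init__(self, behavior, path=None, md5=None):
        if (path is None) == (md5 is None):
            raise ValueError("rule needs exactly one of path or md5")
        self.behavior, self.path, self.md5 = behavior, path, md5

    def matches(self, exe_path, exe_bytes):
        if self.md5 is not None:
            # Hash pin: a modified binary no longer matches, which is the
            # narrower (safer) way to define a trusted application.
            return hashlib.md5(exe_bytes).hexdigest() == self.md5.lower()
        # Path rule: case-insensitive (Windows paths), shell-style wildcards.
        pattern = expand_vars(self.path).lower()
        return fnmatch.fnmatchcase(exe_path.lower(), pattern)


def decide(exe_path, exe_bytes, rules, default=PROMPT):
    """Return the behavior for an application; first matching rule wins."""
    for rule in rules:
        if rule.matches(exe_path, exe_bytes):
            return rule.behavior
    return default  # unknown or modified application -> default behavior


# Constructed sample binaries: v1 is the pinned one, v2 is a modified copy.
UPDATER_V1 = b"MZ constructed updater v1"
UPDATER_V2 = b"MZ constructed updater v1 + injected code"

RULES = [
    AppRule(ALLOW, md5=hashlib.md5(UPDATER_V1).hexdigest()),
    AppRule(ALLOW, path=r"%SystemRoot%\System32\svchost.exe"),
    AppRule(TERMINATE, path=r"C:\Users\*\AppData\Local\Temp\*.exe"),
]
```

Matching `decide(path, bytes, RULES)` against the constructed inputs shows the pinned updater allowed, its modified copy falling through to the default prompt, and a temp-directory executable terminated.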


Unfortunately, over 180 default exceptions are automatically allowed out even when Application Control is enabled. These include many programs that use network services to communicate out, default Windows applications (such as explorer.exe, rdpclip.exe), and various antivirus vendor files.

Direct network connections from these excepted applications can be blocked, but if another process injects into one of them, by using an API hook or a call into the excepted application, its traffic leaves through that application regardless of the Application Control setting. Malware can use this to bypass the firewall. (Users can examine the default exceptions, which are stored as a comma-delimited file in the Proventia home directory.) It would be nice if ISS listed the default exceptions in the GUI and also allowed them to be easily removed.

Seek and destroy

One of ISS' long-time strengths is intrusion detection and prevention. Proventia Desktop includes a ton of intrusion prevention signatures, including Ping sweep, NetBIOS share enumeration sweep, and TCP probe. Custom IDS signatures can be added through ISS' OpenSignature functionality. Exceptions to the intrusion detection list may also be added for the computer it is on or for other IP addresses, and you can define which events to ignore and which IP addresses to trust. This comes in handy for known legitimate computers that cause false positives.

Proventia Desktop integrates BitDefender anti-virus and anti-spyware features, and scanning is performed on access or on demand. Instead of using only normal, signature-based analysis, Proventia complements it with executable behavioral inspection, running suspicious code in a limited virtual environment.

By default, scanning is enabled only when files are being written to disk, not on every file action; ISS calls this Behavioral Virus Prevention. Proventia Desktop can also scan e-mail (Outlook, POP, SMTP, and IMAP clients) along with file attachment archives and self-extracting (packed) files, IE plug-in installs, and Microsoft Office documents when opened.

Although you cannot define which types of archive or packed files are scanned, you can define how "deep" the scanner should look: the number of files or bytes per archive it should examine, the amount of time to spend scanning per archive, and how many nesting levels deep it should go.

When malware is noted, the system takes one of five actions (correctly called reactions in Proventia Desktop): Clean, Prompt, Delete, Quarantine, or Report. I especially like the multiple levels of reaction that can be defined for various entry points. 

By default, anti-virus and anti-spyware signatures are checked and updated every hour. Updates come from centrally located update servers on the local network or from ISS's Web-located servers if the network update servers are unavailable.

Mixed feelings about buffer overflow protection

Proventia Desktop's Buffer Overflow Exploit Protection feature is not turned on by default, which I found unfortunate. Even when enabled, it only initially protects a limited set of common applications, including AOL Instant Messenger and Yahoo Messenger; VPN clients; Netscape; and Microsoft Office, IE, Exchange, and ISA and SQL Server. Thankfully, you may include additional applications using folder path or filename, or exclude other applications by filename.

The feature does exactly what its name says: exploitation protection, not buffer overflow protection. Proventia Desktop does not attempt to prevent buffer overflows from occurring in the first place; it leaves that to Windows Data Execution Protection or no-execution enabled CPUs. Instead, Proventia Desktop monitors potentially malicious system calls originating from memory areas that are likely to have resulted from a buffer overflow.

Proventia's limited buffer overflow protection is questionable in my book because it allows the buffer overflow to occur and it doesn't protect all applications. But it did successfully stop many of the most popular buffer overflows from causing further damage, including Blaster and Slammer. I wouldn't buy Proventia Desktop for the buffer overflow protection alone, but it's a nice add-on.

Logging is slightly above average. Events are listed by intrusion name or intruder IP address and are color coded to summarize criticality, and admins may customize the criticality and colors. Each event can be right-clicked to block or allow future traffic from the involved traffic origination point (see Figure 2 at right).

Involved remote host IP addresses can be converted to their DNS or NetBIOS host names with a feature ISS calls Back Tracing. All connection information and packet data can be logged to a file -- a great feature not included with many host-based firewalls. Management Console Reporting can be integrated with ISS' SiteProtector, a central management and reporting console.

A capable firewall

I put Proventia Desktop through its paces in a small test lab and also out on the road, connecting my laptop to several public networks over a period of two weeks. It performed well: All attack types and unknown probes were logged as expected. Proventia Desktop also stopped most tested worms and viruses, but a few new rootkits and programs archived with uncommon packers were not recognized (other popular anti-virus programs did not recognize them either). I was pleasantly surprised at the minimal performance hit.

Overall, ISS offers a capable host-based firewall with some additional functionality not included in other stand-alone firewall products. I especially liked its simple, clean interface. Make sure that you understand what Proventia Desktop can and can't do, especially concerning the default outbound exceptions and its buffer overflow exploit protection limitations.

InfoWorld Scorecard: IBM ISS Proventia Desktop Endpoint Protection

Threat defense (40.0%): 8.0
Value (10.0%): 8.0
Scalability (20.0%): 8.0
Setup (10.0%): 9.0
Management (20.0%): 7.0
Overall Score (100%): 7.9