Primary Response update targets Trojans, rootkits

Sana Security's updated product addresses new security threats

Sana Security said on Monday that a new version of its Primary Response product can help customers detect a new generation of complex online threats, including Trojan horse programs and malicious remote monitoring software known as "rootkits."

Primary Response 3.0 is the latest version of Sana's intrusion prevention system (IPS) software. It improves the ability of the technology to spot and block threats before they have been formally identified, Sana said in a statement.

The product uses software agents on servers and desktops to monitor and respond to threats. A heuristic detection technology called Active Malware Defense Technology (Active MDT) protects servers and clients from malicious software, including rootkits, which often imitate normal programs, Sana said.

Sana offers agent software that runs on servers that use Microsoft Corp.'s Windows NT, 2000 and 2003 or Sun Microsystems' Solaris 8 operating systems, and on client machines running Windows 2000 and XP, Sana said.

Active MDT analyzes the behavior of memory processes or applications on a machine over time and flags malicious behavior, or software that is trying to evade detection, the company said. Unlike signature-based detection, Active MDT uses a combination of behaviors to determine whether or not a program is malicious, Sana said.

Primary Response can be managed centrally and deployed across hundreds of servers and PCs on a corporate network, or on machines used in remote locations or branch offices using a management server, Sana said.

Rootkits and Trojan horse programs are of growing interest to network security managers because the programs are increasingly distributed along with Internet viruses and worms, and can be used for sophisticated identity and intellectual property theft. Unlike traditional viruses, rootkits and Trojans are often able to avoid detection by traditional security products such as antivirus software, intrusion detection systems (IDS) and firewall software.

A new generation of so-called "kernel rootkits" is becoming more common. They attack the kernel, or core processing center of an operating system, and can intercept data passing to and from the kernel, making it difficult for administrators or detection tools to see signs that the system is being attacked.

Products like Primary Response detect infections using an approach called "adaptive profiling." This studies the way an application normally behaves, then issues warnings when abnormal behavior is observed, Sana said.

Primary Response 3.0 is available immediately from Sana and costs US$32 for a single desktop license, with volume discounts available. Server licenses start at $875 per server, Sana said.