SignaCert appliance sorts good from bad

One of the biggest challenges in deploying a HIDS (host-based IDS) is determining whether the host you are installing the IPS on is safe and secure to begin with. How can you detect malicious deviations from a starting point when you aren’t really certain it doesn’t already contain a virus or rootkit?

SignaCert’s ETS (Enterprise Trust Server) 1U appliance can identify millions of legitimate files based on their hash fingerprint, reporting the vendor and program to which they belong. The ETS can be used to look for previously unknown instances of malicious code, find deviations from an approved “gold” image, or ensure that supposedly identical systems are indeed file-for-file identical.

Started by Wyatt Starnes, previous co-founder and CEO of Tripwire, SignaCert has been collecting and cataloging tens of millions of legitimate vendor files and executables during the past few years. SignaCert claims to have built a huge database of more than 80 million different program files. When an ETS appliance is delivered to a client, SignaCert includes a subset of the larger database customized for the customer’s installed platforms (Windows, Solaris, Linux, etc.). Customers scan targeted client or server systems and compare the results to previously defined ETS policies. Deviations can be noted on reports, sent as alerts, or queried from a database.

Scanning for the known
The ETS appliance can be installed anywhere on the network, and setup is standard for a security appliance. After installation and configuration, administration is via HTTPS over a nonstandard port (nice touch). The ETS administrator defines various policies, each of which contains a list of what files should be considered legitimate. SignaCert has already collected all the file signatures for every major OS and thousands of programs, but clients can add their own.

A common scenario is for users to build a reference deployment image, then use the ETS to collect a snapshot that is subsequently used to populate the ETS database. However, unlike a traditional HIDS, ETS can tell you if the reference image contains any unknown or unexpected files. Collected referenced file statistics are then compared to other selected computers.

Surveyed computers run a client-side Java program that does the file scanning (called “harvesting” by SignaCert) and sends the results to the ETS appliance over HTTPS port 443. Any computer capable of hosting a Java-based program can run the ETS harvesting program.

Data collection and comparison is initiated by running command-line file scanning programs (GUI versions are not yet available). The results are copied to a centralized ETS server. Another client-side program can initiate a comparison against a particular ETS policy. Results can be reported on the client or queried out of a back-end MySQL database.

Files are given a trust score ranging from 0 to 700; higher trust scores identify files with a higher level of legitimate confidence. For example, a file with a trust score of 500 is a legitimate file from a known vendor whose hash was collected directly from the vendor’s distribution image. A higher trust score would be given for a hash directly reported from the vendor during production. SignaCert claims to collect data on hundreds of thousands of files directly from the vendor.