SignaCert appliance sorts good from bad
SignaCert’s Enterprise Trust Server maintains legitimate system consistency and detects malware modificationsFollow @rogeragrimes
Expected files, as defined by policy, are considered “inside the set count.” Previously undefined files, even if they are legitimate vendor files, are considered “outside the set count.” The action of detecting unexpected but legitimate files can be used to find deviations from a distribution image, new unapproved patches, unapproved software, or -- even more worrisome -- removed patches. SignaCert reports that the ETS has gained stronger than expected use for confirming that all servers in a common cluster are identical to each other.
Testing known and unknown
The InfoWorld Test Center tested two scenarios: comparing against a previously defined distribution image and detecting previously unknown malware. In the distribution image scenario, we created a “gold” image and snapshot the files (remembering to not include legitimate variable random files like tmp files). We installed two new patches and removed one. We ran the supplied client-side programs and the ETS server correctly identified all changed files and correctly identified their source by patch name.
In the second scenario we took a Windows XP Pro SP2 computer and executed five bank-stealing Trojan programs not recognized by anti-virus software. The entire file scan of a Windows XP Pro SP2 client (with more than 80,000 OS and program files) took less than 15 minutes. The subsequent ETS report correctly identified every single new file insertion. This is a great detection tool in today’s world where traditional anti-virus detectors are becoming less reliable every day.
Useful with limitations
The ability to add unexplained files (in this case, malware) to a new ETS policy, then use harvesting to find more infected clients was extremely useful. This would prove invaluable when trying to detect exploitation damage from an unrecognized malware infestation.
Unfortunately, in its current version ETS cannot detect anything other than file changes. The malware programs’ manipulation of the registry, so common with today’s Windows malware, was not checked or reported on. In another small point, unexplained files were reported on the deviation report, but the status area was left blank. It would be nice if a text label called “undefined” or something similar was displayed. Additionally, because the harvesting process uses a nonpersistent Java client-side program, it is possible that rootkit modifications could go undetected.
It is clear, in talking with SignaCert’s CEO and developers, that the ETS appliance is just the first phase to a much larger goal. APIs are being developed to allow third parties and system vendors to utilize SignaCert’s large file identification database for a myriad of other functions, including trustworthy computing, intrusion prevention, and the additional inclusion of more examined object types (e.g. registry values, memory, etc.).