Application whitelisting review: SignaCert Enterprise Trust Services
SignaCert is great for monitoring compliance with application and configuration policies, but it lacks built-in blocking.
Columnist, InfoWorld |
SignaCert was one of the first whitelisting products available, and it now boasts more than 1 billion predefined file signatures as part of its Global Trust Repository service. It also offers file authenticity ratings, wide platform support, extensibility through XML, and excellent documentation. SignaCert's significant weakness is that it does not natively block file executions -- the only product in InfoWorld's review that does not include this ability as a standard feature.
Instead of blocking unauthorized applications, SignaCert focuses on identifying deviations from trusted, predefined baselines of files and security configuration settings, specializing in midsize to large environments.
SignaCert Enterprise Trust Services is composed of the SignaCert Enterprise Trust Server appliance, a huge predefined file hash database (cloud service and local), and a client that works across more operating systems (including Windows, Linux, Mac OS X, and Solaris) than any of the reviewed competitors. SignaCert even claims to work across network device platforms, such as firewalls and routers, but I didn't test that functionality. It's also the only product to monitor security configuration settings, as well as registry and file objects.
SignaCert's nonpersistent Java client is the most customizable client in this review. You can tailor its behavior based on a variety of configuration settings (to cap CPU utilization, for example). You can even build your own client to support whatever you want as long as it confirms to SignaCert's XML formatting. SignaCert easily has the best documentation of any product in this review, including hundreds of pages on both client and server components.
SignaCert comes with a vast database of predefined file hashes collected directly from the vendors. This used to be a unique feature for SignaCert, but Bit9 Parity and Lumension Application Control have followed suit. SignaCert claims to cover a wider array of platforms with its predefined file signatures than these competitors, but I did not verify this claim.
| Test Center Scorecard | ||||||
|---|---|---|---|---|---|---|
| 30% | 15% | 25% | 10% | 20% | ||
| SignaCert Enterprise Trust Services 3.0 | 8 | 9 | 8 | 8 | 8 |
8.2 Very Good |
SignaCert lets you collect your own baselines using a process it calls harvesting. Unlike the baseline generation tools of many competitors, SignaCert's harvesting can easily report all file types, including the attributes of multiple hashes, location, publisher values, and even file permissions and ownership.
SignaCert collects four file hash measurements [screen image] -- MD5, SHA-1, SHA-256, and SHA-512 -- the most hash types of any product in this review. Like Bit9, SignaCert applies trust values on files it recognizes and includes the location and collection method when calculating the trust value, called an Authenticity score. Authenticity scores can range from 0 to 1000, with 1000 equivalent to completely trusted. SignaCert prepopulates these scores, or customers can submit their own scores for newly collected files.
SignaCert may trail competitors in execution blocking, but it leads the way in baselining and compliance. SignaCert includes out-of-the-box templates for various regulatory requirements (PCI, FDCC, SOX, NERC) covering not only files, but ports, services, and configuration settings. Other vendors offer regulatory audits, but no other product defends ports, services, and configuration settings.
Monitoring for compliance is fairly simple. Simply match a compliance template with one or more computers that you want to audit or survey. Run a file scan before or after, and then compare the results. You can run baseline or audit compliance reports ad hoc or on a scheduled basis, and you can save reports to multiple formats, including PDF and XML. Alerts can be sent via e-mail, Windows event logs, SNMP, syslog, and more. SignaCert comes with many predefined and customizable dashboard views [screen image] and reports, and output can even be connected to Remedy Help Desk solutions.
This story, "Application whitelisting review: SignaCert Enterprise Trust Services," and reviews of competing products from Bit9, CoreTrace, Lumension, McAfee, and Microsoft, were originally published at InfoWorld.com. Follow the latest developments in information security and endpoint security at InfoWorld.com.
Copyright © 2009 IDG Communications, Inc.