Application control endpoint security products can limit the programs that can run on distributed client systems. The three products we tested in this category each attempt to solve the problem differently.
WholeSecurity's Confidence Online takes a behavior-based approach and monitors application activity. If the application starts exhibiting malicious behavior, the process/program can be logged or killed, depending on how the policy is defined.
SecureWave's Sanctuary uses a whitelist approach, which lets the client only run applications that have been explicitly allowed to run, launch or execute. You can define these applications based on file name, file path and cryptographic hash, for example. This approach can be difficult to administer because you need to know explicitly which applications are good and bad, a difficult stipulation these days when the latest attack runs as an executable named explorer.exe.
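The difference between name-, path- and hash-based whitelist rules is easiest to see in code. The following is an added illustration written for this review, not code from Sanctuary or any other product tested here: a minimal default-deny policy engine that evaluates a launch request against an ordered rule list. The executable contents, paths and rule set are constructed sample data. It shows why a rule keyed on the file name "explorer.exe" admits any binary that happens to carry that name, while a rule keyed on the cryptographic hash admits only the exact file the administrator approved.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str    # "name", "path" or "hash"
    value: str   # file name, full path, or SHA-256 hex digest
    allow: bool  # True = permit execution, False = block it


@dataclass(frozen=True)
class LaunchRequest:
    path: str       # where the executable sits on disk
    content: bytes  # constructed stand-in for the executable's bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm_path(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one canonical form.
    return path.replace("\\", "/").lower()


def _basename(path: str) -> str:
    return _norm_path(path).rsplit("/", 1)[-1]


def evaluate(request: LaunchRequest, rules, default_allow: bool = False):
    """First matching rule wins; with no match the default (deny) applies.

    Returns (allowed, reason) so a caller can log why a launch was decided.
    """
    digest = sha256_hex(request.content)
    for rule in rules:
        if rule.kind == "hash" and rule.value == digest:
            return rule.allow, f"hash rule {rule.value[:12]}..."
        if rule.kind == "path" and _norm_path(rule.value) == _norm_path(request.path):
            return rule.allow, f"path rule {rule.value}"
        if rule.kind == "name" and rule.value.lower() == _basename(request.path):
            return rule.allow, f"name rule {rule.value}"
    return default_allow, "no matching rule, default applied"


# Constructed sample binaries: the approved shell and an impostor using its name.
GENUINE_EXPLORER = b"constructed bytes standing in for the approved explorer.exe"
IMPOSTOR = b"constructed bytes standing in for malware renamed to explorer.exe"
TELNET = b"constructed bytes standing in for telnet.exe"

# Policy A: deny the two test programs by name, allow the shell by hash.
HASH_POLICY = [
    Rule("name", "telnet.exe", allow=False),
    Rule("name", "sol.exe", allow=False),
    Rule("hash", sha256_hex(GENUINE_EXPLORER), allow=True),
]

# Policy B: same denies, but the shell is allowed by file name only.
NAME_POLICY = [
    Rule("name", "telnet.exe", allow=False),
    Rule("name", "sol.exe", allow=False),
    Rule("name", "explorer.exe", allow=True),
]

REQUESTS = {
    "genuine": LaunchRequest(r"C:\Windows\explorer.exe", GENUINE_EXPLORER),
    "impostor": LaunchRequest(r"C:\Users\bob\Downloads\explorer.exe", IMPOSTOR),
    "telnet": LaunchRequest(r"C:\Windows\System32\telnet.exe", TELNET),
}


def run_policies():
    """Evaluate every constructed request under both policies.

    Returns {(policy, request): allowed} for inspection or assertion.
    """
    outcome = {}
    for policy_name, policy in (("hash", HASH_POLICY), ("name", NAME_POLICY)):
        for req_name, req in REQUESTS.items():
            allowed, reason = evaluate(req, policy)
            outcome[(policy_name, req_name)] = allowed
            print(f"{policy_name:4} policy | {req_name:8} | "
                  f"{'ALLOW' if allowed else 'DENY':5} | {reason}")
    return outcome


if __name__ == "__main__":
    run_policies()
```

Both policies block telnet.exe, as in the review's tests, and both admit the approved shell. Only the hash policy rejects the impostor: the name policy accepts it because the rule has nothing to distinguish the two files. The administrative cost the paragraph mentions falls out of the same design, since every legitimate update to an approved binary changes its hash and needs a new rule.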
Finjan Software's Vital Security for Clients takes an approach that falls in between the other two.
We found WholeSecurity to be the strongest performer because of its behavior-based approach and ease of use.
The setup and configuration of the Finjan and WholeSecurity servers and consoles went smoothly. We followed the installer and the server documentation, used a downloadable client program and did not encounter any major issues.
The SecureWave installation process was not all that difficult but was time-consuming, because it did require reading the manual to understand how everything worked and what needed to be done. To that end, we found the SecureWave documentation to be clearly written, detailed, accurate and easy to understand. Finjan and WholeSecurity provide adequate documentation, without standing out as either stellar or grossly lacking.
We attempted to implement the same policy we used when testing the hybrid endpoint security products, but ran into a few issues. Because these products do not contain "classic" network-based firewall functionality, we had to figure out how to define our policy in terms of application execution. For example, WholeSecurity and SecureWave could be tested only on their ability to block specific applications, such as sol.exe and telnet.exe, from running when the policy was defined that way.
For SecureWave, we profiled the system and set sol.exe as a disallowed application. This program failed to launch, as expected. Telnet also was set as a disallowed application. Again, this program failed to launch, as expected.
WholeSecurity monitors applications for unusual or malicious activity. You also can specify programs that should not run. We specified that sol.exe and telnet.exe should not be allowed to execute, a rule that was successfully followed.
Finjan monitors active content, such as JavaScript in HTML tags, so it would not work with any of our policy tests. You can choose to allow, block or monitor active content at runtime.
Finjan, SecureWave and WholeSecurity, which offer only application control, worked as claimed in that area. They don't help defend against network attacks because there is no network protection (firewall, intrusion detection or intrusion prevention). But all products kept operating when we tried to coarsely de-install them.