Taking the application approach to client security

Taking the application approach to client security.

Application control endpoint security products can limit the programs that can run on distributed client systems. The three products we tested in this category each attempt to solve the problem differently.

WholeSecurity’s Confidence Online takes a behavior-based approach and monitors application activity. If the application starts exhibiting malicious behavior, the process/program can be logged or killed, depending on how the policy is defined.

SecureWave’s Sanctuary uses a whitelist approach, which lets the client only run applications that have been explicitly allowed to run, launch or execute. You can define these applications based on file name, file path and cryptographic hash, for example. This approach can be difficult to administer because you need to know explicitly which applications are good and bad, a difficult stipulation these days when the latest attack runs as an executable named explorer.exe.

Finjan Software’s Vital Security for Clients takes an approach that falls in between the other two.

We found WholeSecurity to be the strongest performer because of its behavior-based approach and ease of use.

The setup and configuration of the Finjan and WholeSecurity servers/consoles installation went smoothly. We followed the installer and the documentation for the server, used a downloadable client program and did not encounter any major issues.

The SecureWave installation process was not all that difficult but was time-consuming because as it did require reading the manual to understand how everything worked and what needed to be done. But to that end, we found the SecureWave documentation to be clearly written, detailed, accurate and easy to understand. Finjan and WholeSecurity provide adequate documentation, without standing out as either stellar or grossly lacking.

Moving onto policy management

We attempted to implement the same policy we used when testing the hybrid endpoint security products, but ran into a few issues. Because these products do not contain “classic” network-based firewall  functionality, we had to figure out how to define our policy in terms of application execution. For example, WholeSecurity and SecureWave could only be tested on their product’s ability to block specific applications such as sol.exe and telnet.exe from running, if defined that way.

For SecureWave, we profiled the system and set sol.exe as a disallowed application. This program failed to launch, as expected. Telnet also was set as a disallowed application. Again, this program failed to launch, as expected.

WholeSecurity monitors applications for unusual or malicious activity. You also can specify programs that should not run. We specified that sol.exe and telnet.exe should not be allowed to execute, a rule that was successfully followed.

Finjan monitors active content, such as Javascript, in HTML tags, so it would not work with any of our policy tests. You can choose to allow, block or monitor active content in runtime.

Onto attacking

Finjan, SecureWave and Whole Security, as they only offer application control, worked as far as they claimed in this area. They don’t help defend against network attacks because there is no network protection (firewall, intrusion detection or intrusion prevention ). But all products kept operating when we tried to coarsely de-install them.

The one consistent area of improvement for all products in this space is reporting. Every product needs better, detailed reporting system.

WholeSecurity sends alerts to the central server. But we would like to see more information in these alerts and more report options, such as the ability to create custom reports. Report data can be exported to an XML -type file.

Finjan includes a log viewing section in the console where you can pull up the logs and a reporting module to generate a few canned reports, including attack status. These reports can be exported to a CSV file.

SecureWave sends logs to the central server, but does not contain any additional reporting functionality.

In the end, WholeSecurity came out on top. Its behavior-based approach is non-intrusive to the end user and is effective. And administrators still have the ability to manually block or allow applications when necessary. However, as with all of the application-focused products tested, we highly recommend that you deploy WholeSecurity’s wares with a personal firewall.

Back to review: “Endpoint security products aid in client defense”