Proventia offers advanced virus protection
New functionality boosts desktop PC software’s defenses
- By Lynn Simmonds
- Mar 20, 2006
The experts told us years ago that pattern matching, the traditional way to detect viruses, would eventually fall to the wayside in favor of nontraditional methods.
The experts were wrong. Only pattern matching can reveal a virus’ name, and we need to know that for two reasons. First, we have to know the name to clean the virus off our systems, and second, we need to know what damage it might have done.
But when trying to detect zero-day virus attacks — those that exploit software vulnerabilities that software vendors have not yet discovered — we need to catch the infections before the detection pattern arrives from the vendor.
Internet Security Systems (ISS) has developed a technology that you can add to your antivirus solution. The company’s new Virus Prevention System (VPS) now ships with several products. We decided to test it in Proventia Desktop, ISS’ agent program for locking down and fortifying desktop PCs and mobile devices.
By accident, ISS sent our labs a copy of the Proventia Desktop agent that had all the security features turned on and no way to turn them off. When we executed the agent, it silently installed on our PC running Microsoft Windows XP, leaving its icon in the right hand tray. But we couldn’t execute any programs on our workstation.
Although we are not hackers, we couldn’t resist a challenge. At the end of the day, after applying our knowledge of the operating system’s unusual features, we had penetrated all defenses and regained complete control of our computer. But we also respected the multiple layers of security that ISS had piled on our PC. We dutifully reported our penetration methods to a designated ISS technician, so the company probably closed the arcane security holes we jumped through.
We were already satisfied that Proventia could prevent unauthorized application programs from executing, so we began to test its defenses against malicious software. To see how it performed against zero-day attacks, we blocked updates to Proventia, waited one week and then hit the system with viruses that had appeared in that time. Although our sample was small, Proventia detected the new viruses.
VPS works by executing new software within a virtual machine and examining it for viruslike behaviors. ISS has identified more than 600 such behaviors and constantly adds more. Adding a pattern to a traditional antivirus program enables it to detect one virus, but adding an update to VPS empowers it to detect a whole class of viruses.
VPS detected all of a large number of common viruses, spyware and other malicious programs when we exposed them on the workstation. The system impressed us by not giving a single false positive.
We like that VPS detects viruses within a virtual machine. Inside a virtual machine, which is a self-contained operating environment that behaves as if it were a separate computer, the system can test a suspicious program to extremity without fear of it harming your system. When VPS works with your current PC antivirus program, the odds are stacked against the viruses.
Proventia adds a remarkable number of protections to the desktop. But that means it is necessarily a complex product. Our experience is that complex products are sometimes easy to break. When we installed the agent on one of our PCs, for example, the desktop kept freezing, displaying a gray screen after about three minutes of use.
We advise thorough testing before you implement Proventia, and check the company’s Web site for known conflicts with other programs.
Greer is a network security consultant. Bishop operates Peoples Information.com, an Internet consulting firm. They can be reached at [email protected].