A Brief Overview of Naknan's Security Assistant™ and noScan™ Antivirus NG
November, 2010
Patents Pending
Executive Summary
In 2005, Naknan began an effort to determine how to make best use of software technologies the
Company had developed over the previous seven years. The most successful product the Company had
developed was nShare, a universal protocol for information sharing. nShare was used, at that time, in
Boeing's Engineering Support Rooms (part of NASA's Mission Control), throughout the European
Space Agency, in the German Space Agency, and at NASA's Human Spaceflight web site. There
appeared to be no significant opportunity for additional sales outside the NASA-like niche. Other
products included dShare, a product developed for and used exclusively by ESA, and nLog, an event
logging and reporting product that had been installed in one commercial satellite control center.
The challenge was to find a way to use some of those technologies in ways that had not been
anticipated when the technologies were developed, to create new products which would offer
significant value to a wide variety of customers. Several months of research and market analysis
followed.
Early in 2006, Naknan focused on endpoint security as the area in which to apply its existing technologies
and expertise. In this case, “endpoint security” meant “anti-malware” or, in the more common terminology,
antivirus. To add value, though, Naknan would have to take a different, more effective approach to
fighting virus, worm, trojan, and other infections. The methodology used in defining the new product
was highly structured and involved months of research, including interviews with experienced users of
then-current products. The new product became Security Assistant, which begat noScan™.
Security Assistant
Security Assistant provides four major capabilities to enterprises, all integrated, all managed from a
single Management Console. The four are:
1. Malware Sentry, which prevents execution of unauthorized software. Security Assistant
enforces a whitelist. The whitelist is easy to create (a few minutes of computer time) and
manage (automatically updated as updates, patches, and applications are deployed). Whitelist
enforcement is the only way to thwart targeted or unknown attacks; it works simply because the
SHA1 checksum of the attacking software is not on the whitelist. No traditional antivirus product
can come close to the effectiveness of a whitelist, and we make whitelist maintenance nearly
friction-free. Malware Sentry also detects and logs the insertion of removable media, and prevents
execution (or copying) of software from the media if it is not on the node's whitelist.
2. Software Baseline Management, which means we can deploy patches, updates,
applications, and any other software to end nodes securely, and provide a positive indication
that the software was installed (or not). The Security Assistant Agent does not provide status to
the Server until the install has completed or failed. It was designed this way to avoid the problem
we have seen with some patch management systems of throwing the patch at an endpoint and
calling it deployed. Security Assistant requires feedback from the Agent; absent that feedback, it
will at best indicate the software is "deploying" rather than installed, failed, declined, or any
other status. Software installed in this way will, as indicated above, automatically update the
whitelist for each node. This function is needed in order to securely automate whitelist
management, without which whitelisting is impractical.
3. Secure Remote Command, which provides the capability to download and execute, without
node user ID or password, any command or script the node is capable of executing, and
providing feedback as if from a command console at the node. These commands and scripts can
be as simple or as complex as needed, limited only by the Security Assistant user's creativity
and the limitations of the target node. Commands and scripts can be scheduled to, for example,
prepare a server to accept a patch and then restore to full operating capability once the patch is
installed and verified. We have demonstrated on a Solaris server (1) verifying that Oracle is
running properly; (2) stopping all elements of Oracle, including the database server; (3) switching
Solaris to single-user mode, which terminates all external interfaces except serial; (4) installing a
Solaris patch; (5) switching to multi-user mode; (6) restarting all elements of Oracle; (7) after Oracle
has had sufficient time to stabilize, verifying that all elements of Oracle are running properly; and
(8) verifying that the patch was installed. Step (3) makes this a very difficult and complex
operation, but we were able to complete it successfully time after time. This function is needed
in order to maximize the value of the second function by permitting the scheduling of
preparatory commands and scripts prior to scheduled software deployments.
4. Full Filesystem Audit, meaning that Security Assistant opens and inspects each file on the
file system, ignores those which are not software (determined by inspecting rather than looking
at file extension or other superficial means), and creates a report which shows (depending on
how your stylesheets are configured) (1) all software packages (applications, plug-ins, etc.)
found; (2) files which cannot be identified as part of one or more software packages; (3) files
which are not on the whitelist; and (4) certain hardware/platform information. With a little work
on the customer's part, the audit report can show any patches required to become compliant
with the Federal Desktop Core Compliance Initiative (based on xml files downloaded from
Mitre/Homeland Security). This function is needed to periodically capture a detailed inventory
of software on each node for compliance and other purposes, and to ensure that IT staff can
both know and prove the absence of unauthorized software.
These four functions, integrated as they are both functionally and within the Management Console,
permit very tight control of the software which is permitted to exist and/or execute on each node,
independent of that which is permitted on any other node. The term “software” in this context includes
authorized software, unauthorized but legitimate software, and malware. By viewing all software as
either authorized (by virtue of being on the node's whitelist) or unauthorized (which is all software not
found on the node's whitelist), the task of preventing execution of unauthorized software while using a
tiny fraction of the resources needed by traditional antivirus products is made far simpler and far more
certain than with any other anti-malware product. Similarly, quarantining immediately upon discovery
rather than simply blocking attempts to execute makes Security Assistant far more effective and
efficient than other whitelist products.
The value added is significant. Everyone can benefit from Malware Sentry. Whether it is a banking
trojan looking for money to steal (these are very sophisticated pieces of malicious software, usually not
caught by traditional antivirus programs), a Stuxnet-like hybrid attempting to steal intellectual property
and/or damage control systems, or an application installed by a user from a USB drive, great damage
can be done to an organization if the software is not caught and stopped. Malware Sentry catches all of
them, and anything else not on the whitelist. All events are reported to the Management Console. In the
event that the node's Agent cannot connect to the Security Assistant Server, Malware Sentry continues
protecting the computer and saves all event notifications until connection is restored. For mobile
laptops, connection can be from a public hotspot such as a coffee shop or library, the user's home,
broadband, or any other Internet connection. As soon as the computer connects to the Internet, the
Security Assistant Agent calls home.
Controlling the software baseline obviously adds value, since out-of-date software typically contains
more known vulnerabilities than up-to-date software does. Less easy to see, perhaps, is the value of
knowing (as opposed to hoping) that patches were installed, or more precisely, knowing the disposition
of each patch on each node. If you know a patch failed to install on a particular node, you can take
corrective action; if you don't know, you can't, and that makes the difference between curing
vulnerabilities and having vulnerabilities you don't know about. Likewise, being able to deploy
patches, updates, and applications to a mix of platform types from a single user interface, on your own
schedule, integrated with commands and scripts, while automatically and accurately updating the
whitelist for each node adds great value. But the greatest value of this function is that whitelist
management is automated, securely updating each node's whitelist as patches are successfully
deployed.
The secure command and script capability helps avoid a lot of node touching. You can examine the file
system, copy or delete files, change configurations, and many, many other things. The longer you use
it, the more useful it becomes because, after a while, you will come up with new ideas. What if, for
example, you had a requirement to examine all computers in an enterprise, without the users'
knowledge or consent, searching for a particular file/phrase/type of data? You could have a technician
go to each node and spend an hour or more searching for data of potential interest. With Security
Assistant, you develop a relatively simple script that can do all that on one computer (and copy
whatever is found to a secure location for analysis), then execute that script on all computers. To really
operate in stealth mode, do it after normal work hours or on weekends using Wake-On-LAN (for
computers that would normally be turned off and that are configured for WOL), then turn them back off
when finished.
The auditing capability is the one whose value might be most difficult to see. On the other hand,
consider how long unauthorized software executed unmolested in the “Aurora” and
“Stuxnet” attacks, or consider that victims of identity theft and similar crimes are becoming less
understanding of the difficulties companies have protecting them and their sensitive information; plaintiffs' attorneys
and the judicial system are becoming downright hostile. If your organization loses control of critical
processes, or lets sensitive data and information under its control escape because someone did not
timely deploy (and verify) patches to cure known vulnerabilities, or had unauthorized (even if not
malicious) software on some of their systems, such a discovery could be devastating in court. Some
regulations may require knowing the software inventory of each node, or of the enterprise as a whole.
If your organization used Security Assistant, including the audit capability, they would have proof of
software configuration at each point in time that an audit was performed (we usually recommend every
six months). A reasonably bright Security Assistant user will run the audit, remove all unauthorized
software, then run the audit again, and keep the second one.
Once the computers are clean, Security Assistant will keep them that way, so subsequent audits should
always show no unauthorized software, proof that the Security Assistant user is doing everything
reasonable to prevent unauthorized software, which helps protect sensitive data and information. And,
regulatory compliance regarding software inventory, whether for individual nodes or the enterprise as a
whole, just became very easy.
Security Assistant is a complex system, surprisingly easy to operate and manage.
Security Assistant for Process Control has all the same features and functionality as Security Assistant
for Enterprises, but several “under the hood” differences are designed for greater certainty of outcome
(e.g., crash avoidance is of far greater significance in the process control environment than for
commercial enterprises).
noScan™ Antivirus NG
noScan™ Antivirus NG is the consumer version of the anti-malware component of Security Assistant.
Home users and small businesses can benefit from the next generation of industrial-strength malware
protection by installing noScan™. With minimal configuration, noScan™ begins protecting the
computer it resides on with no further assistance from the user, operating similarly to Malware Sentry,
discussed above.
noScan™ Antivirus NG differs from traditional antivirus in two fundamental respects:
1. It doesn't bog your computer down with frequent scans that never seem to end (hence the
name, noScan™); and
2. It works.
Traditional antivirus (that's everyone except noScan™) is very ineffective and becoming even worse as
the rate of new malware releases skyrockets. A quick search of the Internet will turn up hundreds of
reports or more detailing the shortcomings of traditional antivirus. Some reports show that traditional
antivirus products fail to detect, on average, 20% or more of known malware, and few detect more than
40% of unknown malware. The most dangerous malware, that targeted to a specific industry or a
specific company, will always be unknown to everyone because it has never been seen before and no
signature can exist. Similarly, zero-day attacks are rarely recognized because they have never been seen
before. Targeted phishing attacks, those which attempt to trick computer users into visiting an infected
web site or downloading malicious software, are so effective against traditional antivirus simply
because they continuously change the signatures of the malware they use, making it practically
invisible to traditional antivirus.
noScan™ takes a different approach. Instead of attempting to know the unknowable as traditional
antivirus products do, it simply keeps track of the software that you've told it belongs on your machine.
Anything else, by definition, is unauthorized. Unauthorized software is blocked, quarantined, and
deleted. It doesn't matter whether it is known or unknown; it doesn't matter whether a signature exists
for it or not; all that matters is that it is not authorized to execute or exist on your computer.
This approach means that noScan™ doesn't have to repeatedly scan your hard drive, interrupting your
work or games. It doesn't need massive signature databases, because it doesn't use malware signatures,
and therefore doesn't need to constantly receive signature updates, eating away at your bandwidth.
Using less than 2% of your CPU and rarely using Internet bandwidth at all, noScan™ keeps track of
software that exists or attempts to exist on your computer and prevents it from doing so if it is not on
your Authorized Software List. noScan™ is both effective and non-intrusive.
Whitelisting is the only truly effective method of keeping all unauthorized software from executing on
a device. noScan™ does not need to know what tens of millions of malware look like; it simply needs
to know what the 10,000 to 25,000 software files on your desktop or laptop look like (using SHA1
hashes). There's no massive database, no never-ending scans, nothing to interrupt work or games. CPU
utilization is typically <2% although it peaks higher at certain times, such as the few milliseconds when
a write to fixed media occurs.
noScan™, as its enterprise sibling does, monitors all hard drive activity and all process starts, as well as
all interfaces that could be used for invasion. If you plug a USB drive into a noScan™-protected
laptop, for example, it detects the insertion, watches all transfers, and blocks anything that attempts to
execute from the USB drive. If the USB drive is write-enabled, noScan™ will quarantine anything that
attempts to execute, including deleting it from the USB drive.
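As an added illustration of the hash-based enforcement described for Malware Sentry and noScan™ above (this is not Naknan's code; the file paths, file contents and the use of SHA-256 rather than the paper's SHA1 are constructed assumptions), the following Python sketch builds a whitelist of content hashes, decides execute and copy-from-media attempts by hash alone, and holds event notifications while the agent cannot reach its server:

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" (path -> contents); not real software.
AUTHORIZED_FILES = {
    r"C:\Windows\notepad.exe": b"MZ-constructed-notepad",
    r"C:\Program Files\App\app.exe": b"MZ-constructed-app",
}

def file_hash(data: bytes, algo: str = "sha256") -> str:
    """Content hash of a file. The paper describes SHA1 whitelists; SHA-256 is
    the better choice today because SHA1 collisions are practical."""
    return hashlib.new(algo, data).hexdigest()

def build_whitelist(files: dict) -> set:
    # The whitelist is a set of content hashes; file name and path play no part.
    return {file_hash(data) for data in files.values()}

@dataclass
class Sentry:
    whitelist: set
    connected: bool = False                   # can the agent reach the server?
    quarantine: list = field(default_factory=list)
    pending_events: list = field(default_factory=list)    # held while offline
    delivered_events: list = field(default_factory=list)

    def _report(self, event: dict) -> None:
        # Store-and-forward: events are saved until the agent can call home.
        (self.delivered_events if self.connected else self.pending_events).append(event)

    def on_execute(self, path: str, data: bytes, removable: bool = False) -> str:
        """Decide an execute (or copy-from-media) attempt by hash alone."""
        h = file_hash(data)
        if h in self.whitelist:
            self._report({"action": "allow", "path": path, "hash": h})
            return "allow"
        # Unknown hash: block and quarantine immediately, whatever the file is named.
        self.quarantine.append({"path": path, "hash": h, "removable": removable})
        self._report({"action": "quarantine", "path": path, "hash": h,
                      "source": "removable" if removable else "fixed"})
        return "quarantine"

    def reconnect(self) -> int:
        # Flush saved notifications once connectivity is restored; returns the count.
        self.connected = True
        flushed = len(self.pending_events)
        self.delivered_events.extend(self.pending_events)
        self.pending_events.clear()
        return flushed

def demo() -> Sentry:
    s = Sentry(whitelist=build_whitelist(AUTHORIZED_FILES))
    notepad = AUTHORIZED_FILES[r"C:\Windows\notepad.exe"]
    s.on_execute(r"C:\Windows\notepad.exe", notepad)            # authorized
    s.on_execute(r"E:\np.exe", notepad, removable=True)          # renamed copy, same hash: allowed
    s.on_execute(r"E:\notepad.exe", b"MZ-constructed-unknown", removable=True)  # unknown: quarantined
    return s
```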
It's easy to test the effectiveness of noScan™.
1. USB: Insert a USB drive. (a) Drag and drop onto the desktop any executable or shared library
from the USB drive and watch it disappear (it can be found from File > Edit Quarantined
Items on noScan™'s Management Console). (b) Double-click (attempt to execute) a software
file on the USB drive. noScan™ will announce that it has blocked and quarantined the file; the
file will be deleted from the USB drive (if write-enabled). The quarantined file can be viewed
as above.
2. Web: Open a browser and point to a known infected web site (do not attempt this unless you
have noScan™ or Security Assistant™ installed). In most cases, downloaded malware will be
caught and quarantined while still in the browser's cache. If a large file is being downloaded, it
may be quarantined in parts. In all cases, software files will be quarantined.
3. LAN: (a) Attempt to execute a file which resides on a fileshare somewhere on the network. It
will be blocked. (b) Attempt to copy a software file from a network share to the noScan™-
protected computer; it will be quarantined.
4. Other Removable Media: Insert a CD-ROM or DVD with software on it. Any software will
be blocked.
5. Get creative; create your own software, or use your favorite malware. noScan™ is industrial
strength anti-malware protection for consumers.
noScan™ protects your computer from initialization to shutdown. You don't have to do anything, once
it is initially installed, to be protected and to remain protected. When Naknan has updates available for
noScan™, noScan™ will notify you; when you approve the update, noScan™ will silently download
and install the update without interrupting your work or your protection. We don't do signatures of
malware, so these updates to noScan™ will be infrequent.
You can install software if you wish, but you must tell noScan™ when you intend to do so. Otherwise,
noScan™ will quarantine everything you install. Quarantined items are easy to recover and add to the
Authorized Software List.
You can manually install patches just as you would any other software. Or, you can designate Authorized Updaters
and let them automatically download and patch your applications. An example of an updater that you
could authorize is wuauclt.exe, the Microsoft Updater for XP. Once you've told noScan™ that this
updater is authorized to add software to your computer, you can set your Microsoft OS and applications
to update automatically (if you choose) so that patches are downloaded and installed, and your
Authorized Software List is updated, all without you doing anything.
If you choose to designate Authorized Updaters, you must designate the full path, and noScan™ helps
you do this. Full path, including the name of the updater, is important because it keeps malware
developers from using a fake updater with the same name to deploy their malware. When noScan™
detects software being installed, it looks at what is causing the install; if it matches an Authorized
Updater, including full path, noScan™ verifies the integrity of the updater and lets it continue, adding
the resulting software to the Authorized Software List. If any part of the path does not match the path
noScan™ expects or if the updater fails to validate, the added software is immediately quarantined.
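An added example, not Naknan's code, of the Authorized Updater rule described in this section: a newly written file is added to the Authorized Software List only when the installing process matches an authorized updater by full path and that updater's on-disk image still validates; otherwise the new file is quarantined. The updater path, the image bytes and the file contents below are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins: the paper names wuauclt.exe as an updater one could authorize;
# the path and image bytes here are assumptions, not the real binary.
UPDATER_PATH = r"C:\Windows\System32\wuauclt.exe"
UPDATER_IMAGE = b"MZ-constructed-wuauclt"

@dataclass
class InstallEvent:
    installer_path: str     # full path of the process that wrote the new file
    installer_image: bytes  # on-disk contents of that process's executable
    new_file_path: str
    new_file_data: bytes

@dataclass
class UpdaterPolicy:
    # Authorized updaters keyed by full path -> hash recorded when the user authorized them.
    authorized: dict
    whitelist: set = field(default_factory=set)
    quarantine: list = field(default_factory=list)
    install_expected: bool = False  # user has told noScan an install is coming

    def on_install(self, ev: InstallEvent) -> str:
        new_hash = sha256(ev.new_file_data)
        if self.install_expected:
            # Manual install announced by the user: the new file joins the list.
            self.whitelist.add(new_hash)
            return "authorized_by_user"
        expected = self.authorized.get(ev.installer_path)   # exact full-path match only
        if expected is None:
            # Same file name in another directory is not the authorized updater.
            self.quarantine.append(ev.new_file_path)
            return "quarantine:unknown_updater"
        if sha256(ev.installer_image) != expected:
            # Updater binary no longer matches what was authorized: do not trust its output.
            self.quarantine.append(ev.new_file_path)
            return "quarantine:updater_failed_validation"
        self.whitelist.add(new_hash)
        return "authorized_by_updater"

def demo() -> tuple:
    p = UpdaterPolicy(authorized={UPDATER_PATH: sha256(UPDATER_IMAGE)})
    results = [
        # Genuine updater at its full path: the patch is installed and whitelisted.
        p.on_install(InstallEvent(UPDATER_PATH, UPDATER_IMAGE,
                                  r"C:\Windows\System32\patched.dll", b"patched-v2")),
        # Same name, wrong directory: the fake-updater case the paper warns about.
        p.on_install(InstallEvent(r"C:\Users\Public\wuauclt.exe", UPDATER_IMAGE,
                                  r"C:\Users\Public\dropper.exe", b"dropper")),
        # Right path, but the updater image itself fails integrity validation.
        p.on_install(InstallEvent(UPDATER_PATH, b"MZ-tampered",
                                  r"C:\Windows\System32\evil.dll", b"evil")),
    ]
    return results, p
```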
noScan™ is industrial-strength protection for home computers.