NOTA BENE

Notes, comment and buzz from Eugene Kaspersky – Official Blog

May 2, 2012

In Updates We Trust.

Remember my recent post on Application Control?

Well, after its publication I was flooded with all sorts of e-mails with comments thereon. Of particular interest were several cynical messages claiming something like, “The application control idea is sooo simple, there’s no need for any highfalutin special “Application Control” feature. It can be dealt with on-the-fly as applications are installed and updated.”

Yeah, right. The devil’s always in the details, my cynical friends! Try it on the fly – and you’ll only fail. To get application control done properly – with by far the best results – you need three things besides that “it’s easy” attitude: lots of time, lots of resources, and lots of work going into implementation of a practical solution. Let me show you why they’re needed…

On the surface, it’s true, it could seem Application Control was a cakewalk to develop. We create a domain, populate it with users, establish a policy of limited access to programs, create an MD5 database of trusted/forbidden applications, and that appears to be it. But “appears” here is exactly the right word: the first time some software updates itself (and ooohhh how software today loves to update itself often – you noticed?) the sysadmin has to write the database all over again! And only when that’s completed will the updated programs work. Can you imagine the number of angry calls and e-mails in the meantime? The number of irate bosses? And so it would continue, with every update into the future…

To the rescue here comes running a mostly unnoticeable but mega-useful feature of our Application Control – the Trusted Updater. It not only (1) automatically updates installed programs while simultaneously bringing the database of trusted software up to date, it also (2) keeps track of inheritances of “powers of attorney” attracted to the updating process. The former is fairly straightforward and clear, I think. The second… let me explain it a bit.

Let’s take an example. While performing an update, some software launches, let’s say, a browser (for example in order to show the user’s agreement), and transfers to it its access rights. But what happens when the update is completed? Are you twigging what I’m getting at here?… Yes – in some products the browser keeps the inherited rights until it’s restarted! So until then it could perform an action that is actually forbidden according to the security policy – for example, to download something from the Internet, and, more importantly – to run it. What’s more, the browser gets the ability to call on other programs and give them the enhanced rights of the updater. Oht-Oh!

Turns out a single update could bring down the whole security system through incorrect access rights’ management during the update process. Scariest of all is that this isn’t a bug, it’s a feature!

Anyway, back to our Trusted Updater. What it does is take full control over the update: as soon as the process has finished, it restores the rights back to what they were before the update – for the whole chain of affected programs. Another handy trick is its knowing beforehand which updaters can be trusted – there’s a special category for them in our Whitelist database. And should a sysadmin want to, he or she can add other updaters to this category with minimal effort but with a good addition to the level of the network’s overall protection from all sorts of sly backdoors.

Application Control

Ok, let me back up a bit and try make things clearer than crystal. Let’s look at four different possible scenarios for controlling applications and keeping track of software updates.

Right, the first scenario – to control applications’ installation and updating with a home-brew, on-the-fly solution as described in the very first example above. Fail. Since an average computer has up to ten regularly updated programs installed – this isn’t an option.

The second scenario – to use an out-of-the-box product with a constantly replenished database of trusted (whitelisted) software. This is at least better than the first scenario – since the sysadmin can create rules for groups of software (as well as add new groups) and not for specific checksums (which we learned long ago have a tendency to quickly change). Ok, let’s say we permit the whole of the “accounting programs” category to be used only by the accounting department, and let all the software of this kind to update itself. But what happens if it turns out that the whitelisting database doesn’t have info on some specific program or other? And as a result the quarterly reporting doesn’t get sent to the tax authorities in time? Again – angry calls/mails/fines and plenty of impromptu sorting out needed. Well, with our product (featuring a whitelist-database of 300 million-plus files, with a million being added daily) such a likelihood is tiny. Then again, it’s not zero. Still, with competitors things are a lot worse… Anyway, let’s have a look at the next scenario.

The third scenario – to use a product providing comprehensive control over updates, like Trusted Updater. At first glance this would seem to be the ideal scenario. But there’s a nuance here too. Application Control, even with its clever updater, is not sufficient – especially if we’re talking about IT Security in the broad sense. Suppose some (long-whitelisted) software suddenly picks up a malware infection (you never know, the cyber miscreants could have broken into the site of the developer from which the updates are distributed).

And so we come to scenario No. 4: Application Control + Trusted Updater + categorized whitelist + control over the chain of updates + the rest of the anti-malware arsenal, like the antivirus scanner and proactive protection. And this whole orchestra needs to work in complete unison – so that, even if the baddies put some malware into an updater, there’s an extremely high degree of probability it will be purged at the next stage of protection. And as a matter of fact, this fourth and best way is precisely what we’ve got implemented in our Endpoint Security 8.

Actually, Trusted Updater is just one of the many useful features in our Application Control that distinguish it not only from home-brew on-the-fly solutions but also from competitors’ products. For example, we’ve perfected the concept of dynamic whitelisting – involving a regularly replenished database of trusted programs (in a recent test, it covers 94% of corporate software). We categorize all software (for example, “browsers”, “games” – in all, 96 categories). Plus sysadmins can replenish existing, and add their own new categories. There’s also automatic checking of programs for vulnerabilities, inventorization of applications, full integration with endpoint protection, and much more besides.

Categorization Catalogue

Overall, the product has turned out to be both delicious and powerful. I do hope this post has explained matters sufficiently – so you can protect yourself and your companies’ systems – with zero headache!

comments 4 Leave a note

Emanuella

Muy interesante , me gusta

0
Reply to conversation

Emanuella

estoy pensando en poner el Kaspersky pure en mi pc personal pero no se si seria el mas adecuado

0
Reply to conversation

madrijabber

Dear Eugene …
You are “Quite right!”
The mechanism of supervision of installation of applications absolutely necessary in a server environment where cyber criminals do not know if hackers infect them with malware or trojans spies.

Go ahead Eugene!

You have the talent for such a creation.
Greetings …

Mário Madrigrano Jaber

0
Reply to conversation

Carl Berlin

I tell clients the importance of application control everyday and with Kaspersky, keeping track is made really easy for us. Here at BeSecure Networks http://www.besecurenetworks.com we sell this solution all the time and is providing our clients with an easy to manage employees application list that we can control without having to worry about it. Good article that breaks down how I explain the solution to end users… thanks!

0
Reply to conversation
Trackbacks 2

In Denial about Deny All? | Nota Bene

Application Control: the key to a secure network – Part 2 – Securelist – Information about Viruses, Hackers and Spam

Leave a note
September 3, 2015

Mission Impossible 5 – in KLondon!

I’ve been known to have a pop at the quality of Hollywood blockbuster movies released in recent years. But there’s a new film that bucks the trend, which I recommend everyone sees at the soonest! (But then I would say that)… This impossibly incredible film I’m talking about is Mission Impossible 5. So what’s so […]

September 2, 2015

Top-100 Series: South America.

South America Continuing our slow migration across the surface of the globe as per my Top-100, it’s now the turn of South America to show us what it’s got. And it’s got plenty… 18. Angel Falls, Venezuela The highest waterfall in the world; almost a kilometer of free-falling water. Haven’t been myself, but have heard rave […]

August 28, 2015

Kamchatka-2015 – top to bottom!

In my humble opinion, Kamchatka is the most fascinating and beautiful place on the planet. Bold statement, I know; but coming from a power-globetrotter like myself, maybe you won’t reject it out of hand? If you do – read the upcoming series of posts on this year’s An-Kam (annual Kamchatka), and let’s see if you haven’t […]

August 27, 2015

Top-100 Series: North America, Part 2.

Hi folks, In continuation of my revised and revamped Top-100 of the most remarkable, interesting, enchanting and beautiful places and countries of the world, here’s the next installment: part 2 of the very best – IMHO – places to visit in North America, i.e., the North American continent, which (of course?:) includes Central American countries […]

August 24, 2015

Kamchatka-2015 – aperitif.

“Further [vertically] up there, there’s a path!” – Our guide, Fyodr.   Hi all! Phew! Back to civilization from the harsh wilds of Kamchatka, and beginning the slow acclimatization back to modern city life and all its creature comforts. In all we trekked 315km on foot, and probably traveled thousands of kilometers in all-terrain vehicles […]

August 21, 2015

Top-100 Series: North America – Part 1.

Howdy folks! I’ve started – so I’ll finish. In my lengthy prelude, I promised to lay before you my updated Top-100 Must-See Places in the World in several portions over several posts. You’ve already had my new – extra – Top-20 Cities. Next up is a set of Top-Non-City-Must-See-Places – actually 17 of them – […]

More