A Brief Overview of Naknans Security Assistant™ andnoScan™ Antivirus NG November, 2010 Patents Pending
Executive SummaryIn 2005, Naknan began an effort to determine how to make best use of software technologies theCompany had developed over the previous seven years. The most successful product the Company haddeveloped was nShare, a universal protocol for information sharing. nShare was used, at that time, inBoeings Engineering Support Rooms (part of NASAs Mission Control), throughout the EuropeanSpace Agency, in the German Space Agency, and at NASAs Human Spaceflight web site. Thereappeared to be no significant opportunity for additional sales outside the NASA-like niche. Otherproducts included dShare, a product developed for and used exclusively by ESA, and nLog, an eventlogging and reporting product that had been installed in one commercial satellite control center.The challenge was to find a way to use some of those technologies in ways that had not beenanticipated when the technologies were developed, to create new products which would offersignificant value to a wide variety of customers. Several months of research and market analysisfollowed.Early in 2006, Naknan focused on endpoint security as an area to use their existing technologies andexpertise. In this case, “endpoint security” meant “anti-malware” or, in the more common terminology,antivirus. To add value, though, Naknan would have to take a different, more effective approach tofighting virus, worm, trojan, and other infections. The methodology used in defining the new productwas highly structured and involved months of research, including interviews with experienced users ofthen-current products. The new product became Security Assistant, which begat noScan™.Security AssistantSecurity Assistant provides four major capabilities to enterprises, all integrated, all managed from asingle Management Console. The four are: 1. Malware Sentry, which prevents execution of unauthorized software. Security Assistant enforces a whitelist. The whitelist is easy to create (a few minutes of computer time) and manage (automatically updated as updates, patches, and applications are deployed). Whitelist enforcement is the only way to thwart targeted or unknown attacks, and it is possible with whitelist enforcement simply because the SHA1 checksum of the attacking software is not on the whitelist. No traditional antivirus product can come close to the effectiveness of a whitelist, and we make whitelist maintenance nearly friction-free. Malware Sentry also detects and logs the insertion of removable media, and prevents execution of software (or copying) from the media if not on the nodes whitelist. 2. Software Baseline Management, which means we can deploy patches, updates, applications, and any other software to end nodes securely, and provide a positive indication that the software was installed (or not). The Security Assistant Agent does not provide status to the Server until install is complete or failed. It was designed this way to avoid the problem we have seen with some patch management systems of throwing the patch at an endpoint and calling it deployed. Security Assistant requires feedback from the Agent; absent that feedback, it will at best indicate the software is "deploying" rather than installed, failed, declined, or any other status. Software installed in this way will, as indicated above, automatically update the whitelist for each node. This function is needed in order to securely automate whitelist management, without which whitelisting is impractical.
3. Secure Remote Command, which provides the capability to download and execute, without node user ID or password, any command or script the node is capable of executing, and providing feedback as if from a command console at the node. These commands and scripts can be as simple or as complex as needed, limited only by the Security Assistant users creativity and the limitations of the target node. Commands and scripts can be scheduled to, for example, prepare a server to accept a patch and then restore to full operating capability once the patch is installed and verified. We have demonstrated on a Solaris server (1) verifying that Oracle is running properly; (2) stop all elements of Oracle, including the database server; (3) switching Solaris to single user mode, which terminates all external interfaces except serial; (4) install a Solaris patch; (5) switch to multi-user mode; (6) restart all elements of Oracle; (7) after Oracle has had sufficient time to stabilize, verify that all elements of Oracle are running properly; and (8) verify that the patch was installed. Step (3) makes this a very difficult and complex operation, but we were able to complete it successfully time after time. This function is needed in order to maximize the value of the second function by permitting the scheduling of preparatory commands and scripts prior to scheduled software deployments. 4. Full Filesystem Audit, meaning that Security Assistant opens and inspects each file on the file system, ignores those which are not software (determined by inspecting rather than looking at file extension or other superficial means), and creates a report which shows (depending on how your stylesheets are configured) (1) all software packages (applications, plug-ins, etc.) found; (2) files which cannot be identified as part of one or more software packages; (2) files which are not on the whitelist; and (3) certain hardware/platform information. With a little work on the customers part, the audit report can show any patches required to become compliant with the Federal Desktop Core Compliance Initiative (based on xml files downloaded from Mitre/Homeland Security). This function is needed to periodically capture a detailed inventory of software on each node for compliance and other purposes, and to ensure that IT staff can both know and prove the absence of unauthorized software.These four functions, integrated as they are both functionally and within the Management Console,permit very tight control of the software which is permitted to exist and/or execute on each node,independent of that which is permitted on any other node. The term “software” in this context includesauthorized software, unauthorized but legitimate software, and malware. By viewing all software aseither authorized (by virtue of being on the nodes whitelist) or unauthorized (which is all software notfound on the nodes whitelist), the task of preventing execution of unauthorized software while using atiny fraction of resources needed by traditional antivirus products is made far simpler and far morecertain than any other anti-malware product. Similarly, quarantining immediately upon discovery ratherthan simply blocking attempts to execute makes Security Assistant far more effective and efficient thanother whitelist products.The value added is significant. Everyone can benefit from Malware Sentry. Whether it is a bankingtrojan looking for money to steal (these are very sophisticated pieces of malicious software, usually notcaught by traditional antivirus programs), a Stuxnet-like hybrid attempting to steal intellectual propertyand/or damage control systems, or an application installed by a user from a USB drive, great damagecan be done to an organization if the software is not caught and stopped. Malware Sentry catches all ofthem, and anything else not on the whitelist. All events are reported to the Management Console. In theevent that the nodes Agent cannot connect to the Security Assistant Server, Malware Sentry continuesprotecting the computer and saves all event notifications until connection is restored. For mobilelaptops, connection can be from a public hotspot such as a coffee shop or library, the users home,broadband, or any other Internet connection. As soon as the computer connects to the Internet, the
Security Assistant Agent calls home.Controlling the software baseline obviously adds value, since out-of-date software typically containsmore known vulnerabilities than up-to-date software does. Less easy to see, perhaps, is the value ofknowing (as opposed to hoping) that patches were installed, or more precisely, knowing the dispositionof each patch on each node. If you know a patch failed to install on a particular node, you can takecorrective action; if you dont know, you cant, and that makes the difference between curingvulnerabilities and having vulnerabilities you dont know about. Likewise, being able to deploypatches, updates, and applications to a mix of platform types from a single user interface, on your ownschedule, integrated with commands and scripts, while automatically and accurately updating thewhitelist for each node adds great value. But the greatest value of this function is that whitelistmanagement is automated, securely updating each nodes whitelist as patches are successfullydeployed.The secure command and script capability helps avoid a lot of node touching. You can examine the filesystem, copy or delete files, change configurations, and many, many other things. The longer you useit, the more useful it becomes because, after a while, you will come up with new ideas. What if, forexample, you had a requirement to examine all computers in an enterprise, without the usersknowledge or consent, searching for a particular file/phrase/type of data. You could have a techniciango to each node and spend an hour or more searching for data of potential interest. With SecurityAssistant, you develop a relatively simple script that can do all that on one computer (and copywhatever is found to a secure location for analysis), then execute that script on all computers. To reallyoperate in stealth mode, do it after normal work hours or on weekends using Wake-On-LAN (forcomputers that would normally be turned off and that are configured for WOL), then turn them back offwhen finished.The auditing capability is the one that might be most difficult to see the value of. On the other hand,consider the length of time that unauthorized software executed unmolested in the “Aurora” and“Stuxnet” attacks, or that victims of identity theft and similar crimes are becoming less understandingof the difficulties companies have protecting them and their sensitive information; plaintiffs attorneysand the judicial system are becoming downright hostile. If your organization loses control of criticalprocesses, or lets sensitive data and information under its control escape because someone did nottimely deploy (and verify) patches to cure known vulnerabilities, or had unauthorized (even if notmalicious) software on some of their systems, such a discovery could be devastating in court. Someregulations may require knowing the software inventory of each node, or of the enterprise as a whole.If your organization used Security Assistant, including the audit capability, they would have proof ofsoftware configuration at each point in time that an audit was performed (we usually recommend everysix months). A reasonably bright Security Assistant user will run the audit, remove all unauthorizedsoftware, then run the audit again, and keep the second one.Once the computers are clean, Security Assistant will keep them that way, so subsequent audits shouldalways show no unauthorized software, proof that the Security Assistant user is doing everythingreasonable to prevent unauthorized software, which helps protect sensitive data and information. And,regulatory compliance regarding software inventory, whether for individual nodes or the enterprise as awhole, just became very easy.Security Assistant is a complex system, surprisingly easy to operate and manage.Security Assistant for Process Control has all the same features and functionality as Security Assistantfor Enterprises, but several “under the hood” differences are designed for greater certainty of outcome(e.g., crash avoidance is of far greater significance in the process control environment than forcommercial enterprises).
noScan™ Antivirus NGnoScan™ Antivirus NG is the consumer version of the anti-malware component of Security Assistant.Home users and small businesses can benefit from the next generation of industrial strength malwareprotection by installing noScan™. With minimal configuration, noScan™ begins protecting thecomputer it resides on with no further assistance from the user, operating similar to Malware Sentry,discussed above.noScan™ Antivirus NG differs from traditional antivirus in two fundamental respects: 1. It doesnt bog your computer down with frequent scans that never seem to end (hence the name, noScan™); and 2. It works.Traditional antivirus (thats everyone except noScan™) is very ineffective and becoming even worse asthe rate of new malware releases skyrockets. A quick search of the Internet will discover hundreds ormore of reports detailing the shortcomings of traditional antivirus. Some reports show that traditionalantivirus products fail to detect, on average, 20% or more of known malware, and few detect more than40% of unknown malware. The most dangerous malware, that targeted to a specific industry or aspecific company, will always be unknown to everyone because it has never been seen before and nosignature can exist. Similarly, zero-day attacks are rarely recognized because they have never been seenbefore. Targeted phishing attacks, those which attempt to trick computer users into visiting an infectedweb site or downloading malicious software, are so effective against traditional antivirus simplybecause they continuously change the signatures of the malware they use, making it practicallyinvisible to traditional antivirus.noScan™ takes a different approach. Instead of attempting to know the unknowable as traditionalantivirus products do, it simply keeps track of the software that youve told it belongs on your machine.Anything else, by definition, is unauthorized. Unauthorized software is blocked, quarantined, anddeleted. It doesnt matter whether it is known or unknown; it doesnt matter whether a signature existsfor it or not; all that matters is that it is not authorized to execute or exist on your computer.This approach means that noScan™ doesnt have to repeatedly scan your hard drive, interrupting yourwork or games. It doesnt need massive signature databases, because it doesnt use malware signatures,and therefore doesnt need to constantly receive signature updates, eating away at your bandwidth.Using less than 2% of your CPU and rarely using Internet bandwidth at all, noScan™ keeps track ofsoftware that exists or attempts to exist on your computer and prevents it from doing so if it is not onyour Authorized Software List. noScan™ is both effective and non-intrusive.Whitelisting is the only truly effective method of keeping all unauthorized software from executing ona device. noScan™ does not need to know what tens of millions of malware look like; it simply needsto know what the 10,000 to 25,000 software files on your desktop or laptop look like (using SHA1hashes). Theres no massive database, no never-ending scans, nothing to interrupt work or games. CPUutilization is typically <2% although it peaks higher at certain times, such as the few milliseconds whena write to fixed media occurs.noScan™, as its enterprise sibling does, monitors all hard drive activity and all process starts, as well asall interfaces that could be used for invasion. If you plug a USB drive into a noScan™-protectedlaptop, for example, it detects the insertion, watches all transfers, and blocks anything that attempts toexecute from the USB drive. If the USB drive is write-enabled, noScan™ will quarantine anything thatattempts to execute, including deleting it from the USB drive.Its easy to test the effectiveness of noScan™.
1. USB: Insert a USB drive. (a) Drag and drop onto the desktop any executable or shared library from the USB drive and watch it disappear (it can be found from File > Edit Quarantined Items on noScan™s Management Console). (b) Double-click (attempt to execute) a software file on the USB drive. noScan™ will announce that it has blocked and quarantined the file; the file will be deleted from the USB drive (if write-enabled). The quarantined file can be viewed as above. 2. Web: Open a browser and point to a known infected web site (do not attempt this unless you have noScan™ or Security Assistant™ installed). In most cases, downloaded malware will be caught and quarantined while still in the browsers cache. If a large file is being downloaded, it may be quarantined in parts. In all cases, software files will be quarantined. 3. LAN: (a) Attempt to execute a file which resides on a fileshare somewhere on the network. It will be blocked. (b) Attempt to copy a software file from a network share to the noScan™- protected computer; it will be quarantined. 4. Other Removable Media: Insert a CD-ROM or DVD with software on it. Any software will be blocked. 5. Get creative; create your own software, or use your favorite malware. noScan™ is industrial strength anti-malware protection for consumers.noScan™ protects your computer from initialization to shutdown. You dont have to do anything, onceit is initially installed, to be protected and to remain protected. When Naknan has updates available fornoScan™, noScan™ will notify you; when you approve the update, noScan™ will silently downloadand install the update without interrupting your work or your protection. We dont do signatures ofmalware, so these updates to noScan™ will be infrequent.You can install software if you wish, but you must tell noScan™ when you intend to do so. Otherwise,noScan™ will quarantine everything you install. Quarantined items are easy to recover and add to theAuthorized Software List.You can manually install patches just as any other software. Or, you can designate Authorized Updatersand let them automatically download and patch your applications. An example of an updater that youcould authorize is wuauclt.exe, the Microsoft Updater for XP. Once youve told noScan™ that thisupdater is authorized to add software to your computer, you can set your Microsoft OS and applicationsto update automatically (if you choose) so that patches are downloaded and installed, and yourAuthorized Software List is updated, all without you doing anything.If you choose to designate Authorized Updaters, you must designate the full path, and noScan™ helpsyou do this. Full path, including the name of the updater, is important because it keeps malwaredevelopers from using a fake updater with the same name to deploy their malware. When noScan™detects software being installed, it looks at what is causing the install; if it matches an AuthorizedUpdater, including full path, noScan™ verifies the integrity of the updater and lets it continue, addingthe resulting software to the Authorized Software List. If any part of the path does not match the pathnoScan™ expects or if the updater fails to validate, the added software is immediately quarantined.noScan™ is industrial-strength protection for home computers. Patents Pending