Determina's VPS 4.0

Determina's Vulnerability Protection Suite 4.0 protects your network without having to download patches or virus updates.

June 14, 2006


Antimalware programs run the gamut from virus protection to ad zappers, but most have one thing in common: the need for a database of signatures that keeps growing with the list of viruses. Determina VPS 4.0 monitors Windows servers and desktops for vulnerabilities without hogging disk space, and with only minimal impact on the application's performance.

A zero-touch tool, Determina VPS (Vulnerability Protection Suite) 4.0 conducts on-the-fly attack blocking and protection against buffer overflows, without requiring virus signature vulnerability updates or patches to be downloaded and installed. This protection system does not increase in size, create multiple additional registry entries, or require users to respond to any prompts during signature updates. Because the application keeps its database size steady, disk space and search time remain constant.

Determina VPS monitors every application as it runs. The system creates a runtime module that analyzes code as it is executed, then determines whether each code segment is legitimate or injected by a hacker. Here, Determina relies on its brain-trust--the MIT systems code analysts who created the program and understand how malware and legitimate applications behave.

VPS ascertains each application's purpose and inspects each line of code when the program starts. When it detects a sudden, unexpected change--calling remote applications, or trying to open many IP ports and spawn child processes, for example--the application is halted and an alert is issued on the server console.

How It Works

Two elements work together to achieve this level of protection: Determina Memory Firewall, which actively monitors applications as they run; and LiveShield, which patches application vulnerabilities before they can be exploited. Memory Firewall draws its rules directly from the applications, according to Determina. It monitors control flow and control transfers to validate the flow of instructions as they execute. Anything compiled into the program is marked as legitimate as the program's instructions are loaded into memory. Essentially, as the program loads, VPS determines what's execution space and what's data space, then ensures that programs never execute anything outside execution space.

Even rare or infrequent tasks, such as off-day database pulls from remote locations, are part of the program's legitimate instructions and will not trigger a false positive. Malware attacks that inject their code into flawed programs transfer control into data space, a memory location that was not part of the original program. This unexpected behavior triggers the Determina software.
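A simplified model of the check described above, added here as an illustration and not Determina's code: regions are classified as execution space or data space when the image loads, and every control-transfer target is validated against that map. The region table, addresses, and function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { REGION_CODE, REGION_DATA } region_kind;
typedef enum { XFER_ALLOW, XFER_BLOCK_DATA, XFER_BLOCK_UNMAPPED } verdict;
typedef struct { uintptr_t start, end; region_kind kind; } region; /* [start, end) */

/* Constructed map, recorded as the image loads: compiled-in code is marked
   as execution space, everything else is data space. Addresses are made up. */
static const region memory_map[] = {
    { 0x00401000u, 0x00420000u, REGION_CODE },  /* application code     */
    { 0x00420000u, 0x00430000u, REGION_DATA },  /* application globals  */
    { 0x0012f000u, 0x00130000u, REGION_DATA },  /* thread stack         */
    { 0x00150000u, 0x00250000u, REGION_DATA },  /* heap                 */
    { 0x7c801000u, 0x7c880000u, REGION_CODE },  /* system library code  */
};
#define MAP_LEN (sizeof memory_map / sizeof memory_map[0])

/* Validate one control transfer: only targets inside code loaded from the
   program image are allowed, however rarely that code path runs. */
verdict check_transfer(uintptr_t target) {
    for (size_t i = 0; i < MAP_LEN; i++) {
        const region *r = &memory_map[i];
        if (target >= r->start && target < r->end)
            return r->kind == REGION_CODE ? XFER_ALLOW : XFER_BLOCK_DATA;
    }
    return XFER_BLOCK_UNMAPPED;  /* not part of the loaded program at all */
}

/* Count the transfers in a trace that the monitor would halt. */
size_t count_blocked(const uintptr_t *targets, size_t n) {
    size_t blocked = 0;
    for (size_t i = 0; i < n; i++)
        if (check_transfer(targets[i]) != XFER_ALLOW)
            blocked++;
    return blocked;
}

int main(void) {
    /* Constructed trace: two calls into code, a return into the stack,
       and a jump to an address outside every loaded region. */
    const uintptr_t trace[] = { 0x00401a40u, 0x7c80ae30u, 0x0012ff40u, 0x41414141u };
    printf("%zu of 4 transfers halted\n", count_blocked(trace, 4));
    return 0;
}
```

The model has no signature database: the allow list is the program's own loaded code, which is why its size stays constant.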

LiveShield fixes vulnerabilities that are already in memory. Unlike Memory Firewall, which needs no updating, LiveShield requires some care and feeding. From the Web-accessible Management Console, LiveShield can be configured to watch over multiple systems running agents in a network. When an agent encounters a problem, it generates a log report that can be viewed from the Management Console. The admin can take action based on the severity of the violation.

VPS 4.0's Web-based Management Console allows administrators to set policies for application monitoring, and to build agents specific to each system's OS, applications and required network access. The policies can then be published to workstations or servers on the network.

App Remains the Same

LiveShield and Memory Firewall do not patch applications on-disk. They simply monitor the programs in active memory as executed, and then act on the vulnerabilities. The end-user's applications remain in the same state on the server, or client, when they are shut down as when the program was launched. Determina's goal is to cover vulnerabilities as needed, according to VPS Senior Director of Product Management Warren Wu.

To test VPS's performance, we ran Microsoft Internet Explorer 6 in a sandbox system (Virtual PC) with an agent running, while another system in a similar environment monitored IE 6 through the Management Console. We observed no active issues with system response time.

Next, we tested VPS 4.0 under heavy-use conditions, by opening many copies of the IE 6 browser and then exposing them all to vulnerabilities through test applications. Again, we noted no overall system performance hits, though Determina admits there's potential for a slight lag, as both Memory Firewall and LiveShield piggyback the business applications as they are executed.

Finally, we tested CPU load on two different sessions of Windows XP SP2: the first using the Memory Firewall client, and the second unpatched. When we started IE 6 and Microsoft Outlook Express, the protected system showed 6 to 10 percent more CPU load than the unprotected system. While the increase isn't significant for starting individual applications, the additional CPU load could create a bottleneck on workstations that load many applications at start-up.

Compatibility Questions

VPS 4.0 is entirely compatible with most major antivirus utilities, with some exceptions: Both McAfee VirusScan 8.0i and McAfee Entercept check for buffer overflow. VPS is also incompatible with Cisco Systems' Cisco Security Agent, which makes changes to the Windows kernel. Finally, Webroot Spy Sweeper's Spy Installation Shield does not work with VPS, but the other features of Spy Sweeper do.

Networks that have malware protection from companies such as CA, McAfee, Symantec; "free" antivirus tools such as Grisoft's AVG Free edition; or post-infection cleanup tools such as AdAware and Spybot Search & Destroy, already employ a system of regular signature updates. In such cases, Determina's VPS may fit in.

If, however, a large portion of your network requires low-to-no footprint protection, with management from a server console, consider starting with Determina. But understanding that the tools do not create permanent patches for applications is an important point to consider before making the decision to purchase.

Bill Silvey is an IT professional specializing in desktop-to-server workstation connectivity and enterprise solutions.
