Abtrusion Protector for Security Professionals
Abtrusion Security is on a quest. We have a vision of how computers will
be secured in the future. The Abtrusion Protector product is the first in a
line of products designed to control execution of software. By limiting the
software that is allowed to start, we prevent many of the common techniques
and tools used to hack computers connected to the Internet. We also limit
the amount of damage viruses spread by e-mail can do.
While we do think that launch control is a technology that will be very
important in the near future, we certainly don't think that proven
technologies, such as firewalls and virus scanners, will become obsolete. They
will have their place, although the role of traditional virus scanners will
probably have to be redefined somewhat.
So how does Abtrusion Protector work?
Abtrusion Protector maintains a database of SHA-1 hashes of files that
are allowed to execute on the computer. Whenever a file is loaded for
execution, the Abtrusion Protector kernel mode driver calculates the hash of
the file and then searches for it in the database. If the hash is found, the
file is allowed to load. Otherwise an access denied error is returned to
The Abtrusion Protector driver loads very early in the boot process and
controls the loading of device drivers as well as regular programs, dynamic
link libraries and OCX controls.
The database of hashes has to be updated whenever new software is
installed on the computer. Typically, Abtrusion Protector is told to record
the files installed by an install program. Abtrusion Protector also
recognizes many different installation file formats and can record all files
it finds on a CD or on other software media.
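The record-then-check cycle described above, as a user-space Python model. This is an added example, not Abtrusion's code: the class, the function names and the sample files are constructed for illustration, and the real check runs in a kernel mode driver. It shows that the decision follows file content, not file name or path.

```python
import hashlib
import tempfile
from pathlib import Path

class LaunchControl:
    """User-space model of hash-based launch control (hypothetical names)."""

    def __init__(self):
        self.allowed = set()  # database of SHA-1 digests of approved files

    @staticmethod
    def sha1_of(path):
        h = hashlib.sha1()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def record_tree(self, root):
        """Record every file under root, as when an installation is recorded."""
        files = [p for p in Path(root).rglob("*") if p.is_file()]
        self.allowed.update(self.sha1_of(p) for p in files)
        return len(files)

    def may_load(self, path):
        """Hash the file at load time; allow only if the digest is recorded."""
        return self.sha1_of(path) in self.allowed

def demo():
    """Constructed sample files; returns the allow/deny decision per case."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp, "install")
        install.mkdir()
        app = install / "app.exe"
        app.write_bytes(b"MZ constructed program image")
        (install / "helper.dll").write_bytes(b"MZ constructed library image")
        lc = LaunchControl()
        recorded = lc.record_tree(install)

        copy = Path(tmp, "renamed_copy.exe")       # same bytes, other path
        copy.write_bytes(app.read_bytes())
        dropped = Path(tmp, "dropped_tool.exe")    # never recorded
        dropped.write_bytes(b"MZ constructed unknown tool")
        results = {"recorded": recorded,
                   "original": lc.may_load(app),
                   "renamed_copy": lc.may_load(copy),
                   "unrecorded": lc.may_load(dropped)}
        app.write_bytes(app.read_bytes() + b"\x90")  # modified after recording
        results["modified"] = lc.may_load(app)
        return results

if __name__ == "__main__":
    print(demo())
```

SHA-1 is used because the page names it; practical SHA-1 collisions have been demonstrated since 2017, so an allowlist built today would use SHA-256.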
Abtrusion Protector is also able to verify digital signatures and
automatically allow files that are signed or files that are installed by
signed installations from trusted software vendors. In many cases, this
allows software to be installed in a safe way, without any additional
administration at all.
If Windows Installer is secured, Abtrusion Protector can be told to
automatically record and allow all software installed by it.
In a corporate network, launch rights for Abtrusion Protector can be
managed at a central site or can be distributed throughout the company.
Abtrusion Protector also includes features to protect itself from being
disabled by hostile software. Registry settings and the Abtrusion Protector
files can be protected so that they cannot be modified, except through the
Abtrusion Protector user interface, regardless of user privileges. In
addition, regular Windows access control lists can be used to limit user
access to Abtrusion Protector settings.
Why will launch control software become more important in the future?
We believe that there are several factors that speak for launch control
There is a much greater awareness of computer security now than just a
few years ago. We are moving towards a future where digital signatures are
going to be more and more important to provide security and authenticity of
software and not just business transactions. Launch control software
provides a way to enforce trust policies. At the same time, digital
signatures make launch control software much easier to manage.
Virus scanners are having a hard time catching up with new viruses.
Although virus scanner vendors certainly have talented software developers,
so has the underground virus community. New viruses use new techniques to
cloak themselves - virus writers test their new creations against the most
virus scanners too.
Although many virus scanners are surprisingly good at recognizing all
forms of known viruses, they will never be able to recognize most
custom-written hacking tools until it is too late.