http://www.virusbtn.com/Session-f4fba84f36602d6a022d7269ee3597ef/virusbulletin/archive/2008/05/vb200805-eeye-blink
For those that do not have access to VB, here it is (minus the pretty pictures that is):
---------------------------------------------------------------------------------------------------------------------------------------------------------
EEYE DIGITAL SECURITY BLINK PROFESSIONAL 4.0
John Hawes
Editor: Helen Martin
"Founded ten years ago and based in Orange County, California, eEye Digital Security first made its name as a vulnerability research company, providing security advisories on flaws found by its teams investigating a wide selection of software and offering businesses a range of security auditing services. From this grew the company’s current range of security offerings, which include several packages focused on protecting network-facing servers from the vulnerabilities presented by flaws in software and configuration, managing policy enforcement and incident reporting across corporate networks, as well as monitoring network traffic for potentially dangerous activity.

The company’s vulnerability alerting service continues to offer privileged detail and early warnings on upcoming dangers, as well as a forum for administrators to debate the latest flaws and the hottest techniques for locking down systems and networks. The company boasts more than half of the US Fortune 100 companies amongst its clients, and its early research successes include spotting and alerting on the IIS flaw, which soon after allowed the Code Red worm to spread across the world’s web servers.

The Blink desktop offering first appeared about four years ago, and has grown from a simple HIPS product into a full endpoint suite, combining the standard ingredients of anti-malware and firewall with proactive defence in the form of intrusion prevention and vulnerability management. The suite is available in a full-featured ‘personal edition’ for home users, and the professional edition, which offers greater flexibility of configuration and can be combined with a centralized management and reporting system.

Version 3.0 of the product, using anti-malware technology provided by the Norman engine, received its first VB100 award in June last year in some style. The latest version (4.0) is due for release shortly, featuring the redesigned interface introduced in version 3.5, additional Windows Vista support and a number of improvements under the hood."
WEB PRESENCE, INFORMATION AND SUPPORT
"eEye’s main web presence is at www.eeye.com, a site dominated by product marketing with in-depth coverage of the firm’s various offerings. All products are available as time-limited trial editions, with the personal edition of Blink currently free for home-user purposes while offering the same level of protection as the professional suite, and all are backed up by a wealth of information about them and the security problems they address. The site also carries the usual items of company and product news, as well as links to a number of favourable reviews and test performances.

On the more technical side of things, a research sub-site is the home of the company’s vulnerability information, most of which seems to be available only to subscribers to the company’s ‘Preview’ services. This offering is available at several levels of detail, the higher of which include personalized network security scanning, advice and insider information on the latest undisclosed vulnerabilities, as well as the standard alerting, in-depth analysis and newsletters on significant software security issues. The area also includes a selection of security research tools available for download.

Technical support for the products is similarly available at a range of subscription levels, with the most basic providing access to email-based support via an online form. A knowledgebase of common issues is available to all, however, and provides brief and often highly technical details on a range of common issues, focusing on the server range of products and the management suite. In fact, all the searches I carried out specifying Blink as a filter returned information on issues associated with deploying Blink across the network (generally solvable by setting Windows networking controls correctly). Behind the customer login area resides access to further documentation and guidance, including the user manuals which are also accessible directly from within the product, more on which later.

Having spent long enough looking at the information available online, it was time to get my hands on the product and see whether it would stand up to the impressive boasts made about it in the wealth of marketing material."
INSTALLATION AND CONFIGURATION
"Initial installation of the product is a pretty standard process. The installer for the latest beta build of version 4.0 of the product comes in at a very reasonable 45 MB and runs through its business pretty rapidly, with the usual installation location options and EULA to be got through, as well as an unusually long activation key. On one system, the installer complained about a freeware browser sandboxing utility I had installed, insisting it be removed before the installation could continue, but there were no other hitches.

At the end of the process a dialog provides some information on the product’s default settings and status – this begins with the firewall in rather minimal protective status, set to allow anything that is not specifically blocked by a rule. This gives something of a clue as to how the product operates – this is no simple set-and-forget tool for the average unskilled user, and although the default set of functions do provide a basic level of protection against the majority of attacks, the beauty here is in the depth of control available. A huge range of optional extras are available to achieve maximum lockdown, while the product’s initial state is to apply only those thought suitable for all situations. Tuning the product to meet the individual requirements of the user requires considerable understanding of the problems being faced and the means provided by the product to mitigate them.

The interface provided to access this vast configuration is simple and reasonably appealing, being modelled along similar lines to built-in Windows tools such as the ‘Security Center’ or other system configuration applications, with menus of options on the left and details in the main panel. This gives it a straightforward and no-nonsense feel, achieving a sense of simplicity and authority without the unfriendly starkness which often comes along with more business-oriented products. This again reflects the product’s ethos, not bending to the whims of the inexperienced user with lots of twinkly cartoon graphics.

Navigating the system is pretty untaxing. There are five main categories, of which at least three are pretty obvious – the firewall, anti-malware and vulnerability scanning components. The other two, labelled ‘Intrusion Prevention’ and ‘System Protection’, seem to overlap somewhat and it is not immediately obvious what each covers, but looking inside soon clears things up. The system protection area covers guarding of registry and applications, while everything else, including anti-phishing measures, is included under intrusion prevention. With most of these now fairly standard in security suites, I opted to start off with the most novel, the vulnerability scanner."
SYSTEM HARDENING FUNCTIONS
"With the product installed, there are several steps required before the host system is fully secured to Blink’s satisfaction. The initial interface shows several items to be lacking the comforting green tick that signifies that they are fully active. The most interesting and unusual of these is the vulnerability scanner. This requires an initial run to find any problems with the current setup of the system, and the setting up of a schedule to look out for any further flaws.

Running the vulnerability scan is a pretty simple process. The module has few options, simply the ability to schedule scans or run them manually, and a report viewer to analyse the results. The scan itself was pretty fast, taking no more than a minute or two even on crowded and low-powered systems. In test systems in the sealed VB lab, a large number of problems were easily identified thanks to the lack of access to recent updates from Microsoft. To emulate a real user more closely, I fired up a well-used and by now rather wheezy old laptop, which had languished powered down under a bed for several months. With the product installed and updated, the vulnerability scanner found an even wider range of issues – the majority of which were easily resolved by letting the Microsoft updater carry out its slow and tedious business of downloading and installing missing patches. However, for the remaining issues it seemed that considerably more work would be required to satisfy Blink’s stringent requirements.

Several of the remaining issues concerned various pieces of software installed on the system, ranging from several Adobe and Mozilla products to more surprising ones such as WinRar. While some had their own updaters, several required manual update or even reinstallation. Among the most serious problems found was a ‘zero-day’ vulnerability in some Microsoft software which, as the report pointed out, was as yet unpatched; instead a workaround was suggested, with a link helpfully provided to advice from US-CERT on applying it. One item remaining on the ‘high risk’ list was a problem with anonymous registry access, a slack setting which could be closed down with a few tweaks in the registry.

Browsing further down the lengthy report, a slew of entries detailed potential weaknesses in my system. These included a lack of fully trackable logging, unsafe caching of usernames, passwords and page file contents, as well as various issues with unnecessary services, drive sharing and allowing unaccredited users to perform various activities. The autorun default, a spreading vector of a lot of recent unpleasant worms, was also highlighted, and even the fact that users could insert USB key drives and use them to move data off the machine was mentioned as a potential means for unwanted data extraction.

Each entry was accompanied by details of how to correct or mitigate the problem, usually in the form of instructions for doctoring registry keys, changing settings using Control Panel tools, or links to more involved instructions in appropriate places, predominantly Microsoft Knowledge Base articles. Each entry was also accompanied by links to alerts and advisories on the subject, from the likes of Secunia and iDefense as well as eEye’s own vulnerability pages, Microsoft bulletins and articles and other alerts from the software developers involved in any given flaw, with CVE numbers included where appropriate.

The depth of detail provided was remarkable, and the range of areas covered, from potential remote exploits and sources of data extraction to problems with fully accountable logging and physical access points for abusive users, was quite staggering. The sheer scale of the issue of locking down a system could easily be overwhelming, particularly for the less technically minded user, but for a network admin wanting to ensure all the systems in his charge are as secure as possible, and with the power to automate most of the tasks involved, this is surely an invaluable tool.

Vulnerabilities in software are a huge vector for malware, particularly in the ever-growing area of web threats which are rapidly increasing in complexity, subtlety and scale, with more and more legitimate sites playing unwitting host to attacks. Most of these attacks make use of long-patched flaws, probing systems for holes to sneak malware onto new victims, and the importance of keeping a system fully patched is greater than ever. Since this task is also more complex than ever, having details of all the potential dangers in a single report, along with information on remediation, and having it regenerated rapidly on a regular basis to keep up with the latest developments, is an enormous advantage.

The only feature I could think of that would be a useful addition would be an option to disregard some of the entries, as either unfixable in a given situation or not applicable under a corporate policy, but given the attention to detail it seems more than likely that such functionality is already available to admins using the separate management tools. As it was, it was tempting to try to eliminate each and every one of the issues flagged up, if only to see what would happen when a scan found nothing to complain about – surely some kind of fanfare or shiny virtual gold medal would be an appropriate reward for such diligence.

Sadly time was too pressing to go to such great lengths, and I left my test machines with a few minor issues remaining unfixed to look into the more common security measures provided by the suite."
SYSTEM PROTECTION FUNCTIONS
"Of course, once the system is fully patched and configured to the product’s liking, the vulnerability scanner becomes a core part of the ongoing protection offered. A scheduled scan will highlight new patches as and when needed, including updating the status of those nasty as-yet-unpatched flaws. New configuration tips are also added as researchers spot new vectors and new potential issues with the standard setup of a Windows system. Beyond this rather special functionality, however, the product also offers a full set of the more usual protection features provided by most other security suites on the market.

At the core of the standard anti-malware protection provided is the Norman engine with its strong ‘sandbox’ heuristics. Running it over the VB test sets showed a high level of detection, which was improved still further after upping the heuristic settings. The interface to the engine and all the file-hooking and other integration is developed by eEye, and operating the scanner and adjusting the on-access settings proved a pleasingly simple business, with defaults seeming well chosen and appropriate. Any on-demand scans required were also available from the context menu. On its own this seemed something of an improvement on Norman’s own interface to the same detection technology, which I have frequently found rather complex and fiddly when adapting it to the specific needs of VB100 testing.

Scanning speeds and on-access overheads closely mirrored past test results for Norman and Blink, implying that little extra burden was being placed on the systems by the range of added extras. The Norman engine has a long and illustrious past in VB100 comparative testing, and with a few recent problems caused by a batch of polymorphic items now behind it, it looks set to continue to do well. It also regularly achieves decent scores in other independent tests, making the ‘Advanced’ grade in the most recent AV-Comparatives test and scoring ‘Satisfactory’ or better in all but the speed category in AV-Test’s latest set of results. In our own speed measurements, both Norman and Blink products appear in the middle of the field, somewhat behind some of the zippiest products but never imposing the sort of overheads seen in the weightier ones. Using the product on a range of systems I never observed any intrusive slowdown, although when running the updater on a particularly aged and underpowered machine whilst trying to carry out several other tasks, things did become a little slow to respond for a few minutes as drive lights flickered and crackled with effort.

Moving on to the intrusion prevention filters, these again seem to focus to a large extent on vulnerability monitoring, watching numerous protocols for suspicious data which could indicate an attempted attack. The large set of categories comes fully stocked with long lists of known bad behaviours, and a separate tab presents a lengthy list of signatures for known exploits. The majority are active by default, but some are provided for those who have more specific needs, which include a website-blocking section populated with common social networking sites.

The process of adding more rules and signatures is via a simple and straightforward wizard, which in all these modules advises the user to be sure they know what they are doing before setting up a rule which could impinge on important system operations. With the default settings already pretty thorough, exploit signatures can be extended by adding pattern strings of one’s own design, providing the user with a level of control over what comes through to the machine usually only available to network admins. The phishing controls, listed under ‘Identity Theft Rules’, cover a range of common tricks found on phishing web pages, including hidden or spoofed URLs and links, and again can be extended to the user’s content.

The system protection setup operates in a similar manner, this time with far fewer built-in rules but with the same straightforward system to allow the user to generate their own. Setting controls on specific applications, ensuring doctored versions cannot be run, or even allowing them only to be run by a specific parent process, is a pretty straightforward task achieved in a few clicks, and a similar system prevents (or allows) access to specific areas of the registry.

The firewall also uses the same system, giving a pleasing consistency across the product. The various options, with a handful of default system-wide rules and more for specific applications, are presented clearly and legibly with a good level of plain-language description to assist the less technical user. Its initial rather passive setup does require a few extra steps to ensure a decent level of protection, but this can be done with a couple of clicks of check-boxes, and it seemed to operate well once fully up and running.

Most of these rules function in a quiet and unflashy way, not bombarding the user with a deluge of hyperbolic warnings about blocked activities and simply logging unwanted events, if desired. Even the on-access malware scanner produced small, simple popups with the minimum of fuss. The settings can be programmed to provide a training popup, filled with detail and options, when an unknown application attempts a restricted activity. In my tests, these managed to block the handful of malicious items that managed to get past the signatures and heuristics of the anti-malware engine, as they attempted to leak data from the system, contact base to download further nasties, doctor important registry entries or perform other malicious activities. The popups default to a deny action if left for 45 seconds.

My only quibble with the whole setup is that the descriptions of the rules are often considerably longer than the display space available. Double-clicking the title bar boundaries shrinks the area even further rather than expanding it to the required width, which means that it takes some fiddly stretching of boxes and dragging of sliders to read the full detail of any given rule or setting. That this detail is available at all is impressive, however."
HELP AND GUIDANCE
"The provision of clear and useful information, a pattern repeated across the product, caters more than adequately for the complexity of configuration available. While this is not a simple set-and-forget system, and may appear daunting to many inexperienced users at the desktop level, the product provides plenty of information for those willing to put a little effort into deciding for themselves how to set things up.

Beyond the basic information provided alongside each individual rule, vulnerability alert or malware warning, a superbly detailed manual is provided, alongside an equally well thought out help system. Unlike many help pages, which often do little more than list the available buttons and what they do, this is properly task-oriented, detailing the steps required to achieve a given objective. The manual PDF runs to some 99 pages, providing even more step-by-step information on how the various features should be operated, including detailed instructions for defining new rules. All are written in lucid language with a minimum of jargon, and are clearly aimed at putting the exceptional power of the product within the reach of the humbler user."
CONCLUSIONS
"With such an in-depth product to look at in a very short time, it has not been possible to do more than skim the surface of Blink’s capabilities. I have focused predominantly on the vulnerability scanner as it is a rare if not unique component in a security suite, but the rest of the functions (apart from the straightforward anti-malware scanner) are also unusual in the sheer depth of configuration available. In the right hands, this product can do far more than provide solid security from malicious code and attacks; it can implement a complete usage policy, managing many aspects of how a system and its user operate, including controlling access to unwanted software and web resources, maintaining hygiene standards and accountability through logging.

Of course, those hands need to know what they are doing, but as I have come to see through longer exposure to the product and its support systems, they do not necessarily need to be those of an expert. Enough background information and links to further resources are provided at almost every level of the product to allow an informed and committed novice not only to implement a solid security regime on their system, but also to learn a considerable amount about it along the way. The home-user version, offering the same full range of tools and options, can be put to use fairly simply using more or less the default settings to provide a very decent level of security, but with a little effort, and some trust in the assistance provided, can allow anyone to take control of their computer and take a little responsibility for their own online safety.

Of course, I can understand how this could be rather too much to bear for many home users, and they may be better off investing in something more cuddly, but for those willing to put in the effort the rewards should be well worth it. In a more professional setting, for those requiring absolute control to enforce a detailed and demanding security policy, Blink can provide a superb breadth of power to do just that, in a single well-designed and solid package."
Technical details
eEye Digital Security Blink Professional 4.0 was variously tested on:
AMD K7, 500 MHz, 512 MB RAM, running Microsoft Windows XP Professional SP2 and Windows 2000 Professional SP4.
Intel Pentium 4 1.6 GHz, 512 MB RAM, running Microsoft Windows XP Professional SP2 and Windows 2000 Professional SP4.
AMD Athlon64 3800+ dual core, 1 GB RAM, running Microsoft Windows XP Professional SP2 and Windows Vista SP1 (32-bit).
AMD Duron 1 GHz laptop, 256 MB RAM, running Microsoft Windows XP Professional SP2.
------------------------------------------------------------------------------
Works Cited:
Hawes, John. "eEye Digital Security Blink Professional 4.0." Virus Bulletin, May 2008. Accessed 01 May 2008. <http://www.virusbtn.com/Session-f4fba84f36602d6a022d7269ee3597ef/virusbulletin/archive/2008/05/vb200805-eeye-blink>.
------------------------------------------------------------------------------
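The review's vulnerability report flagged anonymous registry access, the autorun default and USB key drives as a data-extraction route, each with registry-tweak remediation. The following is an added example, not code from the review or from eEye's product: a PowerShell audit of those three items with the corresponding fixes. The mapping of the report's wording to these particular registry values, the chosen "hardened" values and the function name are my assumptions, drawn from common Windows hardening guidance for XP/2000-era systems.

```powershell
# Added example (not from the review or eEye). Audits three findings of the
# kind the Blink report raised and, with -Remediate, applies the usual registry
# fixes. Run in an elevated PowerShell session. The value names and the
# "hardened" values are assumptions taken from common Windows hardening guidance.
function Test-HardeningItems {
    param([switch]$Remediate)

    # One entry per finding: where the setting lives, the value expected once
    # hardened, and what the weak setting permits.
    $checks = @(
        @{ Name     = 'Anonymous (null-session) registry access'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Value    = 'RestrictAnonymous'
           Hardened = 1
           Note     = '0 lets null-session callers enumerate accounts and shares' },
        @{ Name     = 'AutoRun default'
           Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Value    = 'NoDriveTypeAutoRun'
           Hardened = 255
           Note     = '0xFF disables AutoRun for every drive type; smaller bitmasks leave some on' },
        @{ Name     = 'USB mass-storage driver'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
           Value    = 'Start'
           Hardened = 4
           Note     = '4 = disabled; 3 = on demand, so any USB key mounts as a drive' }
    )

    $allHardened = $true
    foreach ($c in $checks) {
        # Read the current value; an absent key or value means the default applies.
        $current = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($c.Value) }
        }
        $ok = ($current -eq $c.Hardened)
        $state = if ($ok) { 'OK' } else { 'WEAK' }
        $shown = if ($null -eq $current) { '(absent)' } else { $current }
        Write-Host ('{0,-4} {1}: current={2} expected={3}' -f $state, $c.Name, $shown, $c.Hardened)

        if (-not $ok) {
            $allHardened = $false
            Write-Host ('     ' + $c.Note)
            if ($Remediate) {
                # Policy keys may not exist yet on a machine that has never been hardened.
                if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
                New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                    -Value $c.Hardened -Force | Out-Null
                Write-Host ('     set {0}={1} (a reboot may be needed)' -f $c.Value, $c.Hardened)
            }
        }
    }
    # $true only when every item was already in its hardened state.
    return $allHardened
}

# Usage: Test-HardeningItems             (audit only)
#        Test-HardeningItems -Remediate  (audit and apply fixes)
Test-HardeningItems
```

Disabling USBSTOR blocks all USB mass-storage devices, including legitimate ones, so on a managed network the report's "corporate policy" exception the reviewer wished for is exactly what decides whether that fix is appropriate.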