
eEye Digital Security


If You're New to Blink, You Might Like to Read This.

Last post 01-08-2010 5:21 PM by Blue1978. 32 replies.
  • 05-14-2009 10:18 AM

    If You're New to Blink, You Might Like to Read This.

    If you're new to using Blink, I hope the following information will help you understand why it is a special all-in-one security suite that provides protection that other security vendors do not.

    For those that may not know, the product that the company eEye Digital Security is most widely known for is the Vulnerability Assessment Tool called "Retina". eEye, from day one, has focused all of its efforts on studying and creating security applications aimed solely at protecting Windows-based server and client systems from attacks targeting software vulnerabilities. A list of their products can be found here:

    http://www.eeye.com/html/products/index.html

    eEye has a lot of very good articles on their website, all of which give the reader a basic understanding of the threats that Information Systems and users face today. Blink was designed specifically to protect from these types of threats and attacks. The main vector of attack that Blink focuses on protecting from, which about 95% of all other security applications fail to protect from, is explained in this article:

    Shellcode Detection - An Additional Layer for File-Format Exploit Prevention

    http://www.eeye.com/html/resources/newsletters/versa/VE200905.html#techtalk



         If you would like to read more of eEye's articles, they can be found here:

    http://www.eeye.com/html/resources/newsletters/versa/index.html

    eEye has "whitepapers" that can be downloaded and read after a simple registration form is filled out. An email will be sent to you with the download links to all of the other articles available (located here):

    http://www.eeye.com/html/company/wp/index.html


    The number one thing that a lot of people do not understand or realize is that Blink is trying to protect from things that other security vendors are not: known and unknown vulnerabilities in software and the underlying Operating System itself. Quite frankly, this is one of the hardest things to successfully do without creating a lot of false positives. This is the main reason why you cannot compare Blink (fairly) with the rest of the security applications available today. I am not intentionally trying to throw dirt on the other security products, because they too have their pros and cons, but they don't really "focus" on what attackers are using to enable them to download code and run it on a user's system. I like to reference one particular article that was published by Computerworld, which explains why I am saying this. This also is why I am sitting here trying to promote and at the same time defend eEye Digital Security's Blink product.

          The Computerworld article is located here:

     http://www.computerworld.com/action/article.do?command=viewArticleBasi...mp;arti

    The test results of the tests conducted by the security company Secunia (http://secunia.com/advisories/), referenced in the article, are downloadable from the following link:

    http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

    I tell a lot of people straightforwardly and in advance: unless you are a more advanced computer user who understands the basics about protocols, how they work, and security principles in general, you will not get the most out of Blink and be able to appreciate it as much. I would honestly recommend to the everyday user who is NOT comfortable with running security applications and who would rather be walked through everything, like most security applications do, not to use Blink. If you like creating firewall, IPS, and other rules in general, you will learn to love Blink. Keep in mind that when you run Blink on your system, you do not want any other security applications running with it. Blink has multiple layers of protection (7 layers) and was intended to be an all-in-one security suite. Adding anything else to your system will likely cause a lot of conflict and system stability issues.

    So, with the information I have given so far, I wanted to point out a few unique areas of the Blink endpoint security suite that make it special.

    Today, vulnerabilities in software and the operating system are becoming the number one vector used to install malicious code on a system. A lot of this, users do not even realize is happening.

    1. Vulnerability Assessment - This is one feature that almost all of the competition out there does not have. Blink has included Retina for free, which is built in and already configured to run and scan your local machine for vulnerabilities.

    Retina meets a lot of the Security Compliance Standards that exist today. To read more about these, see the following link: http://www.eeye.com/html/compliance/index.html

    - In this post (http://forums.eeye.com/forums/p/1017/4477.aspx#4477), a user shows an example of how Retina advises users of a Zero Day vulnerability that exists on a system.

    2. Application Protection - A lot of security applications have generic "Application Protection" (i.e. protection aimed at stopping buffer overflows, etc.) built into them. Most of these systems are limited, or you have to manually configure them, which leaves too much room to misconfigure a system, leaving it open to compromise. Blink's Application Protection is enabled for the system and everything on it. Think of this as an intelligent form of Data Execution Prevention (DEP). Blink's form protects from heap-, stack-, and integer-based buffer overflows.

    3. IPS - Blink's IPS is unique. The main highlight of it is that it uses Protocol Analysis for detecting intrusions. Protocol analysis is not offered in most security applications. It is mostly found being used in large business and enterprise-based IDSs. When I say it uses Protocol Analysis, I do not mean it monitors the port (based on the protocol being used); it actually analyzes the protocol itself and how it is being utilized.

    Second of all, Blink's IPS is not purely reactive, meaning it reacts and BLOCKS things all the time (as most IPSs are defaulted to). Blink's IPS also allows you to simply configure rules to Alert on suspicious activity (as an IDS would do).
    It does have the typical list of known attack signatures, but eEye has made it unique by hard-coding into it their own unique Protocol Analyzer modules, referred to as "BAMs".

    4. System Protection - This, in a sense, is part of Blink's Application Protection capabilities, but is sub-sectioned into two categories (explained below). The System Protection monitors all of the API calls within the system, looking for malicious calls and/or process termination attempts (sometimes used by malicious code to disable a security system, allowing it to install itself without resistance). The two subsections of System Protection are "Registry" and "Execution" protection. These monitor the registry and detect when something is misusing an execution process (if you want to think of it that way). For example, a maliciously crafted PDF file may contain shell code in it that is designed to execute when the user opens it. This in return will carry out another malicious function, whether downloading more malware or attempting to possibly escalate system privileges.

    5. ActiveX Protection - This is the newest feature to be added to Blink. eEye has a patent-pending ActiveX protection analyzer (BAM - "Blink Analyzer Module") built into the IPS. This now allows it to protect your system from one of the more abused aspects of Internet Explorer. A good description of ActiveX can be found in this eEye article:

    http://www.eeye.com/html/resources/newsletters/versa/VE200903.html#techtalk 

    - Example of a Zero Day (ActiveX) exploit that Blink was able to stop without any signatures:

    http://forums.eeye.com/forums/p/1017/4477.aspx#4477

    * FINAL NOTE OF INTEREST: Because of the way Blink was designed to protect a system, it can be installed on any new Windows OS (i.e. newly installed without any updates performed) and then placed on the internet. Blink is able to protect it. This is hardly possible with very few (if any) of the other security applications out there.


    As I stated before, Blink is designed to do one main thing: protect a system from Zero Day Exploits/Attacks. Other security applications are more focused on "detection" rates, still based on signatures. Yes, these have their place in security, don't get me wrong, but this type of defense will not protect from a Zero Day. Blink does have a signature-based AV/Spyware module in it (provided by Norman's AV), but once again that is not Blink's main purpose. Blink is trying to proactively protect you from the vulnerability that is being exploited, which is then used most of the time to elevate system privileges or to download more malicious code to the system locally. Most security applications seem focused on "containment" after the infection has installed and run itself. This is not actually mitigating or blocking the source of the problem. Quite frankly, with some of the stuff out there, once it executes you might as well re-image your machine and start over fresh.

    Blink's AV component (which uses Norman's AV) has at times been the source of some of the system slowdowns that some users experience. I will not lie about this, but this is due to a few different reasons. The main reason is, most AV products scan the file when it is accessed, moved, copied, read from, and written to. In Blink, a file is also analyzed and scanned while it is being executed. This is done through a Sandboxing technology built into Norman's AV. Using this Sandbox technology, eEye was able to create custom APIs to interface with the Sandbox, allowing Blink to analyze a piece of code that was being run in the Sandbox. In numerous instances, this allows the detection of malicious code without requiring an AV signature to be made for it. Normally when this function triggers, the alert will have a name that starts with "W32/Malware".

    An example: a user clicks on an Excel spreadsheet document to open it. Upon execution, the behavior is monitored in Norman's Sandbox. If it is found to do something malicious (i.e. attempt to make abnormal system changes, spawn new processes, or even beacon out to the internet), it will be flagged by Blink and the execution is prevented. So in essence, the Norman AV component in Blink is doing a lot more processing than your typical AV product is.

         More information on Norman's Sandbox technology can be found here:

         http://www.norman.com/technology/norman_sandbox/the_solution/en-us

    In summary, Blink is not the fix to all problems, but the capabilities it provides (especially contained within one client application) far exceed what the competition offers when it comes to protecting a system from today's threats. Some users will attempt to install other security applications alongside Blink; this is not advised, and for the most part it will end up creating a lot of headaches and frustration. Blink has many layers of protection and quite frankly you don't need a lot more.

    I hope after reading this, it helps some people understand what Blink is all about. It frustrates me to no end when I see users saying, "I see Blink only detected 5 out of 10 Malware samples. I recommend AVG, not Blink." Okay, once again, Blink is not trying to compete in this area of expertise; Blink is trying to stop things from happening to your system (that are way more severe and unnoticeable by the user) than a simple Trojan installing itself.

    ==========================================================================================

         If you would like to see some past reviews that have been done on Blink Professional, Personal, and Server Editions, please see the following forum post:

    http://forums.eeye.com/forums/t/774.aspx

    If you are curious to see some of the types of alerts that Blink shows when something suspicious is stopped, see the following forum post:

    http://forums.eeye.com/forums/t/948.aspx


    Blink Personal Edition can be downloaded from here:

    http://download.cnet.com/Blink-Personal/3000-2239_4-10658343.html?tag=mncol#userreview

    LAST UPDATED ON:   31Jan10


    Try Blink Personal Edition (free for 30 days)

  • 07-18-2009 4:42 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    The following are screenshots of Blink Personal Edition. These were taken after Blink was installed and updated for the first time.

    NOTE: If you have issues viewing the pictures, click on them and then zoom in to view them more clearly.


    Blink's Homepage:



  • 07-18-2009 4:45 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Firewall (System Wide Rules):



  • 07-18-2009 4:46 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Firewall (Application Rules):



  • 07-18-2009 4:49 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Virus and Spyware Management section:



  • 07-18-2009 4:50 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Virus and Spyware Management (Scan Properties):



  • 07-18-2009 4:52 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Intrusion Prevention System Section (BAMs - "Blink Analyzer Modules"):



  • 07-18-2009 4:55 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Intrusion Prevention System Section (Signatures):



  • 07-18-2009 5:01 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Vulnerability Assessment ("Retina"):



  • 07-18-2009 5:04 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Vulnerability Assessment (Report Examples):



  • 07-18-2009 5:06 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's System Protection Rules (Registry):



  • 07-18-2009 5:09 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's System Protection Rules (Execution):



  • 07-18-2009 5:12 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Identity Theft Rules (Phishing):



  • 07-18-2009 5:15 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Options and Settings (General Tab):



  • 07-18-2009 5:18 PM In reply to

    Re: If You're New to Blink, You Might Like to Read This.

    Blink's Options and Settings (Firewall Tab):



© 1995 - 2009 eEye Incorporated