On Windows 7 (or Vista) I use
- Features of Modern Security Suites – Part 3
- Features of Modern Security Suites – Part 2
- Features of Modern Security Suites – Part 1
- KHOBE – 8.0 earthquake for Windows desktop security software
- Plague in (security) software drivers
- Introduction to Firewall Leak-testing
- Comparison of top five personal firewalls
- More about personal firewalls
- Design of ideal personal firewall
Features of Modern Security Suites – Part 3
The final part of the Features of Modern Security Suites series discusses Web and Browser Protection features and also briefly mentions several minor features of security suites, such as Parental Control, Anti-spam, Vulnerability Protection. The features listed in this part are usually not core parts of security products. Rarely you can find a product that implements all of them. Their implementations among various products differs a lot. This is why we try to cover just the basic principles and aspects that are common.
- Web and Browser Protection
- Parental Control
- Vulnerability Protection
- Settings Protection
- Online Backup
- Performance Monitoring
- Reports and Logs
Web and Browser Protection
Also called: Web Control, Web Security, Web Protection, Browser Protection, Web Browsing Protection
Web browsers are most common targets of malicious attacks. They are exploited to infect computers from the Internet, they are used to send stolen information from the infected machine to malicious servers, and they are also attacked because of the credentials that many users save in browsers' password storage or enter into their forms. This is why there is a great effort from the security vendors to secure web browsers more than anything else in the users' computers.
Also called: Plugin Prevention
Browser's processes, threads, files and other resources can be protected with common behavior control features, but this is not enough. Most common browsers allow various plug-ins, add-ons, Browser Helper Objects, or toolbars to be installed, which can also threaten their security. A component control feature may help here. Security suites should make sure that all components the browser application is using are trusted and wanted by the user.
Domain and URL Filters, Blocking Ads
Blacklisting known malicious domains and URLs is a very common feature. Users are usually allowed to add their own entries on the list of the filters. When a browser is about to make a connection to a blocked URL, the filter detects it and abort the action before any data transfer occurs. This can be implemented either on the network level with a low level kernel driver or as a browser extension, which is more common because the behavior of the browser can be easily controlled this way, which means a proper error message can be displayed rather than a confusing general error that it was not able to establish a connection. By default the filters contain destinations that are known as malicious or illegal. Various phishing and scam sites, sources of malware, bad reputation and pornography sites can appear on the list.
Blocking ads can be implemented as a part of this feature too. Although advertisements are very important for many Internet business models, some products offer their users to block them and not to display them in browsers. If a product implements domain and URL filters, it is easy for it to define a list of domains of ads providers and thus block most of the advertisements on the Internet very effectively.
Other forms of blocking ads can be based on blocking images by their size or blocking specific keywords. This form of blocking is pointed against intrusive and improper content and most of the legitimate advertisements should be displayed correctly.
The dynamic web content such as Flash, Java applets, or ActiveX objects, presents new ways to bypass common security measures. Security suites may control and block dynamic objects that are loaded from untrusted websites. Some products also implement blocking of hidden frames and pop-up windows to prevent annoying their users.
Browser's cookies are small files that a web site can ask the browser to store on the user's computer. The web site can then request the cookie back which allows the web site to extend its functionality and the level of interaction with the user. However, the mechanism of cookies can be also used to track user's activity on the Internet. This can be considered as an unacceptable violation of the user's privacy. Security suites allow its users to control web browsers cookies, delete them automatically or forbid their creation completely. Although this functionality is a common part of today's web browsers, users may prefer to manage the computer security from a single application – their security suite.
Similarly to blocking the dynamic content, blocking cookies may cause many web sites to be unable to work properly.
Browser Virtualization is a reaction of security software vendors to the fact that the Internet browser is one of the most vulnerable programs in home computers as well as the primary target of many cyber attacks. It is the browser that is used to surf websites and if a website is itself malicious or is infected with malicious content it may attempt to exploit a vulnerability inside the browser to infect the computer.
Browser Virtualization creates a virtual environment in which the browser runs. All actions of the browser are controlled and in case they are considered as potentially harmful, they are redirected to a safe sandbox. For example, if a browser is infected with a malicious code, it may try to save malicious files to the disk and set up autorun registry entries, so that the malware persists in the system and is started after every reboot. If file and registry actions of the browser are virtualized, the installation of the malware occurs only in the virtual environment and no infection of the system actually happens. When the browser is closed, the virtual environment is destroyed and the infection is gone forever.
And at the same time, it is allowed to download the files the user wants to download to the real file system outside the sandbox. Legitimate actions of the browser are not redirected and so the usability of the browser is preserved.
The browser virtualization feature is very similar to the sandbox feature we have discussed earlier. The only difference is that instead of putting unknown applications into the sandbox, it is the well known and otherwise trusted Internet browser that runs in the sandbox.
Browser and Search Advisor, Anti-phishing
Also called: Safe Web
The purpose of Browser and Search Advisors is to provide an information about a reputation of the web site that the user is visiting or is about to visit. If the browser advisor detects that the user is browsing potentially dangerous web site it displays a warning to the user. The search advisor is focused on the result pages of search engines. These pages are modified in a way all potentially dangerous links are removed or at least visibly marked and an additional information is provided for these links when the user requests it.
Internet web sites are ranked by security software vendors. Various criteria are being used here. The web sites are scanned for malware and links to other web sites that are malicious. Web page content is analyzed and classified using keyword filters. Whitelisting and blacklisting is also applied. One of the most important criterion is Community ranking. The community of users of the security product is a strong self-protecting entity that helps its members to avoid dangerous web sites. When a significant number of users of the community surfs a malicious web site it is likely that this web site will be recognized as malicious by these users and reported through their security product. Such a negative ranking is then used to warn all others in the community.
Anti-phishing features try to prevent credential thefts. There exist many techniques how to recognize a phishing web page including content analysis, recognition of invalid or fake certificates, detection of suspicious URLs, etc. If a phishing attempt is detected the offending web site is blocked by the security product or a strong warning is displayed to the user.
Web Content Scanning
Some of the features we have described above rely on scanning of web pages content. This task is very common to all products anti-virus engines, it is very similar task to file scanning. The only problem can be with encrypted communication – for example over HTTPS, or any other protocol running over SSL/TLS, which is used when sensitive data are transferred to secure web applications. This kind of encryption is designed so that even if an attacker is able to watch whole communication, it is hard for them to decrypt it. The only entities that can decrypt the data easily are the sender and the receiver – the server application and the browser, for example.
For security products, this means that it is hard to reveal what data are being transferred and so it is not possible to scan the data for malware. However, security products can install their own modules into the browsers and thus become a part of the entity that has access to the raw, unencrypted, data. This is how some security products are able to scan even the web content that is transferred in the encrypted form. And this is also why it is important to control which add-ons and plugins are running inside the browser. If a browser is infected with a malicious module, the encryption of the otherwise secure communication can be easily bypassed.
Also called: ID Protection, Identity Safe, Identity Protection
Credit card numbers, bank account numbers, web application credentials and other passwords, personal information, email addresses, social security numbers, telephone numbers are all sensitive information that should be protected well against malicious software. Privacy Protection allow the user to define which data are most sensitive and should not leave the computer without a consent. The outbound computer traffic is scanned for the protected data and the transfer is blocked in case of a positive match.
Password Management is sometimes included as a part of Privacy Protection. The users can maintain their passwords securely as they are saved in an encrypted form and only the owner can access them. Some security products extend the encryption to all user files and can thus protect settings of third party applications as well as their logs. This applies especially to various chat programs and instant messengers that may save session logs with sensitive data to the hard drive.
Internet browser history, cookies and temporary files cleaning is also a common part of Privacy Protection. The user can set how often the cleaning tasks run. This can be as often as every time after closing the browser's application, but such an aggressive approach may cause worse user experience on some web sites; or this can be scheduled as a daily task, a weekly task etc., which means that monitoring of the user's activity on the Internet is limited to that specified period of time.
Also called: Access Control
Parental Control allows privileged users (parents) to control how the computer is used by less privileged users (children). It can be used to limit the ability of a user to log in – i.e. use the computer at all. This can effectively restrict children to be able to use computer only during specific hours during the day or for a limited number of hours per day. Also the purpose of using the computer can be restricted. This can be achieved by controlling which applications the restricted user is able to start and use. The time restrictions can be combined with application restrictions and thus creating very specific conditions, such as that a certain application can be used only for two hours a day.
Parents may also want to regulate the Internet web sites their children have access to. This restriction can be created using user specific URL blacklists but most of suites with Parental Control allow controlling the access by web site content categories. The content of most popular web sites is either evaluated by the security software vendor or there is a list of keywords that the web site content is dynamically searched for. Each web site can then be put into one or more categories, such as Adult content, Hate, Violence, Racism, Weapons, Gambling, Drugs, Obscene language, Chat, Terrorism, E-mail, Social networks, Online payment, Online dating, Pornography, Hacking, Scam, etc. The parent can thus restrict access to web sites that are either in a specific category or contain keywords that belong to the category.
The Parental Control feature may also allow to create restrictions to access specific hardware, such as USB ports, Floppy disks, or CD/DVD.
Except for setting up restrictions, parents may want to review the computer activity of their children. Parental Control is responsible for logging the activity of computer users including their Internet history, so that the privileged user can check whether the computer is being used properly.
The role of the Anti-spam module is to reduce the number of unsolicited messages the user receives mainly through email. A common implementation of security suite's anti-spam supports selected email clients, such as Outlook, Outlook Express, Windows Mail, The Bat, Thunderbird, etc., and does not work with any other clients. Web based email interfaces are usually unsupported too. There are several methods to detect spam message. The methods are usually combined to a complex anti-spam solution.
One of the most common method is that contents of incoming messages are evaluated using complex algorithms and each email receives a score from the Anti-spam module. If the score is greater than a specific limit the message is marked as spam and either moved to a special folder or deleted immediately. The limit and the action to take when the limit is reached can usually be configured in the settings of Anti-spam. A spam is recognized through the text content analysis or through detection of specific parts of a typical spam message. For example, many common spams contain links to unknown or poorly rated web sites. Goods, services and winnings of various kinds are being offered in spams. Emails with executable binaries or infected documents in attachments are also typical examples. Most of the users with systems using Latin are unlikely to receive emails written in Cyrillic or any of Asian alphabets. Each of these typical signs of spam increases the email's spam score.
Another method is to use cloud or community (sometimes called Web query). The security software vendor maintains a large database of spam messages that contains most of the widespread spam messages, scam offers, phishing emails, hoaxes etc. When a user receives an email the Anti-spam module queries the database on whether the email is similar to any of the well known spam messages. New spam messages are added to the database either by the vendor itself, manually or using automatic scripts, or using a community of users that mark spam messages in their email clients.
Anti-spam solutions commonly work with whitelists and blacklists of email addresses. Emails sent from a whitelisted address is never marked as spam. Emails coming from a blacklisted address are always considered as spam. Whitelists can be generated from the user's address book, but the final list is usually maintained by the user itself. Blacklists are updated from the vendor's servers.
Another effective method to fight spam is blocking spam mail servers. Every spammer needs a computer to send spam messages from. Improperly configured mail servers and hacked machines are commonly used to send spam. Such sources of spam can be identified and their Internet addresses can be put into blacklists. There exist many public blacklists of spam sources that are used as additional method of stopping the spam. If an email is received from a server which address is on the blacklist the email is treated as a spam regardless its content. New and new machines are misused for sending spam all the time. This is why the blacklists have to be updated often to be effective.
Also called: Vulnerability Monitor
This feature helps users to maintain their computer so that it is free of known vulnerabilities that could be exploited by malware to infect the computer. It checks up whether all important updates of the operating system and well known applications are installed. It also scans user accounts for weak passwords and checks for possible problems in system settings, such as removable media autorun settings. More advanced vulnerability protection systems can be connected to vendors of unofficial system and application patches, also called vaccines, that prevent exploiting vulnerabilities before the official update is available.
Most of the security suites contain components that rely on regular updates. Other components can be updated from time to time to newer versions that add new functionality or fix bugs. Updating is thus vital to keep the computer secure. There are several types of updates.
The first type of updates is called Database updates, signature updates, or rules updates. These updates are used by the Anti-virus component for example. It needs these updates to be able to detect the latest threats. When a new malware is created and then analyzed by the security software vendor a new signature is created for it and this signature is propagated to all anti-virus clients using an update. Before updating the database with the new signature it is possible that the malware might not be detected. This depends on whether other detection methods, such as heuristic-based scans or behavioral scans, can detect the particular malware.
Program updates are very important too. Every software including security software suites contain bugs. Bugs are fixed during the product's lifetime and bug fixes are propagated to clients through program updates. Besides bug fixes, program updates can add new functionality to the product. Sometimes, even major version updates are installed through program updates. This depends on the business and licenses model of the vendor.
There are not many things user can configure with updates. The common settings allow users to choose whether the updates should be done completely automatically – i.e. check for updates automatically and download and install updates automatically – or whether any part of the update process should be manual. In case the automatic checking for update is set, the frequency of updating can be configured. Database updates should be done frequently, daily for example, while program updates can be set to weekly, or even longer term. On computers that are connected to the Internet through proxy it is necessary to have the correct proxy settings for updates. However, the automatic detection of proxy settings works well on most systems and hence users need not to care about these settings. Some products allow to switch updates into bandwidth saving mode in which only critical updates are downloaded and other updates are put on hold until the bandwidth saving mode is disabled.
Also called: Password Protection, Access Management, User Management
The purpose of Settings Protection is obvious – to protect the product's settings from being modified by both malware and unauthorized users. Relating to this feature there exist three kinds of products. The first group of products are usually smaller products that do not implement this feature at all. Their settings are unprotected against manipulation of unauthorized users but they may protect their integrity against some kinds of malware attacks via Self-defense features. The second group of products implement a simple protection using a single password. This password has to be entered when a user wants to change the settings or create a new permanent rule. The third group of products implement more complex system of rights. A common solution is to derive users and groups from the operating system and to set up privileges and limitations to modify the settings to each user account or group. In such solutions system administrators usually have full access to the security product's settings and it is possible to define what kind of access to the product's settings have non-admin users.
Also called: SafeBox
Online Backup belongs among non-core features that many security products do not even offer. The basic idea is simply to provide users an independent, well protected, secondary storage for their most critical data. In case of a hardware problem, virus infection, or unintentional destructive actions, users may lose their data stored on their computers. The online backup feature can help then by providing relatively recent version of the most critical data.
The final selection of the files and folders to backup is usually left to the user's choice, but the backup system can recommend common folders that contain important data, such as the Documents folder, to be backed up. Besides files and folders some online backups are able to save important registry keys too.
The backed up data are stored on vendor's servers. The standard size of the remote storage is up to several gigabytes. In order to be effective, the backup process has to run regularly. On the other hand the heavy utilization of disk and network may be uncomfortable for users during their work with the computer and hence it should be done when the computer is idle.
Another feature that is less common but some suites offer it as an additional mechanism to reveal non-standard behavior that may suggest malware infection or other problems. There are many things related to the system performance and resource usage that can be monitored in the system. Many processes in the system have their typical number of threads, handles, memory consumption, CPU utilization, disk usage that do not change too much over time. There might be peaks but in long term it is possible to recognize that a process behaves differently than usual. If such a suspicious event occurs the Performance Monitoring feature initiates an alert. As a result the user can be informed about the situation, or an automatic action, such as thorough anti-virus scan over the suspicious process components, can be performed. In the context of this feature the user can define limits that are enforced in order to protect the stability of the system or that initiate additional actions of the security suite. Usually, Performance Monitoring must be trained for some time in order to obtain statistical data about the normal system behavior before it is able to recognize discrepancies.
Also called: PC Clean-up
PC Tune-up or clean-up are names for a set of utilities that some security products offer as a bonus to the standard set of features. Tune-up utilities are intended to speed up the computer using various tricks. The longer the computer is used the more objects, such as files and registry entries it works with. There are many lists being created in the system, such as the list of recently opened documents, the operating system and applications work with. Some of the lists are not limited in their length and hence over the time they become longer and longer. Similarly, the number of various temporary and cache files that are not being used anymore increases. It can also happen that applications do not uninstall properly and leave their files and registry entries in the computer. Another problem that slows down the system is fragmentation of disks.
Tune-up tools are able to find and remove useless or redundant objects, defragment disks, clean up history and cache of well known applications and thus speed up the computer a little bit. Significant improvements in the computer's performance can be expected only if the system has been used for very long time without any cleaning being done. Otherwise, effects of cleaning up might not be noticeable.
Reports and Logs
Security suites offer adjustable logging that can provide very detailed information about system events and actions of every of their components. Reports and Logs are useful when a security incident occurs. The user is able to find out what happened and how it was treated. Logs from the firewall component can be used to reveal infected machines on local and remote networks and for example, react to their presence by creating new firewall rules. Logs from the behavioral control component can call user's attention to applications which behave in a way the user does not want them to. However, a good understanding of how each of the component works internally may be required for the detailed logs to be understandable. Reports tend to be more user friendly than logs and readable for users without any advanced requirements of users' knowledge. They summarize the work of the security product over a period of time without providing too much details.
The logging feature is also important for bug reporting. The more detailed information are provided to the vendor the easier its developers can locate and fix the bug.