It’s that gaping security hole that exists on most networks but that no help desk wants to think about. Antivirus programs are helpless against it. Spyware and adware scanners can’t limit the damage. Even firewalls can’t stop the bleeding. The risk of infection from aggressive worms and viruses in particular has increased dramatically in recent years, thanks to botnets.
Robot transmissions from remote computers, or bots, can perform various functions but most commonly are used to send spam, participate in distributed denial-of-service attacks or infect other machines with malicious code. Once a new machine is infected, it sends out its own bots, perpetuating the problem.
Symantec’s new Norton AntiBot employs heuristics, or behavioral-based technology, against viruses and worms, as well as scans for and removes adware, bots, Trojans, browser hijackers, dialers, keyloggers and spyware from machines in real time, as opposed to the on-demand scanners used in the past.
“We have seen an increase in the last couple of weeks,” says Abdul Hoggard, IT systems administrator for the Ocean Conservancy in Washington, D.C. “Bots are very different from viruses. They’re like heightened spyware that attaches to executable files and spreads. They feed off your environment to grow.”
Most bot threats never make their way inside a well-protected network in the time it takes for definitions to become available, yet brute force and dumb luck can never be underestimated. If you’ve not yet had to pull an infected machine off of your network until you figure out what to do with it, chances are you will at some point. But what else can you do to protect yourself?
Enter heuristic technology, which scrutinizes process behavior instead of simply comparing code to a static library of definitions or signatures. If a process engages in alarming behavior — such as sending a flood of data over a given port, accessing key parts of the Windows registry or performing multiple calculations that it doesn’t use — a program can intervene and terminate the process and ultimately remove the threat.
“The antiphishing feature built into Windows protects the first and second layers of the network, but that layer of protection is minimal,” says Hoggard. “It’s also not end-user independent. If an end user sets security levels too low, the bot could go past those layers. You need an additional layer or real-time, behavior-based protection.”
BizTech received a test release of the security application to review. Out of the box, Norton AntiBot provides an intuitive interface familiar to anyone who has used other Symantec security products. Users can access functions from the familiar system tray icon, which will invoke a nested hierarchical control page. This interface does an excellent job of showing system status in a simple, informative layout.
On the main page, a section labeled Protection Status displays the number of malware items removed, how many processes are being monitored and also how many behaviors are being monitored — a critical feature because many processes will employ more than a single behavior. The behavior count could also potentially serve as a heads-up that something is wrong, if it suddenly seems unusually high.
When a threat is detected, AntiBot displays an alert, giving two options: quarantine or allow the threat.
Under quarantine mode, the application instantly removes the threat, along with associated files. Under allow mode, the process continues running and trains AntiBot through heuristics that the process is not malware and to leave it alone in the future.
AntiBot keeps it simple: It requires little end-user interaction, and when it does, it presents requests in a straightforward, easy-to-understand fashion. Although it is an excellent supplement to any existing security infrastructure, keep the following in mind:
Symantec’s AntiBot “is also designed to function as a standalone product or can be used with applications that don’t have antivirus tools installed. Attachments get scanned before they hit the end user,” says Hoggard, who is evaluating the new tool for use at the Ocean Conservancy. “As soon as the bot comes into the system, AntiBot attacks it, or if the bot is dormant, when it’s triggered [to go live], the tool catches it and quarantines it.”
Although many security products nag or even bully the user to not disable protection, AntiBot doesn’t fight a user who simply wants it out of the way. There is a stop button prominently displayed in the main program window that will let the user disable this protection with a single click. A prompt questions the user before disengaging the tool, and the user can easily restart protection.
Norton AntiBot provides much-needed “it’s about time” security but requires very little configuration and virtually no administration once installed.
Unless alerting a user to potential threats, AntiBot runs quietly and barely noticeably in the system tray. On my test machine, it registered occasional minor central processing unit utilization and required less than 25 megabytes of memory. Based on the prerelease version, AntiBot will also barely make a footprint on a system’s hard drive, weighing in at under 15MB for the entire installation.
In a world where stacking security products is becoming the norm, it is more important than ever for programs to be frugal in their system resource demands. Symantec appears to have kept this in mind when designing AntiBot.
The small resource size is a major advantage for IT administrators because the tool did not take up a lot of system CPU, Hoggard says. “We have a pretty robust network, so we have the means to add as much stuff as we need to help protect the network. But the small resources required help.”
AntiBot supports 32- and 64-bit versions of Windows XP and Vista.
As one might expect, the test version wasn’t 100 percent perfect. Through trial and error, I slipped a popular denial-of-service tool under its radar by running it from a command prompt on specific switches. Outside of this incident, however, AntiBot proved to be both solid and capable.
The biggest challenge organizations will face will be writing the check. Pricing is proportional to the number of clients on which it will run. IT decision-makers would be wise to ensure that the application has been tested and proven in their own environment before making such a substantial investment.