A major U.S. Internet service provider (ISP) plans to offer a novel security technology to its millions of customers within the next month.
EarthLink, based in Atlanta, will add “behavior blocking” software provided by Sana Security of San Mateo, Calif., to the ISP’s Protection Control Center, a security suite that’s currently in use by 1.2 million customers, according to officials of both companies.
Behavior blocking is a hot subject among security researchers because it holds out the promise of stopping virus and rootkit attacks on PCs without the need to constantly update antivirus signatures. Instead, such security products aim to recognize bad behavior and stop it before a rogue program can get control of a PC.
EarthLink’s Expanding Security Offerings
In a telephone interview, Ben Kaplan, EarthLink’s product manager for security applications, explained that behavior blocking could be a part of the ISP’s new security software as early as this December. He describes the products EarthLink offers as follows:
• Protection Control Center (PCC) 1.0 is EarthLink’s security suite, which is currently free to the ISP’s subscribers and $4.95 per month for non-EarthLink subscribers. The company is planning to lower the nonmember price to $3.95 per month or $36 a year, he says.
• PCC 2.0 is coming out soon, Kaplan says, and behavior blocking software by Sana Security will be offered as an upgrade. The improved security suite will be sold under the name “PCC 2.0 with Active Shield” and will cost consumers $2.95 per month or $24 a year, he explains.
To select Sana’s technology involved a great deal of testing, Kaplan said. “We went through a lot of different products and we felt far and away Sana excelled,” he says.
What exactly is behavior blocking and how might it improve on signature-based antivirus scans?
Watching for Code with an Agenda
Timothy Eades, senior vice president of marketing for Sana, says that about 8 percent of malware his company has monitored recently is seeking to glean financial information, such as Social Security numbers, from personal computers. About 10 percent of today’s malware is already using rootkit technology to hide itself from antivirus programs, he says.
I wrote about EarthLink’s early attempts to protect its Internet-access users from hackers on May 3, 2004. That column described the ISP’s ScamBlocker, one of the first widely used browser toolbars that attempted to prevent end users from unwittingly visit “phishing” sites or other dangerous Web locations.
I last described Sana Security and its behavior-blocking software on March 29, 2005. The technology aims to detect rogue programs by catching them doing hidden or sneaky things.
Sana officials have previously described for me what they look for in malware:
• It tries to run itself every time Windows starts up. Most legitimate software doesn’t need its modules to run every time Windows starts, but malware consistently tries to insinuate itself into aspects of the Windows Registry that run applets at boot time.
• It tries to hide. Spyware and malware usually don’t provide an uninstall program. Today’s malware much prefers to lay claim to an end user’s PC quietly, without boasting “You’re Infected!” or taking other overt actions that would alert an end user that something is wrong.
• It has an agenda. Most malware tries to collect information from the victim’s PC and attempts to contact a hacker’s server to transmit the data and await further instructions.
All of these can be signs that an unwanted bit of code is infecting a machine. “We’re now tracking 228 behaviors,” says Timothy Eades, Sana’s senior V.P. of marketing.
The company’s research, which is the subject of several patent applications, is key to Sana’s ability not just to detect malware but remove it from a PC, Eades says.
Will behavior blocking soon eclipse signature-based antivirus programs as a way to protect computer users? Can these different approaches be independently tested against one another?
Test Beds for Security Products
Sana officials point to a May 2006 study by the Tolly Group, a testing firm that produced a report on the company’s behavior blocking technology. The study, sponsored by Sana, found the company’s software detected and removed 183 out of 183 threats that were obtained from Web sites. The test involved using Microsoft’s Internet Explorer browser, with some of its security features weakened, to visit thousands of known hacker sites. The sites are part of AGNIS, a list of questionable sites maintained by SpywareWarrior.com.
Mainstream computer magazines have been slow to evaluate behavior blocking in security packages, partly because the technique is new enough that novel test suites must be developed. Until major consumer publications join the testing effort for the new technology, the Tolly Group’s study can’t be scientifically compared against the results from other labs.
As EarthLink’s expansion of its security suite takes place, we may get more data on the effectiveness of behavioral defenses, compared with signature-based protection. I hope to find out soon.