Product review: Seven integrated endpoint security products


This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."

Download it now to read this article plus other related content.

Every vendor in our analysis claims to protect systems against exploitation using some form of HIPS technology. Different vendors use this term for a variety of disparate technical defenses (see "HIPS Hydra," below). Regardless of approach, we wanted to see how each vendor would fare against exploitation attempts in a series of three tests. We disabled each product's firewall component to focus the test exclusively on HIPS functionality.

ENDPOINTS | Exploit Protection

    Requires Free Membership to View

The good news
Overall, eEye performed best in detecting exploits.

The bad news
CA fared poorly in detecting and blocking client and services exploits.
First, we attempted to exploit client-side software running on the protected hosts, trying to attack Internet Explorer via the IE CreateObject vulnerability (MS06-014) and VML flaw (MS06-055). We also tried to exploit the Fire-fox browser using the Mozilla_CompareTo vulnerability.

HIPS Hydra

Host-based intrusion prevention system (HIPS) functionality means many different things to the vendors that include such capabilities in their endpoint security suites. The goal, of course, is to prevent the end system from being compromised by an attacker, but the technological approach of the vendors implementing HIPS varies widely. We interviewed each vendor, asking them to describe their technical approach to blocking exploitation attempts. We wanted to focus specifically on defenses against buffer overflow and related code execution exploits. Based on our interviews, we identified seven essential forms of such exploit detection and prevention:
  • System call backtracing analyzes various system API calls to ensure the calling address exists in a known code segment.
  • Spawn blocking limits which programs can run new programs (for example, blocking a browser from running a new command shell process).
  • Behavior checking monitors system calls for combinations that historically have indicated that an attack is under way.
  • DLL loading checking looks for unusual or unexpected DLLs to be loaded into running applications on the machine.
  • Call verification ensures the return address for the current function is immediately preceded by a call instruction.
  • SEH validation protects against exploits that overwrite exception handlers by validating the Structured Exception Handler chain.
  • Network-based IPS monitors network traffic for known vulnerabilities and exploits.
CA implements spawn blocking, DLL loading checks and network-based IPS. eEye relies on system call backtracing, call verification and network-based IPS. IBM ISS uses system call backtracing and network-based IPS. McAfee has created a patented "generic buffer overflow protection," although it declined to share details with us before press time, as well as network-based IPS. Sophos uses system call backtracing. Symantec implements behavior checking and network-based IPS. Trend Micro focuses exclusively on network-based IPS.

--Ed Skoudis & Matt Carpenter

This was first published in November 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: