Information Security

Defending the digital infrastructure

Hot Pick: Sana Security's Primary Response 3.0
Sana Security
Price: Starts at $875

Host-based intrusion prevention is often regarded as more or less a point security technology for protecting critical servers. But the increasing threat posed by mobile devices gives new urgency to endpoint security, and improved management tools, agent technology and faster networks have made host IPS a more attractive enterprise proposition.

Sana Security has significantly enhanced the value of Primary Response by extending its heuristics-based protection to desktops (Windows 2000 Professional and XP Professional) in version 3.0. Server agents are supported on Windows 2000/2003 and Solaris 8. (Solaris 9 and Linux are in beta.)

The ability to centrally aggregate, correlate and respond to reports of anomalous behavior across multiple machines makes Primary Response more than a point tool for protecting individual hosts. For example, if a machine suddenly reports IRC traffic through TCP port 10087--indicative of a worm attack--the event would be logged. This gives other machines a point of reference for taking appropriate response action, even if there is no attack signature. Depending on policy, Primary Response can log, block, alert or ignore the anomaly on a global, group or individual basis. Alerts are delivered via e-mail or SNMPv1 and v2.

Primary Response complements signature-based AV, particularly for detecting and preventing the spread of zero-day worms. It prevented worms, Trojans, rootkits, keyloggers and bots from executing on our systems.

Client agents collect anomalous events--such as new applications opening ports--and pass them to the management server for classification by severity. Responses are set according to predefined policy. This allowed us, for example, to run IM in a normal operating state. But when we attempted to infect the client machine with an IM-transferred keylogger, the executable was denied access at the kernel level; the behavior didn't match defined norms. Because Sana monitors executable behavior, it works particularly well with custom applications without extensive setup and policy creation.

Exec Summary
up Blocks known and unknown exploits
down Centralized correlation and response
down Operates at the kernel level
down Only Windows Professional desktops

Primary Response ships with default application policy templates for protective responses to common threats; policies can also be edited or created from scratch.

Highly granular policies can be created based on groups and permitted applications and processes. Machines in the same group can inherit policy from other machines in the group, and Active Directory groups can be imported.
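As an added illustration (not Sana's code), the following shows how the policy scoping described above, where an individual host rule overrides a group rule and a group rule overrides the global policy, can be combined with the cross-host correlation from the TCP port 10087 example earlier in the review. The event model, the one-step escalation rule and the sample events are assumptions made for the example.

```python
# Added illustration of the review's policy/correlation model; not Sana's code.
# The event model, the escalation rule and the sample data are assumptions.
from collections import defaultdict
from dataclasses import dataclass

ACTIONS = ("ignore", "log", "alert", "block")  # least to most severe response

@dataclass(frozen=True)
class Event:
    host: str
    group: str
    anomaly: str  # e.g. a new process listening on a port

class PolicyResolver:
    """Host rule beats group rule beats global rule; unmatched anomalies use the default."""

    def __init__(self, global_rules, group_rules, host_rules, default="log"):
        self.scopes = (host_rules, group_rules)
        self.global_rules, self.default = global_rules, default

    def resolve(self, event):
        for rules, key in zip(self.scopes, (event.host, event.group)):
            action = rules.get(key, {}).get(event.anomaly)
            if action is not None:
                return action
        return self.global_rules.get(event.anomaly, self.default)

def correlate(events, resolver, min_hosts=3):
    """Resolve each event; (assumed rule) escalate one step any anomaly on >= min_hosts hosts."""
    hosts_by_anomaly = defaultdict(set)
    for e in events:
        hosts_by_anomaly[e.anomaly].add(e.host)
    decisions = {}
    for e in events:
        action = resolver.resolve(e)
        # A spreading worm repeats the same anomaly on many machines, signature or not.
        if action != "ignore" and len(hosts_by_anomaly[e.anomaly]) >= min_hosts:
            action = ACTIONS[min(ACTIONS.index(action) + 1, len(ACTIONS) - 1)]
        decisions[(e.host, e.anomaly)] = action
    return decisions

# Constructed sample: a global rule, a group override, and a host-level exception.
IRC = "new_listener:tcp/10087"
RESOLVER = PolicyResolver(
    global_rules={IRC: "log"},
    group_rules={"desktops": {IRC: "alert"}},
    host_rules={"ws-07": {IRC: "ignore"}},  # e.g. a sanctioned test machine
)
SAMPLE_EVENTS = [
    Event("ws-01", "desktops", IRC), Event("ws-02", "desktops", IRC),
    Event("ws-07", "desktops", IRC), Event("srv-01", "servers", IRC),
    Event("srv-02", "servers", "driver_load:usbstor"),
]
```

With the sample above, the desktop events escalate from alert to block because the same anomaly is seen on four hosts, while the host-level ignore on ws-07 still wins.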

The kernel lockdown feature is impressive. It prevents device drivers--such as those for portable storage devices--from loading. Because Primary Response functions in the kernel, policies can be created that protect the system and the agent itself at a fundamental level from sophisticated attacks, such as code injection and registry modification.

The management server runs on Windows 2000/2003 servers and Solaris 8. The Java-based console is a tabbed environment for management server configuration, installation of the agents, policy configuration and assignment, creating and managing groups, and setting up alerts, logs and reports. There's an embedded database; Oracle is supported for larger deployments and is required for Crystal Reports.

In 3.0, Sana applies sophisticated detection techniques to both servers and desktops to elevate its host IPS to enterprise level.
