004. ENDPOINT SECURITY TECHNOLOGIES
ANTIMALWARE AND ANTIVIRUS SOFTWARE
Computer viruses and malware have been in existence for a long time, and their level of sophistication has increased steadily over the years. Numerous antivirus and antimalware solutions on the market are designed to detect, analyze, and protect against both known and emerging endpoint threats. Before diving into these technologies, let us look at some of the common types of viruses and malicious software (malware) and the taxonomy used to classify them.
The following are the most common types of malicious software:
1. Computer virus
3. Mailer and mass-mailer worm
4. Logic bomb
5. Trojan horse
10. Key logger
There are numerous types of commercial and free antivirus software, including the following:
2. AVG Internet Security
3. Bitdefender Antivirus Free
4. ZoneAlarm PRO Antivirus + Firewall and ZoneAlarm Internet Security Suite
5. F-Secure Anti-Virus
6. Kaspersky Anti-Virus
7. McAfee AntiVirus
8. Panda Antivirus
9. Sophos Antivirus
10. Norton AntiVirus
12. Immunet AntiVirus
HOST-BASED FIREWALLS AND HOST-BASED INTRUSION PREVENTION
Host-based firewalls are often referred to as “personal firewalls.” Personal firewalls and host intrusion prevention systems (HIPSs) are software applications that you install on end-user machines or servers to protect them from external security threats and intrusions.
The term personal firewall typically applies to basic software that controls Layer 3 and Layer 4 access to a client machine, that is, it filters by IP address, protocol, and port. A HIPS offers more robust protection than a traditional personal firewall, including prevention of intrusions on the host itself and protection against spyware, viruses, worms, Trojans, and other types of malware.
Today, more sophisticated endpoint software has largely superseded basic personal firewalls and HIPS. For example, Cisco Advanced Malware Protection (AMP) for Endpoints provides more granular visibility and controls to stop advanced threats missed by other security layers. Cisco AMP for Endpoints takes advantage of large-scale telemetry, continuous analysis, and advanced analytics backed by Cisco threat intelligence in order to detect, analyze, and stop advanced malware across endpoints.
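The following is an added example, not code from the original page or from any vendor's product, modelling the decision a Layer 3/Layer 4 personal firewall makes: an ordered rule table matched on source address, protocol, and destination port, first match wins, with an implicit default deny. The Rule and Packet types, the function names, and both sample policies are this example's own constructions; connection tracking, which real host firewalls add on top, is deliberately omitted.

```python
"""Layer 3/4 host-firewall policy evaluation (added example, not vendor code).

Decisions use only Layer 3 (source address) and Layer 4 (protocol, destination
port) fields. Rules are applied in order, first match wins, and anything
unmatched falls through to an implicit default deny. Rule and Packet types
and the sample policies below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", "icmp" or "any"
    src: str         # source network in CIDR notation
    dport: tuple     # inclusive (low, high) destination-port range
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int = 0   # 0 for protocols without ports (ICMP)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    net = ipaddress.ip_network(rule.src, strict=False)
    if ipaddress.ip_address(pkt.src) not in net:   # also False across v4/v6
        return False
    low, high = rule.dport
    return low <= pkt.dport <= high


def evaluate(policy: list, pkt: Packet) -> tuple:
    """Return (action, reason) from the first matching rule, else default deny."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def shadowed_rules(policy: list) -> list:
    """Audit check: rule j can never fire if an earlier rule i already matches
    a superset of its traffic. Returns (j, i) pairs; a classic ordering bug."""
    found = []
    for j, later in enumerate(policy):
        lnet = ipaddress.ip_network(later.src, strict=False)
        for i, earlier in enumerate(policy[:j]):
            enet = ipaddress.ip_network(earlier.src, strict=False)
            proto_ok = earlier.proto in ("any", later.proto)
            net_ok = enet.version == lnet.version and lnet.subnet_of(enet)
            port_ok = (earlier.dport[0] <= later.dport[0]
                       and later.dport[1] <= earlier.dport[1])
            if proto_ok and net_ok and port_ok:
                found.append((j, i))
                break
    return found


# Constructed inbound policy for a workstation: SSH only from the management
# subnet, ICMP from the corporate range, everything else hits the default deny.
INBOUND_POLICY = [
    Rule("allow", "tcp", "10.0.100.0/24", (22, 22), "ssh from management"),
    Rule("allow", "icmp", "10.0.0.0/8", ANY_PORT, "ping from corp"),
    Rule("deny", "tcp", "0.0.0.0/0", (445, 445), "never expose SMB"),
]

# Constructed misordered policy: the broad allow shadows the SMB deny below it.
MISORDERED_POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0", (1, 65535), "permit all tcp"),
    Rule("deny", "tcp", "0.0.0.0/0", (445, 445), "never expose SMB"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.100.7", 22), Packet("tcp", "203.0.113.9", 22),
                Packet("udp", "10.0.100.7", 22), Packet("icmp", "10.42.1.1")):
        print(pkt, "->", evaluate(INBOUND_POLICY, pkt))
    print("shadowed:", shadowed_rules(MISORDERED_POLICY))
```

The shadowing audit is the check worth keeping: on a real host the rule table grows over time, and a deny appended after a broader allow silently does nothing, which is exactly the kind of misconfiguration that leaves SMB or RDP reachable.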
APPLICATION-LEVEL WHITELISTING AND BLACKLISTING
Three different concepts are defined in this section:
Whitelist: A list of distinct entities (such as hosts, applications, email addresses, and services) that are authorized to be installed or active on a system, in accordance with a predetermined baseline.
Blacklist: A list of entities that have been determined to be malicious.
Graylist: A list of entities whose status has not yet been established as either benign or malicious. Once additional information is obtained, graylist items are moved to the whitelist or the blacklist.
Application whitelisting can be used to stop threats on managed hosts where users are not able to install or run applications without authorization. For example, imagine that you manage a kiosk in an airport where users are limited to running a single web-based application. You would whitelist that application and prohibit running any other application on the system.
One of the most challenging parts of application whitelisting is the continuous management of what is and is not on the whitelist. It is extremely difficult to maintain the list on a system where hundreds of thousands of files have a legitimate need to be present and running, and every patch or update changes some of them; however, several modern application whitelisting solutions are available that help with this management burden.
Several of these modern application whitelisting systems are quite adept at tracking what happens on a system when approved changes are made and updating the whitelist accordingly. They do this by profiling the applications on the system: establishing a baseline of approved files and recording how an approved change alters it.
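The following is an added example covering the whitelist, blacklist, and graylist definitions above and the kiosk scenario; it is not code from the original page or from any whitelisting product. Files are identified by the SHA-256 of their content rather than by name or path, so renaming an approved binary keeps it allowed and renaming malware does not launder it. The class and function names, the "profile then re-profile after an approved change" flow, and every sample file are this example's own constructions, built in a temporary directory so the script runs offline.

```python
"""Hash-based application whitelisting with a graylist (added example, not a
product's code). Files are keyed by SHA-256 of their content rather than by
name or path. All sample files are constructed in a temporary directory; the
class and function names are this example's own.
"""
import hashlib
import tempfile
from pathlib import Path

WHITELIST, BLACKLIST, GRAYLIST = "whitelist", "blacklist", "graylist"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def profile_system(root: Path) -> dict:
    """Profile an approved image: map content hash -> path relative to root.
    This is the predetermined baseline the whitelist is derived from."""
    return {sha256_file(p): str(p.relative_to(root))
            for p in sorted(root.rglob("*")) if p.is_file()}


class AppControl:
    def __init__(self, whitelist: dict, blacklist: dict):
        self.whitelist = dict(whitelist)   # hash -> description
        self.blacklist = dict(blacklist)   # hash -> threat name
        self.graylist = {}                 # hash -> first path seen

    def check(self, path: Path) -> str:
        """Execution decision for one file. Blacklist beats whitelist, and an
        unknown hash is parked on the graylist; the caller denies execution
        for anything other than WHITELIST."""
        digest = sha256_file(path)
        if digest in self.blacklist:
            return BLACKLIST
        if digest in self.whitelist:
            return WHITELIST
        self.graylist.setdefault(digest, str(path))
        return GRAYLIST

    def resolve(self, digest: str, verdict: str, note: str) -> None:
        """Move a graylisted hash to the whitelist or blacklist once analysed."""
        target = self.whitelist if verdict == WHITELIST else self.blacklist
        target[digest] = note
        del self.graylist[digest]

    def approve_change(self, root: Path) -> dict:
        """After an approved update, re-profile the image and add only hashes
        not already allowed. Returns the additions so the change is auditable."""
        added = {h: p for h, p in profile_system(root).items()
                 if h not in self.whitelist}
        self.whitelist.update(added)
        return added


def demo() -> dict:
    """Kiosk scenario from the text: one approved browser, nothing else.
    Returns the verdicts so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        image = tmp / "kiosk"
        image.mkdir()
        (image / "kiosk-browser").write_bytes(b"\x7fELF constructed browser v1")
        ctl = AppControl(profile_system(image), {})

        bad = tmp / "invoice.pdf.exe"            # constructed known-bad sample
        bad.write_bytes(b"MZ constructed malware sample")
        ctl.blacklist[sha256_file(bad)] = "Constructed.Trojan"

        renamed = tmp / "totally-not-a-browser"  # same bytes, different name
        renamed.write_bytes((image / "kiosk-browser").read_bytes())

        unknown = tmp / "helper.sh"              # dropped in by a user
        unknown.write_bytes(b"#!/bin/sh\necho hi\n")

        out = {
            "renamed_browser": ctl.check(renamed),
            "known_bad": ctl.check(bad),
            "unknown_first_seen": ctl.check(unknown),
            "graylist_pending": len(ctl.graylist),
        }
        # An analyst reviews the graylisted script and approves it.
        ctl.resolve(sha256_file(unknown), WHITELIST, "reviewed helper script")
        out["unknown_after_review"] = ctl.check(unknown)

        # An approved update ships v2 of the browser: re-profile, allow it.
        (image / "kiosk-browser").write_bytes(b"\x7fELF constructed browser v2")
        out["added_by_update"] = len(ctl.approve_change(image))
        return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter in practice. First, approve_change only adds hashes; the v1 browser stays allowed after v2 ships, so a policy decision is needed on whether superseded versions are retired to prevent downgrade to a binary with known bugs. Second, pure hash whitelisting means every patch touches the list, which is the management burden the text describes; commercial products reduce it by also allowing by code-signing publisher or trusted installer, at the cost of trusting that signer for everything it ships.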