Published by kareldjag

In a previous article, we reviewed some free integrity checkers.
In this article, we'll focus on advanced ones (most of them paid).

Integrity checking for change detection is an important feature of security software, especially
in intrusion detection [1].
That's why this option is mostly integrated into IDS/IPS products.

The best-known integrity checker is Tripwire, which was in the past one of the rare detection solutions against rootkits.

If we take open-source IDSs for instance, Samhain is certainly one of the most interesting (a comparison between open-source IDSs that integrate integrity checking can be found here).
And it's quite surprising that only a few antivirus products, such as Kaspersky or Solo, take this option into consideration.
There are free and paid integrity checkers, and most of them operate in a similar way:

-creation of a baseline of system files with strong hash algorithms (MD5 is a minimum),

-real-time or regular (on-demand) checks in order to detect changes.

And the features provided by these products are often the same:

-possibility to take and verify a snapshot of any file, folder or system area (registry, drivers and so on), user profiles and restrictions, and so on,

-various hash algorithms,

-email notifications,

-possibility to restore a backed-up copy of original files (database) (...)
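A minimal baseline-and-verify checker following the two steps described above (snapshot with a strong hash, then compare), as an added example that is not code from this article or from any product reviewed here. The directory layout, file names and the size/mtime triage heuristic are my own assumptions.

```python
import hashlib
import json
from pathlib import Path

# Added example, not code from the article or from any product reviewed in it.
# Default to SHA-256: the article's point is that CRC32 (and bare MD5) are too weak.
ALGO = "sha256"

def file_digest(path: Path, algo: str = ALGO) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, algo: str = ALGO) -> dict:
    """Snapshot every regular file under root: relative path -> digest, size, mtime."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "digest": file_digest(p, algo), "size": st.st_size, "mtime": int(st.st_mtime)}
    return {"algo": algo, "entries": entries}

def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; keep it outside the monitored tree (ideally offline)."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))

def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())

def verify(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report added, removed and modified paths against the baseline."""
    current = build_baseline(root, baseline["algo"])["entries"]
    old = baseline["entries"]
    report = {
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
        "modified": sorted(p for p in set(old) & set(current)
                           if current[p]["digest"] != old[p]["digest"]),
    }
    # Triage hint for the "legitimate or suspect?" problem: a file whose bytes changed
    # while size and mtime stayed identical looks like tampering, not a routine update.
    report["suspicious"] = [p for p in report["modified"]
                            if current[p]["size"] == old[p]["size"]
                            and current[p]["mtime"] == old[p]["mtime"]]
    return report
```

The "suspicious" list only narrows the review work; a human still has to decide whether each reported change was expected.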

Unfortunately, integrity checking is only useful as part of a multi-layered strategy, not as a standalone security solution.
One of the most important disadvantages is the difficulty for most users to distinguish legitimate changes from suspect ones (infection, modification, file access or intrusion).
And above all, the user must consider whether this kind of solution is needed: if there's no database to protect (mostly the case for administrations, banks, marketing firms and so on), it may be more appropriate to look at a personal whitelist-based HIPS.

NB. We won't talk here about Windows integrity protection features.



This product has changed from paid to free and vice versa.
I've noticed recently that it's free again.
A very good reason to add it to any toolbox.
It's not only an integrity checker, but can be considered an anti-malware solution based on integrity checking.
It does not use strong hash algorithms by default (only a basic CRC32) but has interesting options:

-can be integrated with many antivirus products,
-registry monitoring (start-up entries),
-tasks with running applications,
-automatic scans at system start-up,
-detection of created or deleted files (...)

Sentinel is very simple to use and can be highly recommended for any security toolbox.

NB: it is advisable to switch to the SHA-1 algorithm for better reliability.

-ADINF32 (about 20 $/Euros)

This is one of the oldest products in this category (since 1999).
Once installed, it scans the hard disk to take a snapshot of the system.
One of the most interesting features is its ability to protect the boot sector's integrity.
It's a good add-on to an antivirus, but can't be considered an antivirus.
Unfortunately, if we consider some antivirus evasion techniques like cryptovirology, we need to repeat that a simple CRC32 is not enough for reliable change detection.


Winalysis is more advanced than Sentinel (more options) and, like many other integrity checkers listed here, it has the ability to restore clean backed-up files, to warn by email of any change, and so on.
Although the interface is really dull for a paid product, this is currently one of the most advanced integrity checkers available for a Windows home user environment.

-XINTEGRITY (24.95 £)

It's the lite and limited version of XIntegrity Pro: the primary difference concerns the real-time check feature, which is not included in this version.
More info in the XIntegrity Pro section.



This pro version can also be used for 30 free checks.
And the interface is really beautiful (a complete success).
Many options are available: choice of hash algorithms (MD5, SHA, etc.), a database of all files, folders, registry, services or Windows policy (permissions), detection of new ADS and so on.
But the most interesting feature is the ability to scan the file database in the background and in real time.
And if important changes are detected, there is also the possibility to restore a supposedly clean file database.

NB. This product is presented as a solution against rootkits:

"File integrity checking algorithms include MD5, SHA1, SHA256 and SHA512. This enables immediate identification of known and unknown rootkits (where an intruder will modify vital system files)".

Unfortunately, I chose XIntegrity Professional as an advanced integrity checker in order to verify whether a popular and well-known rootkit (Hacker Defender) would be detected this way.
And it's important to repeat again that modifying vital files is not the goal of an intruder or a rootkit!

"XIntegrity professional also detects any changes to installed services and detects any new or removed service, including all the services that are not normally visible via the management console."

Although mistakes are always possible during tests and experiments, I unfortunately could not confirm this claim against Hacker Defender: the hidden service is not detected (no change is reported in comparison to a safe services database).
More information in the related article here.

But XIntegrity, like many other integrity checkers, has the main disadvantage: it's really difficult for a non-advanced/inexperienced user to distinguish changes related to an intrusion (virus, trojan, spyware) from changes related to legitimate events.

Considering the number of options and the very nice graphical interface, XIntegrity is my favourite: this product can be used for free for 30 checks.

-DATA SENTINEL (199.99 £)

Although this product is really expensive, it has two advantages: it is very simple to use and very efficient.
It covers files and registry, generates an HTML report after any verification, and most importantly, it is a very fast checker!
But Data Sentinel is mostly intended for a corporate environment.


The primary advantage of this solution is that it includes rollback technology and consequently allows the administrator to restore a clean configuration if necessary (intrusion, damage by a virus and so on).
This product is mostly designed for large organisations.


Tripwire is originally the reference and the forefather of the previous integrity checkers.
This advanced protection is mostly designed to be deployed on servers.
But there is an open-source integrity checker which is quite close to Tripwire, but less powerful and sophisticated: AFICK (Another File Integrity Checker).
Although this software can be used on Windows (Perl graphical interface), it is mostly designed for Linux (where integrity checking is more important than on Windows systems).

An interesting example of a corporate whitelist-based HIPS which uses integrity checking features is Sanctuary from SecureWave.

***Related articles:

-Oregon University

-Infosecsa (PowerPoint presentation)

1. Openlysecure (PDF paper): a chapter of one of the bibles of intrusion detection.

Published in LINE DEFENSE
