FOR
A unique utility designed to augment Preventon’s earlier Personal Firewall application; counters a number of attacks that some IT security applications could let through; prevents almost any unauthorized application or applet from executing; multiple protection settings; useful for corporate environments where managers need to control which applications can run on users’ PCs.

AGAINST
Some elements of the package may be superfluous on company LAN-based systems, where LAN-oriented IT security applications may already cover some functions. It takes some ‘training’ to prevent false alarms.

VERDICT
An interesting and thought-provoking security application that won’t break the bank. Will augment most IT security applications installed on users’ PCs.

When we reviewed Preventon’s first IT security offering, Personal Firewall, late last year, we were struck by the fact that the company had approached the firewall’s development from a different angle than the competition. This policy of looking at the problem differently has also been applied to the development of Veto.

Veto is an application control package that, in a nutshell, allows users, parents or managers to control which software will run on a Windows-driven PC. The reasons why users seek to control which applications will run on their system can be varied, ranging from a parent seeking to control what their offspring get up to with downloaded software on the home PC, right through to a company wanting to control which licensed applications can be run on employees’ PCs.

Veto also has the advantage that it will act as a backup to a firewall or anti-virus package. If an applet or similar executable manages to get past the first layer of IT security on a user’s PC, Veto will stop the executable in its tracks. What’s interesting about Veto is that it seeks to be complementary, rather than competitive, to other IT security applications. This approach, the company says, is deliberate, and one it plans to continue with a third package in its range, Web Protect, a web server protection application being developed for release later this year.

Although the software has been designed to run on a variety of Windows environments, including Windows 98, Me, 2000 and XP, its interfacing with the kernel and other basic elements of the Windows operating system is at a very fundamental level. This means that the package is unlikely to be compromised by malware that uses both ‘legal’ and ‘illegal’ operating system jumps in the future. By constantly monitoring the majority of activity on a user’s PC, the software is looking for unauthorized events.

The package operates on an exclusive basis - i.e. it blocks the ability of an application to execute unless permission for that executable or applet to operate is expressly included in its database. The analogy here is with a cellular phone that a parent buys for a child - the mobile can be programmed to dial only those numbers which the parent has entered in the numbering memory. Other numbers dialed are simply blocked at the dialing stage.

As well as keeping an eye on the registry and I/O ports of a PC for unauthorized software activity, Veto also scans the entire PC memory and system resources for the beginnings of any unusual activity. If it encounters a potential executable, Veto takes appropriate action, depending on which mode it is operating in.

There are three basic modes the package operates in: preview, quarantine and lockdown. In preview mode, when Veto encounters a process starting under Windows, it moves the entire process environment into the background and opens up a dialog box onscreen. A process, for the non-Windows programmers out there, is the environment that Windows creates whenever the operating system receives a request to allocate system resources for a program to execute. At its simplest, a process contains details of the application which is preparing to execute, including memory attributes, executable addresses and so on - effectively a fingerprint for the program code that is attempting to run. When Veto is in preview mode and spots a process starting to occur, it freezes the process in the background until the PC user has responded to the dialog box onscreen. If the user answers ‘yes’ to the screen request, the process is allowed to continue. If the answer is ‘no’, then the process is stopped in its tracks.

In quarantine mode, Veto scans for unauthorized and/or unknown processes and stops them from continuing, while at the same time alerting the PC user that something has happened. This mode is recommended by Veto as the best, once users have ‘taught’ the package what their ‘normal’ software applications are. Under quarantine mode, Veto has an ‘allow to run next time’ option, which adds the executable to the permitted list. It’s important to note here that Veto does not simply store a note in its database to allow, for example, “Lotus Notes to operate in the future.” Instead, and to prevent anyone simply renaming a piece of malware or similar unauthorized application to that of an authorized package, Veto logs the ‘fingerprint’ of an authorized package, allowing that same set of executables to run without intervention in the future. If, for any reason, the user later updates the authorized application, then the quarantine mode will flag the fact that the authorized software has changed and request a go/no-go input from the user once more.

Lockdown mode, the third of the three modes that Veto supports, is the most cautious of the modes, since it simply blocks unauthorized applications and processes from running. This mode is ideal for parents or companies who want to rigidly control which applications a PC will run - in lockdown mode, any other system activity is blocked, period.
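The fingerprint-based permitted list and the three modes described above, as an added illustration written for this review (it is not Preventon’s code; the use of SHA-256 as the fingerprint, the mode names as an enum, the yes/no dialog callback and the sample executable images are all assumptions of this example):

```python
import hashlib
from enum import Enum

class Mode(Enum):
    PREVIEW = "preview"        # freeze the process and ask the user
    QUARANTINE = "quarantine"  # stop unknown processes and alert the user
    LOCKDOWN = "lockdown"      # stop unknown processes, no questions asked

def fingerprint(image: bytes) -> str:
    """Allow decisions key on a hash of the executable image, never on its name."""
    return hashlib.sha256(image).hexdigest()

class AppControl:
    def __init__(self, mode: Mode, ask=None):
        self.mode = mode
        self.allowed = {}   # fingerprint -> name it was approved under
        self.alerts = []    # alerts raised in quarantine mode
        self.ask = ask or (lambda name: False)  # hypothetical preview-mode yes/no dialog

    def authorize(self, name: str, image: bytes) -> None:
        self.allowed[fingerprint(image)] = name

    def on_process_start(self, name: str, image: bytes) -> str:
        fp = fingerprint(image)
        if fp in self.allowed:
            return "run"            # known fingerprint, whatever the file is called
        if self.mode is Mode.PREVIEW:
            if self.ask(name):      # user said yes: remember the fingerprint, let it run
                self.authorize(name, image)
                return "run"
            return "blocked"
        if self.mode is Mode.QUARANTINE:
            self.alerts.append(f"quarantined {name} (fingerprint {fp[:12]})")
            return "quarantined"
        return "blocked"            # lockdown: silent block

# Constructed stand-ins for executable images (real ones are the file bytes on disk).
NOTES_V1 = b"MZ notes-client build 1"
NOTES_V2 = b"MZ notes-client build 2"   # a later update of the same application
MALWARE = b"MZ dropper payload"

def demo() -> list:
    ac = AppControl(Mode.QUARANTINE)
    ac.authorize("notes.exe", NOTES_V1)
    out = [ac.on_process_start("notes.exe", NOTES_V1),  # approved build: run
           ac.on_process_start("notes.exe", MALWARE),   # malware renamed notes.exe: quarantined
           ac.on_process_start("notes.exe", NOTES_V2)]  # updated build: re-approval needed
    ac.authorize("notes.exe", NOTES_V2)                 # the 'allow to run next time' option
    return out + [ac.on_process_start("notes.exe", NOTES_V2)]
```

The renamed sample is stopped because its fingerprint is unknown, and the updated build is stopped until it is approved again, which is the behaviour the review describes.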
Installing Veto takes around 10 minutes using the supplied CD-ROM and mini-manual, although the ‘learning’ process, which Veto undergoes as it gets to know its new owner and what they want from the package, can take some time. Unlike many security applications, Veto is not static - in preview and quarantine mode, it continually alters its parameters to meet the changing needs of a user. In lockdown mode, however, Veto operates on a very rigid basis, preventing any unauthorized actions by the user of the PC that the package is installed on.

One of our criticisms of Preventon’s first release, Personal Firewall, was that the documentation of the package was too lightweight. We’re glad to report that the company has clearly taken this to heart with Veto, and has included a quick-start leaflet, as well as a relatively in-depth 32-page manual, as standard. Both the leaflet and manual are A5-sized and fit neatly inside the supplied ‘DVD-style’ casing for the software, which comes in CD-ROM format.

The $64,000 question with this package has to be - can Veto be beaten? Based on our current understanding of the way in which Windows can be circumvented, this writer does not think so, even if malware writers discover a new way in which to exploit loopholes in the Windows operating system environment. It’s just conceivable that a hacker may come up with a new and devilish way to distribute a new and revolutionary piece of malware to a user’s PC, but, because Windows uses processes for almost all executables, Veto should be able to spot such malware pretty quickly. The only exception to this rule is the latest generation of spyware, which tries to conceal from Windows that it is operating. Our research, however, suggests that, while it is possible to conceal from Windows that a spyware application is executing, Veto’s approach of monitoring all PC system activity, right down to BIOS level, will ensure that such malware can be quickly and easily spotted.
SC On-Line

Copyright © West Coast Publishing. All rights reserved.