Sana Security Delivering Enterprise Threat Protection

Primary Response Memory Shield FAQ

 

What is Primary Response Memory Shield?
Based upon Sana’s unique SanAPT technology, Primary Response Memory Shield products provide specific protection against broad types of threats, rather than focusing on individual attacks that are already known and have already inflicted harm. This protection is delivered out of the box, with no signatures to apply or rules to configure. Primary Response Memory Shield is easy to install, either at the time of manufacturing or in the aftermarket. Primary Response Memory Shield runs transparently in the background and does not degrade system performance or have any impact on the machine.

The first product in the Primary Response Memory Shield family, Primary Response Memory Shield Client, is specifically designed to protect against the highest risk attack class: network worms. Network worms have caused considerable damage for organizations ranging from small businesses to large multi-national enterprises, receiving high visibility due to their notable impact on IT infrastructures. To better understand the magnitude of the threat that this attack class imposes, consider the trains halted at CSX, and the delays and cancellations at Air Canada that resulted from the Blaster worm[1]. With Primary Response Memory Shield, no signatures are required and updates are a thing of the past. Instantly, upon software installation, all your systems are protected from known and unknown network worm attacks.


Primary Response Memory Shield Features & Benefits Summary

  • Easy-to-install, out-of-the-box intrusion prevention for desktops, notebooks and embedded systems.
  • Protects Internet-connected systems from PC network worms, the largest risk class of attacks.
  • Complements antivirus efforts and protects against known and unknown worms.
  • An essential and painless element for maintaining network health, especially at a minor investment of just $10 USD per machine.
  • Leverages established Sana Adaptive Profiling Technology (SanAPT) to understand underlying operations, vulnerabilities and attacks. This information is then used to protect machines from memory-based code injection threats to Microsoft Windows core services.


What is a PC worm and how is it different from a PC virus?
PC worms are all too familiar to most computer users. Virtually everyone has received a suspicious e-mail message with an unfamiliar file attached that beckons to be opened. This is the common PC e-mail worm. However, a more insidious type of worm is the network worm, stealthily propagating itself through entire enterprise systems, often without users’ knowledge.

A PC worm is similar to a PC virus, in that it spreads from computer to computer through some kind of connection or contact. While a virus requires an action by a user to send it to another computer, a worm has self-propagating features, making it a more dangerous threat. Worms typically use the basic transport mechanisms of your computer to spread, and attackers using worms can take control of systems and execute malicious behavior. Examples of worms include Sasser and Blaster, both of which caused serious and widespread damage.


Are there different types of PC worms to watch for?
Yes. PC worms are classified by their method of propagation. PC email worms travel as executable files attached to emails, often using Outlook or Outlook Express as the propagation mechanism.

PC network worms propagate through networks by using code injection exploits of Windows core services.

While PC email worms are generally quite prevalent, they tend to have a relatively low impact due to the following factors:

  • Given their identifiable characteristics (i.e., an email with an executable attachment), a combination of corporate policy and antivirus programs is generally effective in detecting and preventing email worms today.
  • Even when email worms do reach a user, they are slow to propagate because they require the user to execute or open the file.
  • Most users today are aware of email worms and know to avoid the actions that enable them to propagate.

Alternatively, PC network worms are less frequent (three major cases in the previous year), but their impact is high. The factors that make network worms more dangerous include:

  • No user action is required for network worms to propagate. Once they are on a network, they can spread unchecked.
  • Network worms take advantage of vulnerabilities in the most popular operating system, Microsoft Windows. They do not rely on specific email tools, for example.
  • Network worms can masquerade as core Windows services and thus gain a high level of system authority.


Why do organizations need Primary Response Memory Shield?
Worms are now the largest class of Internet attacks. PC network worms propagate through networks by using code injection exploits of Windows core services.

Primary Response Memory Shield protects machines from memory-based code injection threats* to Microsoft Windows core services with:

  • No signatures to develop
  • No policies to configure
  • No rules or behavioral requirements to be learned over time
  • No training to learn what an attack is
  • No impact to machine performance
  • No end user intervention required

    *like Sasser, Blaster, Slammer and Code Red


How does Primary Response Memory Shield work?
Sana Security’s Primary Response Memory Shield tracks the behavior of core Windows services at the system call level. This means that any abnormal behavior, including a code injection from an unknown worm, is prevented. Code injection that originates system calls from read/write memory (heap, stack or static memory) is blocked.

Because this protection is focused on core services, it does not hamper run-time programs such as Java applications. Java is an example of a programming language with built-in memory management, which eliminates buffer overflow vulnerabilities, and does not need monitoring in the same way as other programs.

For more detailed information on code injection and buffer overflows, see the Sana Security document “Code Injection Technical Note.”


What is a code injection threat?
A code injection exploit takes advantage of a buffer overflow vulnerability to inject code into memory and execute its own commands.

At a high level, a network worm exploits a buffer overflow vulnerability or other programming vulnerability. Programs use memory buffers for temporary storage and processing, and each buffer has a limited size. If a program does not check the bounds of a buffer, an attacker can overflow the buffer with their own contents. This allows malicious code to be injected and executed from read/write memory. Normally, code executes from a part of memory marked read-only. Network worms target vulnerabilities in Windows core services because these programs are common to all Windows systems, providing a worm with the largest possible target and high levels of access, which allows the worm to do the most damage and to propagate through the network.
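
The origin rule described under “How does Primary Response Memory Shield work?” and in the paragraph above comes down to asking whether an address lies in writable memory. The following is an added example, not Sana's code: it uses Linux's /proc/self/maps as a stand-in for the Windows mechanism, and `classify_origin` and the `origin_of_*` probes are hypothetical names.

```c
/* Added illustration, Linux analog of the origin check; not Sana's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum origin { ORIGIN_UNKNOWN = -1, ORIGIN_ALLOW = 0, ORIGIN_BLOCK = 1 };

/* Find the mapping that contains addr in /proc/self/maps and apply the
 * FAQ's rule: an origin in writable memory is blocked, otherwise allowed. */
enum origin classify_origin(const void *addr)
{
    uintptr_t a = (uintptr_t)addr;
    enum origin verdict = ORIGIN_UNKNOWN;
    char line[512], perms[5];
    unsigned long lo, hi;
    FILE *maps = fopen("/proc/self/maps", "r");

    if (!maps)
        return ORIGIN_UNKNOWN;
    while (fgets(line, sizeof line, maps)) {
        /* Each line starts "start-end perms", e.g. "7ffd1000-7ffd3000 rw-p". */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if (a >= lo && a < hi) {
            verdict = (perms[1] == 'w') ? ORIGIN_BLOCK : ORIGIN_ALLOW;
            break;
        }
    }
    fclose(maps);
    return verdict;
}

static int static_buf[4]; /* static data, lives in a read/write segment */

/* One probe per memory class named in the FAQ, plus ordinary code. */
enum origin origin_of_code(void)   { return classify_origin((const void *)(uintptr_t)classify_origin); }
enum origin origin_of_static(void) { static_buf[0] = 1; return classify_origin(static_buf); }
enum origin origin_of_stack(void)  { char local[16] = {0}; return classify_origin(local); }
enum origin origin_of_heap(void)
{
    void *p = malloc(64);
    enum origin o = p ? classify_origin(p) : ORIGIN_UNKNOWN;
    free(p);
    return o;
}

int main(void)
{
    printf("code=%d static=%d stack=%d heap=%d (0 allow, 1 block)\n",
           origin_of_code(), origin_of_static(), origin_of_stack(), origin_of_heap());
    return 0;
}
```

Only the address of ordinary program code passes; the heap, stack and static data addresses all fall in writable mappings and are rejected.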


Doesn’t antivirus software protect my systems from network worms?
No. Because antivirus programs detect existing worms based on known signatures and code injection into file systems, antivirus protection from worms is inherently limited and reactionary. Until a worm is known and a signature created and updated, the antivirus program cannot provide protection against the malicious code. Even when the worm is known, if it executes itself from memory without executing from the file system, most antivirus programs are not capable of protecting a system against it. Even after the signature is developed, antivirus software typically monitors email attachments and file directories that are accessed by the user through Windows Explorer. Most worms hide themselves in less accessed system directories, which will only be processed by AV software during the full file scan. This means that in most cases AV will help clean up the worm after it has infected the machine and many other systems.


In an organization with thousands of users, how easy is it to deploy Primary Response Memory Shield?
Primary Response Memory Shield is extremely easy to deploy. Users can easily download the self-installing software from a secure web site. The software can also be distributed via SMS and other management applications.


Does Primary Response Memory Shield require dedicated security expertise to manage and maintain?
No. Primary Response Memory Shield runs as a background service and requires no ongoing management since there are no signatures or rules to update, no policies to change or reconfigure, and no false positives to troubleshoot. Primary Response Memory Shield integrates into existing management systems and does not impact Microsoft Windows® updates.


How much impact on machine performance does Primary Response Memory Shield have?
None. Primary Response Memory Shield exerts zero performance degradation, negligible CPU and memory utilization, and is transparent to OS service operation.


Don’t other vendors offer products that provide an identical level of protection?
No.

Other products that claim to protect enterprise systems from network worms prevent known attacks only (while Primary Response Memory Shield also protects from zero day or unknown attacks).

Other products rely on signatures and rules, which require significant dedicated security personnel to configure and update.

Other products are sold only as “add-on” software which adds cost and requires significant dedicated IT personnel.


How is Primary Response Memory Shield distributed?
There are currently three distribution options for Primary Response Memory Shield:

Built-in during manufacturing – with UI

  • Self-installing executable within software image
  • One-step user install, no configuration necessary

Built-in during manufacturing – without UI

  • Pre-installed within software image
  • No configuration necessary

Electronic distribution for installed PCs

  • Establish Immediate Presence
  • Co-branded “store” – Sana hosts landing pages (no fee for template)
  • Take Orders - Full eCommerce capability
  • Fulfill Orders - Delivers downloadable, self-installing product
  • Support Promotions
  • Process Promotion Redemptions via Landing Page


What platforms does Primary Response Memory Shield support?
Primary Response Memory Shield software runs on a desktop or notebook equipped with:

  • Microsoft Windows Platforms:
    • Windows XP Starter Edition
    • Windows 2000
    • Windows XP
  • Pentium or Celeron processor running a minimum of 233 MHz
  • 64 MB of RAM


Who do I contact to find out more about Primary Response Memory Shield or to buy the software?
Contact Sana Security’s sales team by calling 1-866-900-SANA or send an email to
