eEye Digital Security Blink Professional 4.0

2008-05-01

John Hawes

Virus Bulletin, UK
Editor: Helen Martin

Abstract

John Hawes takes an in-depth look at the security features of eEye Digital Security's Blink Professional and finds a solid package with impressive breadth of power.


Founded ten years ago and based in Orange County, California, eEye Digital Security first made its name as a vulnerability research company, providing security advisories on flaws found by its teams investigating a wide selection of software and offering businesses a range of security auditing services. From this grew the company’s current range of security offerings, which include several packages focused on protecting network-facing servers from the vulnerabilities presented by flaws in software and configuration, managing policy enforcement and incident reporting across corporate networks, as well as monitoring network traffic for potentially dangerous activity.

The company’s vulnerability alerting service continues to offer privileged detail and early warnings on upcoming dangers, as well as a forum for administrators to debate the latest flaws and the hottest techniques for locking down systems and networks. The company boasts more than half of the US Fortune 100 companies amongst its clients, and its early research successes include spotting and alerting on the IIS flaw, which soon after allowed the Code Red worm to spread across the world’s web servers.

The Blink desktop offering first appeared about four years ago, and has grown from a simple HIPS product into a full endpoint suite, combining the standard ingredients of anti-malware and firewall with proactive defence in the form of intrusion prevention and vulnerability management. The suite is available in a full-featured ‘personal edition’ for home users, and the professional edition, which offers greater flexibility of configuration and can be combined with a centralized management and reporting system.

Version 3.0 of the product, using anti-malware technology provided by the Norman engine, received its first VB100 award in June last year in some style. The latest version (4.0) is due for release shortly, featuring the redesigned interface introduced in version 3.5, additional Windows Vista support and a number of improvements under the hood.

Web presence, information and support

eEye’s main web presence is at www.eeye.com, a site dominated by product marketing with in-depth coverage of the firm’s various offerings. All products are available as time-limited trial editions, with the personal edition of Blink currently free for home-user purposes while offering the same level of protection as the professional suite, and all are backed up by a wealth of information about them and the security problems they address. The site also carries the usual items of company and product news, as well as links to a number of favourable reviews and test performances.

On the more technical side of things, a research sub-site is the home of the company’s vulnerability information, most of which seems to be available only to subscribers to the company’s ‘Preview’ services. This offering is available at several levels of detail, the higher of which include personalized network security scanning, advice and insider information on the latest undisclosed vulnerabilities, as well as the standard alerting, in-depth analysis and newsletters on significant software security issues. The area also includes a selection of security research tools available for download.

Technical support for the products is similarly available at a range of subscription levels, with the most basic providing access to email-based support via an online form. A knowledgebase of common issues is available to all, however, and provides brief and often highly technical details on a range of common issues, focusing on the server range of products and the management suite. In fact, all the searches I carried out specifying Blink as a filter returned information on issues associated with deploying Blink across the network (generally solvable by setting Windows networking controls correctly). Behind the customer login area resides access to further documentation and guidance, including the user manuals which are also accessible directly from within the product, more on which later.

Having spent long enough looking at the information available online, it was time to get my hands on the product and see whether it would stand up to the impressive boasts made about it in the wealth of marketing material.

Installation and configuration

Initial installation of the product is a pretty standard process. The installer for the latest beta build of version 4.0 of the product comes in at a very reasonable 45 MB and runs through its business pretty rapidly, with the usual installation location options and EULA to be got through, as well as an unusually long activation key. On one system, the installer complained about a freeware browser sandboxing utility I had installed, insisting it be removed before the installation could continue, but there were no other hitches.

At the end of the process a dialog provides some information on the product’s default settings and status – this begins with the firewall in rather minimal protective status, set to allow anything that is not specifically blocked by a rule. This gives something of a clue as to how the product operates – this is no simple set-and-forget tool for the average unskilled user, and although the default set of functions do provide a basic level of protection against the majority of attacks, the beauty here is in the depth of control available. A huge range of optional extras are available to achieve maximum lockdown, while the product’s initial state is to apply only those thought suitable for all situations. Tuning the product to meet the individual requirements of the user requires considerable understanding of the problems being faced and the means provided by the product to mitigate them.

The interface provided to access this vast configuration is simple and reasonably appealing, being modelled along similar lines to built-in Windows tools such as the ‘Security Center’ or other system configuration applications, with menus of options on the left and details in the main panel. This gives it a straightforward and no-nonsense feel, achieving a sense of simplicity and authority without the unfriendly starkness which often comes along with more business-oriented products. This again reflects the product’s ethos, not bending to the whims of the inexperienced user with lots of twinkly cartoon graphics.

Navigating the system is pretty untaxing. There are five main categories, of which at least three are pretty obvious – the firewall, anti-malware and vulnerability scanning components. The other two, labelled ‘Intrusion Prevention’ and ‘System Protection’, seem to overlap somewhat and it is not immediately obvious what each covers, but looking inside soon clears things up. The system protection area covers guarding of registry and applications, while everything else, including anti-phishing measures, is included under intrusion prevention. With most of these now fairly standard in security suites, I opted to start off with the most novel, the vulnerability scanner.

System hardening functions

With the product installed, there are several steps required before the host system is fully secured to Blink’s satisfaction. The initial interface shows several items to be lacking the comforting green tick that signifies that they are fully active. The most interesting and unusual of these is the vulnerability scanner. This requires an initial run to find any problems with the current setup of the system, and the setting up of a schedule to look out for any further flaws.

Running the vulnerability scan is a pretty simple process. The module has few options, simply the ability to schedule scans or run them manually, and a report viewer to analyse the results. The scan itself was pretty fast, taking no more than a minute or two even on crowded and low-powered systems. In test systems in the sealed VB lab, a large number of problems were easily identified thanks to the lack of access to recent updates from Microsoft. To emulate a real user more closely, I fired up a well-used and by now rather wheezy old laptop, which had languished powered down under a bed for several months. With the product installed and updated, the vulnerability scanner found an even wider range of issues – the majority of which were easily resolved by letting the Microsoft updater carry out its slow and tedious business of downloading and installing missing patches. However, for the remaining issues it seemed that considerably more work would be required to satisfy Blink’s stringent requirements.

Several of the remaining issues concerned various pieces of software installed on the system, ranging from several Adobe and Mozilla products to more surprising ones such as WinRar. While some had their own updaters, several required manual update or even reinstallation. Among the most serious problems found was a ‘zero-day’ vulnerability in some Microsoft software which, as the report pointed out, was as yet unpatched; instead a workaround was suggested, with a link helpfully provided to advice from US-CERT on applying it. One item remaining on the ‘high risk’ list was a problem with anonymous registry access, a slack setting which could be closed down with a few tweaks in the registry.

Browsing further down the lengthy report, a slew of entries detailed potential weaknesses in my system. These included a lack of fully trackable logging, unsafe caching of usernames, passwords and page file contents, as well as various issues with unnecessary services, drive sharing and allowing unaccredited users to perform various activities. The autorun default, a spreading vector of a lot of recent unpleasant worms, was also highlighted, and even the fact that users could insert USB key drives and use them to move data off the machine was mentioned as a potential means for unwanted data extraction.

Each entry was accompanied by details of how to correct or mitigate the problem, usually in the form of instructions for doctoring registry keys, changing settings using Control Panel tools, or links to more involved instructions in appropriate places, predominantly Microsoft Knowledge Base articles. Each entry was also accompanied by links to alerts and advisories on the subject, from the likes of Secunia and iDefense as well as eEye’s own vulnerability pages, Microsoft bulletins and articles and other alerts from the software developers involved in any given flaw, with CVE numbers included where appropriate.
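As an added illustration of the kind of check behind those report entries (example code, not eEye's or Blink's own), the PowerShell script below reads four of the settings the scanner flagged and reports which are still at their weaker default. The registry paths are the standard Windows locations for these settings; the "hardened" thresholds are assumptions chosen for this example.

```powershell
# Added example (not eEye's code): a read-only audit of four Windows
# settings the Blink report flagged. Run from an elevated prompt.
# Registry locations are the standard ones; thresholds are assumptions.

$checks = @(
    @{ Name   = 'Anonymous registry/SAM enumeration (RestrictAnonymous)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'RestrictAnonymous'
       IsHard = { param($v) [int]$v -ge 1 }
       Advice = 'Set RestrictAnonymous to 1 (or 2 on Windows 2000)' },
    @{ Name   = 'Autorun enabled for removable media'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value  = 'NoDriveTypeAutoRun'
       IsHard = { param($v) ([int]$v -band 0xFF) -eq 0xFF }
       Advice = 'Set NoDriveTypeAutoRun to 0xFF to disable autorun on all drive types' },
    @{ Name   = 'Page file not cleared at shutdown'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value  = 'ClearPageFileAtShutdown'
       IsHard = { param($v) [int]$v -eq 1 }
       Advice = 'Set ClearPageFileAtShutdown to 1' },
    @{ Name   = 'Cached domain logon credentials'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value  = 'CachedLogonsCount'
       IsHard = { param($v) [int]$v -le 1 }   # threshold is an assumption
       Advice = 'Reduce CachedLogonsCount (0 disables caching; 1 keeps one offline logon)' }
)

function Test-HardeningSetting {
    param([hashtable]$Check)

    # Read the value without throwing. An absent value means Windows is
    # using its built-in default, which for all four settings is the
    # weaker state the report complained about.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.($Check.Value) } else { $null }

    $status = if ($null -eq $raw) {
        'NOT SET (default)'
    } elseif (& $Check.IsHard $raw) {
        'OK'
    } else {
        'WEAK'
    }

    [pscustomobject]@{
        Finding = $Check.Name
        Current = if ($null -eq $raw) { '<absent>' } else { $raw }
        Status  = $status
        Advice  = if ($status -eq 'OK') { '' } else { $Check.Advice }
    }
}

# One row per finding, much as the scanner's report presents them, and a
# non-zero exit code if anything is weak so a scheduled run can be alerted on.
$results = foreach ($c in $checks) { Test-HardeningSetting -Check $c }
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

The script only reads the registry; applying the advice is left to the administrator, as the report itself does.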

The depth of detail provided was remarkable, and the range of areas covered, from potential remote exploits and sources of data extraction to problems with fully accountable logging and physical access points for abusive users, was quite staggering. The sheer scale of the issue of locking down a system could easily be overwhelming, particularly for the less technically minded user, but for a network admin wanting to ensure all the systems in his charge are as secure as possible, and with the power to automate most of the tasks involved, this is surely an invaluable tool.

Vulnerabilities in software are a huge vector for malware, particularly in the ever-growing area of web threats which are rapidly increasing in complexity, subtlety and scale, with more and more legitimate sites playing unwitting host to attacks. Most of these attacks make use of long-patched flaws, probing systems for holes to sneak malware onto new victims, and the importance of keeping a system fully patched is greater than ever. Since this task is also more complex than ever, having details of all the potential dangers in a single report, along with information on remediation, and having it regenerated rapidly on a regular basis to keep up with the latest developments, is an enormous advantage.

The only feature I could think of that would be a useful addition would be an option to disregard some of the entries, as either unfixable in a given situation or not applicable under a corporate policy, but given the attention to detail it seems more than likely that such functionality is already available to admins using the separate management tools. As it was, it was tempting to try to eliminate each and every one of the issues flagged up, if only to see what would happen when a scan found nothing to complain about – surely some kind of fanfare or shiny virtual gold medal would be an appropriate reward for such diligence.

Sadly time was too pressing to go to such great lengths, and I left my test machines with a few minor issues remaining unfixed to look into the more common security measures provided by the suite.

System protection functions

Of course, once the system is fully patched and configured to the product’s liking, the vulnerability scanner becomes a core part of the ongoing protection offered. A scheduled scan will highlight new patches as and when needed, including updating the status of those nasty as-yet-unpatched flaws. New configuration tips are also added as researchers spot new vectors and new potential issues with the standard setup of a Windows system. Beyond this rather special functionality, however, the product also offers a full set of the more usual protection features provided by most other security suites on the market.

At the core of the standard anti-malware protection provided is the Norman engine with its strong ‘sandbox’ heuristics. Running it over the VB test sets showed a high level of detection, which was improved still further after upping the heuristic settings. The interface to the engine and all the file-hooking and other integration is developed by eEye, and operating the scanner and adjusting the on-access settings proved a pleasingly simple business, with defaults seeming well chosen and appropriate. Any on-demand scans required were also available from the context menu. On its own this seemed something of an improvement on Norman’s own interface to the same detection technology, which I have frequently found rather complex and fiddly when adapting it to the specific needs of VB100 testing.

Scanning speeds and on-access overheads closely mirrored past test results for Norman and Blink, implying that little extra burden was being placed on the systems by the range of added extras. The Norman engine has a long and illustrious past in VB100 comparative testing, and with a few recent problems caused by a batch of polymorphic items now behind it, it looks set to continue to do well. It also regularly achieves decent scores in other independent tests, making the ‘Advanced’ grade in the most recent AV-Comparatives test and scoring ‘Satisfactory’ or better in all but the speed category in AV-Test’s latest set of results. In our own speed measurements, both Norman and Blink products appear in the middle of the field, somewhat behind some of the zippiest products but never imposing the sort of overheads seen in the weightier ones. Using the product on a range of systems I never observed any intrusive slowdown, although when running the updater on a particularly aged and underpowered machine whilst trying to carry out several other tasks, things did become a little slow to respond for a few minutes as drive lights flickered and crackled with effort.

Moving on to the intrusion prevention filters, these again seem to focus to a large extent on vulnerability monitoring, watching numerous protocols for suspicious data which could indicate an attempted attack. The large set of categories comes fully stocked with long lists of known bad behaviours, and a separate tab presents a lengthy list of signatures for known exploits. The majority are active by default, but some are provided for those who have more specific needs, which include a website-blocking section populated with common social networking sites.

The process of adding more rules and signatures is via a simple and straightforward wizard, which in all these modules advises the user to be sure they know what they are doing before setting up a rule which could impinge on important system operations. With the default settings already pretty thorough, exploit signatures can be extended by adding pattern strings of one’s own design, providing the user with a level of control over what comes through to the machine usually only available to network admins. The phishing controls, listed under ‘Identity Theft Rules’, cover a range of common tricks found on phishing web pages, including hidden or spoofed URLs and links, and again can be extended by the user.

The system protection setup operates in a similar manner, this time with far fewer built-in rules but with the same straightforward system to allow the user to generate their own. Setting controls on specific applications, ensuring doctored versions cannot be run, or even allowing them only to be run by a specific parent process, is a pretty straightforward task achieved in a few clicks, and a similar system prevents (or allows) access to specific areas of the registry.

The firewall also uses the same system, giving a pleasing consistency across the product. The various options, with a handful of default system-wide rules and more for specific applications, are presented clearly and legibly with a good level of plain-language description to assist the less technical user. Its initial rather passive setup does require a few extra steps to ensure a decent level of protection, but this can be done with a couple of clicks of check-boxes, and it seemed to operate well once fully up and running.

Most of these rules function in a quiet and unflashy way, not bombarding the user with a deluge of hyperbolic warnings about blocked activities and simply logging unwanted events, if desired. Even the on-access malware scanner produced small, simple popups with the minimum of fuss.

The settings can be programmed to provide a training popup, filled with detail and options, when an unknown application attempts a restricted activity. In my tests, these managed to block the handful of malicious items that managed to get past the signatures and heuristics of the anti-malware engine, as they attempted to leak data from the system, contact base to download further nasties, doctor important registry entries or perform other malicious activities. The popups default to a deny action if left for 45 seconds.

My only quibble with the whole setup is that the descriptions of the rules are often considerably longer than the display space available. Double-clicking the title bar boundaries shrinks the area even further rather than expanding it to the required width, which means that it takes some fiddly stretching of boxes and dragging of sliders to read the full detail of any given rule or setting. That this detail is available at all is impressive, however.

Help and guidance

The provision of clear and useful information, a pattern repeated across the product, caters more than adequately for the complexity of configuration available. While this is not a simple set-and-forget system, and may appear daunting to many inexperienced users at the desktop level, the product provides plenty of information for those willing to put a little effort into deciding for themselves how to set things up.

Beyond the basic information provided alongside each individual rule, vulnerability alert or malware warning, a superbly detailed manual is provided, alongside an equally well thought out help system. Unlike many help pages, which often do little more than list the available buttons and what they do, this is properly task-oriented, detailing the steps required to achieve a given objective. The manual PDF runs to some 99 pages, providing even more step-by-step information on how the various features should be operated, including detailed instructions for defining new rules. All are written in lucid language with a minimum of jargon, and are clearly aimed at putting the exceptional power of the product within the reach of the humbler user.

Conclusions

With such an in-depth product to look at in a very short time, it has not been possible to do more than skim the surface of Blink’s capabilities. I have focused predominantly on the vulnerability scanner as it is a rare if not unique component in a security suite, but the rest of the functions (apart from the straightforward anti-malware scanner) are also unusual in the sheer depth of configuration available. In the right hands, this product can do far more than provide solid security from malicious code and attacks; it can implement a complete usage policy, managing many aspects of how a system and its user operate, including controlling access to unwanted software and web resources, maintaining hygiene standards and accountability through logging.

Of course, those hands need to know what they are doing, but as I have come to see through longer exposure to the product and its support systems, they do not necessarily need to be those of an expert. Enough background information and links to further resources are provided at almost every level of the product to allow an informed and committed novice not only to implement a solid security regime on their system, but also to learn a considerable amount about it along the way. The home-user version, offering the same full range of tools and options, can be put to use fairly simply using more or less the default settings to provide a very decent level of security, but with a little effort, and some trust in the assistance provided, can allow anyone to take control of their computer and take a little responsibility for their own online safety.

Of course, I can understand how this could be rather too much to bear for many home users, and they may be better off investing in something more cuddly, but for those willing to put in the effort the rewards should be well worth it. In a more professional setting, for those requiring absolute control to enforce a detailed and demanding security policy, Blink can provide a superb breadth of power to do just that, in a single well-designed and solid package.

Technical details

eEye Digital Security Blink Professional 4.0 was variously tested on:

AMD K7, 500 MHz, 512 MB RAM, running Microsoft Windows XP Professional SP2 and Windows 2000 Professional SP4.

Intel Pentium 4 1.6 GHz, 512 MB RAM, running Microsoft Windows XP Professional SP2 and Windows 2000 Professional SP4.

AMD Athlon64 3800+ dual core, 1 GB RAM, running Microsoft Windows XP Professional SP2 and Windows Vista SP1 (32-bit).

AMD Duron 1 GHz laptop, 256 MB RAM, running Microsoft Windows XP Professional SP2.
