Safe`n`Sec
Introduction
Safe`n`Sec is a product from Safe`n`Soft.
Safe`n`Sec for personal use comes in three versions. Besides the standard version, which is a pure behavior blocker, there is a Safe`n`Sec Pro + Antivirus package (incorporating Bitdefender as the antivirus engine) and a Safe`n`Sec Pro Deluxe product, which adds an antispyware module and an anti-rootkit. For this review, only the standard version was tested.
Conceptual model
Safe`n`Sec is essentially a combination of a traditional policy-based behavior blocker and an expert-system-based HIPS that supplements it.
First there is an "interceptor" and an "identification" module (iTrust):
"To analyze information and make a decision, the System Interceptor transfers full information about the system call and the application that generated this call to the iTrust Engine, an application identifying module. Correct identification is required to distinguish the activities of malicious software from the actions of allowed or trusted software."
Then there is a Rules Engine:
"After this, the call is processed by the Rules Engine, a module that analyzes calls and makes a decision based on the predefined rules. The Rules & Policies database contains all possibly dangerous activities of applications, such as deleting system files, unauthorized access to user data, changing the operating system settings, etc. A set of such rules and actions (block/allow/ ask user, etc.) comprises the activity control policy. With Safe`n`Sec, the user can define several activity control policies, the number of which depends only on user’s specific needs. If the call matches one of the rules, the Rules Engine makes a decision that complies with the selected policy. After this, the call is transmitted to the next module for the final decision."
So far this is a normal policy-based behavior blocker HIPS.
But it also includes some intelligence:
"The data submitted to the Intelligent Decision Maker is analyzed taking into account the Activity History of this application. The Activity History records the actions of all applications, which had been analyzed earlier but a decision about the malicious nature of an application was not made due to the lack of such information. The Intelligent Decision Maker makes appropriate decisions based on the sequence of activities, their number, periodicity, and reiteration pattern."
http://www.safensoft.us/technology/
In theory this will warn you of malware, as opposed to applications that merely break the policy rules. I was unable to test this though, because I did not test with any real malware. For people who like to tweak the system, it should be noted that while you can add or delete individual policy rules (e.g. Rule 401 watches for creation of the file system32\drivers\etc\hosts, which essentially protects your hosts file), this Intelligent Decision Maker module is essentially a black box, separate from the policies, and cannot be viewed or modified.
Safe`n`Sec settings
When you first install Safe`n`Sec, you have two main decisions to make. The first is whether you will run Safe`n`Sec in Beginner or Advanced mode. This affects how much of the interface is exposed. Surprisingly, this isn't really such a big decision: as usual, you can switch between the two modes from the Interface screen (see below).

More importantly, the differences between the two modes are minimal.
As you can see from the screenshots above, the activity control screen hardly changes except for the addition of a few buttons. We will cover what happens when you click on the advanced buttons later, but you might be wondering why the Beginner interface has extra checkboxes.
In Beginner mode, these checkboxes control the effect of clicking either Allow or Block in response to a prompt (see below). So, for example, given the setup above, clicking Allow will not only give permission but will also put the application into the trusted list, so it will not generate any more prompts for any action.

In Advanced mode, these checkboxes are not necessary, because you can change these settings on the fly in any prompt box.

Clicking on any of the underlined parts will toggle each option.
For the Allow option, you can toggle between:
- this application or any application
- remember or once only
- Always or for this session only.
If the last option is set to 'always', the policy rule that triggered the prompt will be allowed for that application. However, that rule may be much wider than the event that actually triggered it, so a further toggle, "don't use/use system parameters for creating a new rule", gives you the opportunity to create a narrower rule instead.
Confused? Take predefined rule 27: whenever a registry value is edited or deleted under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, you will be prompted. Say you use some program to remove its own startup entry. If, in response to the prompt, you select "don't use" system parameters for creating a new rule, that program is given the right to ignore the whole broad rule; in other words, it can delete *any* value under that key. Toggling it to "use" system parameters for creating the new rule creates a tighter, more specific permission covering only the value it actually touched. This is somewhat more secure. The same applies when broad file write policies are triggered.
For the Block option, you can toggle between the same options, plus one additional option: kill or don't kill the process.
Control policies
Regardless of whether Beginner or Advanced mode is used, the most important decision is which overall control policy to use. In Safe`n`Sec there are three main modes, Trusting, Strict and Total, controlled by the lever in the activity control screen (see the screenshot above, in either Beginner or Advanced mode).
Compared to Strict control, Total control essentially alerts you to more registry changes, warns you of attempts to write executables anywhere on the disk, and watches changes to certain personal folders. Trusting mode alerts you to even fewer registry keys and in some cases will just silently block without asking the user.
Users running in Advanced mode have the option of more fine-grained control.
Firstly, they can choose to selectively turn off classes of rules. Clicking on the first advanced button (see the screenshot above), they can turn off any of the following classes of rules:
- File system activity
- System registry activity
- Process interaction
- Network activity
- System API calls.

Users who already run a personal firewall would probably want to turn off Network activity.
Even more control
What if you want even more control? Then you must click on the second advanced button. This brings you to the screen below, which lists specific rules for applications.

There are three main classes of applications: Restricted (not shown in the screenshot), which are programs identified by the Intelligent Decision Maker as malicious; Trusted, which are programs that are not restricted by Safe`n`Sec in any way; and Custom, programs which have specific permissions.
What is nice about Safe`n`Sec is that it ships with a database of 198 known applications with very specific rules adapted to each application. These are added automatically when needed. Unlike, say, Prevx1, which only states whether an application is known or not, in Safe`n`Sec you can see that great care was taken to ensure that each known application, particularly system processes like svchost and lsass, was given specific, tight rules without overly restricting functionality.

There are no hardcoded rules: you can move applications between Trusted, Custom and Restricted. Though you can't delete default rules (probably an interface decision so that you can quickly recover from your own meddling), you can disable each rule individually, which amounts to the same thing. You can add your own rules, of course.
About rule making
There are two types of rules in use by Safe`n`Sec: the default set shipped by Safe`n`Sec, and your custom rules.
The default rules are highlighted in blue (custom rules are in black) and, as stated, cannot be deleted, though you can disable them by unchecking the box beside them.
Safe`n`Sec first checks whether there are any specific rules for the application; if the application isn't listed, or none of its rules is relevant, it goes on to check the General rules, which apply to all applications.
You can edit the General rules in the same way as application-specific rules.

As the screenshot above shows, depending on which control policy is active, each rule may block (orange cross) or not (green tick); the small balloon icon indicates whether the user is prompted or the action is just blocked.
The default set comes with over 250 rules, with the potential for further customization by adding your own. This covers everything from registry changes (probably the largest group), file/folder changes, process attacks and network control, plus various special rules (more about them later). Very comprehensive indeed.
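The resolution order just described (application-specific rules first, then the General rules), the per-policy action of each rule, and the difference between answering a prompt with and without "use system parameters" (the rule 27 example in the settings section) can all be shown in a few lines. The following Python is an added example written for this review, not Safe`n`Sec's rule engine: the rule names, the Run-key pattern standing in for rule 27, the per-policy actions and the cleaner.exe scenario are assumptions made for the demonstration.

```python
"""Toy rule-resolution engine for a policy-based behavior blocker.

Shows: application rules are consulted before General rules; each rule carries
an action per control policy (Trusting / Strict / Total); and a prompt answered
with "use system parameters" yields a narrower exception than "don't use".
Rule names, patterns and per-policy actions are assumptions for this demo.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POLICIES = ("trusting", "strict", "total")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Rule:
    name: str
    activity: str               # "registry", "file", "network", "process"
    op: str                     # "set", "delete", "write", ... or "*" for any
    target: str                 # fnmatch pattern over the lower-cased target
    actions: Dict[str, str]     # policy -> "allow" | "block" | "ask"
    app: Optional[str] = None   # None marks a General rule


def matches(rule: Rule, app: str, activity: str, op: str, target: str) -> bool:
    if rule.app is not None and rule.app != app:
        return False
    if rule.activity != activity or (rule.op != "*" and rule.op != op):
        return False
    return fnmatch.fnmatchcase(target.lower(), rule.target.lower())


def specificity(rule: Rule) -> int:
    # More literal characters in the pattern = tighter rule; it wins among hits.
    return len(rule.target.replace("*", ""))


def decide(app, activity, op, target, policy, app_rules, general_rules) -> Tuple[Optional[str], str]:
    """Return (matched rule name, action). Application rules first, then General."""
    for ruleset in (app_rules, general_rules):
        hits = [r for r in ruleset if matches(r, app, activity, op, target)]
        if hits:
            best = max(hits, key=specificity)
            return best.name, best.actions[policy]
    return None, "allow"            # activity not covered by any rule


# A General rule modelled on the page's description of predefined rule 27:
# any change under the Run key prompts in Strict/Total. The Trusting action
# is an assumption, chosen to show that actions vary per policy.
GENERAL: List[Rule] = [
    Rule("run_key_change", "registry", "*", RUN_KEY + r"\*",
         {"trusting": "block", "strict": "ask", "total": "ask"}),
]


def exception_rule(app, activity, op, target, triggered: Rule, use_system_parameters: bool) -> Rule:
    """Build the allow rule that a 'remember / always' answer to a prompt creates."""
    if use_system_parameters:
        pattern, rule_op = target, op               # tight: exact event parameters
    else:
        pattern, rule_op = triggered.target, triggered.op  # broad: waive the whole rule
    return Rule(f"{app}:allow:{pattern}", activity, rule_op, pattern,
                {p: "allow" for p in POLICIES}, app=app)


def scenario(use_system_parameters: bool) -> Tuple[str, str]:
    """cleaner.exe removes its own Run entry under Strict; what may it do next?"""
    own_entry = RUN_KEY + r"\Cleaner"
    someone_elses = RUN_KEY + r"\Antivirus"
    app_rules = [exception_rule("cleaner.exe", "registry", "delete", own_entry,
                                GENERAL[0], use_system_parameters)]
    own = decide("cleaner.exe", "registry", "delete", own_entry, "strict", app_rules, GENERAL)[1]
    other = decide("cleaner.exe", "registry", "delete", someone_elses, "strict", app_rules, GENERAL)[1]
    return own, other


if __name__ == "__main__":
    print("don't use system parameters:", scenario(False))  # ('allow', 'allow')
    print("use system parameters:", scenario(True))         # ('allow', 'ask')
    print(decide("notepad.exe", "registry", "set", RUN_KEY + r"\x", "trusting", [], GENERAL))
```

With the broad exception, cleaner.exe can silently delete any other program's Run entry; with the tight one, its own entry is allowed but deleting somebody else's falls through to the General rule and prompts again. An application with no rules of its own gets whatever the General rule's action is for the active policy, and an activity no rule covers is simply not controlled.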
Creating your own rules
You can create five main classes of rules, either general rules covering all applications or rules for specific applications. The five classes are System registry, File activity, Network activity, Process interaction and Creating a service. The screenshot below shows the first step of adding a rule to an existing application.

Interestingly, you might notice that these five classes of rules do not match the five types of activity that you can disable piecemeal (see the screenshot above). Only the first four line up.
Apparently, while there is an option to disable System API call rules, you can't create such rules yourself. They are special rules in the default set (more about that later). It's also unclear whether Creating a service rules fall under File system activity or not.
Depending on the type of rule created, you can of course add further parameters, and they are very detailed and flexible; the screenshot below shows some of the possibilities. You can also set how each rule behaves depending on which control policy is active.
Strengths
- Simple to use for beginners, yet highly customizable for advanced users.
Safe`n`Sec does a great job of catering to users at both ends of the spectrum; both beginners and experts can customize it to their needs, and this is done without over-complicating the interface. I particularly like the design of the prompt box: the ability to set a specific rule based on system parameters (as opposed to simply giving the application full access based on the triggering rule) makes the registry control even better than specialized registry control programs like Regdefend!
If they really want to appeal to the control freak, they could add time-out settings for prompts.
- Prompts contain adequate help
Most HIPS generate somewhat cryptic prompts, and even the best basically say something like "Some process is doing something weird on your computer, allow/deny?". Safe`n`Sec impresses in that if you click on Details in a prompt, each policy rule comes with a detailed, specialized explanation of what is happening and advice on whether to block it. For example, some of the detailed help gives examples of classes of legitimate programs (compilers, debuggers) that might request such rights.
- Nice well designed interface.
Many HIPS products are one-person jobs, and it shows in the poorly tacked-on interface and the bloated 'cram as many options into the interface as possible' style of design. While far from perfect, Safe`n`Sec does a great job of hiding the complexity from the beginner while logically laying out all the various advanced rules together.
- Well integrated process, registry, network and, most importantly, file/folder control.
Traditionally most HIPS, following the lead of ProcessGuard, have specialized in process control: protecting processes from modification/termination attacks, checking global hooks, etc. Integrating registry control was the next logical step. Seeking new features to compete on, HIPS are now adding network control. But as yet very few HIPS (excluding sandboxes, of course) have file/folder control, and this is where Safe`n`Sec has an advantage.
The main problem in integrating this is not merely technical (even though file/folder control is pretty difficult to achieve), but rather the complexity of designing an interface that can accommodate complicated rule making across these different areas. E.g. customizable registry protection needs a well-thought-out interface or it is worthless. Many HIPS have done this somewhat haphazardly: in Neoava Guard, and to some extent Cyberhawk, the file control and network control seem to be completely separate from the main HIPS. Safe`n`Sec is one of the first I can see that not only covers all four areas but also puts them together in a coherent whole. Add the optional antivirus and antispyware modules and you have a very capable all-in-one package.
The only competitor in this area is Ghost Security Suite, which integrates Appdefend and Regdefend (process and registry guards respectively). But it still lacks a 'fileguard'.
While its whitelist cannot remotely compare to Prevx1's in size, each whitelisted program is given a carefully designed set of rules that balances functionality and security. This is particularly important when dealing with system components, since overly tight restrictions might cause system instability, while overly loose restrictions might lead to system compromise.
Weaknesses
- Subscription-based licensing
Most HIPS are one-time purchases: some provide lifetime updates, others give you updates for a certain period or for minor releases. In any case, even if you lose access to updates, the software continues to function well enough. Safe`n`Sec, however, is unusable once the subscription runs out. So you are basically renting it.
- Lack of execution startup control.
A somewhat surprising fact is that despite covering everything from file control, registry control and network control to process manipulation attacks, Safe`n`Sec lacks a feature that many people would consider critical in a HIPS. Yes, it lacks execution (start-up) control. Any process is allowed to start without so much as a whimper from it. This makes it similar to Cyberhawk, another newbie-friendly product that claims to have intelligence to detect malware.
On the plus side, in my experience execution control is the chief source of prompts, so lacking this feature means it is less frustrating for users who don't value it. Still, given how configurable Safe`n`Sec is, it would be nice to have such a feature for the control freaks. As it is, I can imagine many hardcore users rejecting the product for this reason, or more likely adding another layer just to get execution control.
One concern I had was whether the lack of execution control, including parent-child control, would mean that leak tests have a field day bypassing firewalls. Apparently not. While leak tests that depend on DLL injection and other process manipulation methods are stopped by the process interaction rules (as expected), it also has a special default rule, no. 58 (which you cannot create normally), which stops other methods such as simply passing parameters to Internet Explorer.

There are in fact many such special default rules, which show up as "undefined" in the rule editor. You can disable them, even though you won't know what they do.
- Default general rules are difficult to edit
There are over 200 rules in the General rules, and they are all lumped together in one table instead of separate tables for, say, process interaction rules, registry rules, network rules and folder rules. The rules aren't labelled with descriptive names; instead you get names like Rule 56 (although there appears to be some system in the way they are numbered)!
As such, if you want to add your own rule, it is extremely difficult to check whether an existing rule already covers it.
It has no learning mode, but because it lacks process execution control this matters less. It has a Personal Assistant feature that allows you to scan for hidden files.

The Personal Assistant also helps you protect critical confidential data files and folders without manually editing the rules.
June 15, 2007