Wednesday, 12 June 2013

AppSense Application Manager instead of antivirus... I think not.

I've had a number of people ask me over the past few weeks whether or not I would replace my antivirus product with AppSense Application Manager. My answer has always been no: AppSense Application Manager will complement your antivirus product, but it should not replace it.

Here are a few reasons why I think this:

AppSense Application Manager is incredibly good at stopping users from executing unauthorised executables that they introduce into an environment. For example, if a user brings in a USB thumb drive and copies solitaire.exe (an infected file) from that drive onto his or her corporate machine, Application Manager will scream when the user tries to launch the executable, regardless of whether solitaire.exe is whitelisted by name. It does this because the copied file is not owned by a trusted owner: when the user performed the copy, his or her account took ownership of the new file, so the Trusted Ownership check fails. The problem is that solitaire.exe (the infected file) is still sitting on the machine. Something or someone else who is not restricted, such as a local administrator or a process running under a trusted account, could then come along, change the ownership of the file, and launch it. At that point your network is compromised, and you'll probably spend a whole briefcase full of money on clean-up, root cause analysis and so on, only to find that a simple antivirus product would have scanned the file on arrival and either quarantined or deleted it.
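The Trusted Ownership decision described above can be reproduced in a few lines of PowerShell. This is an added example and not AppSense code: the trusted-owner list is an assumption modelled on the product's usual defaults (SYSTEM, Administrators, TrustedInstaller), and Test-TrustedOwner and Find-UntrustedExecutables are names of my own. It walks a user-writable tree and lists the executables that would fail the check but are still sitting on disk, which is exactly the residue an antivirus product would have quarantined.

```powershell
# Added example, not AppSense code: reproduce the Trusted Ownership check and
# find executables that fail it but remain on disk.
# Assumption: this list mirrors Application Manager's default trusted owners.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Test-TrustedOwner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Trusted = $TrustedOwners
    )
    # The owner is read from the file's NTFS security descriptor. A user who
    # copies a file from removable media becomes its owner, so the copy fails
    # this check even if the file name itself is whitelisted.
    # Unresolvable owners come back as a raw SID string and are treated as untrusted.
    $owner = (Get-Acl -LiteralPath $Path).Owner
    [pscustomobject]@{
        Path    = $Path
        Owner   = $owner
        Trusted = ($Trusted -contains $owner)
    }
}

function Find-UntrustedExecutables {
    param(
        [string]   $Root = $env:USERPROFILE,
        [string[]] $Extensions = @('.exe', '.dll', '.scr', '.com', '.ps1', '.vbs', '.js', '.bat', '.cmd')
    )
    # Every file reported here would be blocked at launch by Trusted Ownership,
    # yet is still on the machine for an unrestricted account to take ownership of.
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Test-TrustedOwner -Path $_.FullName } |
        Where-Object { -not $_.Trusted }
}

# Usage: audit the current user's profile, the usual landing place for a USB copy.
Find-UntrustedExecutables | Format-Table Owner, Path -AutoSize
```

Run it as the user whose profile you want to audit; anything it lists is a candidate for deletion or a targeted antivirus scan rather than something Application Manager will ever remove for you.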

An exception to the above could be a non-persistent VDI or provisioned XenApp environment where the machines are frequently reset to a known good state, so a blocked file does not survive on the machine for long. In this instance you will still want antivirus on your file servers as well as on your mail gateways, but you could potentially save some money on your antivirus subscriptions for the desktops themselves.

At this point AppSense administrators typically argue that antivirus products can only detect and block viruses, trojans, etc. that they already know about. This is true, and it is exactly why I think running antivirus alongside Application Manager is a killer combination. Think about it for a second: infected files that an end user brings in on a thumb drive or by some other route are more than likely already covered by a fairly recent antivirus definition update, so your antivirus product will deal with them in its default configuration. The obvious exception is a malicious employee deliberately trying to infect your network. Where Application Manager makes a massive difference is when an uneducated user is browsing the internet, or receives a malicious email purporting to come from their bank, and tries to launch the download or attachment. The Trusted Ownership check fails, the launch is blocked, and your network remains secure. At the same time the user receives a notification, which they will most likely report to IT, giving IT an opportunity to investigate and resolve. Failing that, by the time your weekly (or bi-weekly) scheduled scan kicks off, your virus definitions will most likely have been updated to recognise the infection and will clear it up.

I've also often been told that AppSense Application Manager can be configured to use digital signatures or file hashes to allow or disallow applications. This is true, it can, and it is considerably more secure than simply whitelisting solitaire.exe by name, but an AppSense Application Manager signature only hashes the first 8 megabytes of a file. So whilst it is highly unlikely that a malicious solitaire.exe will share its signature with a trusted executable, it is possible: anything beyond that first 8 megabytes does not change the signature at all.
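To see what a prefix-only signature misses, here is an added PowerShell example (not AppSense code) that hashes only the first 8 megabytes of a file, as the post describes, and compares the result with a whole-file hash. Get-PrefixHash and New-FileWithTail are my own names, and the two files are constructed in the temp directory purely for the demonstration.

```powershell
# Added example, not AppSense code: compare a hash over only the first 8 MB of a
# file (the limit the post attributes to Application Manager signatures) with a
# hash over the whole file. Get-PrefixHash and New-FileWithTail are illustrative names.
$PrefixBytes = 8MB

function Get-PrefixHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [long] $Length = $PrefixBytes
    )
    # SHA-256 over at most $Length bytes from the start of the file; anything
    # after that point has no influence on the result.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] ([int][Math]::Min($Length, $stream.Length))
        $read   = $stream.Read($buffer, 0, $buffer.Length)
        $hash   = $sha.ComputeHash($buffer, 0, $read)
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

function New-FileWithTail {
    param([string] $Path, [byte[]] $Prefix, [string] $Tail)
    # Write the shared prefix followed by a per-file tail, streaming rather than
    # building one large array in PowerShell.
    $fs = [System.IO.File]::Create($Path)
    try {
        $fs.Write($Prefix, 0, $Prefix.Length)
        $tailBytes = [System.Text.Encoding]::ASCII.GetBytes($Tail)
        $fs.Write($tailBytes, 0, $tailBytes.Length)
    } finally {
        $fs.Dispose()
    }
}

# Constructed sample input: two files that agree on their first 8 MB and differ only afterwards.
$tmp    = [System.IO.Path]::GetTempPath()
$a      = Join-Path $tmp 'trusted-tool.bin'
$b      = Join-Path $tmp 'lookalike.bin'
$prefix = New-Object byte[] $PrefixBytes
(New-Object System.Random 42).NextBytes($prefix)
New-FileWithTail -Path $a -Prefix $prefix -Tail 'original code'
New-FileWithTail -Path $b -Prefix $prefix -Tail 'something else entirely'

$prefixMatch = (Get-PrefixHash $a) -eq (Get-PrefixHash $b)
$fullMatch   = (Get-FileHash -Algorithm SHA256 -LiteralPath $a).Hash -eq
               (Get-FileHash -Algorithm SHA256 -LiteralPath $b).Hash

"First 8 MB hash identical: $prefixMatch"
"Whole-file hash identical: $fullMatch"
Remove-Item -LiteralPath $a, $b
```

The prefix hashes come out identical while the whole-file hashes differ, which is the gap the paragraph above is pointing at: a signature that stops reading at 8 MB treats every file with the same leading 8 MB as the same file, whatever has been appended.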

So whilst I am not trying to sell anyone an antivirus product, I am simply saying that replacing your antivirus product with Application Manager could leave your endpoints, and in turn your network, vulnerable, and is probably not worth the effort. In addition, I am not sure it would satisfy regulatory requirements such as PCI DSS or IL2. My personal recommendation is always to implement AppSense Application Manager alongside your antivirus product so that the two complement each other.

These thoughts are my own and are not necessarily shared by my employer; however, I have just noticed that the Application Manager Product Guide states the following:

Although Application Manager is able to stop any executable script based malware as soon as it is introduced to a system it must be noted that Application Manager is not intended to be a replacement for existing malware removal tools, but should act as a complementary technology sitting alongside them. For example, although Application Manager is able to stop the execution of a virus it is not able to clean it off the system.

