Anti-virus programs largely protect you from viruses, but what about other forms of malicious code? This software package works to analyze and disinfect your network to assure that you're free from already active Trojans, backdoors, and hacker tools.
There's a perception that once you've installed your preferred anti-virus software on your network, network edges, and end-user's machines; and that you constantly update the scanning signatures, you're safe from viruses, right? Well, to a large extent that may be true, so long as your users follow your cautionary rules. But even then, are you safe from hackers programs?
According to David Stang, co-founder and CTO of PestPatrol, you're not necessarily free from malicious code at all. Stang, also a founder of the National Computer Security Association (1989) and International Computer Security Association (1991), maintains that anti-virus programs catch up to 90% of viruses, 15% of resident Trojans, and 0% of hacker tools existing on an end-users machine or a server.
PestPatrol has been positioned as an adjunct to anti-viral software, and scans and quarantines or eradicates malicious code that does not necessarily spread like a virus. They call these pests, and break them down into such categories as RATs (Remote Administration Trojan), probe tools, virus and Trojan creation tools, port scanners, password crackers, etc. These are distinct from viruses, as viruses are usually a portion of code, and pests tend to be full-blown programs.
The program has been out for awhile, targeted mainly at consumers who, in addition to the pest protection, are very interested in the many forms of spyware that are inevitably collected in cookies or programs that report back to their creators about its usage, such as Go!Zilla or Gator. While less important in the business environment, these programs en masse can affect bandwidth, and can be useful to know just how much outgoing traffic is affected.
However, there is now a version that will work across networks to scan all the Windows-based machines and servers. Rather than using the GUI version preferred by consumers, PestPatrol can be invoked from a command-line, best invoked from a login script or an automatic scheduler, such as Windows AT command. The program itself can reside on the server. The logged results can in turn be sent to a master log on the network, and can in turn be monitored by another program capable of sending an alert to the network manager via Windows Messaging.
Pete Cafarchio, PestPatrol's VP of Marketing maintains that this is the only tool that will search and find cracker tools, or such prominent backdoor programs as SubSeven which will give an outsider 'ownership' of a machine. "Most security programs will watch ports to make sure nothing illicit can get in, but few will look at outgoing traffic on common ports such as Port 80, used for HTTP," he says. "Once a RAT such as SunSeven has taken hold, your internal machines can become zombies for use in Distributed Denial of Service (DDoS) attacks."
PestPatrol can also be used as a plug-in for other programs, such as MailSweeper, for examining e-mail and attachments.
If you're running PestPatrol on your networked machines, clearly you'll need to slend some time planning for the exact parameters you'll want to invoke for your particular needs and strategy. Remote machines can be forced to use a Secure Configuration Verification and establish a clean bill of health before being allowed to connect to a VPN, for example.
The best way to become familiar with the program's capabilities is by running the GUI version. We installed the program and found it to be a quick and simple enough process to get it configured and running its first complete scan. Four tabs at top of the relatively uncluttered window determine your current mode, and each offers subsets:
Scan's first tab is Scan Now, which allows you to begin a scan on selected directories or drives. Monitor Progress keeps you up-to-date on the current findings as the scanner runs. Analyze a File gives you the capability of putting any one file under examination, and returns comprehensive information on it:
File: C:\Documents and Settings\user\Cookies\firstname.lastname@example.org
Creation Date: 05/08/2001
Last Access: 02/08/2002
Last Write: 05/08/2001
Size: 111 bytes
PVT (Pest Verification Token): -2146243967
Pest: Not a known pest
File Type: .txt file.
Compression: No compression or unknown compression method.
Language: Unknown Language.
Strings found of 2+ characters (first 4K bytes): cyberglobalanonymous cyberglobalanonymous ctg000ebecf994c3af82 engage com 219459072 30150118 548976544 29415461
Caution: Use this automated file analysis with caution. Please do not substitute these results for good judgment.
This article was originally published on Friday Feb 8th 2002
The next main tab is Options, and you can always tell where the power lies in most software here. You can establish the action to take when a pest is encountered, and which categories to scan for, including Hacker/Security Tools, Spyware, or Spyware Cookies. You can also set your Exclude directories or files, update checking, Process priorities, and even establish a startup command-line from here.
Info is more useful for educational purposes than anything else, but should prove invaluable to network managers who want to be aware of what security issues currently abound outside of traditional viruses. There are links for advice on command-line, LAN, MailSweeper, and numerous help screens. Here you also will find a list of pests with detailed information, and news about the software dynamically updated.
The power lies in the Logs tab. The Current Log lists all pests and lets you manually determine what to do in each instance, if needs be. The options include isolated analysis, looking up the latest information on the file or pest, quarantine, Ignore (this time or forever), and delete. The most interesting feature here is the Master Log, which will allow you to sort by pest, computer name, or MAC address, among other criteria.
PestPatrol is available for businesses in two forms; per seat with volume discounts, and an auditor's license, which will allow network consultants and analysts to use the product wherever they may travel. A full-functioning trial version is available, as well as more detailed information from their Web site.
The time may come when the giant anti-virus vendors become aware of these issues, but at present, you will probably want to consider whether your network is secure without this program.
Jim Freund is the Managing Editor of CrossNodes.