Solved

Trendmicro IDF

Posted on 2012-12-28
Last Modified: 2016-03-23
Has anyone used Intrusion Detection Firewall from Trendmicro on client workstations?
Is this efficient? Can it prevent zero-day exploits?
Is it overkill for workstations (makes them slow)?
What about buffer overflow attacks?
Can it prevent known exploits?
What about network backdoors?
Can it prevent worms spreading across client machines?

I need independent opinions from experts. Please comment.
Question by: anishpeter

Expert Comment by: Davis McCarn
Trend Micro consistently has one of the lower records for customer satisfaction, support, and efficacy: http://www.customerservicescoreboard.com/Trend+Micro
And why would you want to pay for IPS when one of the best is public domain (free): http://www.snort.org/

Assisted Solution by: btan
One thing about IDF (Intrusion Defense Firewall): it is a network-level plugin for the OfficeScan HIPS for endpoints. I assume that you already saw their datasheet and whitepaper:

http://apac.trendmicro.com/apac/products/enterprise/officescan/intrusion-defense-firewall-plugin/

Its key strength focuses on the various filters it supports from the network perspective, like any FW and IDS/IPS, e.g. stateful FW, DPI, exploit, vulnerability and custom filters. I will say that if the threat is known, it is an easy kill, and if it just "happens" to bypass all the enterprise network appliances (e.g. due to SSL to the browser) or simply goes onto the internet via 3G or an untrusted network (without VPN etc.), this is another layered defense to deter an attacker's onslaught. But then, that is what we call security through diversity (different players in defending, not relying on a single provider).

But this isn't a web application FW, so web exploits via the OWASP Top 10 vulnerabilities may not necessarily be detected - understanding the logic of the HTTP / Web 2.0 traffic and parameters used... then again, the network layer is still essential, as the SANS Institute also mentioned: "It is only when we can see our networks as individual components that we can adequately secure these levels." (OSI stack levels)... but then IDF is primed to do the network level (TM will have other products to cover the application level, e.g. Browser Guard etc.).

I am doubtful whenever zero days are mentioned as being detected. If it does, it is most likely a known unknown (you just don't know it, but it is already out in the wild in stealth). Behaviour-, heuristic- and rule-based detection is another level to tap besides signatures only, especially as all threats are riding on HTTP/HTTPS... whitelisting is another way on top of blacklisting. HIPS would already be supporting it.

Another area you may want to note is also the performance. There are two quick articles which I'd say show TM seems to be not too bad, though average, in scan speed and caching. Also it is Windows system support only (if I am not wrong).

http://la.trendmicro.com/media/wp/officescan-indusface-whitepaper-en.pdf
http://www.mcafee.com/in/resources/reports/rp-avtest-endpoint-security-2011.pdf

Overall, I will also want to look out for self-healing and product anti-tampering mechanisms, which are just as critical. If malware does penetrate, it will target and "switch off" the security services, especially the HIPS, so what will be the defense or layer to deter it?

By the way, I believe it has location awareness to switch network profile when you are on wireless, intranet etc. Then again, other HIPS also have that, so what is the difference? That I will ask as well...

Author Comment by: anishpeter
Hi Breadtaan,
Thanks for your detailed analysis. I was going through the NSS Labs report, ENDPOINT PROTECTION PRODUCTS 2010 GROUP TEST SUMMARY. Trendmicro is selected as No. 1 in Endpoint Security, but was behind McAfee in these areas:
1. Memory-only payloads - McAfee 100%, Trendmicro 0%
2. Payload encoding - McAfee 60%, Trendmicro 40%

How do you feel about the result?
Also a McAfee representative told me no buffer overflow attack prevention is available for Trendmicro, and the Trendmicro datasheet also does not mention anything about it. What do you think?

I think Trendmicro will be more memory- and CPU-starving as compared to McAfee and Kaspersky (some other reports).

I got the Endpoint suite including IDF for the same expense as my license this year. I installed it. I can find almost 200-300 deep inspection rules and almost 12 rules for 2012. How do you rate this? Very few, as compared to other products?

About application control - I can blacklist some applications. But are you thinking it is effective? What about whitelisting programs like Lumension does? Please comment.

Accepted Solution by: btan
> How do you feel about the result?

I do not have the 2010 report, but NSS Labs has been a respected independent lab which some public tenders quoted as a reference to get the appropriate capability recognition. They do paid services, but in this test that is not supposed to be the case; of course the vendor will want to fare well too. I do not doubt their testing capability, and the scope of the test does cover common scenarios as below. For the scoring and ranking, I leave it out, but I would be more interested in where the failures are commonly missed. Then again, it is 2010 technology.

• Exploits downloaded from the web (aka drive-by downloads)
• Malware downloads from the web
• Malware sent in email, opened by Outlook clients
• Malware accessed via network file share and USB flash drive
• Evasion techniques used to disguise the malware and exploits used above

I saw a finding stating "Malware protection varies greatly depending on the entry point for most vendors. AV engines are not uniformly applied to keep malware off the machine." and "No vendor has coverage for all of the basic evasions, a serious concern, which allows cyber criminals to easily circumvent EPP products". These would be something to find out: why TM HIPS would fall into these as weak spots in its current 2012 engine and capability.

> What do you think?

I am not so sure why the concern, since you can easily ask TM instead to verify - I am not surprised if a competitor says something against it. But then again, buffer overflows can be detected by signatures in an IDS if the payload is available, e.g. a NOP sled, or even by blocking known faulty or malicious application ports doing such overflows. IDF is primed to do DPI, so it should be checking against the payload if it is available and alerting if a pattern matches (signature based). Unless we are saying the attack is using evasion techniques and obfuscating the payload in staged attacks, which is more sophisticated and behaviour based.

I saw it reflected in one of the TM blogs - Server (Deep Security), Endpoint (OfficeScan with Intrusion Defense Firewall Plug-In), for CVE-2010-3333: Rule #1004498 (Microsoft Word .RTF File Parsing Stack Buffer Overflow Vulnerability)

http://about-threats.trendmicro.com/RelatedThreats.aspx?language=apac&name=Luckycat+Leads+to+Attacks+Against+Several+Industries

Likewise, I also saw them mentioning it for Browser Guard (search for "buffer overflow"), so I am not taken aback if it isn't mentioned in the brochure, but it is still good to get TM to advise accurately; there is too much hearsay.

http://community.trendmicro.com/t5/Web-Threat-Spotlight/IE-Zero-Day-Vulnerability-Opens-Door-to-HYDRAQ/ba-p/3304

Importantly, as end users, we do not want to have a false sense of security - one thing to note is also that TM OfficeScan leverages their cloud-based Smart Protection Network infrastructure, where the bulk of signatures aren't deployed to the endpoints. If there is no SPN, they would be lacking a fair amount as well.

> I think Trendmicro will be more memory- and CPU-starving as compared to McAfee and Kaspersky

It will be great if those competitors can shed more info if they really say so... at least TM is putting the info in public (though I am not saying it is the best estimate, but at least they shared it openly).

> How do you rate this? Very few, as compared to other products?

Do we want to rate by the number of rules provided by each HIPS? Is that the best way of assessment? My point is, as long as it gets the job done in a secure and fast manner and is not worse off in security state than before, I would see them as better in fulfilling the job to be done. There are too many ramifications to drill into specifically why the number of rules and defence do not correlate well, or in terms of efficiency and effectiveness - we cannot compare apples with oranges, since all HIPS wrote their own engines - unless we are saying the rules can be ported to each other easily - Snort rules?? There are also tons of ways to achieve the same rule, but each can be performance impacting, and hence some split into different rule sets etc... Let the outcome be the judge...


> But are you thinking it is effective?

I suggest whitelisting, as the end user better knows what is allowed rather than what is not allowed, and the latter is growing, with major effort to keep up. A whitelist rightfully does not grow at that pace and is managed with more control and visibility. This is part of the governance and policy process enforced at the enterprise level. I am not so sure about Lumension, but in the past CoreTrace was one of the better ones in this domain. They were actually acquired by Lumension... so the question to Lumension is how this is going to be embraced within the suite, and we wouldn't want to have a break in the different components not managed centrally. Operational fatigue is one key challenge to address.

Actually, Windows has AppLocker, which does not do too badly for whitelisting applications, and GPO to check on device control for USB and WPD. The HIPS rightfully should have some sort of this, as I shared SEP has that...
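
As an added illustration of the signature-based DPI check btan describes above (a known byte pattern such as a NOP sled is matched, but the same payload is missed once it is encoded, which is the "payload encoding" evasion category from the NSS test anishpeter cites): this is example code written for this page, not Trend Micro's or the thread's own, and the rule names, the 16-byte threshold and the sample payloads are constructed assumptions.

```python
# Added example (not from the thread or from Trend Micro): a minimal
# signature-based deep packet inspection (DPI) check of the kind btan
# describes, run over constructed sample payloads. Rule names, the
# 16-byte sled threshold and the samples are assumptions for illustration.
import re

# Constructed rule set: each rule is a name and a regex over raw bytes.
# The NOP-sled rule fires on a run of 16 or more 0x90 bytes; the RTF
# marker rule is only there to show that several rules are evaluated.
SIGNATURES = {
    "nop-sled-x86": re.compile(rb"\x90{16,}"),
    "rtf-marker": re.compile(rb"^\{\\rtf1"),  # illustrative only
}


def scan_payload(payload: bytes) -> list[str]:
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for the 'payload encoding' category."""
    return bytes(b ^ key for b in data)


# Constructed sample: a request body carrying an obvious 32-byte NOP sled.
PLAIN = b"GET /x HTTP/1.1\r\n\r\n" + b"\x90" * 32 + b"\xcc" * 8
# The same bytes after XOR encoding: no 0x90 run survives, so the
# literal signature has nothing to match even though the content is unchanged.
ENCODED = xor_encode(PLAIN, 0x5A)


def demo() -> dict[str, list[str]]:
    """Run both samples through the rule set and report the hits."""
    return {"plain": scan_payload(PLAIN), "encoded": scan_payload(ENCODED)}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits or 'no signature match'}")
```

The empty result for the encoded sample is the gap btan points at: a byte-pattern rule only helps when the payload reaches the inspector in its known form, which is why he pairs signatures with behavioural and heuristic checks.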

Author Closing Comment by: anishpeter
Trendmicro IDF is recommended and cost effective.