
Thread: Desktop Protection Agent (Feedback requested)

  1. #1 (Member, joined Jul 2002, 38 posts)

    Over the past month I have been comparing and testing desktop protection agents (intrusion detection/prevention for the desktop) for our corporate environment. One of the primary purposes of deploying this technology is to prevent any zero-day exploits from taking hold in our environment (yes, it needs to overcome errors in user judgement). In order to provide this type of protection, the agent cannot be reliant upon signatures (with polymorphic virus coding, these are on the way out anyway).

    During this time, the comparison has come down to two players: Cisco Security Agent (formerly Okena) and ISS RealSecure Desktop Protector. Does anyone out there have any experience (positive or negative) regarding these products? Your opinions and/or experiences would be greatly appreciated.

    Thank you in advance...

    ~aberration~
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~

  2. #2 (Senior Member, joined Sep 2003, 279 posts)

    Actually my dad had downloaded a program that I believe was called "ISS RealSecure Desktop Protector" or something like that. It was fairly simple to use but I didn't care for it too much. After about a month I deleted it due to lack of HD space. As for a rating, I'm not really sure. It's fairly simple to use but as far as protection I'm not sure.

  3. #3 (Member, joined Jul 2002, 38 posts)

    Keep in mind, this is a corporate solution (~50K agents) to be centrally managed and usually operates in a much more defined method than the stand-alone consumer installations. Also, the advances in this "science" have been very promising over the past year and the latest agents from both Cisco and ISS have a great deal of power (and promise).

    ~aberration~
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~

  4. #4 DjM (joined Aug 2001, The Great White North, 1,867 posts)

    ISS RealSecure Desktop Protector is formerly BlackICE Defender. I have it running, monitoring my internal network. I have only deployed it to around 15 to 20 devices on my network and have not, and will not, roll it out to every machine. I am also using the central management server (ICEcap) to deploy the agents and collect the data. Remember, networks, especially Microsoft networks, are noisy; you will pick up a lot of stuff which ISS thinks is suspicious, but is just the norm for your network. If you decide to implement, I would recommend you do not do an enterprise rollout, but rather install on a few devices around your network. Do not use this product as protection, but rather as a monitoring tool, nothing more. If you set it up to block the network traffic it thinks is suspicious, you have a good chance of killing your network.

    Cheers:

    /edit
    PS: ISS RealSecure Desktop Protector is signature based.
    DjM

  5. #5 (Member, joined Jul 2002, 38 posts)

    Thanks for the feedback. Based on what I have been able to see and test with the Desktop Protector product, it isn't completely signature based. Yes, it has its typical signature set aligned with the ISS Server and Network sensor, but v7.0 also has more behavioral intelligence built into it. (If you're familiar with the other ISS products, it has integration of the Protocol Analysis Module (or PAM as ISS calls it), which does allow for a fair amount of customization to fit specific needs.)

    It sounds like you're (DjM) running BlackICE 3.5/3.6, which is much more signature based than the current release. I also ran the older version (on my home system) and it operated much like a personal firewall and nothing more; the v7.0 product has picked up a few attacks not attached to a signature (e.g., Blaster). If I were to deploy the ISS product, I would manage it using the SiteProtector console (I think ICEcap will be EOL'd soon) and I would only block activity I *know* should not be occurring on the network (and with Microsoft's numerous *features*, this could be an interesting challenge).

    Thank you again for the feedback, it is appreciated.

    ~aberration~
    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science."
    ~ Albert Einstein ~
