CyberSoft - Computer Security For Your World - For Unix, Linux, and Mac OS X Anti-virus and more!

Avatar

Only Available With VSTK Professional

Avatar is part of the VFind™ Security Toolkit Professional, and its primary function is to maintain the system Baseline Configuration. It does so by executing system security policies that act as an intrusion detection and response system. The most important aspect of Avatar is response time. If the system Baseline Configuration is modified for any reason, the change will be detected by Avatar and the system returned to the correct Baseline Configuration. The value of Avatar's response system is that it enforces discipline by using a non-subjective automated process, which can execute many times per day.

Intrusion is defined as any unauthorized modification to the system Baseline Configuration. The reason for this broader-than-normal definition is that it covers unauthorized modifications by both authorized and unauthorized personnel. When an unauthorized person breaks into a computer, their actions will always be dictated by their goals. If they are a passive reader, then their activity will be captured in the system logs; if they are using the system as a platform for further attacks, then they will download attack programs for execution and they'll want to ensure future access. To ensure this, they will have to change the Baseline Configuration. Modification of the system logs such as changing permissions, insertion of Trojan back doors into critical system applications, modifications of the Baseline in any form, or just plain destruction of critical system files can all be detected - and corrected - by Avatar. The addition of new inappropriate files to a system can be detected by CIT.

The ability to maintain the Baseline Configuration also provides extensive immunity to new unknown software attacks within the Baseline. If a binary or script virus infects a file, then the file will be overwritten by the Baseline version of the file. This effectively destroys the virus and is far superior to any form of virus disinfection used by any other company. When a virus infects a file, it modifies it, and it is common for the file to be damaged in the process. The disinfection process used by most antivirus companies may or may not remove the actual virus: most commonly it does not remove the virus, but merely changes program pointers so that the program executes around the virus without executing it. If necessary, the virus is then modified so that it is no longer detected by the same antivirus program as a live virus. This preserves the damage created by the virus and potentially adds new damage if the pointers are modified incorrectly. In addition, not all viruses, especially new unknown viruses, can be disinfected. None of these problems exist with Avatar, since a captured copy of the original file is used to overwrite the infected file. This also works for all forms of software attacks in Baseline configured programs, not just viruses or hacker attacks.

If Avatar is used on internet-based systems (such as web servers) and a hacker modifies a web page, Avatar can be automatically invoked, restoring the damaged page. If Avatar is run dozens of times per day, then the hacker would literally have to break in and modify the system dozens of times per day, creating a huge incentive to leave the system alone.
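
The detect-and-overwrite cycle described above, as an added sketch; it is not Avatar's code, and the function names, the hash-named copy store and the sample web root are assumptions made for illustration. It handles only files already recorded in the baseline (changed content, changed permissions, deletion), not newly added files.

```python
import hashlib, os, shutil, stat, tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def capture(root, store):
    """Record hash and mode of each regular file under root; keep a copy in store."""
    baseline = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            h = digest(p)
            shutil.copyfile(p, Path(store) / h)  # captured copy, named by its hash
            baseline[p.relative_to(root).as_posix()] = (h, stat.S_IMODE(p.stat().st_mode))
    return baseline

def enforce(root, store, baseline):
    """Detect drift from the baseline, correct it, return (path, finding) pairs."""
    findings = []
    for rel, (h, mode) in baseline.items():
        target = Path(root) / rel
        finding = ("missing" if target.is_symlink() or not target.is_file()
                   else "content" if digest(target) != h
                   else "mode" if stat.S_IMODE(target.stat().st_mode) != mode else None)
        if finding is None:
            continue
        if finding != "mode":
            # Copy to a temporary name, then rename, so readers never see a partial file.
            target.parent.mkdir(parents=True, exist_ok=True)
            tmp = target.with_name(target.name + ".restore")
            shutil.copyfile(Path(store) / h, tmp)
            os.replace(tmp, target)
        os.chmod(target, mode)
        findings.append((rel, finding))
    return findings

def demo():  # constructed sample: a small web root with three kinds of drift
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        (root / "cgi").mkdir()
        (root / "index.html").write_text("<h1>welcome</h1>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "cgi" / "form.sh").write_text("#!/bin/sh\necho ok\n")
        baseline = capture(root, store)
        (root / "index.html").write_text("defaced\n")   # modified page
        os.chmod(root / "cgi" / "form.sh", 0o777)         # loosened permissions
        (root / "robots.txt").unlink()                    # deleted file
        first = enforce(root, store, baseline)
        return first, enforce(root, store, baseline), (root / "index.html").read_text()
```

The returned findings double as the detection record for each pass; in practice the baseline and copy store would live on read-only or off-host media so that whoever changed the system cannot also rewrite them.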