Special Attributes of the VFind Security Toolkit for 2012

The North American Electric Reliability Corporation (NERC) is a federally sanctioned organization that sets and enforces standards for bulk power systems in the United States.

CyberSoft Operating Corporation has been in the business of supplying computer security tool kits since 1988. We invented many of the items that seem common today and we are still innovating. Our primary product is the VFind Security Tool Kit (VSTK) family of products. As the name implies this is not a virus scanner but an entire tool kit of computer security products that lets you fit the tool to the problem.

In the VSTK tool kit the first product we created was called VFind. As you can imagine VFind is a contraction of the words Virus Finder and that is what it does. It is a virus scanner that has several engines. Each engine is designed to perform a specific task. For example, analysis of Java Byte Code is not reliable because each time Java source code is complied it can create a different binary. The JADE engine produces transitional code that is reliable no matter how the Java source code was compiled. Other engines include the CVDL and CVDL Case Insensitive engines as well as an MD5 hashing engine. The CVDL engines are high-speed general-purpose pattern analysis engines that compile CVDL pattern description language files and search data for many thousands of patterns that match a pattern description. While this is happening VFind uses the MD5 hashing engine to produce a unique MD5 cryptographic hash of the data for comparison against a list of known dangerous values. While CVDL is fast, MD5 is faster. The MD5 addresses Trojan attacks which it's designed to do. Meanwhile CVDL can be used for attacks that modify other files by infection or modify themselves.

While the VFind tool comes supplied with CVDL files that describe many thousands of software attacks it can simultaneously be used for any other pattern analysis the customer may need against the same data! Some of the uses that VFind CVDL has been put to in the past were lexical analysis, HIPAA and SEC compliance, as well as testing files at transit ?for both safety and privacy. The CVDL Language and CVDL Lexical Analysis handbooks are available for free download from www.cybersoft.com.

One of the perennial problems in computer security, especially virus scanning is understanding what you are scanning. Applying the correct analysis to the specific type of file is important. In all file systems, like Linux/Unixs there may be no relationship between the filename and the contents of the file. Therefore, it is necessary to look inside of files that contain other files. It is reasonable to consider that files might be nested three or more deep. An example is a mail file, which contains a mime-encoded attachment of a zip file, which contains a document. You had to go through three container files to get to the actual file that needs analysis. The UAD tool solves this problem. It will examine the contents of a file to determine what it is. It cannot be fooled by the filename. It will then recurse the file until all of the containers contents have been fully rendered down to their simplest level. This makes virus scanning significantly more accurate. In addition, when a human analyst needs to examine a suspected file the UAD tool will provide a great deal of information. Sometimes hackers will create container files that will “splat” files into high security areas of the computer. For example, it might overwrite a system command with a trojanized version of the command and since the overwrite was done in the middle of extracting dozens of entries it was not noticed. This can not happened with the UAD tool. The tool automatically invokes an anti-splat feature that insures that all files are written to the local directory.

The next tool in our kit is a baseline management tool that has a lot of useful features in a small, light, easy to understand product. That tool is called CIT and in keeping with our descriptive product names it stands for Cryptographic Integrity Tool. The CIT tool performs baseline management and it does it fast and easy! The product is also accurate and designed for both human and program interface. That means that it is easy to customize the output to work with other programs. This simple to use tool manages the baseline for the entire or any part of the file system desired. It produces simple text based reports that are easy to generate and understand. The reports tell the user what files have been modified, added, deleted, duplicated or otherwise marked as dangerous. It also produces a target list of files that need to be virus scanned which can automatically be input to VFind saving a large amount of system resources and speeding the entire scanning process. All CIT databases and reports are kept in simple text files, which can be read by other programs. One of the features of CIT is because it is simple, fast and light it is ideal in systems where rapid helpdesk analysis of problems may be needed. A help desk doesn’t have to look up multiple passwords or wait for hours for analysis of the system to take place. They can start a whole system analysis while testing specific critical or suspect files for change. Once the problem has been identified by changes in the baseline file system it is usually simple to fix the problem!

Another special feature of CIT is its ability to use any CIT database, no matter when or where created. In normal use, CIT will keep track of the changes in a system within a window of time consisting of its last run and the current execution. This provides the most valuable running total that most people need but the ability to run against an older CIT database can tell you how the system changed over a long period of time. Alternately a CIT database from a similar but different system can be used to do a comparison between any two systems. How does system A differ from system B can provide valuable insight. Finally, if a CIT database is maintained that conforms to the organization’s idealized baseline configuration it can be used on any system to see how that system differs from the mandated baseline!

One of the interesting things about the tools in the VSTK toolkit is their ease of integration with each other and with customer written programs. Many of the tools were designed to work together in order to solve complex problems in the shortest amount of time with high accuracy. All of the tools are fully scriptable in any scripting language such as shell, Perl, QT, Apache CGI and others. As expected all of the commands can be executed individually at the command line or an operator can use the Visual Scan graphical user interface that makes operating the tools a click of a button. For customers who want to integrate the UAD and VFind tools with their own programs we offer a fully documented daemon API with source code examples!

The final tool considered in this paper is Visual Console. Visual Console provides a birds-eye-view of the status of all VSTK products installed on a network along with the system’s status. In addition to the overview at a glance the operator can drill down to any system and to any VSTK tool on the system. The operator can act as a central distributor of updates including forced updates and has the ability to force any VSTK command to execute on a client system. This provides a fantastic overview that can save time for an overworked helpdesk. In addition, multiple Visual Consoles can run at the same time so distributed help centers can each see what they need to see. Visual Console was designed so that it can run from a thumb-drive so a help desk analyst need never be away from the console!

There are a lot more features of the VSTK product line. To discuss your specific need contact the sales department at CyberSoft and we will be happy to discuss it.