If you're not familiar with this product, you can take a look at the lofty claims Finjan makes here:
http://www.finjan.com/Products/HomeUsersSu...Pro/default.asp
Essentially they intend this product to be better than "reactive" antivirus (i.e. all the "standard" apps you know out there that are definitions-based). But it is also designed to run in conjunction with antivirus to add another layer of protection.
Here is an example of their claims:
QUOTE
First-Strike Security®
A "first strike" is the first time a new malicious code attack is launched. Using patented behavior-inspection technology, Finjan products can detect and prevent malicious behavior before damage is inflicted.
Also, buried in their FAQ for the product (http://www.finjan.com/ServicesAndSupport/S...finGuardPro.asp) they back off of some of the marketing dept's lofty claims:
QUOTE
Does SurfinGuard Pro replace traditional anti-virus software?
Summary
SurfinGuard Pro does not replace traditional anti-virus software. SurfinGuard complements anti-virus software by providing a new line of security that can proactively prevent new malicious code attacks on their "first strike".
Full Explanation
Unlike traditional anti-virus technology, SurfinGuard Pro represents a new way to combat hostile active content based on code behavior, not by static signature recognition. Because SurfinGuard Pro does not rely on database updates, it defends against new variants, unknown and "yet-to-be-created" attacks on the "first strike".
SurfinGuard Pro was designed to complement, not replace, anti-virus products. The security coverage provided by SurfinGuard Pro and anti-virus products does not completely overlap, so Finjan recommends that you keep your anti-virus software and install SurfinGuard Pro as an additional layer of defense.
So, by now you're probably asking...well...what is the point of this post then? Well, I guess I'm trying to understand how it works. They claim to have some kind of "realtime" protection, but when I deployed the product to a Windows 2000 Professional (no patches) honeypot (with no AV to aid it, and ports 135,137,138,139,445 open to the Internet) it was infected within a couple of hours and even "standard" lsass.exe (microsoft-ds attacks on port 445) buffer overflows caused reboots like normal...so my question is - what good is this product???
Here is the zip of the entire infection, with forensic analysis logs and screen grabs:
http://www.sk3tch.com/files/f0mered_infected_finjan.zip
The strange thing was that when I found the honeypot it was spewing out network traffic just like normal (f0mered.exe is a W32.Spybot.Worm variant) and an infection had clearly taken place:
Task Manager:
The "Run" key in the Registry:
Meanwhile, Finjan SurfinGuard Pro was just hummin' along without a care in the world...it hadn't noticed anything yet!
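The two checks described above (a look at the process list and at the "Run" key) are the kind of baseline comparison a honeypot analyst does by hand. Below is an added example of automating it, not code from the original post or from Finjan: it parses a `.reg` export of the Run key and a `tasklist`-style process dump and reports anything absent from a clean-install baseline. The export, the process dump, the baseline contents and every file path in it are constructed sample data modelled on the infection described in the post; the value name "f0mered" and the `C:\WINNT\System32` location are assumptions, not values taken from the post.

```python
"""Compare a Run-key export and a process list against a clean baseline.

Added example (not the post's or Finjan's code). All sample data below is
CONSTRUCTED for illustration; paths and value names are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed: what a `regedit /e` export of the Run key on the infected box
# might look like. The f0mered path/value name is an assumption.
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SurfinGuard"="C:\\Program Files\\Finjan\\SurfinGuard Pro\\SurfinGuard.exe"
"f0mered"="C:\\WINNT\\System32\\f0mered.exe"
'''

# Constructed: tasklist-style output (image name is a 25-char fixed column).
TASKLIST_OUTPUT = '''
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
smss.exe                     148 Console                 0        344 K
csrss.exe                    176 Console                 0      1,844 K
winlogon.exe                 196 Console                 0      2,200 K
services.exe                 224 Console                 0      4,100 K
lsass.exe                    236 Console                 0      3,900 K
SurfinGuard.exe              612 Console                 0      8,900 K
f0mered.exe                  884 Console                 0      2,300 K
ymnz.exe                     912 Console                 0      1,100 K
'''

# Assumed clean-install baselines, recorded BEFORE exposing the honeypot.
# Run entries are keyed on value name AND command so a legitimate name
# pointing at a different binary is still flagged.
RUN_BASELINE: Dict[str, str] = {
    "Synchronization Manager": "mobsync.exe /logon",
    "SurfinGuard": r"C:\Program Files\Finjan\SurfinGuard Pro\SurfinGuard.exe",
}
PROCESS_BASELINE: Set[str] = {
    "System Idle Process", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "SurfinGuard.exe",
}

_RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_key(export: str) -> Dict[str, str]:
    """Return {value name: command} for REG_SZ values under the Run key only.

    .reg exports escape backslashes and double quotes inside string data,
    so both are unescaped here.
    """
    entries: Dict[str, str] = {}
    in_run = False
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("["):          # section header: is it the Run key?
            in_run = line == _RUN_KEY
            continue
        if not in_run:
            continue
        m = _REG_VALUE.match(line)
        if m:
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries[m.group("name")] = data
    return entries


def parse_tasklist(output: str) -> List[str]:
    """Return image names from tasklist output (first 25-char column)."""
    lines = output.splitlines()
    # Data rows start after the '====' separator line.
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith("=")), 0)
    return [l[:25].strip() for l in lines[start:] if l.strip()]


def find_unexpected(run_entries: Dict[str, str], processes: List[str],
                    run_baseline: Dict[str, str] = RUN_BASELINE,
                    process_baseline: Set[str] = PROCESS_BASELINE
                    ) -> Tuple[Dict[str, str], Set[str]]:
    """Flag Run values whose name/command pair is not in the baseline and
    process images not in the baseline (case-insensitive, as Windows is)."""
    bad_run = {n: c for n, c in run_entries.items()
               if run_baseline.get(n, "").lower() != c.lower()}
    known = {p.lower() for p in process_baseline}
    bad_procs = {p for p in processes if p.lower() not in known}
    return bad_run, bad_procs


if __name__ == "__main__":
    run_bad, proc_bad = find_unexpected(parse_run_key(RUN_KEY_EXPORT),
                                        parse_tasklist(TASKLIST_OUTPUT))
    for name, cmd in run_bad.items():
        print(f"UNEXPECTED Run value: {name!r} -> {cmd}")
    for image in sorted(proc_bad):
        print(f"UNEXPECTED process:   {image}")
```

On the constructed data this reports one unexpected Run value (`f0mered`) and two unexpected processes (`f0mered.exe` and `ymnz.exe`); the point of keying the Run baseline on both value name and command is that a persistence entry reusing a legitimate-looking name still shows up.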
So I did my standard analysis and capture procedures. Once I was done, I ran the suspicious files through Finjan SurfinGuard Pro using their built-in "Run Safe..." interface - shown here:
Here are the results by file (there were only 3 suspicious files):
ymnz.exe
mnyz.exe
f0mered.exe
So...what we have here is the product recognizing that these files are indeed malicious (according to its own built-in default rules!)...but they were not recognized by the realtime scanning methodology used by Finjan!
Does anyone have any experience with this product??? This is only day one of my running a honeypot with it deployed as the sole line of defense, so I am sure there is much more interesting stuff to come!
Oh...and BTW I am using the default configuration in case anyone is wondering. My current "standard" within my honeypot product testing is to use default options for all.