eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Bit9’s Parity 4.1 is effective host-based intrusion prevention for Windows systems that works by whitelisting applications, allowing only approved applications to run, and blocking anything else, including malware. IT managers at any size organization should immediately consider using application whitelisting to secure Windows systems.
Application whitelisting tools, including Parity, CA’s CA HIPS (Host-Based Intrusion Prevention System), CoreTrace’s Bouncer and Lumension’s Sanctuary Application Control work differently from anti-virus, anti-spyware tools that use signatures and anomaly detection schemes to try to stop unwanted software actions.
Parity 4.1 worked effectively in my tests and the product raises serious questions about the future usefulness of host- and gateway-based security systems that focus on identifying fast-morphing malware signatures.
Application whitelisting isn’t without flaws as a protection strategy-for example, there is the need to painstakingly approve programs to prevent blocking needed apps. However, Bit9’s Parity, with an extensive database of vetted applications along with a nimble agent and flexible policy engine, proved more than able to handle my test environment.
Keep in mind that Parity 4.1 doesn’t clean malware from a system, although it renders toxic executables inert. Parity does make it much easier to identify the systems that are infected, however, and provides a specific report on which machines are installed with unwanted software, thus making it a much easier task to focus cleanup efforts.
Parity 4.1 became available in June and now provides Active Directory integration, a useful “new files” report, software categorization that significantly eases policy creation, automatic device inventory and the ability to virtualize the Parity server.
Parity 4.1 can be licensed in two ways: a perpetual one-time license is $35 per workstation and $350 per server. A subscription license is also available for $19 per workstation, plus a maintenance fee.
Parity 4.1 is a client/server application. I installed the Parity Server in a VMware ESX Server 3.5 environment on a virtual machine configured with dual processors, a 60GB drive, 2GB RAM and a single network interface card with a fixed IP address. This configuration is the minimum required for managing up to 3,500 clients.
Parity 4.1 can now use an external Microsoft SQL Server 2005 database to track clients, which I installed on a VM in the same VMware ESX cluster. There is currently no support for Oracle databases. The Parity Agent, which performs disk inventory, monitoring and policy enforcement on workstations and servers, can be installed on Windows 2000-, XP-, Vista, or 2003-based systems.
Parity 4.1 policies are enforced per Host Group, which I set up in the Parity Server. My policy settings included monitor (watch and report), block (stop all unapproved applications), ask (warn user of unapproved software with an option to continue execution) and local approval (allow trusted users to approve software on their individual system).
The monitor policy was especially useful for understanding what applications were in use on my test systems before making policy decisions on specific applications.
After first installing the Parity agent on a system, the initialization process took from 10 to 40 minutes running in the background. This is a one-time penalty as compared with anti-virus scans, which typically consume 1 to 2 hours of machine time per week. The initial discovery looks for executables installed on the target system and then reports the inventory to the Parity Server. My systems reported more than 17,000 items scattered across several systems that have been used in typical production settings for the last two years. These items are presented to the administrator in a list on the Web-based Parity 4.1 console.
The Real Value of Bit9
This is where the real value of Bit9 comes into play. Based on extensive research, the company has created a hash value for tens of thousands of published applications. Parity 4.1 uses the hashed values of files found on individual systems to compare and identify applications in the production environment.
Parity also provides the ParityCenter (which is included in the subscription license and is provided with a 10 percent annual fee for perpetual customers). The ParityCenter reports back what it knows about the identified files-for example, the file publisher, if the file contains malware as identified by ParityCenter anti-virus and code analysis tools. Based on ParityCenter recommendations, I quickly approved most of the software found on my test systems.
Further, the Parity Server used information from ParityCenter to pass judgment on these files, such as using the new application categorization feature to call out peer-to-peer and other potentially problematic programs for easy identification.
I found that there is still a fair amount of judgment work left to administrators. Many of the VMware files used in my test network had not yet been vetted by ParityCenter. Bit9 is forming relationships with anti-malware vendors, which may speed the identification process for identifying circulating malware.
I easily integrated Parity 4.1 with the Active Directory infrastructure in use on my test network, which made short work of grouping end-user systems.
Once the Parity 4.1 system was initialized, I lived mostly in the “new files” section of the dashboard, checking out the newly found items reported by the Parity agents. This is a real timesaver for users accustomed to the previous version of Parity and greatly increased my confidence that I was making policy decisions based on the most up-to-date information about my user systems.
eWEEK Labs Technical Director Cameron Sturdevant can be reached at csturdevant@eweek.com.