No one can deny that enterprise endpoints must be protected. After all, most malware incursions result from some type of activity performed on an endpoint.
IT security products vendor Comodo has recognized the importance of endpoint protection as a means to secure the enterprise. The company has developed an array of products that work together to stop infections and attacks from propagating throughout a network. What’s more, the company has also created the means to orchestrate network security with a unified management console that ties protection together into a seamless layer of security across endpoints, servers, and even the cloud.
Comodo Advanced Endpoint Protection (AEP) is actually a mashup of multiple security technologies wrapped into an easy to deploy and manage package. AEP unifies the Comodo Client with the Comodo IT and Security Manager (ITSM) console and Comodo Valkyrie (a cloud-based malware analysis platform) to create a security platform that is applicable to enterprises of any size.
AEP is able to work across physical and virtual networks to bring protection to physical and virtual endpoints that run a multitude of operating systems, including Android, iOS, OSX, Linux and Windows.
Hands on with Comodo AEP
From an enterprise perspective, everything in Comodo AEP begins with ITSM, which acts as a central point of control for Comodo’s various security products. ITSM is actually a browser-based portal. It is also a subset of the Comodo One Portal, which in itself is a cloud-based service offering designed to unify the management of endpoints with Comodo’s various security services and products.
The Comodo One Dashboard is customizable, allowing administrators to bring the most critical elements to the primary view. It fully supports the ability to drill down into subsequent dashboards, which also may be customized. The primary dashboard supports a variety of widgets, which relate to the functions that an administrator can perform. For example, administrators have access to “Quick Actions,” which brings a few wizards together to accomplish such actions as “Add New Device,” “Download Bulk Enrollment Package,” and so forth.
Comodo One also bundles in other capabilities, such as the help request (help tickets) management, SLA tracking, and so forth, which are not necessarily part of the AEP paradigm. Of course, administrators can turn off those features and dialogs to create an ITSM portal that focuses purely on the protection aspects of Comodo’s products. Most administrators will spend the bulk of their time working directly from the IT and Security Manager portal, where tasks are accomplished, reports generated, and policies defined.
Deploying protection to endpoints is straightforward. Administrators can use the “add new device” wizard as a quick way to get started. Users register devices with an email address, which then can optionally be used to send instructions to the device operator on how to enroll the device into the security domain. Alternatively, administrators can download an install package and then deploy that using policies or scripts. Either way, enrolling an endpoint proves to be quick and easy, and that is worth noting because many malware infestations occur simply because an endpoint is not properly protected.
Of course, deployment is only one small part of the protection equation. Truly protecting endpoints means keeping them up to date with the latest patches, signatures and so forth, all of which falls under the symbiotic relationship of ITSM and the Comodo Client.
The Comodo Client
The Comodo Client is an endpoint-installed client application which provides protection for the endpoint, while also providing the hooks for management of the endpoint via ITSM. In addition, it communicates with Comodo’s cloud based analysis platform, Valkyrie.
The Comodo Client provides the following capabilities:
- Antivirus: Integrated antivirus engine designed to automatically detect and eliminate viruses, worms and other malware
- Firewall: Fully configurable packet filtering firewall that is designed to constantly defend endpoints from inbound and outbound Internet attacks
- Advanced Protection: An integrated assemblage of prevention-based security technologies designed to preserve the integrity, security and privacy of the endpoint and user data
- Containment: Automated checking and authentication of every running process and executable on an endpoint to verify its validity and prevent potentially damaging actions. Unrecognized processes and applications are automatically executed inside a security-hardened environment known as a container, and are strictly monitored. While in the container, those processes are not able to access other processes and only have access to a virtual file system and registry. Through this ‘default-deny’ approach, untrusted (but harmless) applications are able to operate, while untrusted (and potentially malicious) applications are prevented from damaging the endpoint.
- Host Intrusion Protection System (HIPS): A rules-based intrusion prevention system that monitors the activities of all applications and processes on the endpoint. The HIPS blocks the activities of malicious programs by halting any action that could cause damage to the operating system, system memory, registry keys or personal data.
- Viruscope: Monitors the activities of processes running on the endpoint and, by default, stops processes that could potentially threaten privacy and/or security. Viruscope uses a system of behavior recognizers to detect unauthorized actions and creates the ability to undo those actions. Viruscope also can reverse unwanted actions taken by legitimate software without blocking the software entirely.
- Rescue Disk: Integrated wizard that provides the end user with the ability to create a boot-disk which will run antivirus scans in a pre-Windows/pre-boot environment.
- Additional Utilities: The Comodo client also bundles in advanced utilities, which support other Comodo security products, such as Comodo Cleaning Essentials and KillSwitch.
As mentioned before, the client can be pushed down to endpoints by registering endpoints in ITSM and following the instructions provided. Some important things to note about the Comodo Client are its ability to automatically contain unknown processes via default-deny and its ability to roll back systems to a state before a new process was executed. Those capabilities prove to be of the utmost importance when dealing with the ever-growing scourge of ransomware. Plus, most enterprise endpoints today rely on an increasingly archaic and overmatched default-allow policy, meaning if an application or executable is not known to be bad, it’s allowed to run—letting new, unknown threats run free. With Comodo’s default-deny approach, WannaCry and its successors could have been stopped in their tracks.
A significant part of the AEP solution, Comodo Valkyrie is a cloud-based component that brings an instantaneous file check into the mix. This goes well beyond what typical signature-based malware checking accomplishes.
Valkyrie works using an online file verdict system, which tests unknown files with a range of static and behavioral checks in order to identify those that are malicious. Because Valkyrie analyzes the entire run-time behavior of a file, it is more effective at detecting zero-day threats missed by the signature-based detection systems of classic antivirus products. Valkyrie incorporates the following technologies:
- Static Analysis: Extraction and analysis of various binary features and static behavioral inferences of an executable are performed on API headers, referenced DLLs, PE sections and other resources. Deviations from expected results are recorded in the static analysis results, and the solution generates a verdict on the file.
- Dynamic Analysis: Works by studying the run-time behavior of a file to identify malware patterns that cannot be identified through static analysis.
- Valkyrie Plugins and Embedded Detectors: Valkyrie incorporates different malware analysis techniques developed by various communities and educational institutions and makes them available via RESTful Web Services. Results are incorporated into a final overall verdict.
- Embedded Detectors: Valkyrie uses new methods of malware detection developed by Comodo AV laboratory to compute an overall final verdict on a file.
- Signature-Based Detection: Valkyrie uses different signature-based detection sources in order to detect a given sample in the first place. Signature-based detection simply checks the SHA1 hash of a file against the signature sources to determine whether there is a match in the database.
- Trusted Vendor and Certificate Validation: Valkyrie checks the vendor details of a file against Trusted Vendor databases that are continuously updated. If the vendor is whitelisted, certificate validation is then done to ensure that the certificate chain is valid and not revoked or expired.
- Reputation System: Reputation data for files, collected from millions of endpoints through the Comodo network and products, are evaluated on a big data platform and converted into intelligence for use by Valkyrie.
- Big Data VirusScope Analysis System: VirusScope, a part of Comodo Security products, is a dynamic application analyzer that detects malicious behavior of a file, blocks it and reverses those actions when necessary.
- Manual Analysis: The Valkyrie system also lets users submit files for manual analysis by human experts. Comodo expert analysis is the most sophisticated analysis of a file and provides the ultimate verdict on it.
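To make the default-deny launch policy, the SHA1 signature lookup and the container's virtual file system concrete, here is an added illustration (my own toy model, not Comodo's code) of how those pieces fit together: an unmatched file is contained rather than allowed, its writes land in a copy-on-write overlay, and the overlay is either discarded or committed once a verdict arrives. The signature sets and file contents are constructed values, not real hashes.

```python
import hashlib

# Constructed signature sources (SHA1 of the byte strings below), not real hashes.
KNOWN_GOOD = {hashlib.sha1(b"MZ trusted-editor").hexdigest()}
KNOWN_BAD = {hashlib.sha1(b"MZ known-bad-sample").hexdigest()}


def triage(exe_bytes: bytes, default_deny: bool = True) -> str:
    """SHA1 signature lookup, then the launch policy for unmatched files:
    default-allow runs them unrestricted, default-deny contains them."""
    digest = hashlib.sha1(exe_bytes).hexdigest()
    if digest in KNOWN_BAD:
        return "block"  # known-bad is blocked under either policy
    if digest in KNOWN_GOOD:
        return "allow"
    return "contain" if default_deny else "allow"


class Container:
    """Copy-on-write view of the host file system (a dict here): reads fall
    through to the host, writes and deletes land only in the overlay."""

    def __init__(self, host_fs: dict):
        self.host = host_fs
        self.overlay = {}
        self.deleted = set()

    def read(self, path):
        if path in self.deleted:
            return None
        return self.overlay.get(path, self.host.get(path))

    def write(self, path, data):
        self.deleted.discard(path)
        self.overlay[path] = data

    def delete(self, path):
        self.overlay.pop(path, None)
        self.deleted.add(path)

    def discard(self):  # verdict malicious: drop every change, host untouched
        self.overlay.clear()
        self.deleted.clear()

    def commit(self):  # verdict clean: apply the recorded changes to the host
        for path in self.deleted:
            self.host.pop(path, None)
        self.host.update(self.overlay)
        self.discard()
```

A contained process that rewrites documents therefore changes only the overlay; discarding it is the roll-back the article describes, while a clean verdict commits the changes to the host.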
Comodo AEP Review
Comodo’s melding of advanced anti-malware technologies with a management pane brings a new level of security to the connected enterprise. By focusing on protecting endpoints and combining the intelligence gathered into a proactive environment, AEP can successfully prevent the spread of malware that resists detection by signature-based methods and effectively contain those threats from propagating through the network. While the threats are contained, the user is still able to interact with the system with no interruption and no harm to the computer. What’s more, the hybrid nature of the anti-malware platform keeps checks and validations up to date, and enables a crowd-sourcing-like iteration of malware protection.
Additional add-ons, as well as subscriptions to Comodo’s other services, round out AEP and can help businesses transform their management and security of endpoints into a unified process. They simplify both chores, while bringing a more hands-on approach to endpoint management.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant. He has written for leading technology publications including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom's Hardware, and business publications including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for Ziff Davis Enterprise's eWeek and former director of the CRN Test Center.