Another set of hotfixes for Cisco Security Agent (hereinafter CSA), a host-based intrusion prevention system (HIPS) for the Windows, Solaris and Linux operating systems. The system monitors the behavior of application code running on the machine and of local network connections, and identifies anomalies in their operation to determine whether to allow the activity. The obvious advantage of such attack-prevention systems is that they do not require attack signatures. The system has an agent-server architecture.
CSA features

Once installed on the target system, CSA begins to monitor system resources and builds tables with information about everything that happens in the system. Using these tables, CSA ensures that the preset rules of behavior for the system are not violated. The agent monitors everything it can: use of and access to files and applications, network transactions, registry access, kernel usage, and access to COM objects and other system components. The purpose of all this is to guarantee that the system operates properly according to the set rules.
With such deep knowledge of everything happening in the system in real time, CSA can decide whether to allow or deny an action. This occurs when a user performs certain actions or when malicious code tries to execute. When CSA discovers that a request cannot be permitted under the local security policy, the agent blocks the action and sends a message about the improper system behavior.
Nestled deep in the system and directly controlling it and all of its behavior, the agent performs multiple roles, preventing both known and unknown attacks, including the following features:
• Global event correlation and automated response.
• Distributed management of protected hosts.
• Application control, protection against buffer overflows.
• File and directory protection.
• Network access control, a personal firewall.
• Investigation of the distribution of newly installed applications and their behavior.
• Automatic change of control policy depending on the user name and the user's location in the network.
• Auditing of user activity.
• Stops leaks through USB ports, DVD-RW, external devices, PDAs, the network, and the clipboard.
• Blocks keyboard hooks.
• Integrates with Network Admission Control (NAC).
• Integrity control.
• Protection from spyware.
• Protection from rootkits.
• Protection from downloading prohibited content (e.g., MP3 files).

Or, to put it more simply, the agent controls misbehaving applications on the Windows, Solaris and Linux operating systems, thereby hindering exploitation of existing vulnerabilities in these applications, both remotely over the network and locally through accidental launch of malicious code. And, most importantly, the agent protects against theft of information from the host.
It is worth noting that the product is complex and requires skill to install, configure and use. A decent but outdated article in Russian on the capabilities of CSA v4.5: here.
Important:
• The distribution is intended for Windows Server 2003 / R2 (SP2). Installation works as follows: Management Center for CSA is installed on the server, and after deployment it generates links to the client component for user hosts.
• Starting with version 5.0, CSA does not require CiscoWorks VMS to be preinstalled.
• This distribution contains 2 license files to choose from.