Trying to prevent malware attacks is difficult because the malware is always changing. Anti-virus and other security products
attempt to keep up with changing file signatures and behaviors, but this means they are always slightly behind, because they have
to analyze new malware before they can protect against it.
An alternate approach is to use Application Whitelisting, which is a way of specifying which applications should be able to run
and access files. Any process which is not on the list doesn't get to run. This will be a smaller, and most importantly, a finite set for any given computer.
PA File Sight does Application Whitelisting with a Trusted Applications approach. The system administrator defines rules that
specify which applications can run, and which files they can access. The second point, defining which files can be accessed, is critical,
as there are many applications that are perfectly safe and valid when used properly but can also be used in nefarious ways,
such as PowerShell, the command shell, etc. By controlling which files these trusted applications can read (a script file used as input,
for example), system security can be greatly enhanced.
The Trusted Application feature of PA File Sight looks at every file access (read, write, delete, move/rename) that takes place on a computer and looks at data about:
Attributes of the file being accessed
Attributes of the process that is accessing the file
The user account running the process
With these sets of information, rules can very quickly be run to determine whether the file access should succeed or not. If the
rules are not met, the access is blocked, with optional alerting and logging.
An important concept to understand is that before a process starts, it is initially read into memory as a file (by
whatever process is starting the new process). So the FILE_xxx statements will first be applied to it, and then once it is running, the PROCESS_xxx statements
will apply as the process reads in additional files.
For example, double-clicking Notepad.exe from Explorer.exe will cause:
Explorer.exe (process) to read Notepad.exe (file) as part of loading and starting the Notepad.exe process; then Notepad.exe (process) will read additional files.
Stopping a process before it starts is usually done by blocking Reads of the process file with FILE_xxx rules.
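The following is an added, constructed model of the two-stage evaluation described above (FILE_xxx rules on the image being read, then PROCESS_xxx rules on what the running process reads), not PA File Sight's own engine or rule syntax; the policy contents, paths and account names are assumptions chosen to replay the Notepad and PowerShell scenarios from the text.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Access:
    """One file access as the text describes it: which process, as which user, doing what to which file."""
    process: str  # image path of the process performing the access
    user: str     # account the process runs as
    op: str       # "read", "write", "delete" or "rename"
    path: str     # file being accessed

@dataclass
class Policy:
    # FILE_ rules: executable images any process may read, i.e. start (assumed representation).
    trusted_images: set = field(default_factory=set)
    # PROCESS_ rules for dual-use tools: image -> (allowed users, allowed read globs).
    process_rules: dict = field(default_factory=dict)

def evaluate(policy: Policy, a: Access) -> tuple[str, str]:
    """Return ("ALLOW" | "BLOCK", reason). FILE_ rules run first, then PROCESS_ rules."""
    path, image = a.path.lower(), a.process.lower()
    # FILE_ rule: a process is loaded by reading its image file, so blocking the read of an
    # untrusted .exe/.dll stops the process before it ever runs.
    if a.op == "read" and path.endswith((".exe", ".dll")) and path not in policy.trusted_images:
        return "BLOCK", "FILE rule: image not on the trusted list"
    # PROCESS_ rule: once running, a dual-use tool may only read what its rule permits.
    rule = policy.process_rules.get(image)
    if rule is not None and a.op == "read":
        users, globs = rule
        if a.user.lower() not in users:
            return "BLOCK", "PROCESS rule: user may not run this tool"
        if not any(fnmatch(path, g) for g in globs):
            return "BLOCK", "PROCESS rule: path not allowed for this process"
    return "ALLOW", ""

# Constructed sample policy: Explorer, Notepad and PowerShell are trusted; PowerShell may only
# read scripts under C:\Scripts (plus Windows files) and only as the assumed backup account.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
POLICY = Policy(
    trusted_images={r"c:\windows\explorer.exe", r"c:\windows\notepad.exe", PS.lower()},
    process_rules={PS.lower(): ({r"corp\backupsvc"}, [r"c:\scripts\*.ps1", r"c:\windows\*"])},
)

def run_scenarios(policy: Policy = POLICY) -> list[tuple[str, str]]:
    """Replay the Notepad start sequence from the text plus constructed PowerShell accesses."""
    events = [
        Access(r"C:\Windows\explorer.exe", r"CORP\alice", "read", r"C:\Windows\notepad.exe"),
        Access(r"C:\Windows\notepad.exe", r"CORP\alice", "read", r"C:\Users\alice\notes.txt"),
        Access(r"C:\Windows\explorer.exe", r"CORP\alice", "read", r"C:\Users\alice\Downloads\unknown.exe"),
        Access(PS, r"CORP\backupsvc", "read", r"C:\Scripts\nightly.ps1"),
        Access(PS, r"CORP\backupsvc", "read", r"C:\Users\alice\Downloads\unknown.ps1"),
        Access(PS, r"CORP\alice", "read", r"C:\Scripts\nightly.ps1"),
    ]
    return [evaluate(policy, e) for e in events]
```

The third event shows the point made above: the unknown executable is stopped at the FILE_ stage, when Explorer reads it, so no PROCESS_ rule for it is ever needed.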
PA File Sight Ultra can protect servers (both where the Central Monitoring Service and Satellites are installed) as well as client computers
where the optional Endpoint is installed.