
Security Analysis And Testing Research For Host Monitoring And Auditing Product Based On Windows

Posted on: 2015-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: H Li
Full Text: PDF
GTID: 2268330425988821
Subject: Information security
Abstract/Summary:
As enterprise network security issues have become more and more prominent, host monitoring and auditing products have been increasingly favored by companies in recent years. These products not only effectively prevent internal staff from misusing network resources or leaking sensitive information, but also record traces of illegal activity. However, because they are technically difficult to design and implement and run in complex application environments, security vulnerabilities persist in some modules of these products and in the client-side agent, which makes the monitoring function less effective. Product security has therefore gradually become a major concern. Based on testing more than 20 different kinds of products in NSSTEC, this paper identifies the vulnerabilities that may be used to escape monitoring and to render the client-side agent ineffective.

This paper focuses on the results obtained for the products' functional modules and their self-security, specifically presenting the security vulnerabilities of three functional modules and three means of undermining the security of the client agent. The security vulnerabilities can be summarized as follows:

1. Modifying the information used to match a process allows it to escape process monitoring.
2. The unauthorized access monitoring function can easily be defeated just by binding a static IP-MAC address, intercepting ARP spoofing packets, or intercepting/tampering with/sending data packets.
3. Because log correlation analysis is lacking, a product can capture anomalies that match signatures, but not unknown anomalies.

As for its self-security, the client-side agent is easily disabled through termination or tampering with its local logs/configuration, by destroying its dual-process protection and deleting its automatic start item.

Based on this analysis, a test tool for testing these products has been developed. It consists mainly of three modules, responsible respectively for process monitoring, unauthorized access monitoring, and the client-side agent. The process monitoring test module includes getting/modifying the copyright information and MD5 of exe files; the unauthorized access monitoring test module covers IP-MAC address binding, an ARP firewall, and packet intercepting/tampering/sending; the client agent test module manages process and automatic start item information.
Keywords/Search Tags:host monitoring and auditing product, security analysis, testing research