Sitecom Cloud Security - Hitman Pro in the Router

Discussion in 'other anti-virus software' started by Habakuck, Sep 3, 2012.

  1. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,769
    Location:
    Outer space
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    That thread is over a year old. Haven't heard anything more about it good or bad since.

    Al
     
  4. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,424
    Really interested in this. does anyone own this? How is the performance?
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I would appreciate a comment from a Hitman Pro employee to explain how exactly the technique works.... :thumb:
     
  6. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    No one here who knows how the technique really works?
     
  7. DX2

    DX2 Guest

  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    Sitecom Cloud Security uses HitmanPro.UTM technology (patent pending).

    HitmanPro.UTM calculates fingerprints of fragments of a binary download and consults the cloud to verify them. So basically, signature fragments are in the cloud, and the router is consulting them. So there is real AV scanning on the router, the signatures are just in the cloud.

    If an unknown binary is found, the cloud downloads the file as well and classifies the file using multiple AVs. Signatures are then generated and served through the cloud to the routers. Each router contributes to building the signature database.

    In addition the cloud is fed with malware binaries from 40+ security vendors.

    Sitecom Cloud Security uses 4 scanning engines (BitDefender, Emsi, Ikarus and an undisclosed scanner).

    A rough comparison:
    • Barracuda Web Filter 210 (ClamAV, filter capactity 5Mb/sec) Price: 1899 EUR
    • Juniper SRX 220 (Sophos, filter capactity 35Mbit/sec). Price: 2650 EUR
    • Sitecom WLR-6000 X6 (4 AVs**, scan speed 100Mbit/sec). Price: 119 EUR
    • Sitecom WLR-2100 X2 (4 AVs**, scan speed 80Mbit/sec). Price: 35 EUR

    Both Barracuda and Juniper only use a small signature database on the router. Sitecom Cloud Security has an entire cloud for its signatures (no on-device signatures needed).

    Also HitmanPro.UTM uses host name filtering and URL page level filtering (e.g. it allows www.facebook.com but can block www.facebook.com/user/malware.php). This in contrast to solutions like OpenDNS which can only block an entire host.

    A few disadvantages:
    • Cannot prevent malware being dropped via USB-stick; it can only block malware coming in through the network
    • No protection outside the router network (e.g. smartphones used beyond the router network are no longer protected).
    • No protection when the internet connection is down. But then you can't get infected through internet either :)

    Sitecom Cloud Security protects every connected device. PC, MACs, Xbox, PlayStation, SmartTV, smartphone, tablet, etc.

    In addition, Sitecom Cloud Security has an integrated Ad Blocker. It successfully blocks advertisements in free iOS apps as well ;)

    To conclude, filtering is currently only done on port 80. All other ports are unfiltered and work full speed (not limited by the AV filtering).

    Hope this helps.
     
    Last edited: Sep 7, 2012
  9. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Your browser will slow down a bit because all network traffic needs go trough the proxy server which is build in the Sitecom routers. Most of these devices have blacklists of known malware, phishing websites , ... and if there is a match you will not be able to visit that website or download something.

    In fact what Sitecom have made is a stripped down version of Vasco's Axsguard Gatekeeper business solutions.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    The slowdown of Sitecom Cloud Security is not noticeable. The cloud messaging uses AES encrypted UDP traffic and respond within 40us (micro-seconds; the cloud leverages AES-NI hardware cryptography to decrypt requests and encrypt responses). The network round-trip largely depends on your network latency. On average, the total time needed for a cloud consult is around 20ms. I don't think anyone will ever notice this in its browsing experience.

    During various press events in Europe, the press was highly impressed with the speed and the fact that the security does not affect browsing experience.

    Sitecom Cloud Security relies purely on its cloud. The router has limited CPU and memory. So it leverages the cloud for its signatures as the cloud obviously has a lot more signatures than a SOHO router can ever possibly hold. Sitecom's cloud has Windows, Mac and Android malware signature fragments.
    Again, downloaded binaries are scanned on-the-router. The router just consults the cloud to get signature classification.

    I've never heard of Axsguard Gatekeeper but from the looks of its specification its the same as the above Barracuda and Juniper offerings.

    As being the lead developer of this solution you'd might consider me slightly biased though ;)
     
    Last edited: Sep 7, 2012
  11. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Hello erikloman,

    First of all, thank you for implementing this kind of security in devices for consumers. I don't think that are yet any similar solutions available such as Sitecom and Hitman Pro cloud security in normal routers.

    Before, it was only available for businesses.


    The slow down I was talking about maybe comes from my personal experience with Vasco Axsguard Gatekeeper at my work. I was explaining in general what the purpose of a proxy is, when we are speaking about protection against malware. Yes, you are right about it's something similar then the other solutions you mentioned.

    Also thank you for explaining the technology about it, and correcting my mistakes.

    Regards
    Niels
     
  12. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    erikloman, thanks very much for this detailes information. It's very much appreciated!

    I searched for this kind of system for a while now..

    I will go for it.
     
    Last edited: Sep 7, 2012
  13. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    One additional question:
    What exactly is an unknown file?
    If I choose a known malware file and change entry point, header and some other typical signature related code segments in a way that the code is still executable, what will happen if this file is seen by the Sitecom router?
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    Depends on which parts are changed (as it calculates partial signatures). If not too much is changed then it is still blocked. When too much is changed then the Sitecom Cloud will download the file as well (again) and determines whether it is malicious. If it is, the according fragment signatures are served. In addition, the exact URL is added to the black list. All automatically.
     
  15. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thanks again erikloman!

    Will the download be hold until the analysis is done, so will the first user hitting an unknown file be protected or does the cloud need some time to accomplish the categorization of the bad file?
     
  16. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Good question :thumb: +1

    /E
     
  17. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    The download will not be blocked while the cloud is processing the unknown file. This to not hinder the end user browsing experience.

    Hope this helps.
     
  19. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    OK thanks! :thumb:
     
  20. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    I would absolutely LOVE :thumb: to test one of the new Sitecom Cloud Security routers, especially the WLR-6000. Does anyone know where I can get my hands one of these in the good old U.S. of A.o_O??
     
  21. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    What you are saying is that the first user "seeing" this file will download it as a potential malware, but the second and so on should be protected as the processing of the file is done in seconds, or?

    I for one would not mind "waiting" for a result, maybe you could add this as a option?
    If you have the time, install and take a look how Sophos (Astaro) UTM 9 solves the download with a web page coming up showing 3 steps: Downloading the file, scanning the file, and finally you press a download button presented by the UTM.

    /E
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    Sophos (Astaro) UTM 110 (their low end) runs on hardware with X86 2GHz+ processor, 2GB RAM and 160GB HDD. AV proxy throughput 70MB/sec.

    Sitecom Cloud Security (HitmanPro.UTM) runs on 300MHz MIPS processor with 16MB RAM and no HDD, just 4MB flash. The proxy application is ~200KB (uncompressed) and consumes ~1.3MB of RAM while in use. Proxy throughput Sitecom WLR-2100 X2 80MB/sec (price 35,- EUR incl VAT).

    Sophos UTM scans unknown downloads ON THE APPLIANCE (Sophos AV).

    HitmanPro.UTM scans unknown downloads IN THE CLOUD (BitDefender, Emsisoft, Ikarus, SurfRight). The cloud handles requests of hundreds of thousands of routers in Europe. You can see that the cloud has to handle A LOT more downloads than a single appliance.

    While Sophos UTM can wait on scan results (the scan on the appliance), the Sitecom router cannot because it is not deterministic how long a scan will take in the cloud (from a few seconds to up to several minutes, depending on the load).

    Hope this helps.
     
    Last edited: Sep 15, 2012
  23. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    Next week Sitecom will be announcing new products to the press. Some of these new products include a new version (!) of Sitecom Cloud Security (our HitmanPro.UTM technology) which is updated with new security and privacy features. We will be releasing a press message too so stay tuned :)

    Note that Sitecom's routers with our UTM technology are available since April 2011 in The Netherlands, United Kingdom, Germany, France, Italy, Spain, Portugal, Poland and Russia.
     
  24. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    I know it scans on the appliance (Sophos and Avira), if you choose to have 2 engines enabled.
    This also takes some time depending on how big files you choose it to scan, and how many users have files scanned at the moment.
    I would say the appliance is not deterministic how long a scan will take as it depends on the scenario I mentioned above.
    Still I do not mind waiting a minute or 2 for this, and I do understand that the cloud would have to handle a lot more downloads.
    But would it be possible with the wait for the scan scenario in your solution if we do not mind waiting?
    Or do you mean while scanned in the cloud the Sitecom router looses it´s connection to the file scanned?
    Sorry for all the questions but your solution is exacting to say the least :p and I want to understand all I can about it.

    Cheers

    /Esse
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    Technically it is absolutely possible to wait on the scan result but we chose not to. Mainly because there can also be downloads that are not handled by a browser but a download manager. Then the user has no option to click the Download button.

    In any case, keep the questions coming. I think I can answer most of them ;)
     
Loading...