Application Whitelisting
Antivirus Software

With seculution you can replace classic antivirus software. The best part? We guarantee protection! Should the protection fail after all or you are not satisfied, you get your money back.

Protect your endpoints and corporate network with seculution and avoid unauthorized access to your system. Test it now for 60 days with full support – see for yourself!

General Questions

seculution Application Whitelisting works with all Windows versions starting from Windows XP.

Of course. In case of Citrix server farms or desktop virtualization, it is actually particularly easy, because one import of a golden image is enough and the whitelist is complete. This takes no more than a few minutes.

Especially when it comes to the use of seculution application whitelisting on medical devices for example, we are frequently asked about certifications. Unfortunately, certifications only work on static code. But since we are constantly developing our product, each new version would have to undergo a completely new certification process.

That process would take longer than the runtime of that version, meaning the next update would be available faster than the certification of the previous version could be completed. For dynamically evolving software, certifications are therefore not an option.

Given the fact that a successful attack on unprotected systems voids any warranty from the device manufacturer anyway, many of our customers therefore prefer to opt for the reliable protection provided by seculution application whitelisting and accept the loss of warranty.

For licensing purposes, we count the number of devices secured with our agent. Thin clients that connect to Citrix or TerminalServers secured by seculution are also counted as individual devices. Fat clients that already use a local license are not counted again when connecting to the Citrix or TerminalServer.

seculution Application Whitelisting can technically be deployed in networks of any size. But since the product requires the operation of a virtual appliance for the administration of each customer's whitelist, fixed costs will arise which are difficult to recoup if the number of licenses required is on the lower side. Nevertheless, if the number of licenses is too small for a direct contract with SecuLution GmbH, our distribution partners can still offer you a deal on the scale you need. Contact us, we will happily broker the deal for you!

If the positive assessment concerning such software comes from our TrustLevel database, it is of course covered by the warranty. Details about the warranty can be found here.

The SolarWinds incident

Yes, and no.

Yes, because the SolarWinds products were not part of our TrustLevel database and therefore had not been classified as trustworthy by us. So technically, seculution would indeed have blocked the execution.

No, because in practice, it is doubtful if this would have held up against further action by an administrator. The attack on SolarWinds occurred in March 2020, and remained completely undetected until December 2020. An admin would most likely have just whitelisted the software themselves (or have been instructed to) during this time period, as there were no indicators that an admin could have used to infer any doubt about the software's trustworthiness.

The software came from a source that could basically be classified as trustworthy, and no virus scanner detected the software as malicious. The TrustLevel database of seculution therefore also classified it as "neutral", prohibiting execution (only software known to be "good" receives a positive TrustLevel in the TLDB, "neutral" is not automatically sufficient), but also not as "malicious", since there were no indicators for this either.

Distinction from virus scanners

In fact, the effectiveness of virus scanners against already known malware is undisputed. Equally undisputed, however, is the ineffectiveness of virus scanners against new, as yet unknown malware. The effectiveness of virus scanners ("now with technology XY") against still unknown malware, which is often claimed by marketing departments, has been disproven thousands of times. A prominent example is the SolarWinds case: the attack started in March 2020 and remained undetected by all virus scanners without exception until the end of December 2020, regardless of which techniques the respective virus scanner used. Only after the attack was uncovered did virus scanners update their signatures, and then the malware was also detected. The fact that more than 1,000 computers are successfully attacked by malware every day, despite having an up-to-date virus scanner in use, disproves the claim of the alleged effectiveness of virus scanners against still unknown malware.

Behavior-based analysis does not bring any improvement either, as it is also based on patterns. Attackers test and modify their malware against the virus scanners until they are no longer effective. Only then the malware is unleashed on the victims. So it doesn't matter if the signature updates of virus scanners today also update behavioral patterns. The fact is that all virus scanner products, with or without techniques such as behavior-based analysis, require constant updates to keep up with the latest attacks. If you're lucky, that update came in time to protect you. Which usually means, someone else had to be hit first. Can you afford to gamble your IT security?

We see it that way, too. But it is the reliability of the individual components of the overall security concept that makes the difference. And this is the huge advantage of Application Whitelisting compared to virus scanner products: seculution Application Whitelisting is reliable.

That's right. Of course, as a new customer, you first need to build up trust in the effectiveness of seculution Application Whitelisting. Nothing prevents you from continuing to use your virus scanner until your trust in seculution Application Whitelisting has been established to the point where you can uninstall the virus scanner without losing any sleep about it.

TrustLevel-Database (TLDB)

The data in the TLDB comes from different sources. Parts are manually maintained entries by personnel of SecuLution GmbH, a large part comes from our crawlers, which automatically obtain and analyze software from the sources of trusted manufacturers. In addition, procedures used which today are summarized under the term "big data". The latter also includes an analysis of VirusTotal's findings.

If the analysis procedure used in the TLDB finds neither enough indications of "good" software (= seculution knows that the software is good) nor of "malicious" software (e.g. VirusTotal recognizes the software as malicious), the TLDB returns a "neutral" value.

First of all, it is important to emphasize that the TLDB results already include information from sources such as VirusTotal. So if a software is known to be "malicious", this will be reported accordingly in seculution Application Whitelisting. For software for which we do not issue a positive TrustLevel, but only a neutral one, we recommend that the admin make sure that he trusts the source from which he obtained the software. This is not an unusual procedure, almost every company uses industry-specific special software, for which the seculution TLDB naturally cannot return a good TrustLevel. But a responsible admin knows the special software they use and can add it to their own whitelist. In the end, each admin remains the master of their whitelist and seculution does not dictate to whom the admin may or may not express their trust. Your systems, your rules!

The seculution TrustLevel database does not offer an API for third-party products.

Technical questions

Each Windows client runs the seculution agent, which monitors the execution of code. The agent connects to the appliance located in the customer's network, which also holds the whitelist of allowed hashes. This appliance, when asked by the agents about running software not yet known on the client's local whitelist, contacts the TrustLevel Database (TLDB) to request information about the TrustLevel of the software in question. If the TrustLevel is positive, the software is automatically learned and added to the local appliance database. The seculution TLDB is located in the cloud and is maintained by employees of SecuLution GmbH.

Any code to be executed (.exe, .dll, .sys, etc) requires RAM, which is managed by the kernel. When this memory is reserved, the seculution agent intervenes and identifies the code, creates the hash of it, and checks it against the whitelist.

The methods used to identify software are based on hashes that are cryptographically considered secure according to state-of-the-art technology. It is therefore not possible to create malware that has the same hash as software already on the whitelist (so-called "pre-image attack").

The delay is < 30 milliseconds for known hashes and < 2 seconds for a one-time query of an unknown hash to the TrustLevel database. Technically measurable, but subjectively not noticeable by the user.

Code that has already been installed is also checked anew each time before it is executed. This also detects changes to software on the drive and blocks them reliably. The moment of checking is when the kernel allocates RAM for the execution of code. Code execution is basically impossible without RAM being allocated for it.

All communication between seculution components is of course encrypted and authenticated using certificates.

We have taken reliable measures to prevent our TrustLevel database from being compromised. These include, for example, constant bidirectional synchronization with the master databases in our specialist department. An attack would therefore have to succeed on all our internal and external servers simultaneously, which is highly unlikely.

A seculution agent runs on each client. This is monitored in several ways: a local watchdog checks for correct execution and the management console logs when agents unexpectedly stop responding.

Subsidy programs

There are various subsidy programs for different target groups. We may be able to help you find the right one for you. Feel free to contact us!

Other questions

Only indirectly, since seculution Application Whitelisting runs only on Windows systems and therefore cannot be installed on printers.

© Copyright 2020 seculution - All Rights Reserved