Frequently Asked Questions about ImmuneSoft

Version 1.0.3, June 7, 2006.

What is ImmuneSoft?

ImmuneSoft does for computer security what Office productivity suites (Database, Spreadsheet and Word Processor combos) have done for business.  It is an architecture combined with security and administration tools that simplify security management.

What are the Internet resources for ImmuneSoft?

The following Internet resources are available:

Is ImmuneSoft a SIM (Security Information Manager)?

ImmuneSoft is a SIM, but not in the traditional form.  Most SIM technology is based on some variation of relational database technology (Oracle, MySQL, etc.) combined with a web server and possibly a Windows control application that accesses the database or SIM server.  From the ImmuneSoft perspective, the traditional SIM is far too slow and too expensive a beast.  ImmuneSoft expands on the concept of a SIM, but does a lot more.

Is ImmuneSoft going to completely change everything around when I install it on a computer?

No, nope, nonono!  In its default mode, everything enters a "look but don't touch" mode.  Creating new groups and assigning agents to them increases security, but this is expected to be a staged process for the administrator.  In the "default" configuration, it's possible to "play around" by running various tools and such, but actually damaging a system would require an act akin to deliberate sabotage (such as deleting system configuration files from a remote system's C:\ or C:\WINDOWS directories).

Is ImmuneSoft another one of “those” hacker Trojan horse projects?

It’s hard to explain the difference, but it's true that ImmuneSoft is an agent-based system that “behaves” similarly to a Trojan horse in that it is a single program that controls a computer from a remote location.  However, its design is vastly different, as is its purpose.

The architecture of ImmuneSoft is designed to take advantage of “entrenchment” – the ability for the system to take precautions, know its own environment, and establish good security management practices.  Once it is installed, it will defend the computer with the effectiveness of the security defenses that are available to it.

Trojan horses are typically just “remote management tools” and have very little functional management.  That is, they can run a program and transmit the results, but don’t analyze or react to the data unless instructed by the administrator.

In most ways, ImmuneSoft is a higher (and friendlier) evolution of remote management technology and definitely isn't designed to be used maliciously.

Is this another IDS central management tool like ACID?

Like ACID, the IDS system included with ImmuneSoft is capable of running multiple sensors.  The systems are different, however:

  1. Graphical displays in ImmuneSoft are of a different design and are not web based.

  2. An IDS analysis system exists that allows interactive investigation.

  3. Real-time analysis and a Red Alert system exist as well.

  4. Direct response to security problems.

Of these, the last entry, “Direct response”, means that it is possible to remediate problems using ImmuneSoft through its remote management capabilities.  This is the most compelling reason to use ImmuneSoft over other IDS management systems.

Is ImmuneSoft like “Knoppix” for Windows?

There are similarities.  The idea of integrating computer security tools under a single Linux live CD is similar to ImmuneSoft because the goal of simplifying security management is the same.  However, ImmuneSoft wraps the GUI around the tools in many different ways, including a scheduling system, policy, etc., and extends to agents on multiple computers.  Also, it is not a “Live CD” or bootable CD.

What types of tools are included with ImmuneSoft?

The list is quite long right now and growing each day:

  • Intrusion Detection and Analysis
  • Anti-Virus Management
  • Anti-Spyware Management
  • Remote management
  • Patch management
  • Trouble Tickets
  • File Integrity Checking
  • Registry Integrity Checking
  • Security Policy
  • Hardware Baseline and Inventory
  • Penetration Testing
  • Network Profiling
  • System Task Investigation
  • Reporting
  • Audit Log Analysis

Is ImmuneSoft complete?  Why is ImmuneSoft considered “alpha” software?

It is believed that most of the architecture problems have been corrected and that the program functions under the workloads it was designed for.  At this point, the software is ready to GROW in all directions.

HOWEVER...

ImmuneSoft is a massive piece of middleware (compressed source code is 11 megabytes – roughly 800 icons and 500k lines of source code).  The focus has been mostly on its infrastructure, not its supporting tools.  As such, the supporting tools (anti-virus, IDS, etc.) could use more improvement.  Integrating tools that are supposed to be in it, or could easily be in it, is another factor.

As a result, the tools that ImmuneSoft uses are currently in various states of disrepair, simplicity, or not functioning at all.  It is true that the existing software can definitely help the security of a small network, but it’s also true that even most of the existing features may lack critical components that an administrator might expect (e.g., exporting logs with no way to import them automatically).

ImmuneSoft would rather integrate with existing tools than create its own, but some had to be created to test the framework’s ability to function in each mode of operation (scheduled, real time, user on-demand, etc.), and the results of those tests mattered less to the development team than whether the infrastructure handled the output correctly.

As time goes by, the features that are present will be enhanced to meet commercial levels, or they will be replaced by tools written by others that meet acceptable criteria.

Snort(tm) isn't working.  Why, and how do I get it to work?

Sourcefire, Inc. has released Snort(tm) as free open-source software, but the signature database it maintains is not.  Because of license limitations, the Snort rules need to be downloaded from http://www.snort.org and installed on the AGENT in the <installation directory>\Free Tools\Snort directory.

How do I get Clam Anti-Virus working?

Simply install it on any computer with the ImmuneSoft Agent, in case it wasn't installed automatically.  ClamWin's installation files, source code, and support can be found at http://www.clamwin.com/

How do I get ViruScape to work?

Simply install it on any computer with the ImmuneSoft Agent.  This anti-virus takes precedence over Clam AV because it can also remove viruses.  Make sure the command-line tools are selected during installation.  ViruScape can be downloaded at http://www.terainnovations.com/

How do I get SpyBot Search and Destroy to work?

Simply install it on any computer with the ImmuneSoft Agent.  Spybot S&D can be downloaded at http://www.safer-networking.org/ and is free of charge.

What are the requirements for running the ImmuneSoft Server?

ImmuneSoft was designed to be usable on normal hardware that everyone already has available.  The original development computer was a Celeron 366 with 256 megabytes of memory, and the present development system is a Sempron 2400+ with 512 megabytes of DDR333.  It does NOT require installations of database products, web servers, LAMP or .NET architectures, etc.

The minimum requirements are (judging from in-house tests):

  • Windows 2000, XP, or 2003 Server

  • Approximately 18 megabytes of memory + 4 megabytes per each connected agent

  • Minimum of 100 megabytes of hard drive space, more recommended depending on how it is being used.

What are the requirements for running the ImmuneSoft Agent?

The agent requires resources according to its activity.  If it is being used as a network profiler and IDS sensor at a high-traffic location, it is very likely to need either a lot of muscle or a dedicated computer.  For most uses, the agent will take up about as much memory as any normal security application (AV, anti-spyware, etc.).

The minimum requirements are (judging from in-house tests):

  • Windows 2000, XP, or 2003 Server

  • Approximately 20 megabytes of free memory if being used as an IDS sensor

  • Minimum of 50 megabytes of hard drive space

What are server certificates?

The server certificates contain unique identifiers for each of the agents and explain the ownership of the network in a way that is cryptographically verifiable.  In short, they help validate the server to ImmuneSoft’s update services, the agents to the servers, and the end user to their organizational point of contact.

These can be acquired, free of charge, at http://portal.immunesoft.com/

Why do I have to register with ImmuneSoft for server certificates?

Server certificates establish an identity trail for agents.  Each agent requires a license, which is a number inside the certificate.  This license is simply a server “seat” of sorts, and of course they are free, so there isn’t a charge for them.  Each server certificate holds 250 agent licenses, which is the design limit of the server.

The original distribution contains a single “5 agent” certificate that is enough for either a very small home network or for testing.  However, these agent identifiers are always the same and are easily predictable.  It is recommended that you generate a fresh key with completely unique numbers if you are using ImmuneSoft in a production environment.
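As an added illustration of the two points above (per-agent license numbers bound to an owner in a verifiable way, and why the shipped demo certificate should be replaced), the following Python models a server certificate as a signed list of agent licenses.  This is not ImmuneSoft's own certificate format, which this FAQ does not describe; the HMAC signing key, owner name and demo license values are assumptions made for the example.

```python
# Added example: a toy model of an ImmuneSoft-style server certificate.
# The format, signing key and demo license values are assumptions for
# illustration; this is not ImmuneSoft's own certificate code.
import hashlib
import hmac
import json
import secrets

MAX_SEATS = 250  # design limit per server certificate stated in the FAQ

# Constructed stand-in for the "5 agent" certificate that ships with the
# distribution: its license numbers are fixed and trivially predictable.
SHIPPED_DEMO_LICENSES = ["00000001", "00000002", "00000003", "00000004", "00000005"]


def _canonical(body):
    """Serialise the certificate body deterministically so signatures are stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(owner, seats, signing_key):
    """Issue a certificate for `owner` with `seats` fresh, unpredictable agent licenses."""
    if not 1 <= seats <= MAX_SEATS:
        raise ValueError(f"seats must be between 1 and {MAX_SEATS}")
    licenses = [secrets.token_hex(16) for _ in range(seats)]  # 128 bits of entropy each
    body = {"owner": owner, "licenses": licenses}
    # HMAC-SHA256 over the canonical body; a public-key signature would let
    # third parties verify without the key, but the binding idea is the same.
    signature = hmac.new(signing_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_certificate(cert, signing_key):
    """Return True only if the body is unmodified under `signing_key`."""
    expected = hmac.new(signing_key, _canonical(cert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


def uses_shipped_licenses(cert):
    """Flag a certificate that still carries any of the shipped demo license numbers."""
    return any(lic in SHIPPED_DEMO_LICENSES for lic in cert["body"]["licenses"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment signing key (assumption)
    cert = issue_certificate("example-org", 5, key)
    print("valid:", verify_certificate(cert, key))
    print("still on demo licenses:", uses_shipped_licenses(cert))
```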

How many people work for ImmuneSoft?

Eric Knight (head programmer) and Alan Kasloff (accountant/business intermediary).  There isn’t much of a “company”, so to speak.  However, every possible effort was made to present a solid image of a professional software company, from the software to the web site.  We are trying to be both open-source AND professional.