Computerworld

HP puts chokehold on virus throttling product

Windows conflicts see product shelved
  • Paul Roberts (Unknown Publication)
  • 01 September, 2004 22:00

After unveiling cutting-edge technology for choking off the spread of viruses in March, Hewlett-Packard is quietly shelving the project, citing conflicts with the Windows operating system, a company executive says.

The company will not be releasing a security service called Virus Throttler, announced in February. The technology does a good job of stopping viruses and worms from spreading, but is not practical for use in mixed networking environments because it requires operating system changes incompatible with Windows, according to Tony Redmond, vice president and chief technology officer of HP.

Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP. The service was designed to alleviate the network congestion that often accompanies virus outbreaks, as one or more infected machines flood the network with traffic while searching for other vulnerable hosts. Such denial of service attacks often complicate virus outbreak recovery by preventing network administrators from observing network traffic and communicating with hosts on the network, HP says.

The technology notices changes in host machine behavior, which indicates a virus infection. It then chokes off the attack by limiting the frequency of outbound communications from the host machine to "throttle" communications with other hosts on the network, Redmond says.

HP got Virus Throttler to work well in its labs with products using operating systems like HP-UX and Linux. However, the technology required changes to the way those operating systems run that HP couldn't duplicate on Windows systems, because "we don't own Windows," he says.

Virus Throttler was one of two new security services developed by company researchers that HP debuted at the RSA Security Conference in San Francisco. The other technology, Active Countermeasures, is a network scanning service that spots vulnerable computers on a network using techniques similar to those employed by worms and viruses.

Last week, HP said it is moving the Active Counter Measures software into beta tests with some European and North American customers and hopes to release the product in 2005. The service allows administrators to find machines even if they are outside of the company's patch management system or "unmapped," or are unknown to administrators, HP said. Network administrators can then "vaccinate" vulnerable machines by pushing out configuration changes or policies that prevent infection, HP said.

But Virus Throttler will stay in the lab for now, while HP looks for a way to use the technology in typical network environments, Redmond said. HP has demonstrated the service to Microsoft and other partner companies and may ultimately use some of what it has developed in future products, Redmond said.

While both Active Countermeasures and Virus Throttling proved their mettle on HP's internal network of 247,000 hosts, the company may have had a harder time selling the concept to other large companies wanting total protection from worms and viruses, but wary of managing host-based security products, says Tom Ptacek, product manager at Arbor Networks, a network security technology company.

"Worm solutions are an all-or-nothing thing. If your worm defence is going to work and work evidently, so your CEO doesn't notice, it can't be piecemeal or incremental," he says.

Redmond acknowledged as much. While lauding both services for taking a proactive rather than reactive approach to security, he says Active Countermeasures is easier for customers to deploy and solves the problem of unpatched and vulnerable systems that is "here today". In contrast, Virus Throttling only springs into action after a virus has penetrated an organisation's network, which made it "more difficult to sell," he says.

Redmond also defended HP's decision to promote Virus Throttling at RSA, even though the product is unlikely to ever be released in its current form.

"The intention of announcing at RSA was to articulate HP's belief that we have to move from an era of reactive to proactive security — that we need more intelligent solutions," he says.