WZSysGuard was designed and developed to fix some issues you may face when using other UNIX/Linux IDS software.
The issues are:
1. Far too many false alarms by default.
2. Very difficult to tune so that false alarms are reduced while security coverage is maintained.
3. Changes that should be detected can be missed under some circumstances.
4. Nothing prevents a malicious person from changing the behavior of the software.
5. Either every file in the system is covered, or it is hard to configure the coverage so that no important file is missed.
6. Software-based password-stealing attacks are not detected, which makes the trustworthiness of the scan report very unreliable.
A number of UNIX/Linux security tools for detecting file changes are kernel based. The advantage of that approach is that a file change can be detected instantly, but it can also cause many problems:
a. If it reports every change to a file, the reports can be too many. If it does not report every change, then when should it report and when not? A malicious person could write a program that reads a block, writes the same block back, waits 5 seconds, reads the next block, writes that block back to the file, and so on, and after several hours makes a real change to the file. If the earlier activity was reported and checked, no real content change would be found at that time.
b. If a malicious person changes a file without going through filesystem calls, the kernel module may not be able to tell which file was changed.
c. When the machine needs maintenance and is booted from other media, any change made during that time is not detected by the kernel-based software.
d. It makes OS upgrades very hard, and it can also cause compatibility issues with third-party software.
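As an added illustration (not WZSysGuard's own code), this is the baseline-and-rescan approach the text contrasts with kernel-based event reporting: each file's persistent state (content hash, permission bits, owner and group, not timestamps) is compared against a baseline, so a write that puts identical bytes back raises nothing, while a real content change, a removed file or a new file is reported. The directory and its files are constructed inside the example.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

Snapshot = Dict[str, Tuple[str, int, int, int]]  # path -> (sha256, mode bits, uid, gid)

def snapshot(root: str) -> Snapshot:
    """Record the persistent state of every regular file under root."""
    snap: Snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files need their own handling
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap

def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, str]:
    """Report only files whose persistent state differs from the baseline."""
    report: Dict[str, str] = {}
    for path in baseline.keys() - current.keys():
        report[path] = "removed"
    for path in current.keys() - baseline.keys():
        report[path] = "added"
    for path in baseline.keys() & current.keys():
        if baseline[path] != current[path]:
            report[path] = "changed"
    return report

def demo() -> Dict[str, str]:
    """Constructed scenario in a temp dir: a same-bytes rewrite, a real edit and a new file."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("passwd", b"root:x:0:0::/root:/bin/sh\n"), ("hosts", b"127.0.0.1 localhost\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        # Rewrite passwd with identical bytes: a write event, but no persistent change.
        with open(os.path.join(root, "passwd"), "r+b") as fh:
            data = fh.read(); fh.seek(0); fh.write(data)
        # A real content change to hosts, plus a file that did not exist at baseline time.
        with open(os.path.join(root, "hosts"), "ab") as fh:
            fh.write(b"10.0.0.5 mirror\n")
        with open(os.path.join(root, "new.conf"), "wb") as fh:
            fh.write(b"key=value\n")
        return compare(baseline, snapshot(root))
```

Running `demo()` reports `hosts` as changed and `new.conf` as added, and says nothing about `passwd`.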
Most existing UNIX security software cannot prevent root from making changes to the software itself. So if a malicious person has root access, the scan reports produced by that software are not trustworthy.
Compared with other software of similar function, WZSysGuard offers the following:
1. It generates far fewer false alarms than other software of similar function.
2. It won't miss persistent file changes.
3. It is very hard, if not impossible, for a malicious person to change the behavior of WZSysGuard. In other words, WZSysGuard's scan reports are more trustworthy than those generated by other software of similar function.
4. WZSysGuard covers a more complete set of security-sensitive files, and customers can easily add extra classes to cover other files they think should be covered.
5. It can detect most types of software-based password-stealing attacks.
WZSysGuard is designed as a single-threaded application, so on modern multi-core systems you can run the scan at any random time: on an 8-way system it consumes less than 13% of total CPU power and won't affect your application performance much.
Why you should use WZSysGuard for UNIX/Linux security