Never have we seen anything like this one. In fact, we had to scratch our heads a bit to be sure that it fit into this category. But there is no doubt that this product - with its objective of defeating persistent malware - is a fit for active breach detection. It just goes about solving the problem quite a bit differently than one might expect. Our first clue that this was going to be an interesting demo was when we logged into the demo system and found ourselves looking at a webcam shot of a PC screen and a computer. Add that to our list of firsts. We've never done that before.
The purpose of SCILock (pronounced "sky lock") is to defeat malware persistence by creating a sandbox beyond any sandbox we've yet seen. Before we go any further, a caveat: today's sandboxes - especially virtual ones - are defeated fairly easily by experienced intruders and advanced malware, so "just" a sandbox would not impress us much. But this tool is an entire hard disk. This disk replaces the boot drive in your computer. When you find that it is infected, all you need to do is power off the machine, and when it comes back it's clean. The easy way to describe this one is Deep Freeze on steroids.
At a glance

Price: $399 - $749, depending on capacity and configuration.
What it does: Protects against malware persistence.
What we liked: Ease of use, bullet-proof functionality and reasonable price.
For those not familiar with Deep Freeze, its purpose is exactly the same as SCILock, but it is not the heavy duty industrial strength tool that this is. To give you an idea of an application of Deep Freeze, about three years ago I had some Polish exchange students in one of my classes at the university. In my lab classes the students always worked in pairs and, of course, these two paired up and we were treated to a semester of chattering in Polish (a few of our American students got pretty good at Polish along the way). On the last day of class, unbeknownst to anyone but themselves, they changed the language on their lab computer to Polish.
They went home to Poland and the summer passed. In the fall, when we sat down to our first lab session, the students at their former workstation were presented with a Polish computer. Great prank and a lot of laughs but it started a trend of messing with the lab computers. We deployed Deep Freeze and after that every reboot returned the computer to its original, pristine state. SCILock does much the same thing, but it is the really heavy duty version.
Now to the serious side of SCILock. Far beyond pranking students, today we are faced with such persistent threats as ransomware. A computer infected with ransomware is, at best, a nuisance to fix and, at worst, a complete loss of data. If a SCILock-protected computer is infected, a reboot will fix the problem at once. Fundamentally, with SCILock the changes are never committed to the protected disk, so after a reboot it is as though they never occurred.
So, how do you update the system if you cannot change the drive 0 disk in any way? Fortunately, there is a dongle. You simply insert the dongle, log in and make your changes, then remove the dongle and reboot. You're all set. We watched the demo of this interesting tool and we must say that, for something that appears so simple, it did a great job and worked as smoothly as any other disk.
Today this product is available in the standard 3.5" form factor, and the smaller laptop version is on the way. The neat thing in our view about SCILock - besides completely defeating malware persistence and ransomware - is that recovery takes a fraction of the time it would take you to re-image and restore from backups. Since all configuration changes are covered, anything that tries to plant itself where it doesn't belong - such as in the kernel - is out of luck. Its mode cannot be changed, nor can the protection be turned off, without the dongle.
The tool is priced very reasonably for what it does, and just one ransomware recovery will pay for it many times over. Support is solid. This product is brand new and we have not yet seen its documentation, but based on past experience with CRU we would assume that it will answer all of your questions.
An interesting thing about CRU - and another surprise for us - is that they are best known for their forensic tools. However, what could be more appropriate than a company that knows disk geometry inside out developing a tool that makes use of that knowledge?
Of course... makes sense to us.