Posted by Tony Berning / August 30, 2017
In July, I gave a presentation on a new feature for Metadefender Kiosk and Client: digital signing and verification. If you missed the webinar, titled "Why Digital Signing and Verification Is Paramount in Cross-Domain Environments," you can watch it here now.
In the webinar, I talked about how critical infrastructure networks are regularly targeted by attackers, and infected USB drives are often the attack vector of choice.
Metadefender Kiosk is widely used to protect secure networks and critical infrastructure – in fact, Metadefender Kiosk is deployed in most nuclear power plants in North America. The physical kiosk sits at or near the entrance to critical infrastructure facilities, and all users are required to scan USB drives and other media at the kiosk before bringing them into the network.
Up until our release of the digital signing and verification feature, use of Metadefender Kiosk at these facilities was only enforced by organizational policy and user education. Organizations had no way to guarantee that users scanned all media before connecting it to their endpoints.
This is why, in the latest versions of Metadefender Kiosk and Client, we added a "digitally signed manifest" feature.
Metadefender Kiosk can now write a digitally signed manifest (referred to below as the digital certificate) to every USB drive it scans. The manifest records what was scanned and the scan results, and the Kiosk signature over it lets an endpoint confirm that the files on the drive have been scanned and have not been modified since. When a user connects a signed USB drive to an endpoint that runs Metadefender Client, Metadefender Client verifies the Kiosk digital signature and, if it is valid, allows the user to access the files.
If the USB drive carries no valid digital certificate from Metadefender Kiosk, Metadefender Client can still block the USB drive and scan all of its files itself before granting access.
This accomplishes two key things:
- Every USB drive connected to an endpoint that runs Metadefender Client is guaranteed to have been scanned, either by Metadefender Kiosk or by Metadefender Client itself.
- USB access through Metadefender Client is much quicker, because Metadefender Client only has to scan files that Metadefender Kiosk has not already scanned. For a signed drive, all Metadefender Client has to do is validate the digital signature from Metadefender Kiosk, which takes a fraction of the time of a full scan.
One of the great aspects of this system of digital signing and verification is that Metadefender Client and Kiosk do not need to be connected, or even on the same network, for the verification to work. The digital signature that Metadefender Kiosk adds to the USB drive, together with the Kiosk certificate installed on the Client (see the setup steps below), is enough: no lookup against the Kiosk or Core is needed at verification time.
The digital certificate will appear in a new folder that Metadefender Kiosk creates on the USB drive, called ".OPSWAT." The certificate contains a variety of information about the contents of the USB, including scan results, the number of files scanned, and the digital signature itself. Users can open and view the certificate if desired.
Left: OPSWAT folder on USB drive; right: contents of digital certificate
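To make the mechanism concrete, here is an added example, not OPSWAT's code and not the format Metadefender Kiosk actually writes: a kiosk-side signer and an endpoint-side verifier in Go, using Ed25519 signatures and SHA-256 file digests from the standard library. The manifest layout and field names, the "clean" verdict string, the decision strings, and the sample drive contents are all assumptions made for illustration; only the pattern is taken from the post (the kiosk signs a record of what it scanned and the results, the endpoint verifies that signature with nothing but the kiosk's public key and then confirms the files are unchanged). The example goes slightly beyond the post by treating files added to or renamed on the drive after scanning as a verification failure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical stand-in for the signed manifest Metadefender Kiosk
// writes into the .OPSWAT folder; the post does not show the real format.
type Manifest struct {
	ScanResult string            `json:"scan_result"`
	FileCount  int               `json:"file_count"`
	Files      map[string]string `json:"files"` // relative path -> SHA-256 hex digest
}

// SignedManifest is what ends up on the drive: the manifest bytes and the
// kiosk's signature over exactly those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// KioskSign runs on the kiosk: hash every scanned file, record the verdict and
// file count, and sign the manifest with the kiosk's private key.
func KioskSign(files map[string][]byte, verdict string, priv ed25519.PrivateKey) (SignedManifest, error) {
	m := Manifest{ScanResult: verdict, FileCount: len(files), Files: map[string]string{}}
	for path, data := range files {
		m.Files[path] = sha256Hex(data)
	}
	// encoding/json sorts map keys, so the signed bytes are deterministic.
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// ClientVerify runs on the endpoint with nothing but the kiosk's public key:
// check the signature first, so an unsigned or re-signed manifest is rejected
// before any of its contents are trusted, then rehash the drive against it.
func ClientVerify(files map[string][]byte, sm SignedManifest, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return errors.New("signature invalid: manifest was not produced by a trusted kiosk")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return fmt.Errorf("manifest unreadable: %w", err)
	}
	if m.ScanResult != "clean" {
		return fmt.Errorf("kiosk verdict was %q, not clean", m.ScanResult)
	}
	// An extra file (count mismatch) or a renamed one (missing entry) fails too.
	if len(files) != m.FileCount || len(m.Files) != m.FileCount {
		return fmt.Errorf("file count mismatch: manifest lists %d, drive holds %d", m.FileCount, len(files))
	}
	for path, data := range files {
		want, ok := m.Files[path]
		if !ok {
			return fmt.Errorf("%s is not listed in the signed manifest", path)
		}
		if sha256Hex(data) != want {
			return fmt.Errorf("%s was modified after the kiosk scan", path)
		}
	}
	return nil
}

// EndpointDecision mirrors the policy the post describes: a drive with a valid
// manifest is allowed straight through; anything else is blocked for a full scan.
func EndpointDecision(files map[string][]byte, sm *SignedManifest, pub ed25519.PublicKey) string {
	if sm == nil {
		return "block and scan: no kiosk manifest on drive"
	}
	if err := ClientVerify(files, *sm, pub); err != nil {
		return "block and scan: " + err.Error()
	}
	return "allow: kiosk manifest verified"
}

func main() {
	// Constructed sample drive contents and a throwaway kiosk key pair.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	drive := map[string][]byte{"report.pdf": []byte("%PDF-1.4 quarterly"), "tool.exe": []byte("MZ\x90\x00")}
	sm, _ := KioskSign(drive, "clean", priv)
	fmt.Println(EndpointDecision(drive, &sm, pub)) // allowed
	drive["tool.exe"] = append(drive["tool.exe"], []byte("payload")...)
	fmt.Println(EndpointDecision(drive, &sm, pub)) // blocked: tool.exe modified
	fmt.Println(EndpointDecision(drive, nil, pub)) // blocked: no manifest
}
```

Two design points carry the weight here. The endpoint holds only the public key, so a compromised endpoint, or a user who can read the `.OPSWAT` folder, can inspect manifests but cannot forge one; that is what makes offline verification safe. And the signature alone only proves the manifest is genuine; it is the rehash of every file on the drive that proves nothing was changed, added or renamed after the kiosk scan, so the verifier must do both before allowing access.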
Customers who are running the latest versions of Metadefender Kiosk, Core, and Client can enable digital signing and verification by following these steps:
- Metadefender Core (4.8.0 or later):
  - Add certificate to inventory
  - Select certificate to be used for rule
- Metadefender Kiosk (4.0.1 or later):
  - Include Media Manifest
- Metadefender Client (4.0.9 or later):
  - Install certificate in <App Data>\Roaming\.ssh
Or, you can watch my presentation to learn more about this new feature and how to set it up.