Sana Security has released a new version of its Primary Response product that it claims will help customers detect a new generation of online threats, including Trojan horses and malicious remote monitoring software, or "rootkits".

Primary Response 3.0 is the latest version of Sana's intrusion prevention system (IPS) software. Its aim is to spot and block threats before they have been formally identified.

The product uses software agents on servers and desktops to monitor and respond to threats. A heuristic detection technology called Active Malware Defense Technology (Active MDT) protects servers and clients from malicious software, including rootkits, which often imitate normal programs, Sana said.

Sana offers agent software that runs on Windows NT, 2000 and 2003 or Sun Solaris 8 servers, and on machins running Windows 2000 and XP.

Active MDT analyses the behaviour of memory processes or applications on a machine over time and flags anything suspicious. Unlike signature-based detection, Active MDT uses a combination of behaviours to determine whether or not a program is malicious, Sana said.

Primary Response can be managed centrally and deployed across hundreds of servers and PCs on a corporate network, or on machines used in remote locations or branch offices using a management server, Sana said.

Rootkits and Trojan horse programs are of growing interest to network security managers, because the programs are increasingly distributed along with Internet viruses and worms, and can be used for sophisticated identity and intellectual property theft. Unlike traditional viruses, rootkits and Trojans are often able to avoid detection by traditional security products such as anti-virus software, intrusion detection system (IDS) and firewall software.

A new generation of so-called "kernel rootkits" is becoming more common. They attack the kernel, or core processing center of an operating system, and can intercept data passing to and from the kernel, making it difficult for administrators or detection tools to see signs that the system is being attacked.

Products like Primary Response detect infections using an approach called "adaptive profiling". This studies the way an application normally behaves, then issues warnings when abnormal behavior is observed, Sana said.

Primary Response 3.0 is available immediately and costs $32 for a single desktop licence, with volume discounts available. Server licences start at $875 per server.