Emsisoft's new Mamutu pre-beta
shaddi
October 6th, 2007, 08:39 AM
Dear WSF readers,
As the first international forum, we want to offer you a pre-beta version of our new product Mamutu for testing reasons. Mamutu is a standalone behaviour blocker, the name comes from "malware" + "mutu", where the latter means "stop".
You can find the setup here: http://download1.emsisoft.com/mamutusetup.exe (2,8MB)
Old accounts from any a-squared product can and should be used.
Feedback is welcome 8)
fcukdat
October 6th, 2007, 08:57 AM
:o OK here's genuine feedback without even installing this PRE-Beta build.
No offence meant but soliciting alpha testers in open forum like WTF?
It's one thing for Beta/RC but another for something you need to get inhouse debugged before you let community members act as *lab rats* by installing it with the usual disclaimers attached.
Roll it out after it's out of alpha test phase and stop trying to play catchup with other similar recent entry tools released :thumb:
Cerxes
October 6th, 2007, 09:08 AM
I agree with the above poster, get it inhouse debugged first, and then I will test this ubun...mamutu thing :)
/C.
shaddi
October 6th, 2007, 09:22 AM
We would not post it here if we needed laboratory rats :)
The version itself is stable in our eyes, there are some other things we need to finish before releasing it as public beta (what will happen probably within the next days). Installing it sooner or later or not installing it at all is of course up to you ;D
gerardwil
October 6th, 2007, 09:58 AM
More info about this toy would be appreciated.
I don't like the 30-day trial when testing.
Gerard
maddawgz
October 6th, 2007, 10:13 AM
cheers, I'll give it a whirl, 6 month free for testers lol. Nice GUI though ;D
LoneWolf
October 6th, 2007, 10:19 AM
-{ Quote: "We would not post it here if we needed laboratory rats
The version itself is stable in our eyes" }-
If you believe it is so stable then why not offer this on your own web site? (unless I'm missing something)
http://www.emsisoft.com/en/
30 day beta......Think I'll pass.....
fcukdat
October 6th, 2007, 10:24 AM
-{ Quote: "We would not post it here if we needed laboratory rats :)
The version itself is stable in our eyes, there are some other things we need to finish before releasing it as public beta (what will happen probably within the next days). Installing it sooner or later or not installing it at all is of course up to you ;D" }-
So if that's the case why not come back in a week's time with news of Beta/RC release.
No matter how much you're smiling you are soliciting testers for your alpha version.
So look forward to seeing a public Beta but use your employees computers as wider test bases or are they clever enough not to do that outside the lab;)
sukarof
October 6th, 2007, 10:50 AM
-{ Quote: "
No matter how much you're smiling you are soliciting testers for your alpha version.
" }-
C´mon, there have been other alpha software offered for testing purposes at this forum without this kind of reception :-X
So why the "hostility" now? Especially if you haven't tried the software ???
I think that the majority of the members here are mature enough to decide themselves if they want to help the developers by testing alpha software. No one forces anyone to install it. Personally I hang around here to find out the latest in security.
And Shaddi stated that it was a "pre-beta"
shaddi
October 6th, 2007, 10:54 AM
Of course I will drop you a line when it becomes public beta. This posting is meant as a privilege to the Wilders community to be one of the first at all testing Mamutu. If you do not see it like that it is okay but please let others who are curious enough just test it.
We can not remove the 30 trial issue as we of course need to test that one, too. The time period until the final release will probably be less than 30 days. Anyways, if your license expires during testing just send me a private message and I will extend it. Beta testers giving good feedback will be provided with a full license though.
As I mentioned our internal tests with Mamutu are finished. The only reason why it is not on the page and in public beta yet is, cause we are finishing the product page. Expect this to be done within the next days, possibly even tomorrow. By the way, of course I have the program running myself, to be exact: since some weeks and it works fine.
Maybe just relax and see that the idea really was not to use you as alpha testers. Would be stupid to do that in a forum full of IT security experts, eh? :)
Cheers,
Thomas
PS: And yes, I like to smile as it is a symbol for friendliness ;)
fcukdat
October 6th, 2007, 11:24 AM
-{ Quote: "C´mon, there have been other alpha software offered for testing purposes at this forum without this kind of reception :-X
So why the "hostility" now? Especially if you haven't tried the software ???
I think that the majority of the members here are mature enough to decide themselves if they want to help the developers by testing alpha software. No one forces anyone to install it. Personally I hang around here to find out the latest in security.
And Shaddi stated that it was a "pre-beta"" }-
Actually if I had read a similar solicitation/invite from any other software vendor my response would be the same. My hostility is based upon principle and past **** ups by companies offering buggy alpha software (Lavasoft years ago :thumbd: causing widespread problems by pushing out software that had not even gone to Beta sticks in the mind).
FWIW I'm sure Emsisoft have healthy following of beta testers to call upon etc so why prematurely widen the test field, after all who is doing who the service at this point ;)
As always the standard disclaimer kicks in *install at your own risk* and that makes everything ok doesn't it ::)
But you are absolutely correct folks can decide for themselves but with regards alpha testing it should be kept in within closed arenas to protect the curious etc
fcukdat
October 6th, 2007, 11:35 AM
-{ Quote: "
Maybe just relax and see that the idea really was not to use you as alpha testers. Would be stupid to do that in a forum full of IT security experts, eh? :)
Cheers,
Thomas
PS: And yes, I like to smile as it is a symbol for friendliness ;)" }-
Ok Thomas.
In all sincerity I wish you and all your users the best from the product. At the end of the day ultimately it all boils down to helping defend folks' computers/data etc
Just to reiterate IMO maybe a beta launch next weekend might have been wiser but like we have to acknowledge it's a very competitive market for brand and product.
I should not be surprised about the rushed rollout since some competitors already have high profile software already released to the mainstream security community gaining coverage/market share etc:
Anyhow wishing Emsisoft every success :thumb:
Inzider
October 6th, 2007, 11:51 AM
Jesus, why don't you just read what he wrote instead of writing your biography? It looks too much like you really need attention. Whatever, gonna download now.
LUSHER
October 6th, 2007, 11:59 AM
-{ Quote: "C´mon, there have been other alpha software offered for testing purposes at this forum without this kind of reception :-X
So why the "hostility" now? Especially if you haven't tried the software ???
I think that the majority of the members here are mature enough to decide themselves if they want to help the developers by testing alpha software. No one forces anyone to install it. Personally I hang around here to find out the latest in security.
And Shaddi stated that it was a "pre-beta"" }-
I was puzzled as well, until I remembered that fcukdat is now associated with a "competitor"...
fcukdat
October 6th, 2007, 12:06 PM
-{ Quote: "I was puzzled as well, until I remembered that fcukdat is now associated with a "competitor"..." }-
Not a competitor for HIBS/Behavioural software which this software is:thumb:
I'm all associated with several data pooling/malware research groups that serve a very wide range of vendors inc Emsisoft are beneficiaries of but then that means nothing now does it :wacko:
LUSHER
October 6th, 2007, 12:42 PM
-{ Quote: "Not a competitor for HIBS/Behavioural software which this software is:thumb: " }-
Well isn't it supposed to be a cutting edge malware tool using new technologies or something? Sure looks like a competitor to me...
-{ Quote: "
I'm all associated with several data pooling/malware research groups that serve a very wide range of vendors inc Emsisoft are beneficiaries of but then that means nothing now does it :wacko:" }-
A red herring there... I'm not saying that you are targeting Emsisoft or any other anti-malware specifically.... But rather you are targeting *all* of them...which you confirmed by saying you would say the same thing no matter who the vendor.... And I fully believe you.
But the question here is about consistency of behavior... You are not a newcomer to Wilders, and such offers as pointed out by another poster are not unusual, so why this reaction only now??
The only thing that springs to mind is this change in status... Not that I'm saying this action is deliberate... but biases often aren't conscious... Where in the past you would see no problem, now you take offense.... (Not that I'm saying it's not reasonable to question this...it's just the change in reaction that makes me curious)
Well I know you are proud of your work with that malware hunting thing, which of course incidentally earned you a place in the big leagues and opened other opportunities..........
trjam
October 6th, 2007, 01:26 PM
Well I am game. Downloaded and installed. It seems it provides very extensive coverage. I like it.:thumb:
trjam
October 6th, 2007, 01:40 PM
A few screenshots
Pedro
October 6th, 2007, 01:53 PM
What is it regarding A2 AM? Is it the BB from A2 AM, or something better?
What's the difference?
sukarof
October 6th, 2007, 01:57 PM
I´ll add this shot of the settings. It looks interesting.
Pedro
October 6th, 2007, 02:02 PM
-{ Quote: "I´ll add this shot of the settings. It looks interesting." }-
Yes, just like A2 AntiMalware. So my question stands.
the Tester
October 6th, 2007, 02:08 PM
Screenshots look interesting. Thanks for posting them.
I'm gonna try it.
Peter2150
October 6th, 2007, 02:08 PM
Struck me as very similar to Prevx2. My VM machine hung on reboot. Tried several times, and gave up.
Mrkvonic
October 6th, 2007, 02:38 PM
Hello,
I can say one thing so far - the name sounds really unappealing.
Something like a hybrid mammoth ... not really softwareish.
Mrk
Espresso
October 6th, 2007, 03:31 PM
I tried a few leaktests and it passed about half. I tried XP-killer and prueba and it slept like a baby. :thumbd: Nice interface though. :thumb:
Peter2150
October 6th, 2007, 03:44 PM
-{ Quote: "Hello,
I can say one thing so far - the name sounds really unappealing.
Something like a hybrid mammoth ... not really softwareish.
Mrk" }-
ROFL. I totally agree.
bellgamin
October 6th, 2007, 05:26 PM
-{ Quote: "I was puzzled as well, until I remembered that fcukdat is now associated with a "competitor"..." }-
Thanks, Lusher, I didn't know that.
Until I read Lusher's comment I was getting the idea that a king had died, and fcukdat had ascended to the throne.:dry:
I am glad to see Emsisoft is entering the HIPS arena & shall likely give mamu2 a spin.
the Tester
October 6th, 2007, 05:34 PM
The pre-beta installed with no problems here.
Resource usage is 18,104k.
The GUI is designed well, easily navigated.
Thanks for posting the link shaddi.
Metting
October 6th, 2007, 08:19 PM
Hi shaddi
A quick test on WINXP SP2 Real System (Not VM)
A) Appearance:
The GUI is nice, but I think a more eye catching color is required.
Icon is washed out and not crisp, also the difference between active and disabled protection is not noticeable enough.
B) System Resources Utilization
I didn't notice any system delay, Mamutu has only 2 processes: A2service.exe about 6200K, and mamutu.exe about 5600K
C) I tested Mamutu against the following:
TEST 1 -A commercial Trojan "Bifrose version" which does the following:
* Create a server file in windows/system32
* Add autorun entry in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
* Inject code into iexplorer.exe
* Run the hijacked iexplorer.exe
* Use hijacked iexplorer to connect to internet.
TEST 2 -A Themida Protected version of the same above Trojan.
TEST 3 -An innocent exe file in which I embedded Ardamax Commercial KeyLogger which does the following:
* Create a hidden folder in windows/system32 which contains its process + logs
* Hide its plog.exe process from task manager
* Create autorun entry in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
* Use plog.exe to capture key strokes
TEST 4 - Copycat.exe Leaktest File
TEST 5 - Scoundrelsimulator.exe
TEST 6 - DFK-threat-simulator
TEST 7 - Martin Undetectable KeyLogger
Default Setting test (intelligent false alerts reduction is active) "MINIMUM SECURITY"
Test 1 : Mamutu Failed 100%, all Trojan's activities were allowed including reg. autorun !
Test 2 : Mamutu caught the reg. autorun entry only, and failed in stopping all other activities !
I think it succeeded in catching the reg. autorun this time because the encrypted Trojan takes a longer time to do its activities, so Mamutu has enough time to catch the reg. autorun adding.
Test 3 : Mamutu Failed 100%, all Ardamax activities were allowed including reg. autorun !
Test 4 : Mamutu Failed, and injecting code in iexplorer.exe was allowed without any alert .
Test 5 : Mamutu Failed 100%, and Scoundrelsimulator was able to:
*Change IE homepage
*Disable Internet Options
*Disable Registry Editor
*Add startup in Registry
*Add startup in startup folder
Test 6 : Mamutu Failed 100%, and DFK was able to do all its dirty jobs including planting a rootkit and all others which are very well known so no need to nominate them.
Test 7: Mamutu Failed.
Note: Mamutu detected AVGAS while it was updating its database and fired the alert "Connecting Internet Invisibly". While it's a good sign to detect this, on the other hand I think there is no need to detect such activity of a legitimate app in this "Minimum Security" setting which failed completely against real threats, and maybe a white list of known common security apps will do the job, or even to suspend this kind of detection for the resident visible windows applications which have visible tray icons. "just my opinion"
Conclusion: This default setting with "Active intelligent false alerts reduction" is worthless and by no means should be the default settings.
Disabled intelligent False Alerts Reduction test "MEDIUM SECURITY"
TEST 1 : Mamutu Succeeded, Hide Installation Alert was received. When DENIED all Trojan activities were stopped. When Allowed the Trojan created its server file but failed to start iexplorer.exe process and another alert of Autorun Key Creation was received.
TEST 2 : Mamutu Succeeded, Hide Installation Alert was received. When DENIED all Trojan activities were stopped. When Allowed the Trojan created its server file but failed to start iexplorer.exe process and another alert of Autorun Key Creation was received.
TEST 3 : Mamutu Succeeded, Hide Installation Alert was received. When DENIED all KeyLogger activities were stopped. When Allowed Ardamax created its hidden folder, but plog.exe "the main process of the keylogger" was not allowed even to be created, also no autorun entry registered.
TEST 4 : Mamutu Succeeded, Code Injection Behavior Alert was received, but iexplorer.exe which was the targeted process for copycat has hung, and ending the iexplorer.exe process from task manager was necessary to close IE.
TEST 5 : Mamutu Failed 80%, it only succeeded in preventing registry autorun addon, but failed in all other 3 registry change tests and startup folder addon test.
TEST 6 : Mamutu Failed 80%, Rootkit was allowed, KeyLogger was allowed, Spyware Simulator was allowed and its automatic startup by adding "Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run" registry key was also allowed, but Mamutu has succeeded in stopping swfactive.exe trojan firing the alert "Backdoor Behavior" and also has stopped vanquish.exe from injecting its code into other processes firing the alert "Code Injection Behavior"
Test7 : Mamutu Failed.
Conclusion: I think Mamutu doesn't monitor service or driver installation in this setting.
Disabled intelligent False Alerts Reduction & Activate Paranoid Mode test "MAXIMUM SECURITY"
TEST 1 : Mamutu Succeeded, Same results as above "MEDIUM SECURITY"
TEST 2 : Mamutu Succeeded, Same results as above "MEDIUM SECURITY"
TEST 3 : Mamutu Succeeded, Same results as above "MEDIUM SECURITY"
TEST 4 : Mamutu Succeeded, Same results as above "MEDIUM SECURITY"
TEST 5 : Mamutu Failed 80%, Same results as above "MEDIUM SECURITY"
TEST 6 : Mamutu Succeeded 80%, swactive.exe Trojan was stopped, win23l.exe Keylogger was stopped firing the alert "Code Injection Behavior", RootKit was stopped firing the alert "Service Installation" against vanquish.exe, also IE was successfully stopped from downloading extra malware firing the alert "Trojan Downloader Behavior", but Spyware Simulator was allowed and its automatic startup by adding "Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run" registry key was also allowed.
Test7 : Mamutu Failed.
Personal Final Conclusion:
Mamutu is lite on resources.
Mamutu GUI is nice but not eye catcher, and by the way A2Squared is a real eye catcher.
Mamutu is powerful security addon when used with "Maximum Security", However there are more powerful Behavior Blockers available.
Mamutu is a joke or a complete worthless security app when used with its default settings.
Mamutu needs a lot to do in securing registry, since it monitors only a very few startup locations.
Mamutu doesn't monitor where the files are created.
I think "MAXIMUM SECURITY" setting should be the default setting.
By all ways Mamutu is a very welcome application in the field of Behavior Blocking, and I think this alpha release is a very good start in making a robust and nice behavior blocking application.
Thanks Emsisoft for giving us this test drive opportunity, and all the best for your very welcome MAMUTU.
Metting
maddawgz
October 6th, 2007, 08:24 PM
hi where do beta testers send info? feedback so we get free license thanks ??? Also above poster what other applications do same thing ?
EASTER
October 6th, 2007, 09:03 PM
If I'm to understand right this will be a Portable or otherwise in 98 terms, a standalone app, right? If so, it should prove to go over very well once MANY misses are addressed and code improved on.
I also pass along my own thanks for offering us Wilder's members first shot if you will at the alpha, but I stand in full support of fcukdat's apprehension. Maybe he expresses it more aggressively than most, but plz keep in mind, MOST if not ALL security vendors and especially Emsisoft would as common practice already run it in alpha form thru its in-house and outsourced (Free) testers "FIRST" before making such an announcement.
I don't take either side for or against, only you have to admit that based on past similar distributions from the likes of Lavasoft a few others, any alpha pushed out the door to the public so early is bound to stir up serious concerns, and especially for the more experienced users (which Wilder's abound with), which as a matter of course can't help but to make for thought to just what the motive really is, if any.
I harbor only one disappointment in this practice, and that is setting a hard coded time limit on an alpha? :blink:
Anyway, let's see what develops.
Peace. Out.
the Tester
October 7th, 2007, 12:53 AM
-{ Quote: "hi where do beta testers send info? feedback so we get free license thanks ???" }-
Emsisoft forum soon, according to this quote from shaddi's last post-
"The only reason why it is not on the page and in public beta yet is, cause we are finishing the product page. Expect this to be done within the next days, possibly even tomorrow".
the Tester
October 7th, 2007, 02:43 AM
Mamutu caught Trojan Simulator.
That's with paranoid mode setting.
I agree with Metting's assessment of the tray icon.
It needs to show the difference between active and disabled better.
innerpeace
October 7th, 2007, 03:09 AM
Hi, as a happy user of A-squared anti-malware, I will be watching this thread with interest. This new product looks like the IDS feature already incorporated with A2 AM. Thanks for the pics sukarof :).
I consider the IDS as a huge strength for A2, but wonder about its separate viability. It would be nice to know more about what Mamutu is. I also don't like the name so much although it's different. Thanks for considering Wilders as a test group.
innerpeace
Kees1958
October 7th, 2007, 04:22 AM
Hi all,
First: I am just an A2 Malware user, not related to A2.
My thoughts about the alpha status.
It seems to me the IDS module of A2 Malware. The IDS module of A2 Malware is still somehow connected to the real-time blacklist. For example it considers keyloggers as risk-ware. Protection against risk-ware is an option of the on-demand blacklist part of the software instead of the IDS.
When you re-assemble the module structure of a program, in principle you have to test all the possible logic paths again (Google for TMAP the world's leading testing method). That costs a lot of effort when it is 'only' a subset of existing software. So what you do in practise, run your existing test cases against the new re-assembled program and when it passes, you will directly put in a life shadow environment for a functional acceptance test. We the members of Wilders are considered this life shadow environment. PCTools did the same with ThreatFire when it altered a proven program (CyberHawk Pro) by adding a blacklist module (more or less the same process only the other way around (Mamutu is A2 Malware without the black list). When you stick to the testing theory you should name it an alpha. When you are pragmatic you can also name it a Beta. It is just 'grundlichkeit' over pragmatism, so have some tolerance to this status.
Testing A2's IDS = Mamutu
Metting great job, thanks for the test. They are consistent with my tests. My tests were also the reason to run A2 IDS with Intelligent False Positive Reduction OFF and the Paranoid mode ON. As I said in the above, the IDS only protects the run locations. As said Vista has some file and registry virtualisation in UAC mode, so this 'hurts' XP users more than Vista users (enabling UAC)
That is why I use WinPooch with the posted filterset see http://www.wilderssecurity.com/showthread.php?t=186829 . People using A2/Mamutu in XP can use the attached winpooch filter (optimised for A2/Mamutu), open with notepad, save as Ansi file with extension .WPF The startup folder addon is not guarded, because XP calls this folder differently depending on the installed language. You can easily add this in WinPooch, just click on the asterisk, select + (for add), select File::Write for reason, select Path with Wildcard for parameter 1, enter the directory to watch e.g. C:\Documents and Settings\All Users\Menu Start\Programs\Startup\* (Programs and Startup is language specific), Select for response 'ask' + 'reject' and verbosity 'log'. Repeat this for the user startup directory.
Your test showed that keylogger protection is indeed not incorporated in the Mamutu program. So it is still part of the blacklist realtime protection module (called the 'protect against riskware' when checking started programs' option).
I have had a lengthy discussion (PM-ed not in the public A2-forum) with the guys from A2 on the above topics. They claim that the IDS still protects against most real threats (because the sequence of events triggers the IDS then), while most test programs only test against a single anomaly. Because A2 is running on my wife's PC I am not willing to test this with real malware. Other argument is that A2 with IFPR OFF and Paranoid ON is still a user friendly program.
The real good thing about A2 compared to others, is the availability of a lot of language files and the clear pop-up messages. A2 is also one of the first to start in XP startup process and delays the system less than for instance ThreatFire (startup time of webbrowser tested).
Regards Kees
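The sequence-of-events argument relayed in the post above (several anomalies from one program add up, a lone anomaly may not), sketched as an added example; it is not part of any post in this thread and not Emsisoft's code. The event format, weights, threshold and sample lines are constructed assumptions, and the multi-step sample follows the Test 1 description earlier in the thread (file dropped in system32, autorun write, injection into the browser, network connection from the injected browser).

```python
from collections import defaultdict

# Illustrative weights: assumptions, not values taken from any product.
WEIGHTS = {"drop_in_system32": 2, "autorun_write": 3, "code_injection": 3,
           "net_connect_by_injected": 3, "service_install": 3}

# Autorun keys quoted in the test post, matched case-insensitively as suffixes.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)

# Constructed events, one per line: pid|image|operation|target
MULTI_STEP = r"""
1204|sample.exe|FileCreate|C:\WINDOWS\system32\server.exe
1204|sample.exe|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run
1204|sample.exe|RemoteThread|pid:880
880|iexplore.exe|NetConnect|198.51.100.7:80
"""
SINGLE_ANOMALY = r"""
1500|leaktest.exe|RemoteThread|pid:880
"""


def classify(op, target, was_injected):
    """Map one raw event to an anomaly name, or None if it is not interesting."""
    t = target.lower()
    if op == "FileCreate" and "\\system32\\" in t and t.endswith(".exe"):
        return "drop_in_system32"
    if op == "RegSetValue" and t.endswith(AUTORUN_SUFFIXES):
        return "autorun_write"
    if op == "RemoteThread":
        return "code_injection"
    if op == "NetConnect" and was_injected:
        return "net_connect_by_injected"
    if op == "ServiceInstall":
        return "service_install"
    return None


def correlate(log, follow_injection=True):
    """Return {pid: set of anomalies}. With follow_injection, what an injected
    process does is charged to the process that injected into it."""
    owner = {}                      # injected pid -> pid that injected it
    findings = defaultdict(set)
    for line in log.strip().splitlines():
        pid_s, _image, op, target = line.split("|", 3)
        pid = int(pid_s)
        tainted = follow_injection and pid in owner
        actor = owner[pid] if tainted else pid
        anomaly = classify(op, target, tainted)
        if op == "RemoteThread":
            owner[int(target.split(":", 1)[1])] = actor
        if anomaly:
            findings[actor].add(anomaly)
    return dict(findings)


def scores(log, follow_injection=True):
    """Sum the weights of the distinct anomalies charged to each process."""
    return {pid: sum(WEIGHTS[a] for a in found)
            for pid, found in correlate(log, follow_injection).items()}


def flagged(log, threshold=6):
    """Pids whose combined score reaches the (assumed) alert threshold."""
    return sorted(pid for pid, s in scores(log).items() if s >= threshold)


if __name__ == "__main__":
    print(scores(MULTI_STEP), flagged(MULTI_STEP))
    print(scores(SINGLE_ANOMALY), flagged(SINGLE_ANOMALY))
    print(flagged(SINGLE_ANOMALY, threshold=3))
```

Lowering the threshold to 3 flags the single-anomaly tool as well, at the cost of alerting on any lone injection event; how Mamutu's own settings map to such a threshold is not stated in the thread.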
sukarof
October 7th, 2007, 05:17 AM
Thanks for the tests Metting :thumb:
It may seem bad, but I guess that is due to alpha stage of the software.
I´ve been running it for a day and so far it is very stable. I´ve had no issues at all. We´ll see what happens when they "enable" or fix the protection. I have the paranoid mode and it has not bothered me at all when using windows (XP) normally, just one warning when I uninstalled a program with "Your uninstaller". But I just white listed it. That is a good sign, if they manage to make it intelligent enough to not give warnings when not needed (without having to train the software) this might be a keeper (if I ever decide to go back to admin mode that is :) )
trjam
October 7th, 2007, 06:25 AM
been running for a day and no complaints. Very lite and does work well, as I found out.
trjam
October 7th, 2007, 06:30 AM
it seems that with it set to the paranoid setting, web pages in IE7 seem to have a tougher time loading.
Metting
October 7th, 2007, 02:27 PM
-{ Quote: "
They claim that the IDS still protects against most real threats (because the sequence of events triggers the IDS then), while most test programs only test against a single anomaly. Because A2 is running on my wife's PC I am not willing to test this with real malware.
" }-
I didn't test A2 against real threats, but I'm very comfortable to say that this claim is not true in the case of Mamutu or A2 IDS alone without black list.
I tested Mamutu against 3 Real threats; test1, 2, 3, all of them do a lot of anomalies (see descriptions in my test post) also test6 DFK is by all means a real threat and it doesn't test against a single anomaly it tests against at least 10 anomalies. Unfortunately Mamutu or A2 IDS has failed against all those real threats in its default setting, and didn't succeed 100% against them in its paranoid maximum security mode.
Cheers
Rasheed187
October 7th, 2007, 03:33 PM
I also do not understand why people are being this negative, I think most people on this forum are smart enough to not test alpha/beta apps on their "real" machine, so what´s the problem? ::)
And now about the product, I think it´s ridiculous that you need to have an account before you can start using this app, this really needs to be changed. Currently I´m having internet connections problem on my VM so I couldn´t even test it. But anyway, how does Mamutu (silly name btw) compare to other powerful HIPS like ProSecurity, SSM and Neoava Guard?
And it would be nice to know what settings like "watch for possible worm/trojan/dialer/keylogger like activity" exactly cover, now it´s a bit vague. To be more clear, I wonder what actions will trigger any of these alerts. But I guess Emsisoft wanted to keep it as simple as possible.
maddawgz
October 7th, 2007, 10:11 PM
No issues yet :)
trjam
October 8th, 2007, 05:51 AM
It is still in beta, isn't that what others shove down your throat. Give Mamutu a chance. If it is detecting well now, but missing a few, then when it actually is released, it should be even better. I like it and think everyone should be open minded and give it a chance. Time will tell, won't it.
Kees1958
October 8th, 2007, 08:04 AM
Metting,
After I did my tests, I was satisfied with their answer (claiming that the default settings would protect against most real malware), but you are right the tests you did contain multiple anomalies.
I asked them whether they would provide more registry protection in the future, they replied that A2's IDS (Mamutu) would provide more registry protection in the future. Until then I use WinPooch besides A2's IDS (I tested it against DFL ThreatSimulator 2 and the WinPooch filter posted tackles it).
A2's support desk told me that they classified keyloggers as riskware, which the real time protection of A2 Malware protects against. So A2 Malware will protect (on black list basis), but Mamutu won't. They also told me that they would re-consider that. That is why I thought that Mamutu would provide protection against it.
The combo Mamutu (A2 IDS) + WinPooch really works good. What I still like about it is the clear messages which are provided when an anomaly occurs.
I am wondering how they are going to market it, because ThreatFire free offers also a broad protection (keyloggers included, rootkits as scan).
Regards
trjam
October 10th, 2007, 05:37 PM
All I know is, it is getting along fine with my apps and I really like this one.
Perman
October 10th, 2007, 08:36 PM
Hi, folks: Hi, Thomas @ Emsisoft:
I do admire your courage to have a testing-invitation note landed on doorstep of this security forum filled with more than handful gurus. I am not an expert, therefore I can only ask you one quick question from an average Joe's perspectives. I am currently using two excellent behavior blockers: PrimaryResponse SafeConnect and Threatfire. They are matured programs which have gone thru what you are about to embark. My simple question is this: can you provide me three reasons why I should try out your pre-beta or even post beta program while I am very much content with what I have now (in terms of those two apps mentioned). Thanks.
solcroft
October 10th, 2007, 09:42 PM
After trialing Mammoth, I don't really see where its reputation of clear, concise alerts comes from. All it has is a short description of what happened, similar to ThreatFire, and a mostly-useless list of DLLs loaded by the offending process. I'd still rank the Kaspersky PDM as the most transparent behavior blocker, with TF/Mammoth coming third after PRSC/AntiBot's second.
Meriadoc
October 10th, 2007, 09:49 PM
Hi Perman, :)
I don't think Thomas will give you 3 reasons or should, although I don't want to pre guess his actions. We know it is a pre-beta and cannot replace what you are already content with, he has just offered Mamutu up for preview so if you are inclined test it and let us know what you think.
Perman
October 11th, 2007, 12:36 AM
Hi, Meriadoc:
Thanks for your points. It does make sense, however, I somehow feel it is very illogical if Thomas has chosen silence evading any potential customer's simple request which he and his marketing people will eventually have to face. If one has something so proud to show and tell and can not list just three reasons to explain why. Don't you sense that a bit odd ? I am confident that Thomas will be more than happy to answer my simple request. Unless----. Have a nice one, folks.
LUSHER
October 11th, 2007, 09:29 AM
-{ Quote: "After trialing Mammoth, I don't really see where its reputation of clear, concise alerts comes from. " }-
Well I know one member has been constantly saying that, but I'm not sure if that alone counts as a reputation. Like you, I have never found anything particularly special about A2 IDS prompts.
Pedro
October 11th, 2007, 09:50 AM
Compare it to Cyberhawk.
whatever.exe looks mighty suspicious doc. block?
dcdc
October 11th, 2007, 12:58 PM
-{ Quote: "Until I read Lusher's comment I was getting the idea that a king had died, and fcukdat had ascended to the throne.:dry: " }-
Well, there's more than one type of throne.
Kees1958
October 11th, 2007, 01:06 PM
-{ Quote: "Well I know one member has been constantly saying that, but I'm not sure if that alone counts as a reputation. Like you, I have never found anything particularly special about A2 IDS prompts." }-
Lusher,
I feel responsible, so comment noticed, I won't tell it anymore. ;)
Ccsito and InnerPeace are also happy A2 users. Remember that I also like ThreatFire (posted the how to o custom rules), EQSecure (also posted the first usage explanation), WinPooch all because they are great apps and free. GesWall Pro, DefenseWall and PRSC are also favoured by me. That is the 'luck' of having three PC's at home.
Regards K
Perman
October 11th, 2007, 02:46 PM
Hi, folks: I am trying to stay as impartial as possible when making this post, so you are noticed. Kees, do not feel anything out of normality just because of what you have been contributing to this forum, I do learn a lot from you. Your testing and experiments are helpful to end users, but not necessarily be seen as such by some. That is OK. This is an open forum, any, I mean any opinion from all sides are counted, not been discounted, as long as all terms are met. Keep up your good contributions, and enjoy others' (including mine) appreciation. Have a nice one.
ccsito
October 11th, 2007, 05:17 PM
-{ Quote: "That is the 'luck' of having three PC's at home.
Regards K" }-
I have seven of them at home myself. ;D :P
ccsito
October 11th, 2007, 05:20 PM
-{ Quote: "Hello,
I can say one thing so far - the name sounds really unappealing.
Something like a hybrid mammoth ... not really softwareish.
Mrk" }-
Really? The name gives me visions of lying along a Polynesian seashore. LOL
;D :-*
LUSHER
October 13th, 2007, 01:20 AM
-{ Quote: "Lusher,
I feel responsible, so comment noticed, I won't tell it anymore. ;)
" }-
No, No, tell it to everyone you want, as long as you really believe it. Doesn't mean we have to all agree of course.
-{ Quote: "
Ccsito and InnerPeace are also happy A2 users. Remember that I also like ThreatFire (posted the how-to on custom rules), EQSecure (also posted the first usage explanation), WinPooch, all because they are great apps and free. GesWall Pro, DefenseWall and PRSC are also favoured by me.
" }-
Yes, Yes, you like all wilders members here basically like all security apps. :)
-{ Quote: "
That is the 'luck' of having three PC's at home.
" }-
only 3? I have 5 excluding laptops.
Kees1958
October 13th, 2007, 06:18 AM
Lusher,
You still beat us, my wife and I also have two laptops supplied (so that totals to 5). But we rarely use these privately (only VPN for work of course).
Regards
solcroft
October 14th, 2007, 11:28 AM
Finally managed to get around to running some very basic tests on this thing. My first impression was not a good one, as I do not enjoy software that forces me to provide an email address to sign up for a username and password before I can use the program.
I initially set Mamutu to its highest protection settings, but apparently Mamutu is completely unfit for its intended purpose with intelligent FP reduction turned off, as the first two things it flagged were Windows components: IE6 (backdoor trojan, lol?) and msconfig ("tries to install itself invisibly"). In both cases simply executing the programs was enough to produce the FPs. Logging seems to not work (maybe because it's a beta?), and there's no further way to find out what happened.
Still in the middle of trying to figure out the quarantine. Does Mamutu quarantine only the offending file and process it detects, or does it do a smarter job like ThreatFire and AntiBot, and clean up all related files and registry entries as well?
One interesting thing to note is that Mamutu fails against kernel unhooking malware. ThreatFire and AntiBot already defend against this, but apparently not Mamutu. Copies of Bifrose and Small were allowed to execute without so much as a squeak from Mamutu.
Not impressed so far, ThreatFire seems to be heads and shoulders above this thing. But we'll see.
Wordward
October 14th, 2007, 12:46 PM
solcroft, do you think a squared anti-malware which has IDS would have the same results? I know Mamutu is pre beta but shouldn't it still be close to the IDS of a squared?
bellgamin
October 14th, 2007, 03:59 PM
-{ Quote: "only 3? I have 5 excluding laptops." }-
I have 1 computer & 7 sorobans. Banzai!
Meanwhile, back at the thread -- I like what I am reading here about Mamutu. Will give it a spin when it goes beta.
QUESTION- Does it need a reboot during installation?
solcroft
October 14th, 2007, 10:43 PM
-{ Quote: "solcroft, do you think a squared anti-malware which has IDS would have the same results? I know Mamutu is pre beta but shouldn't it still be close to the IDS of a squared?" }-
I've never tried a2 IDS personally, so I can't comment. I do remember aigle testing it before, however, and the results were less than impressive as well.
-{ Quote: "QUESTION- Does it need a reboot during installation?" }-
Nope.
Wordward
October 14th, 2007, 11:00 PM
-{ Quote: "I've never tried a2 IDS personally, so I can't comment. I do remember aigle testing it before, however, and the results were less than impressive as well." }-
All right, thanks solcroft. Well, aigle or Keese1958, you both test software, so how does Mamutu stack up against a squared IDS? And is either one as good as, say, that of ThreatFire?
ccsito
October 15th, 2007, 06:00 PM
-{ Quote: "the first two things it flagged were Windows components: IE6 (backdoor trojan, lol?) " }-
I was always wondering what MS was doing inside your PC. ::) :shifty:
aigle
October 15th, 2007, 06:30 PM
-{ Quote: "I've never tried a2 IDS personally, so I can't comment. I do remember aigle testing it before, however, and the results were less than impressive as well.
" }-
It was a very very short play. Just a few minutes and I tried a few malware samples on default settings with the false positive reduction option and the results were poor. Keese' experience is different though.
The sort of online activation is a big turn off BTW. 30 days trial for a sort of pre-beta is another one.
From snapshots it seems almost the same as A-sq's IDS. I once wished that they launch a behav blocker based upon a-sq's IDS without any signature data base.
Seems they took the idea without even thanking me. ;D
Hipgnosis
October 15th, 2007, 07:26 PM
-{ Quote: "I have seven of them at home myself. ;D :P" }-
I'll see your 7 and raise you 3. ;D ;D :P
MaB69
October 16th, 2007, 07:52 AM
Hi all,
Mamutu conflicts with Ad Muncher. AM stops filtering web flow :-[
Regards,
MaB
Inspector Clouseau
October 16th, 2007, 08:08 AM
-{ Quote: "I'll see your 7 and raise you 3. ;D ;D :P" }-
LOL that cracked me up ;D ;D ;D
Kees1958
October 16th, 2007, 09:11 AM
Wordward, Solcroft, Aigle
Mamutu looks to be the IDS component of A2 (I would guess an exact copy).
I ran A2's IDS against:
1. TrojanSimulator = Pass (autostart via server)
2. TrojanDemo = Pass (downloader activity)
3. Zapass = Pass (dll injection)
4. Regtest = Pass (first process manipulation, then auto starts)
5. Badrkdemo = Pass (install driver)
6. Securable = Pass (memory access + service installation)
Aigle is right, Mamutu is not strong against worms, that is why I use WinPooch beside it with a special A2 filter set, see http://www.wilderssecurity.com/showpost.php?p=1091240&postcount=35
Solcroft has also noticed it has weak self protection (e.g. APT)/unhooking protection.
On the positive side:
- it is very low on resources
- is available in several languages
- provides messages (sorry Lusher) which my wife seems to read and listen to, a feat which I have not been able to accomplish in many years
It will probably become payware and will run on Vista32, so on XP and Vista32 the free ThreatFire will be a better option (on Vista64 PRSC is the only option in this category).
Together with WinPooch it also passes DFK Threat Simulator V2.
Regards Kees
ccsito
October 16th, 2007, 06:48 PM
-{ Quote: "I'll see your 7 and raise you 3. ;D ;D :P" }-
I can get more PCs if I really wanted to, but that would reduce the amount of living space. ;D ;) :isay:
Rasheed187
October 20th, 2007, 01:13 PM
Can someone perhaps post any screenshots of the alerts? :)
emsisoft
October 27th, 2007, 05:26 AM
You can find some screenshots of Mamutu and the alert boxes on the new Mamutu website: http://www.mamutu.com
Btw. the Mamutu Beta is now officially published on our website. ;)
aigle
October 27th, 2007, 10:02 AM
I think u must consider changing its name.
Perman
October 27th, 2007, 10:12 AM
Hi, folks: I would, if I were wearing your shoes. A name sounds like a cartoon character, a primitive culture, even worse when it can not reflect its marketing/technical properties and values. Time is still on your side. I can pronounce the name, but can not even remember it just two seconds later, let alone thinking to use it again. Take care.
emsisoft
October 27th, 2007, 01:56 PM
-{ Quote: ".. even worse when it can not reflect its marketing/technical properties and values." }-
Our intention was to avoid the typical word joinings of Virus/Spyware/Trojan/Malware with Stopper/Blocker/Protector/Sweeper/No-More, etc.
The discussion about the name confirms our idea. It's so unusual that everybody thinks about its name - positive or negative doesn't really matter. I'm sure you'll remember it better than a boring word combination. ;)
aigle
October 27th, 2007, 02:03 PM
Who said to use anti-spyware, virus etc. buzz words? The sound effect of Mamutu is not impressive at all.
There are other names free of these buzz words but still with good effect and u will not forget once u listen it: Prevx, ThreatFire, CyberHawk etc
solcroft
October 27th, 2007, 02:12 PM
-{ Quote: "The discussion about the name confirms our idea. It's so unusual that everybody thinks about its name - positive or negative doesn't really matter. I'm sure you'll remember it better than a boring word combination. ;)" }-
So you don't mind even if the name is an object of ridicule, as long as it gets talked about?
A rather... unique marketing strategy, to say the least.
Rasheed187
October 27th, 2007, 02:31 PM
@ Christian Mairoll
-{ Quote: "You can find some screenshots of Mamutu and the alert boxes on the new Mamutu website: http://www.mamutu.com" }-
OK cool, but will you now please scrap the internet account activation "feature", so that I will finally be able to test it on a virtual machine? Earlier I wrote:
-{ Quote: "And now about the product, I think it's ridiculous that you need to have an account before you can start using this app, this really needs to be changed. Currently I'm having internet connections problem on my VM so I couldn't even test it." }-
aigle
October 27th, 2007, 02:42 PM
-{ Quote: "OK cool, but will you now please scrap the internet account activation "feature", so that I will finally be able to test it on a virtual machine? Earlier I wrote:" }-
That really feels bad, at least to me!
solcroft
October 27th, 2007, 03:01 PM
Rasheed, not to sound like a smartass, but if you know full well it's your VM that's not working, perhaps you should be trying to fix that problem instead.
Looks like the beta still has the same problem as the pre-release. This alert pops up less than five seconds after completing the initial wizard. And I thought TF was an FP machine...
solcroft
October 27th, 2007, 03:17 PM
Execute trojan. Trojan installs LSP driver. Mamutu steps in with alert, user selects to quarantine trojan. Mamutu destroys the LSP stack while trying to quarantine trojan, cutting off all internet access, and forcing the use of netsh + reboot.
Mamutu was more destructive than the trojan, no contest. It didn't last more than ten minutes on user's machine.
Rasheed187
October 27th, 2007, 03:49 PM
OT:
-{ Quote: "Rasheed, not to sound like a smartass, but if you know full well it's your VM that's not working, perhaps you should be trying to fix that problem instead." }-
Actually, even without any problems (seems like the upgrade screwed my VMware Workstation up) it's still a pain to get my VM internet connection working, I basically have to reboot and wait for like 4 minutes before my USB ADSL modem gets recognized. So I hate all products who need internet activation, I had the same problem with DriveSentry, it's ridiculous, anti malware tools shouldn't need to connect to a network.
Wordward
October 27th, 2007, 09:35 PM
I have used a-squared Anti-Malware with IDS enabled for several months without problems, and I just don't understand how Mamutu can cause such troubles. I know it's still in beta and some things were added, but it is based on a-squared's IDS which is top notch.
solcroft
October 28th, 2007, 03:54 AM
-{ Quote: "I have used a-squared Anti-Malware with IDS enabled for several months without problems, and I just don't understand how Mamutu can cause such troubles. I know it's still in beta and some things were added, but it is based on a-squared's IDS which is top notch." }-
It has some problems trying to quarantine certain types of malware without chainsawing Windows off at the knees as well.
But I'll agree, it should provide good protection. I have yet to test it extensively, but this is usually the case for FP machines.
emsisoft
October 28th, 2007, 01:56 PM
-{ Quote: "Execute trojan. Trojan installs LSP driver. Mamutu steps in with alert, user selects to quarantine trojan. Mamutu destroys the LSP stack while trying to quarantine trojan, cutting off all internet access, and forcing the use of netsh + reboot." }-
The LSP should be correctly deregistered before quarantining the file, you're right. We'll take care of this problem, thanks.
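The ordering problem in solcroft's report and the reply above, modelled offline as an added example (not from the thread and not Emsisoft's code): a Winsock catalog dump is parsed and checked for entries whose provider DLL is gone, comparing quarantine of the file alone with deregistration first. The dump is constructed, laid out like `netsh winsock show catalog` output; `examplelsp.dll`, the field layout and all function names are assumptions.

```python
import re

# Constructed sample; field names and "examplelsp.dll" are assumptions.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
Provider Path:          C:\\Windows\\system32\\examplelsp.dll
Catalog Entry ID:       1015
Protocol Chain Length:  2
Protocol Chain:         1016 : 1001

Winsock Catalog Provider Entry
Provider Path:          C:\\Windows\\system32\\examplelsp.dll
Catalog Entry ID:       1016
Protocol Chain Length:  0

Winsock Catalog Provider Entry
Provider Path:          C:\\Windows\\system32\\mswsock.dll
Catalog Entry ID:       1001
Protocol Chain Length:  1
"""

def parse_catalog(text):
    """Return {catalog_id: {"path": dll, "chain": [ids]}} from the dump."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        f = {k.strip(): v.strip() for k, v in pairs}
        chain = [int(x) for x in f.get("Protocol Chain", "").split(":") if x.strip()]
        entries[int(f["Catalog Entry ID"])] = {"path": f["Provider Path"].lower(), "chain": chain}
    return entries

def broken_entries(entries, present_dlls):
    """Entries that can no longer load: DLL gone or chain target unregistered."""
    bad = []
    for eid, e in sorted(entries.items()):
        if e["path"] not in present_dlls:
            bad.append((eid, "provider DLL missing"))
        bad += [(eid, f"chain points at unregistered entry {r}") for r in e["chain"] if r not in entries]
    return bad

def quarantine_file_only(entries, present_dlls, dll):
    """Failure mode from the thread: file removed, catalog left untouched."""
    return entries, present_dlls - {dll.lower()}

def deregister_then_quarantine(entries, present_dlls, dll):
    """Order named in the reply: drop the catalog entries, then the file."""
    kept = {i: e for i, e in entries.items() if e["path"] != dll.lower()}
    return kept, present_dlls - {dll.lower()}
```

A non-empty result from `broken_entries` after a clean-up is the state that, per the report, cut off internet access until the catalog was repaired with netsh and a reboot.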
Perman
October 29th, 2007, 12:37 PM
-{ Quote: "Our intention was to avoid the typical word joinings of Virus/Spyware/Trojan/Malware with Stopper/Blocker/Protector/Sweeper/No-More, etc.
The discussion about the name confirms our idea. It's so unusual that everybody thinks about its name - positive or negative doesn't really matter. I'm sure you'll remember it better than a boring word combination. ;)" }-
Hi,
During our teatime break, someone in our group (product development) raised this question, I thought you may be interested in. The question is: Have you ever asked computer-major students in college/university nearby about the NAME of your product? I have 10 to 1 favor in this reply: What? What is that? A creature from out of space, it does not sound very human----. Just a laughing tea-time material, do not get too serious. Take care.
Copyright ©2002 - 2013, Wilders Security Forums