Crystal Anti-Exploit Protection 2012 Beta

Discussion in 'other anti-malware software' started by sg09, Jun 28, 2012.

Thread Status:
Not open for further replies.
  1. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    @Tomwa: Thanks for downloading and giving it a go! The installer uses CreateInstall and I actually haven't tested it in scenarios where an AV blocks access to the install target directory, so thanks for letting me know that it misbehaves; I'll add that to my list of things to do!

    The epileptic command prompt is actually a command line pre-install checker that I had to write to make sure that .NET is installed, that the system isn't pending a reboot etc., but I could do it without displaying the command window so I'll make a note of that too!

    @jdd58: That's great news about the other programs, so I will definitely make Chrome a priority and try to fix that issue. Is the ROP alert issue with Chrome intermittent as with Comodo Dragon or does it always seem to happen?

    Is it the CrystalAEPUI.exe process that uses 2% CPU when IE is running and 10% when Comodo is running, or those respective processes themselves using extra CPU? CrystalAEPUI.exe does receive "realtime logs" which can be displayed under the More section of the main interface, and I suspect that polling for this information is what is causing the CPU use. I can probably optimise that functionality without changing too much, so that's now on my todo list.

    Thanks again to you both for the feedback!
     
  2. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    The ROP alert for Chrome on Vista was every time. Dragon on Windows 7 was intermittent. Usually the first time or two a tab was opened, then OK after.

    Yes, the CrystalAEPUI.exe process uses the CPU. I guessed the extra processes of Dragon due to extra extensions installed were causing the higher CPU over IE.
     
  3. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    @jdd58: Apologies for not having a chance to reply to you sooner. I think I've fixed that ROP bug at last! If you would be so kind, could you confirm for me with the latest installer at http://www.crystalaep.com/download.html?

    As before I haven't pushed out a fix via the update mechanism because I'm hoping to make one or two additional minor changes to the code and test them more thoroughly before I do so, but at least this issue will be fixed for all users from this point onward (assuming the fix works for you!).

    Thanks again for all your help, and to everyone on the forum who has given me feedback!
     
  4. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Success with the ROP error on my Vista PC. I do have a persistent message box asking if I want to allow wow_helper.exe however. I added wow_helper to the list of protected programs and the problem disappeared. I did wonder if I should have added it to the executable whitelist instead? I have not tried it yet on the Windows 7 laptop.

    Some of the protected programs are also in the executable whitelist; what is the reason some are in the protected list and whitelist? Should Chrome's pdf.dll be added to the dll whitelist?

    If it makes a difference I have Chrome installed in Program Files x86 instead of the user profile folder. Also would it make a difference if CrystalAEP is installed there instead of the default root directory?

    CPU usage of CrystalAEPUI is at 5% with 8 chrome processes. Will there be a way to disable logging?

    Thanks a bunch for your effort on this project.
     
  5. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    @jdd58: Superb! That's good to know! :) I'll be addressing the wow_helper.exe issue by adding it to the whitelist and adding/enabling a setting to persist your decision to run a given executable after it has been accepted a certain number of times (say three) by adding it to the whitelist automatically. That should hopefully make the product less whiny when used often, and shouldn't reduce the level of security provided.

    If I haven't explained properly in the documentation (as I'm sure I haven't), the Protected Process list contains the list of executables which will be protected by Crystal when they are run, and the Executable Whitelist just contains the list of programs which the protected programs can start without warning you. By default, though, programs on the whitelist will be protected by Crystal if they are started by a protected program, but not if just run in their own right (i.e. by running the program directly), so it can become a source of confusion if just looking at the main UI!

    The DLL whitelist is actually only used by the "Disable RWX Memory" feature (in "Expert Options->API Monitor [1]") which - if the processor supports non-executable pages - allows certain DLLs to be exempt from the restriction on allocating executable memory.

    The Disable RWX Memory feature is actually designed as a strong mitigation against the execution of malicious code because it prevents a program from being able to request executable memory (a requirement of almost all software exploits seeking to execute shellcode or a similar payload). As some DLLs (like those which perform just-in-time compilation, as do Java, Flash and Silverlight, or which rewrite code in loaded DLLs using a framework such as Microsoft Detours) require the ability to allocate or mark memory as writeable and executable, I support exemptions in the form of the DLL whitelist.

    Thanks again for your help! I appreciate all the feedback and guidance.
     
    Last edited: Jul 5, 2012
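To make the relationship between the three lists in the post above concrete, here is an added example policy model in Python. It is not CrystalAEP's code: the class, method names, protection-flag values and sample list contents are assumptions, written from the description in this post (Protected Process list, Executable Whitelist and DLL whitelist semantics, the "Disable RWX Memory" rule, and the planned automatic whitelisting after three accepted prompts).

```python
# Added example: a policy model of the lists described in the post.
# Hypothetical code, not CrystalAEP's own; all names and rules are assumed.
from dataclasses import dataclass, field

# Memory protection bits as an API monitor would see them on an allocation or
# re-protection request (constructed stand-ins for the Windows PAGE_* flags).
READ, WRITE, EXECUTE = 1, 2, 4
RWX = READ | WRITE | EXECUTE


@dataclass
class Policy:
    protected: set                 # Protected Process list: exes guarded when run
    exe_whitelist: set             # programs a protected process may start silently
    dll_whitelist: set             # DLLs exempt from "Disable RWX Memory"
    nx_supported: bool = True      # processor supports non-executable pages
    disable_rwx: bool = True       # the "Disable RWX Memory" option is on
    auto_allow_after: int = 3      # accepted prompts before a child is whitelisted
    accept_counts: dict = field(default_factory=dict)

    def is_protected(self, exe, parent_protected=False):
        """A listed program is always protected. A whitelisted program is
        protected only when a protected program starts it, not when run directly."""
        name = exe.lower()
        if name in self.protected:
            return True
        return parent_protected and name in self.exe_whitelist

    def child_start(self, child):
        """Decision when a protected process launches `child`:
        'allow' silently if whitelisted, otherwise 'prompt' the user."""
        return "allow" if child.lower() in self.exe_whitelist else "prompt"

    def user_accepted(self, child):
        """Record that the user answered the prompt with 'allow'. After
        auto_allow_after accepts the program is added to the whitelist (the
        planned fix for the repeated wow_helper.exe prompt). Returns True
        when the program has just been whitelisted."""
        name = child.lower()
        self.accept_counts[name] = self.accept_counts.get(name, 0) + 1
        if self.accept_counts[name] >= self.auto_allow_after:
            self.exe_whitelist.add(name)
            return True
        return False

    def memory_request(self, caller_dll, protection):
        """Decision for a memory request by `caller_dll`. Only requests for
        pages that are both writable and executable are affected; RW or RX
        pages are always allowed."""
        wants_rwx = bool(protection & WRITE) and bool(protection & EXECUTE)
        if not wants_rwx:
            return "allow"
        if not (self.disable_rwx and self.nx_supported):
            return "allow"           # feature off, or hardware cannot enforce NX
        if caller_dll.lower() in self.dll_whitelist:
            return "allow"           # e.g. a JIT engine that legitimately needs RWX
        return "block"               # shellcode-style request from an unknown module


def default_policy():
    """Constructed sample lists for the example; not the product's real defaults."""
    return Policy(
        protected={"chrome.exe", "iexplore.exe"},
        exe_whitelist={"sample_helper.exe"},
        dll_whitelist={"sample_jit.dll", "sample_hook.dll"},
    )


def simulate_wow_helper_prompts(policy):
    """Replay the repeated wow_helper.exe prompt from the thread and return the
    decisions: three prompts, then silent allows once it is auto-whitelisted."""
    decisions = []
    for _ in range(4):
        decision = policy.child_start("wow_helper.exe")
        decisions.append(decision)
        if decision == "prompt":
            policy.user_accepted("wow_helper.exe")
    return decisions


if __name__ == "__main__":
    p = default_policy()
    print(simulate_wow_helper_prompts(p))           # ['prompt', 'prompt', 'prompt', 'allow']
    print(p.memory_request("unknown.dll", RWX))     # block
    print(p.memory_request("sample_jit.dll", RWX))  # allow
```

The model makes the point in the post explicit: the Executable Whitelist governs what a protected program may launch without a prompt, protection follows the launch chain rather than the list membership, and the DLL whitelist only matters for writable-and-executable memory requests while the RWX mitigation is active.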
  6. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    I will also address the realtime logging issue; I'll try to optimise it so that it doesn't take up noticeable CPU - there's no good reason that it should take as much CPU as you report!
     
  7. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    165
    Thanks Peter :)

    Should I re-download? I haven't had any issues (at least not notably) since installing.

    Also, the GUI can be a little confusing; do you have any intentions of altering it?
     
  8. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    @Tomwa: Sorry for the late reply, my computer fubared over the weekend and I've only just managed to get it back into working order!

    I wouldn't think you need to download the updated version yet; I am actually working on a few enhancements based on some further research and I'm hoping to incorporate as much as I can in terms of fixes and improvements into the next release (that will then be available by auto-update) which I hope to push out in a few days (work permitting!).

    I will try to improve the GUI (as you can probably tell, interface design isn't my greatest strength - I write most of the software I use day to day in C++ and never bolt a UI onto it); an overhaul would be nice but for the time being I'll probably focus on features and effectiveness first.

    I hope also to soon put together some YouTube based demos of the software effectively blocking many of the historic and present software exploits, as it seems that a number of users of the software don't fully understand what sets it apart from antivirus and antimalware products. Almost certainly my own fault however! :(
     
  9. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Just a suggestion. How about a button in the expert options to reset everything to default?

    I don't mind the GUI, I think it's fine. The tray icon needs some help though, ha!
     
  10. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    165
    That's technology for ya :D

    Alright in that case I'll wait for the update :)

    Trust me, it's leaps and bounds above what I'd have made it look like (I don't design) and I'm glad to hear that functionality takes precedence (I can learn a UI). I just want it to be usable by as many people as possible :)

    I'm sure that'll help spread the word. I would offer to post up links to social media sites but I stopped using the stuff a long time ago (I like my privacy :D )
     
  11. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    I can't open the GUI.
    Is it only from the gadget?
     
  12. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    It's like a ghost town in here. Any new developments?
     