Playing with Cyber Hawk

Some very crude sort of playing with CH and malware.
First thing after install I got warning from SnioopFree that is logging keyboard, never got such a warning while installing any security software.
Seconly it disabled system restore, still the bug remains.
It seems that it has some signature based protection as well because it detectecd some malware with esxact name as u will see down.
It is really hard for me to judge its effectiveness as unlike other softwares it is not a scanner or malware remover, it seems more of a malware blocker + real tiem cleaner as needed.
Also it is not good to judge it by installing some malware which work just like a legitimate software like some rouge antispyware/ anti-malware software. It is not the fault of CH if it they are not dtected by CH.
I saw that it monitors Start up Registry enteries very well and will give a pop up with warning whether the entry is by a legitimate software or a malware. However it still need work. Sometime i saw incinsistent no of pop ups on running same malware more than once and some time there was a significant lag between the nlawrae event and the pop up from CH.

Here is the pop up from SnoopFree on install of CH.

 

Resource Usage of CH.
BTW this version is running good on my system so far with many other security soiftware including GesWall. So I think at least they have managed the conflicts

 

WinFixer 2005 -- not detected. Fail

Browsezilla -- CH gave successfully Very High Risk warning that an application is trying to copy itself in different locations, I denied but inspite of that files were copied. Lter when I launch browsezilla from copied files, here was no warning ( that is a bit understandable as it was just like a browser launch). Fail

Jokes Toolbar and
NewDotNet -- these two were dtected by signature I think as u see the warning pop ups. I denied their installation but they were at least partially installed but might be disabled, not sure it stopped the harm or not.

SpySheriff installation was detected by signatures but when I ran its scanner componenet there was no warning. Again not so sure. Infact my installer for this malware is probably corrupt but I found a file in the collection that will launch scanner without any installation.
Qcan IM worm -- successful risk warning and stopped it from disabling Task manager and RegEdit( not sure about effect on messenger as I could not check it). Pass

CEDP Stealer-- gave very high risk warning but failed to stop its installation and subsequent launch- at least partially. MAy be malicious code removed from it.
Morgud,s threat simulator -- Gave one High Risk warning only and I asked to stop the malware. Rootkit was installed and Antivir Guard was killed effectively. Fail

Martins Undetectable Keylogger -- keylogging detected and it was stopped. Pass
Family Keylogger -- Stopped -- Pass

Paq Keylogger -- no detection. Keylogger successfully logged my keys.Fail

Elite Keylogger -- gave High Risk pop up and stopped it successfully. Pass

Ghost Security Registry Test -- Pass

Intcodec -- Spyware was installed inspite of one pop up by CH and I denied the installation of spyware, however the installation was probablly partial though I am not so sure.

XP Killer trojan -- Fail

KillDisk virus -- Not tested. I am just mentioning it as I wish to test against KillDisk but my tset Pc is gone, so can,t check it out. May be some other person can do.

Here are some sample pop ups. The one on the bottom is for Elite Keylogger installation detection.

Edit-- better description at some points

 

On the whole i think it has potential but still needs work. I think when it will become more better it might be just acquired by some other company to be incorporated in their suite. ZA security and KIS already have some sort of behavioural blockers. Just a wild thinking. How about Eset incorporating an improved version of CH in their suite in future?

Here are the pop ups indicating that it has some signatures data base as well.

 

Thanks! for the tests aigle

So, not signatureless,

Source

 

I think it has some signatures otherwise it can,t give the type of alerts u see in red.

 

This is the obnoxious adware trojan that got into one of my PCs earlier this year.
This is not good if it got past the program.

 

As I know there are two versions of WinFixer- 2005 and 2006.

2005 was detected by ST and Ws Defender in real time but both missed 2006 version in real time.

 

How about AVG Anti-Spyware, I wonder if it detected either one?

 

I am not sure but I think it will detect both in real time, will try to check if I got chance later. WinFixer seems a common spyware.

 

@aigle

Have you tried disconnecting first your computer from the internet before trying to test CH with malware? Just to be sure that it does not access its database via internet and use it for detection. If you are not connected and CH provides detection then CH does rely for malware signatures to protect.

 

It was disconnected.

 

Thanks aigle! Youre doing a great job with all this testing of different software.

If CH would prove to be some hybrid between behaviour analyze and blocking, with an addon signature list for those malware that the programmed analyze function could not find - then I dont know if I am so interested.

Hope CH will jump in on this thread.

Best Regards

 

I think it is not a bad idea to add a very small and clever data base of common/ dangerous malware. Ofcourse behavioural detection should be the main priority.
Lets, wait if they explain some thing.

 

You are correct that Cyberhawk does complement its behavior-based security with a blacklist of known malicious threats.

Cyberhawk is first and foremost a strictly behavior-based software that prevents and blocks threats by constantly monitoring for any suspicious behaviors. This is how we're able to block new or "zero-day" threats before there are specific signatures for them provided by the signature-based security vendors. We do not require a signature to block a threat--we're looking only at the behavior.

However, we do use "signatures" in a certain sense. Once Cyberhawk has identified a specific threat as something definitely malicious, we do add information about this threat to a blacklist. If one of these threats happens upon your system and attempts to engage in malicious behavior, then rather than present you with our standard "potentially malicious" yellow alert where you have to choose whether to Allow or Deny the threat, we automatically block it and notify you with our "Known Malware" red alert. (Further details on the different threats explained in the CH Help file.) If we identify a known malicious threat we do automatically block it. This is to enhance the overall user experience and not require an Allow/Deny choice when the option is clearly always Deny. Our behavioral analysis always works first to identify a threat, and if it finds one that is on our blacklist it simply presents a different, more straightforward alert.

Aigle--I having our lab test against the threats you mentioned to see if we can confirm the behavior you describe. We appreciate any heads up on any threats that seem to defeat Cyberhawk.

Also, for any specific threat analysis questions, please feel free to contact our support technicians through our online support center.

Again, we appreciate the discussion and interest in Cyberhawk.

Becky Dubrow

(Edited to clarify confusing language regarding blacklist behavior)

 

Thanks for your interest in Cyberhawk, Aigle.

First, I would like to repeat that Cyberhawk is not a signature based product. It really is behavioral based.

Secondly, our team is looking into the problems that you have raised. Because evaluating a behavioral-based product is a complex undertaking, we want to review both our set of samples, your set of samples and your testing methods. We will work on it with you and are working on it right now.


Thanks much,
Kurt Baumgartner
Chief Threat Analyst -- Novatix

 

Aigle,

Thx, for the test

CyberHAwk Support
I really dislike the idea of signature based scanning. I think when cyberhawk protects against dll injection, data injection, outgoing connections, vulnarable windows directories, ini-files, start up of services, installationof drivers it would be a grat HIPS.

Just focus on the anomolies, not the bad ones.

(by the way CyberHAwk failed Kapimon, but beated APIspy)

Regards

 

I think CH's 2-way concept (blacklist + behavior blocker) is absolutely splendid.

IF I correctly understand what Becky wrote, CH uses a black list but it is NOT blacklist-dependent because, if a nasty isn't picked up by the blacklist, it will STILL be subjected to behavioral analysis. It's a double-check, which is something I really really like. It gives malware yet one more hurdle to try & get past, in its ongoing efforts to penetrate my virginal computer's chastity belt. Shazam!

By the way, I have read that ...

+A signature is a record of nasty coding, obtained by analysis of nasty processes.

+A behavioral pattern is a record of nasty behavioral patterns & tendencies, obtained (at least in part) by analysis of nasty processes.

+In a way, therefore, behavior blockers & community-based solutions are ALSO working based at least partly on signatures, but those signatures describe behavioral patterns instead of coding patterns.

+Code signatures can be defeated (for a time) by such tactics as polymorphism. Ergo, code signatures require persistent updating.

+It is also a fact (I have heard) that proponents of nasty processes are persistently working to subvert detection by behavior blockers -- by finding new behaviors or by disguising behaviors, etc. (I feel fairly certain that many proponents of malware own & use a copy of CH -- as well as other security programs -- in order that they can do such things as reverse engineering CH, and repeatedly testing their malware against CH in an effort to penetrate its safeguards.)

+Behavior blockers don't usually need the same frequency or speed of updates as do code-signature-based programs. HOWEVER, even behavior blockers cannot remain stagnant. It's like a giant chess match between security programs & malware. That's what makes it so interesting. I, for one, am gratified that CH is making use of blacklists as well as behavior analysis.

 

Thanks for the nod on the blacklist, Bellgamin.

I would like to clarify the analysis Cyberhawk performs on malware when it provides its red "definitive" dialog. It seems that assumptions are made about "signature" usage in the product when these definitive prompts are presented to the user by Cyberhawk.
Hopefully, this post will clear up any questions about whether Cyberhawk is a practical implementation of a behavioral based security solution, or a signature based product.

Cyberhawk is a behavioral based product, and its behavioral monitoring and protection is complemented by a blacklist. When analyzing activity on a system, Cyberhawk first will identify a malicious behavior and then Cyberhawk will consult its blacklist. (The blacklist is a database of information about malware that Cyberhawk has already seen. It is consulted only after a malicious behavior on the system is identified.) If the malware running on the system is clearly a piece of malware that Cyberhawk already knows about, it won't prompt the user with an Allow/Deny decision. Instead, Cyberhawk immediately will prevent the malware behavior and kill the process, then let the user know aliases for the malware that was prevented from running on their system. We think it makes sense. The blacklist benefits users by helping to reduce the number of decisions they need to make, and makes for a better experience.

While signature based products often are vulnerable to code perverters, packers and crypters, Cyberhawk is not vulnerable to these common techniques because it is purely behavioral based. The blacklist does not create weaknesses in the product, it enhances the product and the user experience.


Thanks again,
Kurt

 

I like the addition of a blacklist personally.
As I said it was just a crude playing. I feel u are in abetter position to actually test CH and I will share my sample set of course9 these are bt teh way very commomc samples, nothing rare).
Also you have not commented about the system restore issue?

Thanks

 

Actually like most posts by vendors that try to clarify, I find I end up even more confused, perhaps because i don't know enough.

How would the database indentity that it is definitely this culprit? It would be based on some characteristic of the file no?

It seems to me that using packers, malware can evade your blacklist, the prompt will still be displayed but not in red. correct?

 

Keep in mind that it the blacklist is a complement to the behavioral trigger. To answer your question directly, yes, Cyberhawk maintains some descriptions of malware in its blacklist.

The blacklist is an enhancement to the product -- it is a complement to the behavioral monitoring and prevention. Whether or not something is in the blacklist does not change the behavioral monitoring and malicious behavior identification and prevention.

Simply put, Cyberhawk's behavioral analysis is enhanced by a blacklist:
1. If a behavior is malicious, Cyberhawk stops the action and prompts the user to deny the action.
2. If this malware has been seen before by Cyberhawk, the blacklist enhancement may provide aliases for that malware and a definitive red dialog.

Hope that helps clear it up, Devil's Advocate.


Kurt

 

Sorry, I didn't directly answer your question -- yes, the "Deny" prompt along with a risk rating still will be displayed if the malware performing a malicious action is not in the current blacklist.

 

Just to clarify, we hope we addressed the issue with System Restore in our v. 1.2.0.37 release. If you have that version installed and are still having trouble, then please contact our technicians at http://www.novatix.com/support.

Again, the issue with System Restore is that Cyberhawk was interfering with access to the System Restore interface. However, even if you are seeing this behavior, you can simply temporarily disable Cyberhawk to access System Restore. System Restore is still fully functional when you access it.

Becky Dubrow

 

I also made a few tests against CyberHawk:

Elite Keylogger 3.0 - pass
Keylogger Lite 1.5 - pass
Martins Undetectable Keylogger - pass
Paq Keylogger 5.0 - fail
Perfect Keylogger 1.64 - pass
Spy-Keylogger 1.31 - pass
Trojan Simulator - pass
Hacker Defender - fail
Advanced Process Termination 4.0 - (Multi-Kill) The client process was killed on the kill 5º, and on service process the APT was stopped on the kill 5º... When I disabled the kill 5º, CH was killed on kill 8º.

About the Martins Undetectable Keylogger, CH takes to long to detect it...
Should CH block this type of threat before execute?

For keyloggers, CH could also have a better descriptions saying that the program are listen the keyboard...