#1
Hi,
Just curious to know: is any AS good at preventing malware from writing into memory, as opposed to preventing execution (AVG AS's guard and Boclean can protect against that)? I have Prevx 2 as my realtimer; does it cover this area? Thanks.
#2
Hi, folks:
Help me get these things onto the right track. Suppose a malware hiding in a downloaded program landed in w/ IE7: (1) with DeepFreeze's frozen mode, nothing will be left after reboot, so it is ok here. (2) with DF's thawed mode and DefenseWall on guard, anything d/l'd w/ IE7 will be contained in that untrusted area; upon reboot it will be gone. So it is ok here too. (3) if I decide to install that program, the malware in question will subsequently write into memory w/o my full knowledge. Here comes my question: is there any AS that can be there to stop it? Any suggestion is most welcome.
#3
There is no such thing as "write into memory", at least not in the way you described. Where'd you get that idea from?
#4
Hi, Solcroft:
I ran a test according to this: http://www.wilderssecurity.com/showthread.php?t=193085 The report then says I do not have an AS to prevent malware from writing into memory. Just wondering.
#5
|
||||
|
||||
|
There are a number of ways to "write into memory". Two of the most obvious are:
1. Open /device/physicalmemory and write to an arbitrary address.
2. Open a handle to a process and call VirtualWrite to modify the memory of an existing process.
Prevx1 and Prevx 2.0 prevent all write access to /device/physicalmemory as part of their self-protection, as this technique can be used to remove kernel hooks. Prevx 2.0 also prevents write access to its own processes; it monitors accesses to other processes (describing them as process hijack attempts) and blocks them when the process is determined to be malware.
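Here is an added example, not Prevx's code, that turns the two mechanisms in post #5 into a defender's classification rule over constructed events: every write open of \Device\PhysicalMemory is blocked, and a cross-process open that asks for memory-write rights is labelled a hijack attempt and blocked when the target is a protected product process or the source already carries a malware verdict. The verdict table, the protected image name and the sample events are all stand-ins constructed for the example.

```python
# Windows process access-mask bits that permit modifying another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Stand-in for the cloud verdict post #7 attributes to the "AI engine"; constructed.
VERDICTS = {r"C:\Users\alice\Downloads\setup.exe": "malware"}

# Processes the product shields as its own (hypothetical image name, not Prevx's).
PROTECTED_IMAGES = {r"C:\Program Files\ExampleAS\guard.exe"}


def classify(event, verdicts=VERDICTS, protected=PROTECTED_IMAGES):
    """Return (label, action) for one event dict, following the policy in post #5."""
    if event["op"] == "open_section" and event["target"].lower() == r"\device\physicalmemory":
        # A write to physical memory can strip kernel hooks, so it is always blocked.
        if event["access"] == "write":
            return "physical-memory write", "block"
        return "physical-memory read", "allow"
    if event["op"] == "open_process":
        if event["access"] & WRITE_RIGHTS == 0:
            return "process query", "allow"           # no memory-modifying rights asked for
        if event["target_image"] in protected:
            return "process hijack attempt", "block"  # self-protection: own processes never writable
        if verdicts.get(event["image"]) == "malware":
            return "process hijack attempt", "block"  # source already judged malicious
        return "process hijack attempt", "monitor"    # logged; allowed until a verdict says otherwise
    return "other", "allow"


# Constructed sample events, not captured logs.
SAMPLE_EVENTS = [
    {"op": "open_process", "image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\explorer.exe", "access": 0x1000},  # PROCESS_QUERY_LIMITED_INFORMATION
    {"op": "open_process", "image": r"C:\Users\alice\Downloads\setup.exe",
     "target_image": r"C:\Windows\explorer.exe", "access": WRITE_RIGHTS},
    {"op": "open_process", "image": r"C:\Users\alice\Downloads\setup.exe",
     "target_image": r"C:\Program Files\ExampleAS\guard.exe", "access": WRITE_RIGHTS},
    {"op": "open_section", "image": r"C:\Users\alice\Downloads\setup.exe",
     "target": r"\Device\PhysicalMemory", "access": "write"},
    {"op": "open_process", "image": r"C:\Windows\System32\dbgtool.exe",
     "target_image": r"C:\Windows\explorer.exe", "access": WRITE_RIGHTS},
]


def run(events=SAMPLE_EVENTS):
    """Classify every sample event; returns the list of (label, action) pairs."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for e, (label, action) in zip(SAMPLE_EVENTS, run()):
        print(f"{action:8s} {label:24s} {e['image']}")
```

The last sample event shows the "monitor" outcome the post describes: a cross-process write by a process with no verdict yet is recorded as a hijack attempt but not blocked.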
#6
Since you're here, I thought I might as well take the opportunity to ask: how does Prevx determine when a process is malware? Assuming a process requests access to physical memory, as you describe, what other checks does Prevx perform in order to recognize the process as malicious, if any?
#7
|
||||
|
||||
|
Quote:
There is no simple answer to that, I'm afraid. It's all decided by the AI engine sitting in the Prevx 2.0 CWC. It depends on a lot of factors like speed of propagation, source of the original file, what created it, where, when, its identification signatures, sandboxing analysis etc. There is a whole raft of possibilities; the fact that the process may attempt to write to physical memory is only one of them. It may also depend on the behaviour of the file across multiple PCs, varied behaviour of geographic regions or temporal relationships.
#8
Thanks for the reply.