Wilders Security Forums  

#1  aigle  July 5th, 2008, 04:57 PM
Some unique HIPS features

NeoavaGuard HIPS has some unique features compared to other classical HIPS. I tried three malware samples.

1- Aliz worm
2- Sober worm

Both these worms spread themselves by sending copies of themselves by e-mail. They get the e-mail addresses from the Windows address book, and the Sober worm also scans many files (like text files) on the PC to find e-mail addresses.

3- GPcode trojan: a malware that encrypts many files on the infected PC (like text files), causing data loss.

NG gave pop-ups for all these actions, though it was not fully successful in stopping the damage (e.g. it did not stop the encryption of text files by the malware), but it's interesting to see such functionality. I have not seen such filters in any other HIPS (at least to the best of my knowledge). Am I right?

I have made a thread on the Comodo forums to add such filters in CFP. What are your thoughts?

Thanks

[Attached screenshots: adress book.jpg, read text files.jpg, read text files2.jpg, adress book 2.jpg]
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?

#2  aigle  July 5th, 2008, 04:58 PM

Some more screenshots here!

[Attached screenshots: encrypt1.jpg, encrypt2.jpg, encrypt 3.jpg, NG filters.jpg, ng filters 2.jpg]
#3  ErikAlbert  July 5th, 2008, 05:21 PM

No other thoughts than that NeoavaGuard didn't do a very good job and that these three threats are executables, which are easy to kill with better security software. Thanks for the tests, but NeoavaGuard was never on my list, BUT I need a Script Blocker with artificial intelligence.
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.

#4  aigle  July 5th, 2008, 05:23 PM

I knew that already, Erik!

This thread is for people with a taste different from yours. We don't want to kill them, that's so easy. We want to remove their venom.

But thanks for the comments.
#5  bellgamin  July 5th, 2008, 05:27 PM

It just goes to show what a real tragedy it was when the developer of NG ceased maintaining it. In my opinion, he should resume working on it --- the *competition* is getting thinner every day, in both the number & the competency of classical HIPS.

I think that a re-vitalized NG would quickly become a big winner -- and a major prospect for buy-out by one of the AV outfits.
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
#6  ErikAlbert  July 5th, 2008, 05:30 PM

Quote:
Originally Posted by aigle
I knew that already, Erik!

This thread is for people with a taste different from yours. We don't want to kill them, that's so easy. We want to remove their venom.

But thanks for the comments.
Do you admire the bad guys so much that you investigate their droppings?
#7  zopzop  July 5th, 2008, 05:35 PM

aigle, have you tested how effective the partition protection of Neoava Guard is? Ever hear of "bypassdisk.exe"? I wonder if Neoava Guard or any other HIPS would catch the program before it attempted to destroy the disk (if it was allowed to execute, of course).
__________________
Current Security Apps -
Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand)

LUA+SRP+KAFU = WIN!!!111
#8  EASTER  July 5th, 2008, 05:36 PM

Quote:
Originally Posted by bellgamin
It just goes to show what a real tragedy it was when the developer of NG ceased maintaining it. In my opinion, he should resume working on it --- the *competition* is getting thinner every day, in both the number & the competency of classical HIPS.

A re-vitalized NG would quickly become a big winner, I think.

I wholeheartedly agree. It completely escapes me why on earth these makers don't just continue to build on apps (HIPS) like these and make them even better than before. This is, I hope, a temporary trend and not something we're going to be seeing happen on a regular basis.

I admit I haven't even got around to trying this one, but it's no less still useful, and anyone could easily overtake the field at some point in time.

And bellgamin, you're very sadly right; it's indeed a tragedy when very promising security applications cease to proceed without warning, and it gives serious rise to concerns. We need MORE innovations of this nature, no matter how useful sandboxes & virtual systems, AS/AVs etc. are in keeping our PCs protected.

Allow me to compliment also on the screenshots; thanks a ton for taking the time to show them.

Regards, EASTER
__________________
★AX 64 Time Machine★
★Shadow Defender★| EQSecure v4.0 |#Sandboxie 4.08 beta# |FirstDefense-ISR|★FileChangeAlarm★ |Registry Backup VSS|
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1

Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot
Linux Mint 14 MATE
#9  aigle  July 5th, 2008, 05:38 PM

Quote:
Originally Posted by ErikAlbert
Do you admire the bad guys so much, that you investigate their droppings ?
They can't dare that on my system. That's why no reboot to restore.
#10  BlueZannetti (Administrator)  July 5th, 2008, 05:40 PM

Quote:
Originally Posted by EASTER
It completely escapes me why on earth these makers don't just continue to build on apps (HIPS) like these and make them even better then before.
EASTER,

I don't want to sound flip, but I believe it has something to do with rent/food/living expenses. The market is saturated with offerings, which severely dilutes their economic potential.

Blue
#11  aigle  July 5th, 2008, 05:42 PM

Quote:
Originally Posted by zopzop
aigle, have you tested how effective the partition protection of Neoava Guard is? Ever hear of "bypassdisk.exe"? I wonder if Neoava Guard or any other HIPS would catch the program before it attempted to destroy the disk (if it was allowed to execute, of course).
Unfortunately I have no VM and no spare test PC.

As far as I know, somebody in the past tested NG against KillDisk and NG was able to protect against it. That's partition table protection.

However, I can't say about bypassdisk. Can you PM me the sample, by the way, if you have it? Any more tests with this utility/POC?

Thanks
#12  EASTER  July 5th, 2008, 06:00 PM

Quote:
Originally Posted by BlueZannetti
EASTER,

I don't want to sound flip, but I believe it has something to do with rent/food/living expenses. The market is saturated with offerings, which severely dilutes their economic potential.

Blue

Unfortunately, but then they also reserve the option of selling the source or sitting on it, which these days can gather rust very fast.

So in retrospect, the end user or potential customer must take a seat and wait for either something similar or entirely new.
#13  Nizarawi  July 6th, 2008, 06:17 AM

Link for trying Neoava Guard:

www.neoava.com -----> closed
#14  LoneWolf  July 6th, 2008, 06:35 AM

Quote:
Originally Posted by Nizarawi
Link for trying Neoava Guard:

www.neoava.com -----> closed

It can be downloaded from here:
http://www.smokey-services.eu/forum/index.php
Just be aware it is not currently being developed, there is no support for it, and it is beta.

#15  Rmus  July 6th, 2008, 06:52 AM

Quote:
Originally Posted by ErikAlbert
BUT I need a Script Blocker with artificial intelligence.
Hello, Erik,

Are you referring to web-embedded Browser scripts, or attacks that use script files (vbs, etc)?
#16  hammerman  July 6th, 2008, 07:10 AM

Quote:
Originally Posted by aigle
NeoavaGuard HIPS has some unique features compared to other classical HIPS. I tried three malware samples.

1- Aliz worm
2- Sober worm

Both these worms spread themselves by sending copies of themselves by e-mail. They get the e-mail addresses from the Windows address book, and the Sober worm also scans many files (like text files) on the PC to find e-mail addresses.

I have configured EQS to prevent all access to the Windows Address Book and e-mail files. Only OE is permitted access to these. A simple check box in EQS, similar to NeoavaGuard, enables or disables this feature. Scanning of text files for e-mail addresses is something I didn't consider, though.
__________________
Online-Armor | Defensewall | EQSecure 3.41 | AntiVir | Returnil |Sandboxie | A-squared Anti-Malware
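A small simulation of the two kinds of filter discussed in this thread, added here as an example and not code from NeoavaGuard, EQSecure or any poster: hammerman's rule that only the mail client may open the address book and mail files, and the behaviour aigle's screenshots show NG flagging (one process reading many text files, or rewriting many of them). Process names, paths and the event log are constructed, and treating msimn.exe (Outlook Express) as the single permitted reader is an assumption.

```python
# Toy HIPS-style behaviour filters (added example, constructed data): rule 1 lets only the mail
# client touch the address book / mail store; rules 2 and 3 flag one process reading or rewriting
# many text files inside a short window (address harvesting / encryption).
from collections import defaultdict, deque, namedtuple

# Assumed file classes by extension; msimn.exe (Outlook Express) is the one permitted reader.
PROTECTED = {"address_book": (".wab",), "mail_store": (".dbx", ".pst")}
MAIL_CLIENTS = {"msimn.exe"}
TEXT_EXTS = (".txt", ".htm", ".html", ".eml")
Event = namedtuple("Event", "t proc op path")   # t: seconds, op: "read" or "write"

def classify(path):
    """Map a path to a protected class, "text", or None for files the filters ignore."""
    low = path.lower()
    for cls, exts in PROTECTED.items():
        if low.endswith(exts):
            return cls
    return "text" if low.endswith(TEXT_EXTS) else None

def evaluate(events, window=5.0, threshold=3):
    """Return (proc, rule) alerts in detection order, at most one per process and rule."""
    alerts = {}                   # insertion-ordered set of (proc, rule) -> first time seen
    recent = defaultdict(deque)   # (proc, op) -> (t, path) pairs inside the sliding window
    for ev in sorted(events, key=lambda e: e.t):
        cls = classify(ev.path)
        if cls is None:
            continue
        if cls in PROTECTED:          # rule 1: decided by who asks, not by what they do
            if ev.proc.lower() not in MAIL_CLIENTS:
                alerts.setdefault((ev.proc, cls + "_access"), ev.t)
            continue
        q = recent[(ev.proc, ev.op)]  # rules 2/3: count distinct text files per window
        q.append((ev.t, ev.path))
        while ev.t - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            rule = "text_harvest" if ev.op == "read" else "mass_rewrite"
            alerts.setdefault((ev.proc, rule), ev.t)
    return list(alerts)

# Constructed event log: a legitimate mail client, a mail worm, an editor, a file encryptor.
SAMPLE = [
    Event(0.0, "msimn.exe", "read", r"C:\Docs\user.wab"),
    Event(0.5, "worm.exe", "read", r"C:\Docs\user.wab"),
    Event(1.0, "worm.exe", "read", r"C:\Docs\a.txt"),
    Event(1.2, "worm.exe", "read", r"C:\Docs\b.htm"),
    Event(1.4, "worm.exe", "read", r"C:\Docs\c.txt"),
    Event(2.0, "notepad.exe", "read", r"C:\Docs\a.txt"),
    Event(3.0, "cryptor.exe", "write", r"C:\Docs\a.txt"),
    Event(3.1, "cryptor.exe", "write", r"C:\Docs\b.htm"),
    Event(3.2, "cryptor.exe", "write", r"C:\Docs\c.txt"),
    Event(30.0, "notepad.exe", "read", r"C:\Docs\b.htm"),   # human-paced reads: no alert
]
```

Running `evaluate(SAMPLE)` yields one alert for the worm touching the address book, one for its burst of text-file reads, and one for the encryptor's burst of rewrites, while the mail client and the editor stay silent.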
#17  HURST  July 6th, 2008, 10:42 AM

Quote:
Just be aware it is not currently being developed, there is no support for it, and it is beta.

Last year I wanted to try NG and I only got BSODs as soon as I started my computer.
It's a shame they don't develop it anymore; it seems it would have been a great HIPS.
__________________
I SandboxIE
#18  aigle  July 6th, 2008, 10:57 AM

Quote:
Originally Posted by hammerman
I have configured EQS to prevent all access to the Windows Address Book and e-mail files. Only OE is permitted access to these. A simple check box in EQS, similar to NeoavaGuard, enables or disables this feature. Scanning of text files for e-mail addresses is something I didn't consider, though.
Any screenshots?

Thanks
#19  aigle  July 6th, 2008, 10:57 AM

Quote:
Originally Posted by HURST
Last year I wanted to try NG and I only got BSODs as soon as I started my computer.
It's a shame they don't develop it anymore; it seems it would have been a great HIPS.
It does give occasional BSODs, I know.
#20  hammerman  July 6th, 2008, 11:45 AM

Quote:
Originally Posted by aigle
Any screenshots?

Thanks

Shots of the e-mail file protection rules and the pop-up when anything tries to access these files.
[Attached screenshot: Rules.JPG]
#21  ErikAlbert  July 6th, 2008, 12:55 PM

Quote:
Originally Posted by Rmus
Hello, Erik,

Are you referring to web-embedded Browser scripts, or attacks that use script files (vbs, etc)?
How they get to my system isn't really important to me; I just don't want them to run on my system, except the scripts that were installed from the beginning, of course. I don't want to cripple my system either.
Removing these scripts is not a problem; stopping them from running is a problem.
I need something like AE, but for scripts. Authorized scripts are allowed to run; any other script is killed immediately.
#22  bellgamin  July 6th, 2008, 02:18 PM

Quote:
Originally Posted by ErikAlbert
I need something like AE, but for scripts.
HIPS mainly look at categories of actions/behaviors, without any significant consideration of the TYPES of apps that undertake such actions/behaviors. Such being the case, a HIPS will tend to alert to any suspect actions by ANY app (including but not limited to scripts, exe's, etc).

Accordingly, I do hope this thread stays primarily on its topic of discussing generic/unique HIPS capabilities instead of getting diverted to yet another discussion of "let's all find what Erik wants."
#23  ErikAlbert  July 6th, 2008, 02:47 PM

Quote:
Originally Posted by bellgamin
Accordingly, I do hope this thread stays primarily on its topic of discussing generic/unique HIPS capabilities instead of getting diverted to yet another discussion of "let's all find what Erik wants."
Just answering members' questions, or do I have to become impolite too? NG is abandonware, why discuss it?
#24  Rmus  July 6th, 2008, 02:53 PM

Quote:
Originally Posted by ErikAlbert
How they get to my system isn't really important to me, I just don't want them to run on my system, except the scripts that were installed from the beginning of course,
But there is a big difference between the two types, and you prevent them in different ways.

Quote:
I need something like AE, but for scripts. Authorized scripts are allowed to run, any other script is killed immediately.
Since scripts are a different topic than that of this thread, go here and see my comments about AE and scripts, Post #84, and post your discussion there:

http://www.wilderssecurity.com/showt...=210179&page=4

--
#25  bellgamin  July 6th, 2008, 03:18 PM

Quote:
Originally Posted by ErikAlbert
NG is abandonware, why discussing it ?
The topic was started by aigle, who asked certain questions based on NG capabilities. It is his topic and he based it on NG.

If you want to endlessly discuss "what Erik wants", I suggest you start your own thread and stop hijacking others.