#1
Hi All,

My name is Eirik. I product manage endpoint security at Blue Ridge Networks. Blue Ridge has been delivering security solutions to the government and enterprise sectors for over a decade. We have made our anti-malware security software called EdgeGuard Solo (Beta) available as a free download. By distributing and supporting it as freeware, we hope your feedback will help us become a better anti-malware solution provider.

EdgeGuard Solo is intended to supplement existing signature-based security software. We designed it with two premises in mind. First, sophistication or complexity can be counterproductive to ordinary PC users. So, EdgeGuard Solo does not ask end-users 'what now' questions or provide them a lot of technical suspicious activity information. Second, any software will eventually be compromised. EdgeGuard Solo is meant to be the last line of defense. It prevents guarded applications and the executables they spawn from altering key resources in the PC. EdgeGuard Solo does not interfere with the internal workings of an application. So, while it prevents web browsers from being used to install rootkits, for example, web browser specific session attacks (XSS, session cookie stealing, etc.) are outside the scope of this tool.

Given the knowledge and experience of Wilders Security forum participants, I suspect we will identify one or more additional safeguarding features that we can add without complicating the user experience. Thus far EdgeGuard Solo evaluations within a VMware virtual machine have surfaced no problems. Other security software such as HIPS products may conflict with it. Please let us know of any such conflicts. The EdgeGuard Solo support page provides user instructions and lists known issues. Registration is optional and only used to notify users of free updates. EdgeGuard Solo is a beta product. There are many more features and enhancements to come. For example, we are working to have it provide better feedback to users.

I hope to harness your insights to improve it. I am looking forward to your feedback and questions. Thank you for your time,
Eirik

Eirik Iverson
Product Management, Endpoint Security
Blue Ridge Networks
#2
Hi
Sounds interesting, but I assume it is for 32bit only?
#3
Quote:
Correct
#4
Thanks for the info and link. What kind of security is EdgeGuard? HIPS, sandbox, ...?
Thanks in advance.
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#5
Eirik, I will gladly take a look, thanks.
No problem in a VM, I take it?
__________________
Who controls the past controls the future. Who controls the present controls the past. vmworld
#6
Quote:
Neither; it's difficult to categorize. As you get more familiar with it, I believe you'll see what I mean.
Last edited by Eirik : October 10th, 2008 at 02:58 PM.
#7
Hello Eirik,
EdgeGuard Solo sounds like it is an application sandbox. Am I correct in my assumption? If not, what is it? Thanks in advance.
Peace & Gratitude, CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro) DefenseWall HIPS(http://www.softsphere.com/) *Loyal & diehard DefenseWall user since 1/06!* ~Living dangerously without a resident antivirus since late 2/07!~
#8
Hello Eirik,
and welcome to the fora. Very interesting application. I gave it a quick run on a VM and I confess that I like it. I was wondering for some time now why none of the major security providers has made an easy hardening program for home users... Security admins and advanced users know how to do it using group policies, but the vast majority do not even know that they exist. It seems that EdgeGuard Solo is the answer and can be an excellent addition to SuRun.

Now to the point:
1. I think that you should add a feature to change the color of the systray icon or add a notification popup when it is disabled.
2. A feature to import/export rules would be nice. I would hate to manually add everything in the protection list to more than one PC.
3. What areas and which registry keys does it protect?
4. Could you add a feature to let the user manually add some folders to the protection? For example the folder where he stores his important documents, etc...
5. Is it going to remain freeware for home users after the beta stage?

thanks,
Panagiotis

edit: I forgot to mention another feature. It would be nice to add an entry to the Explorer context menu. Something like "run protected"...
Last edited by pandlouk : October 10th, 2008 at 02:59 PM.
#9
Quote:
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#10
Might take a look at it. I'm getting bored of my SBIE+Returnil protection.
+1 on pandlouk's questions...
__________________
I ♥ SandboxIE
#11
This is very simple, but I don't see any help file. I don't get any pop-ups,
nothing at all. No event log either.
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#12
Quote:
Thanks for your questions. EdgeGuard Solo prevents application write-access to system resources (system directories other than user directories, HKLM Registry hives and some user keys like Run and RunOnce), whereas sandboxing re-directs write calls to cloned resources.

EdgeGuard Solo assumes any application at a given time has unknown vulnerabilities that could pose high risks. EdgeGuard Solo creates a "shield" around an application selected in the Guard list (and the applications created by the Guarded application) so that if the application attempts to write to, say, system32 or HKLM\, EdgeGuard Solo blocks the write.

We would also caution, though, that it is not possible to replicate the functionality of EdgeGuard Solo by simply applying an ACL/DACL approach, which would get exceedingly complex quickly and interfere with normal application operations. We are eager to hear your perspectives and experiences.
#13
Hello Eirik, Hello everybody,

EdgeGuard Solo v1.02.0007, in Windows Task Manager:
BrnTokenGuardTrayApp.exe: Use Memory 2824 Kb; Page Errors 711; VM Memory 704 Kb; Handles 22; Threads 1.
EgaSecSvc.exe: Use Memory 3360 Kb; Page Errors 1673; VM Memory 2056 Kb; Handles 59; Threads 4.

Kx-Ray (v1.0.0.54 XP: http://forum.ytkpro.com/viewtopic.php?p=27369) shows in black (= rootkit behavior; bad, bad...):
SSDT: Module BrnFilelock.sys with API NtCreateKey, BrnFilelock.sys with API NtCreateSection, BrnFilelock.sys with API NtOpenKey;
Message Hooks: 2, from BrnTokenGuardTrayApp.exe;
Ring0 API Hook: process ntkrnlpa.exe with API IoWriteOperationCount and Hook Type: Relative JMP.

Yes, this behavior is not very clean... And: I would like on-demand software (= NOT real-time protection; thank you Pete!).

My EDIT October 14, 200 ... I remove EdgeGuard Solo ... Would you excuse me, Eirik? ... I clean with CCleaner and RegSeeker.
Last edited by PROROOTECT : October 14th, 2008 at 11:28 AM.
#14
Hello Eirik,
First, welcome to Wilders. I did some testing with the beta in a VM machine. I want to be sure I did the right thing in terms of usage, as my results were disappointing.

When I first installed it and tried adding IE, I also got the error mentioned above, so I tried again after uninstalling all my other security software in the VM machine. What I then did was install EdgeGuard. I assumed that if I added a piece of malware to the list it should not have been able to touch the system. I also assumed that if IE was protected, and I used File > Open in IE to fire up a piece of malware, the system should be protected.

I then tested with three different pieces of malware. The first two are protected by other software that drops the rights of the system, the third isn't. All three are prevented from damaging the system with Sandboxie. In none of the cases did EdgeGuard Solo protect the system. Did I do something wrong?

Pete
#15
I tried it with the Zemana test and it failed all the tests I performed.
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#16
Quote:
Thanks for the explanation.
Peace & Gratitude, CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro) DefenseWall HIPS(http://www.softsphere.com/) *Loyal & diehard DefenseWall user since 1/06!* ~Living dangerously without a resident antivirus since late 2/07!~
#17
Quote:
1) We'll integrate this feedback into our development efforts.
2) You can do this now, actually. If you wanted to deploy EdgeGuard Solo across many PCs with the same list of applications to guard, all you have to do is replace the EdgeGuardSoloAppList.txt file, located in the user's profile directory, %UserProfile%, with the one you prefer to be used.
3) HKCU Run and RunOnce. The entire HKLM is write-protected for the Guarded application. This includes Run and RunOnce. We are doing research to expand especially the HKCU area in a meaningful way. We do not wish to create exceptions specific to applications. We are watching for high-risk keys. We'd appreciate your input in this area.
4) Currently only the user's directories are open. All system directories are off limits to the Guarded application. If I understand correctly, you recommend adding a directory within the user's area that could also be off-limits. Thanks for this input. We will consider this for our product.
5) EdgeGuard Solo = freeware, before and after beta.
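As an added illustration (not code from Blue Ridge or from this thread), the following Python models the write policy Eirik describes in posts #12 and #17: a Guarded application and every process it spawns may write only inside the user's profile, while system directories, all of HKLM and the HKCU Run/RunOnce keys are blocked outright. The profile path, Guard list and process tree are constructed samples, and the model shows the intended behaviour rather than the known issue with applications residing in the user's directory that support mentions later in the thread.

```python
"""Model of the write policy described in this thread: a Guarded application,
and every process it spawns, may write only inside the user's profile, while
system directories, all of HKLM and the HKCU Run/RunOnce keys are blocked
outright.  Profile path, Guard list and process tree are constructed samples."""
import ntpath

USER_PROFILE = r"C:\Documents and Settings\alice"            # constructed
RUN_KEY = r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
GUARD_LIST = [r"C:\Program Files\Internet Explorer\iexplore.exe"]
# pid -> (image path, parent pid): a guarded browser launching a downloaded file
PROCS = {1: (r"C:\Windows\explorer.exe", 0),
         2: (GUARD_LIST[0], 1),
         3: (USER_PROFILE + r"\Desktop\setup.exe", 2)}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def is_guarded(pid, procs=PROCS, guard_list=GUARD_LIST):
    """Shielded if the image, or any ancestor's image, is on the Guard list."""
    guarded, seen = {_norm(g) for g in guard_list}, set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, parent = procs[pid]
        if _norm(image) in guarded:
            return True
        pid = parent
    return False

def file_write_allowed(path):
    """Only the user's own directories are open; '..' escapes are normalised."""
    target, root = _norm(path), _norm(USER_PROFILE)
    return target == root or target.startswith(root + "\\")

def registry_write_allowed(key):
    """All of HKLM is off limits; in HKCU only Run and RunOnce are."""
    hive, _, sub = key.replace("/", "\\").upper().partition("\\")
    if hive in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return False
    if hive in ("HKCU", "HKEY_CURRENT_USER"):
        for k in (RUN_KEY, RUN_KEY + "ONCE"):
            if sub == k or sub.startswith(k + "\\"):
                return False
    return True

def decide(pid, kind, target, procs=PROCS, guard_list=GUARD_LIST):
    """Return 'allow' or 'block' for a 'file' or 'registry' write by pid."""
    if not is_guarded(pid, procs, guard_list):
        return "allow"                       # only Guarded apps are shielded
    ok = file_write_allowed(target) if kind == "file" else registry_write_allowed(target)
    return "allow" if ok else "block"
```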
#18
I also terminated the EdgeGuard services using the Task Manager.
I also tried it against DriveSentry; it couldn't be terminated.
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#19
Quote:
I look forward to the answer from Eirik on this one.
#20
Quote:
We are adding alerts and history to the next release. We will add client-based help too, but this may be later. Meanwhile, our EdgeGuard Solo support web page may be of assistance.
Eirik
#21
Quote:
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#22
Quote:
We did not activate its self-protection in this release.
#23
Quote:
Quote:
P.S. The only program category that needs self-protection is the antivirus active engine, the drivers and the kernel. On everything else it is totally useless, but....
#24
Quote:
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#25
Quote:
Thanks Pete for the feedback. Currently, if the application resides in the user's directory, EdgeGuard Solo does not enable the protection for such an application. This is a known issue in this release and will be fixed. I am sorry if it was not mentioned before in the original postings. I wonder if this is the issue you have faced in your testing. If you could provide us the malware, we would love to replicate the issue you have reported.

Regards,
EdgeGuard Solo Support