#1
Aigle's wish for more informative warning messages triggered this post.

I have seen some good initiatives like NovaGuard, Primary Response Safe Connect, Buster's Sandbox Analyser, Online Armor, SpyShelter, ThreatFire, PrevX and HitmanPro, each with smart ideas to assess risk and impact, but I have never seen an application which made it simple for the security enthusiast to determine whether to allow or deny the actions of a 'new' program. If I may cherry-pick the goodies of some security applications, I would like to know:

a) whether the program is signed and/or from a trusted vendor (e.g. Online Armor), and what the origin of the program is, like Internet or USB (PrevX heuristics adjustments)

b) whether the program showed some intrusion characteristics (e.g. Buster's Sandbox Analyser, explained in the terms Primary Response Safe Connect used to have) like:
- collects data (keyboard, print screen etc.)
- connects to the internet
- changes process flow (debugging, dll-injection, process manipulation)
- messes with the Windows rights/policies/authority system
- changes system configuration (registry keys/loading a driver/starting a service/registering a dll)
- survives reboot (driver/service installation, autorun registry manipulation)

c) smart forensics (HMP, PrevX) explaining whether this sequence of events matched the typical behaviour of, say, a key-logger, trojan, rootkit, etc., and, like NovaGuard, whether these intrusions have accumulated a malware-risk score (before development stopped, NovaGuard had the option to add specific 'malware' points to the intrusion categories listed under b).

Is this so hard to realise (PrevX and TF already track file, registry and process changes), or is the potential market that small (only me)?

Regards, Kees
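As an added example (not code from this thread or from any of the products named in it), here is a constructed risk scorer that follows the three parts of the wish list above: malware points per intrusion category from b), origin and trust adjustments from a), and behaviour-profile matching from c). All weights, profiles, thresholds and sample programs are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# (b) intrusion categories with constructed "malware points" (NovaGuard-style, weights assumed)
CATEGORY_POINTS = {
    "collects_data": 3,         # keyboard hooks, screen capture
    "connects_internet": 1,
    "changes_process_flow": 4,  # debugging, DLL injection, process manipulation
    "alters_rights": 4,         # tampering with rights / policies / authority
    "changes_config": 2,        # registry keys, driver load, service start, DLL registration
    "survives_reboot": 3,       # autorun / service / driver persistence
}
# (c) constructed behaviour profiles: categories that together resemble a malware class
PROFILES = {
    "keylogger": {"collects_data", "connects_internet", "survives_reboot"},
    "trojan": {"connects_internet", "changes_process_flow", "changes_config", "survives_reboot"},
    "rootkit": {"changes_process_flow", "alters_rights", "changes_config", "survives_reboot"},
}
ORIGIN_POINTS = {"local": 0, "internet": 2, "usb": 2}  # (a) origin heuristics, assumed values

@dataclass
class Program:
    name: str
    signed: bool
    trusted_vendor: bool
    origin: str          # "local", "internet" or "usb"
    events: list         # observed category names, in order of occurrence

def risk_score(p: Program) -> int:
    """Accumulate points once per distinct category seen, then apply origin and trust adjustments."""
    score = sum(CATEGORY_POINTS[c] for c in set(p.events)) + ORIGIN_POINTS.get(p.origin, 2)
    if p.signed and p.trusted_vendor:
        score //= 2  # assumed discount for a program signed by an already trusted vendor
    return score

def matching_profiles(p: Program, min_overlap: float = 0.75) -> list:
    """Return profiles whose category set is largely covered by the observed behaviour."""
    seen = set(p.events)
    return sorted(name for name, cats in PROFILES.items()
                  if len(cats & seen) / len(cats) >= min_overlap)

def assess(p: Program) -> dict:
    """Produce the allow / ask / deny verdict the post asks for, together with the evidence."""
    score, matches = risk_score(p), matching_profiles(p)
    verdict = "deny" if matches or score >= 8 else "ask" if score >= 4 else "allow"
    return {"program": p.name, "score": score, "looks_like": matches, "verdict": verdict}

# constructed sample programs: a signed updater, an unsigned download, an unknown USB tool
UPDATER = Program("vendor_updater.exe", True, True, "internet", ["connects_internet", "changes_config"])
SCREENSAVER = Program("free_screensaver.exe", False, False, "internet",
                      ["collects_data", "connects_internet", "changes_config", "survives_reboot"])
USB_TOOL = Program("usb_tool.exe", False, False, "usb", ["changes_config"])

if __name__ == "__main__":
    for prog in (UPDATER, SCREENSAVER, USB_TOOL):
        print(assess(prog))
```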
#2
A. Sounds like a wish list for a behavioral monitor with intrusion interception.
B. I would buy it when the lifetime fee is < 30 Euro.
C. Probably too hard for too few potential customers.
#3
Quote:
#4
Quote:
.......

✓The first principle is that you must not fool yourself, and you are the easiest person to fool. ✓Science is the belief in the ignorance of experts. ✓I don't know anything, but I do know that everything is interesting if you go into it deeply enough. - Richard P. Feynman
#5
Quote:
I've also been looking for solutions that list high-level behavior of programs. What solutions do we currently have? I know of Buster's Sandbox Analyser.
#6
Testing in a VM seems, from my experience, to be by far the best way to check unknowns, including the trialing of legitimate software. MS should allow their license, no matter which O/S version, to be used not only on the host machine but also in a guest VM. Perhaps there should even be an option to install their VM during the installation of the O/S? Just a thought.

Quote:
You're probably right. Actually, on that note, most users would probably not even utilize a VM, if available, for checking unknowns.