Crystal Security - Discussion

[kupo]

Bug report:
Clicking Apply two times in checking the start up will make Kristal Advance Detector to have to instances.
Typo:
Tool tip shows "Kristal Security Advamce Detector".
Question: How can I restore denied application to be able to use the exe again?
Question2: Will Kristal Advance Detector prevent changes in the program files folder even if it has only standard user rights. (The way I'm using it know"
Question3: What does the set file group options for?

[kardokristal]

Quote:

Originally Posted by skudo12

Bug report:
Clicking Apply two times in checking the start up will make Kristal Advance Detector to have to instances.
Typo:
Tool tip shows "Kristal Security Advamce Detector".
Question: How can I restore denied application to be able to use the exe again?
Question2: Will Kristal Advance Detector prevent changes in the program files folder even if it has only standard user rights. (The way I'm using it know"
Question3: What does the set file group options for?

Hi skudo12,

Thank you for your report

I will fix this today.

1) To restore just add your file to whitelist. You can add directly to activity monitor by just clicking "+" button or under Blacklist/Whitelist.

2) I will try this today and i will report results

3) You can blacklist/whitelist your files with this option.

Some news about classification engines: Coming up to 6 engines.
If i will get answer from Emsisoft and ThreatExpert then up to 8 engines.

Best regards,
Kardo Kristal

[kupo]

Quote:

Originally Posted by kristalsecurity

...
1) To restore just add your file to whitelist. You can add directly to activity monitor by just clicking "+" button or under Blacklist/Whitelist...

Got a message that I don't have enough permissions, does that mean that I need admin rights when restoring a denied file?
Crash report: Sandboxie + Eraser 6, set eraser 6 as sandboxie default delete command. Download an exe, click close in the prompt, then close the sandboxed browser and let sandboxie delete. Kristal Advance Detector will then crash. Does not happen if RMDIR is used.

EDIT: Tested again, crash happens if I delete an exe with eraser 6.

[kardokristal]

Quote:

Originally Posted by skudo12

Got a message that I don't have enough permissions, does that mean that I need admin rights when restoring a denied file?
Crash report: Sandboxie + Eraser 6, set eraser 6 as sandboxie default delete command. Download an exe, click close in the prompt, then close the sandboxed browser and let sandboxie delete. Kristal Advance Detector will then crash. Does not happen if RMDIR is used.

EDIT: Tested again, crash happens if I delete an exe with eraser 6.

Hi skudo12,

Try to test this way:

First add file to Blacklist. Then try to execute it. If execution is denied then continue: Search blacklisted file name from Activity monitor list, click on the object name and set "Set file group" to Whitelist. If all is working then no errors and file should execute.

EDIT: I will try to fix crashes you mentioned with sandboxie and eraser 6.

Best regards,
Kardo Kristal

[kupo]

Bug report: Blocked file(deleted) from a prompt is not added to the activity error or is it suppose to work not to be recorded in the activity monitor.
Feature Request: A button to clear logs from activity monitor.
Question: When will the file classification be functional? What I'm getting is "analysing..".

[m00nbl00d]

Kardo, the .Net Framework error I was getting was due to lack of network permissions. Once I have given it such permission, the error doesn't occur any longer.

I encountered a localization bug in the tray bar icon. It says Kristal Security Advamce Detector. It should be Advance.

-edit-

In the main GUI, where it says: Advance Detector Level: HIGH and then Set Low, what would think of modifying it to be like: Protection Level: High or HIGH, then some space, and then instead of Set Low, maybe have (Set to: Low)

Protection Level: High (Set to: Low) (There would always be more emphasis in the one that is not set, perhaps?)

This way Protection Level would be in harmony with Protection Status. For me, it makes sense this way. The eyes also "eat". Let's see what other users think of it.

Also, in the current version GUI, where it says Advance Detector Level: HIGH, we see it hyper-linked... I clicked on it, but nothing happens. Is there a reason why it's hyper-linked? Clicking Set Low does change the level to Low...

-edit-

Where it says KSOnline: Connected, I think it would be more understandable what it means, to the user, if it had something like Connection Status: On/Off... or Database Connection: On/Off... something like that? (The latter option would make more sense, I think.)

[m00nbl00d]

-edit-

I clicked the green + in the main GUI, and I added a file... How does one remove files? I right-click, but no context menu appears; pressing Del also does nothing.

By the way, what do you think of allowing the user to open the Activity Monitor in a separate, bigger window as well? Maybe a small window icon by the side of Activity Monitor, so that when the user clicks on it, a bigger window appears, just with the Activity Monitor. The current GUI is a bit small... that's all.

[kupo]

Maybe you could also add about detection of other executable type of files, like .com, etc.

[kardokristal]

Hi all,

There is coming big update for Kristal Advance Detector and is soon available.

First big improvement is design. Yes, now with modern GUI and simple navigation:

Screenshot of Coming beta version: http://i.imgur.com/SS2HX.png

New features:

* A button to clear logs from activity monitor
* KSOnline Engine 1 - Nictatech database
* KSOnline Engine 2 - Malc0de database
* KSOnline Engine 3 - Minotaurus analysis (based on Clean-MX)
* Re-Analyse files option (button)

Fixed:

* Apply button (2 instances)

Changes:

* Improved design for better usage
* Advance detector level to Protection Level

Please let me know what you think of new design

Best regards,
Kardo Kristal

[kupo]

Looking forward in using it..

[m00nbl00d]

Quote:

Originally Posted by kristalsecurity

[...]
Please let me know what you think of new design

Best regards,
Kardo Kristal

I hope you won't feel hurt because of what I'll express, because... well, it's just my humble opinion.

Personally, I prefer the previous GUI. The previous GUI was making use of the operating system underlying UI (I apologize if this isn't the most technical term.). It blended with the O.S just fine. Granted that it was a tiny small, but nothing that couldn't be solved.

Knowing you before hand, and knowing what you're trying to achieve with this tool, I'd use it. But, if I encountered Kristal Advance Detector by chance and saw the new GUI, I wouldn't even download it. On the other hand, if I encountered with the previous GUI, then I would download it, because it blends with the O.S.

My honest opinion is that you shouldn't waste your time on this kind of GUIs, because you're just one guy. The time you waste doing it, it's time you won't be dedicating to the actual coding of your software.

If you had a design team, maybe you could offer alternate themes, for those people who fancy that kind of themes.

I know that a GUI shouldn't be the most important, and it isn't, which is why I'm saying you shouldn't waste your time trying to reivent the wheel. Take advantage of the O.S underlying UI.

My advise to you, as you probably already figured it out, is to focus on the coding (improvements, bug fixing and all that stuff). Leave the GUI as simple as possible - use the O.S underlying UI.

I personally like to have the feeling that I'm using a Windows native application. (Even if I know it isn't!) Then again, many like themes, many don't like them.

But, considering you're just one guy, maybe you should keep it simple. That's my honest opinion and the best I can give to you.

Please, don't throw me tomatoes.

[Tarnak]

Had another go at installing earlier today. After installing, .NET Framework v4.0, I got an exception error which I ignored...



After a reboot...all was OK!

[kardokristal]

Quote:

Originally Posted by m00nbl00d

I hope you won't feel hurt because of what I'll express, because... well, it's just my humble opinion.

Personally, I prefer the previous GUI. The previous GUI was making use of the operating system underlying UI (I apologize if this isn't the most technical term.). It blended with the O.S just fine. Granted that it was a tiny small, but nothing that couldn't be solved.

Knowing you before hand, and knowing what you're trying to achieve with this tool, I'd use it. But, if I encountered Kristal Advance Detector by chance and saw the new GUI, I wouldn't even download it. On the other hand, if I encountered with the previous GUI, then I would download it, because it blends with the O.S.

My honest opinion is that you shouldn't waste your time on this kind of GUIs, because you're just one guy. The time you waste doing it, it's time you won't be dedicating to the actual coding of your software.

If you had a design team, maybe you could offer alternate themes, for those people who fancy that kind of themes.

I know that a GUI shouldn't be the most important, and it isn't, which is why I'm saying you shouldn't waste your time trying to reivent the wheel. Take advantage of the O.S underlying UI.

My advise to you, as you probably already figured it out, is to focus on the coding (improvements, bug fixing and all that stuff). Leave the GUI as simple as possible - use the O.S underlying UI.

I personally like to have the feeling that I'm using a Windows native application. (Even if I know it isn't!) Then again, many like themes, many don't like them.

But, considering you're just one guy, maybe you should keep it simple. That's my honest opinion and the best I can give to you.

Please, don't throw me tomatoes.

Hi m00nbl00d,

Maybe you are right, because what i saw is that new GUI use a lot of
memory....about 19 megs. I´ll think i should use same design like in previous versions.

Important reason: memory usage.

Thank you about this opinion, this is very helpful and i don´t implement this new GUI. All 3 engines already working now in new BETA what is coming very soon, also is working Clear monitor and Main GUI is bigger for better usage.

Final Beta is thanks to your comment this:

1) Main GUI: http://i.imgur.com/wgsTq.png

2) Notification: http://i.imgur.com/vmQxx.png

Best regards,
Kardo Kristal

[m00nbl00d]

Quote:

Originally Posted by kristalsecurity

Hi m00nbl00d,

Maybe you are right, because what i saw is that new GUI use a lot of
memory....about 19 megs. I´ll think i should use same design like in previous versions.

Important reason: memory usage.

Ouch! 19MB. For many that's a small amount; for many others way too much, and most likely for people with low amounts of RAM.

Quote:

Thank you about this opinion, this is very helpful and i don´t implement this new GUI. All 3 engines already working now in new BETA what is coming very soon, also is working Clear monitor and Main GUI is bigger for better usage.

Final Beta is thanks to your comment this:

1) Main GUI: http://i.imgur.com/wgsTq.png

2) Notification: http://i.imgur.com/vmQxx.png

Best regards,
Kardo Kristal

I like the Notification window. I also like the Kristal Advance Detector UI. (When you got yourself a team of developers and who knows a dedicated design team, you could then waste some time on a new UI... who knows. But, for the time being, let it be... keep it simple.)

By the way, I see that Protection Level: HIGH (Set to Low) is hyperlinked. Is there a special reason why? What exactly happens if one presses it? Shouldn't the hyperlinked part be only Low/High, depending on the chosen protection level?


Thanks

[kardokristal]

Quote:

Originally Posted by m00nbl00d

Ouch! 19MB. For many that's a small amount; for many others way too much, and most likely for people with low amounts of RAM.



I like the Notification window. I also like the Kristal Advance Detector UI. (When you got yourself a team of developers and who knows a dedicated design team, you could then waste some time on a new UI... who knows. But, for the time being, let it be... keep it simple.)

By the way, I see that Protection Level: HIGH (Set to Low) is hyperlinked. Is there a special reason why? What exactly happens if one presses it? Shouldn't the hyperlinked part be only Low/High, depending on the chosen protection level?


Thanks

Hi,

Thank you.

When you click on hyperlinked protection level, then it will set protection level low (if already HIGH). Give some suggestions: hyperlinked only Set to low? or the whole line?

Regards,
Kardo Kristal

[m00nbl00d]

Quote:

Originally Posted by kristalsecurity

Hi,

Thank you.

When you click on hyperlinked protection level, then it will set protection level low (if already HIGH). Give some suggestions: hyperlinked only Set to low? or the whole line?

Regards,
Kardo Kristal

My opinion is that if you apply the hyperlink only to Low/High, then it will stand out, and there will be harmony.

I think that Protection Level: HIGH and Set to: Low should have some separation. That separation is done by the parenthesis. Then, there should also be a separation between Set to: and Low/High. That separation would be done by hyperlinking Low/High.

Anyway, you could wait and see what other users will say and get a better overview of what could be done with it. After all, my view is just my view... just one view.

Even if you don't get more feedback at the moment, about this aspect, and instead get some feedback at some point later, you can always work on it.

[kardokristal]

Quote:

Originally Posted by m00nbl00d

My opinion is that if you apply the hyperlink only to Low/High, then it will stand out, and there will be harmony.

I think that Protection Level: HIGH and Set to: Low should have some separation. That separation is done by the parenthesis. Then, there should also be a separation between Set to: and Low/High. That separation would be done by hyperlinking Low/High.

Anyway, you could wait and see what other users will say and get a better overview of what could be done with it. After all, my view is just my view... just one view.

Even if you don't get more feedback at the moment, about this aspect, and instead get some feedback at some point later, you can always work on it.

Hi,

Thank you

I have some very good news about memory usage.

New version will use 1 to 4 megs, but mostly 2 megs of ram.

Look yourself: http://i.imgur.com/GGo4X.png

Hope you like this memory improvement.

Best regards,
Kardo Kristal

[m00nbl00d]

Quote:

Originally Posted by kristalsecurity

Hi,

Thank you

I have some very good news about memory usage.

New version will use 1 to 4 megs, but mostly 2 megs of ram.

Look yourself: http://i.imgur.com/GGo4X.png

Hope you like this memory improvement.

Best regards,
Kardo Kristal

That's some nice improvement! Specially compared with the 19MB with the new GUI. I'm all in favor of code optimization and as less as possible used resources.

[kardokristal]

Hello everyone,

New version of Kristal Advance Detector Beta [2012 0.0.0.3] is now available for download.
This version include new features like 3 KSOnline engines for files classification,
enlargeable activity monitor, separate analyse for your custom chosen files etc.

For first i´d like to show you screenshots of new Beta version.

Screenshots:

1) Main GUI

http://i.imgur.com/Q2Axv.png

2) Enlargeable activity monitor

http://i.imgur.com/q9vMb.png

3) Notification

http://i.imgur.com/lrJVF.png

4) Separate file analyse notification (check custom files anytime by just adding custom file to activity monitor
then click on object name on Activity Monitor and finally click Analyse to check file by 3 different online databases)

http://i.imgur.com/fxBPF.png

Here you can see complete list of new features, improvements and fixes:

New features:

* 3 KSOnline Engines
* Clear Monitor availability
* Add or remove custom files from Activity Monitor
* Enlargeable activity monitor
* Check for updates availability

Improvements:

* significantly improved memory usage (about 1-5 megs of RAM) - Screenshot: http://i.imgur.com/MVg3g.png
* Bigger GUI for better usage

Fixed:

* Apply button (2 instances)

Download links for new beta version:

Installer: -http://dl.dropbox.com/u/47450407/Kristal%20Advance%20Detector%202012%20-%20Public/Kristal%20Advance%20Detector%20installer.exe-

Portable: -http://dl.dropbox.com/u/47450407/Kristal%20Advance%20Detector%202012%20-%20Public/Kristal%20Advance%20Detector%20BETA.zip-

I hope that you like and use this new beta version of Kristal Advance Detector and let me know how you like it

Best regards,
Kardo Kristal

[kupo]

Nice release , It's still very light and the nice changes.
BTW, I've found another bug, clicking analyze without adding any files will result to a crash.

[phalanaxus]

I got a question, what does safe/unknown mean? If the file is unknown to the engine how do you know it's safe?

[kardokristal]

Quote:

Originally Posted by phalanaxus

I got a question, what does safe/unknown mean? If the file is unknown to the engine how do you know it's safe?

Hi phalanaxus,

Thank you for your interest.

This actually mean that no malware detected.

Engine 2 and 3 include information about malware/malicious files.

Best regards,
Kardo Kristal

[kardokristal]

Quote:

Originally Posted by Tarnak

Had another go at installing earlier today. After installing, .NET Framework v4.0, I got an exception error which I ignored...

Attachment 231926

After a reboot...all was OK!

Attachment 231923

Attachment 231924

Attachment 231925

Hi Tarnak,

Thank you for your report

I figured out how to solve this bug.
This will be fixed in new version.

Best regards,
Kardo Kristal

[kardokristal]

Quote:

Originally Posted by skudo12

Nice release , It's still very light and the nice changes.
BTW, I've found another bug, clicking analyze without adding any files will result to a crash.

Hi skudo12,

Thank you for your report and kind words

This is known bug and will be fixed in version.

Also thank you for using Kristal Advance Detector.

Best regards,
Kardo Kristal

[phalanaxus]

Quote:

Originally Posted by kristalsecurity

Hi phalanaxus,

Thank you for your interest.

This actually mean that no malware detected.

Engine 2 and 3 include information about malware/malicious files.

Best regards,
Kardo Kristal

Let me rephrase my question then To me these are the possible situations for me.

Safe- You know the exact file and know it's safe
Unknown- You don't know of the file
Malware- You know the exact file and know it's harmful
Unknown/Likely malware - you don't have exact file, but by some other means like behavioral detection and heuristics you can say it looks like malware


Unkown/Likely Safe - you don't have exact file, but by some other means like behavioral detection and heuristics you can say it looks like goodware

However unknown/likely safe shouldn't have any place in any security program that relies on signature/hash databases only. Does your program use some kind of behavioral analysis/heuristics?