Wilders Security Forums  

  #1  
June 28th, 2012, 04:45 PM
sg09
Very Frequent Poster
Join Date: Jul 2009
Location: Kolkata, India
Posts: 2,386
Crystal Anti-Exploit Protection 2012 Beta

Quote:
CrystalAEP operates by running within every instance of a protected program (for example the web browser), performing checks at key points within the program's life-time in an attempt to ensure that it is not under attack. Crystal also alters the behaviour of protected programs to render them more difficult targets for malicious software seeking to be installed on a user's system - if the vulnerable program malware is targeting is in an unknown and constantly changing state many traditional methods for exploiting flaws within the software are made significantly more difficult.

The software is designed first and foremost to protect against so called "drive-by download" exploits, in which an unsuspecting user visits a website which attempts to trigger a software vulnerability within an application the user has legitimately installed to force the silent installation of malicious software. While CrystalAEP is effective in blocking attacks which originate without user interaction, Crystal is not able to prevent users from being tricked into consciously downloading and installing malicious software and therefore is best used in tandem with an anti-virus program by less experienced computer users.

http://www.crystalaep.com/about.html

The software indeed seems interesting.
__________________
Windows 7 Professional 64bit: Webroot Secure Anywhere, Zemana AL, KPD, Kingsoft AV
Windows 7 Home Premium 32bit
: AVG Internet Security, MCShield

My Blog
  #2  
June 28th, 2012, 07:15 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,860
Re: Crystal Anti-Exploit Protection 2012 Beta

Another new App. Good find sg09

If it didn't require .NET I would have tried it. Hopefully some of you will & let us know how it fares.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #3  
June 28th, 2012, 07:23 PM
jmonge
Incredibly Massive Poster
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,779
Re: Crystal Anti-Exploit Protection 2012 Beta

I want to try it
__________________
IKARUS anti.virus 2.2.14
  #4  
June 28th, 2012, 07:31 PM
Dark Shadow
Massive Poster
Join Date: Oct 2007
Location: USA
Posts: 4,550
Re: Crystal Anti-Exploit Protection 2012 Beta

I gather this is like EMET
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
  #5  
June 29th, 2012, 03:59 AM
ichito
Frequent Poster
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 849
Re: Crystal Anti-Exploit Protection 2012 Beta

Hmmm...looks like something similar to EMET with "white list filtering" feature. But I'm surprised how similar the logo of Crystal is to the logo of Kristal by Kardo Kristal in our forum...maybe it is only fortuity?
Below some screenshots
main window (screenshot: 120629095024_9.jpg)
alert window (screenshot: 120629094923_8.jpg)
basic options (screenshot: 120629094039_3.jpg)
advanced options (screenshot: Panorama.jpg)
I don't know how to enable "Enabled Features" in the main screen...
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
  #6  
June 29th, 2012, 07:35 AM
kupo
Frequent Poster
Join Date: Jan 2011
Posts: 925
Re: Crystal Anti-Exploit Protection 2012 Beta

Interesting indeed. Maybe I will try it once it's out of beta. Would it work with EMET or do I need to uninstall EMET first?
__________________
Do not feed the trolls!
  #7  
June 29th, 2012, 10:04 AM
sg09
Very Frequent Poster
Join Date: Jul 2009
Location: Kolkata, India
Posts: 2,386
Re: Crystal Anti-Exploit Protection 2012 Beta

It offers a good help documentation PDF file. I wonder if it's unethical to upload it for those who haven't tried it yet. That help PDF explains each module in quite some detail.
Quote:
Originally Posted by ichito
But I'm surprised how similar the logo of Crystal is to the logo of Kristal by Kardo Kristal in our forum...maybe it is only fortuity?
This type of logo is quite common these days.
http://i.imgur.com/a6dVX.jpg
Guess whose logo is this!!
__________________
Windows 7 Professional 64bit: Webroot Secure Anywhere, Zemana AL, KPD, Kingsoft AV
Windows 7 Home Premium 32bit
: AVG Internet Security, MCShield

My Blog
  #8  
June 30th, 2012, 05:30 PM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Crystal Anti-Exploit Protection 2012 Beta

From the looks of the advanced options windows:

1. EMET/Buffer Overflow guard like functionality
2. Monitors (allow/block) process creation (same process name spawning is often legitimate but is also used to hijack process credentials)
3. Blocks code execution from obvious drive-by drop zones (temp, download, netshare, etc.)
4. Whitelist/blacklist function for protected programs to allow execution of specified DLLs (e.g. only allow your browser to run flash and pdf)
5. Active-X and Content filtering for IE. Content filtering involves data formats which could have code in it like images and streaming media. The author has planned some more options (but I think he might be a bit over-ambitious in his goals).

All in all really interesting application

@Ichito what is the cpu usage?

Thx

Last edited by Kees1958 : July 1st, 2012 at 07:43 AM.
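
A minimal model of items 3 and 4 in the list above, added here as an illustration; it is not Crystal's code and says nothing about how Crystal implements these checks. The drop-zone directories, program name, plug-in paths and the rule that modules under System32 are always allowed are assumptions made for the example.

```python
import ntpath  # Windows path rules, usable on any platform

# Constructed sample policy: every path and program name below is illustrative.
DROP_ZONES = [
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Users\alice\Downloads",
    r"C:\Windows\Temp",
]
SYSTEM_DIR = r"C:\Windows\System32"  # assumption: system modules always load
# Per-program allow-list of add-on modules, keyed by executable name.
MODULE_ALLOWLIST = {
    "iexplore.exe": {
        r"C:\Program Files\MediaPlugin\player.ocx",
        r"C:\Program Files\PdfPlugin\viewer.dll",
    },
}


def canon(path):
    """Collapse '..' segments, unify separators and fold case so that
    differently spelled versions of one path compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, directory):
    p, d = canon(path), canon(directory)
    # Require a separator after the directory so "Downloads2" is not "Downloads".
    return p == d or p.startswith(d + "\\")


def is_network_path(path):
    drive, _ = ntpath.splitdrive(canon(path))
    return drive.startswith("\\\\")  # UNC share: \\server\share


def decide(program, module_path):
    """Return (verdict, reason) for a protected program loading a module."""
    if is_network_path(module_path):
        return ("block", "network share")
    if any(is_under(module_path, zone) for zone in DROP_ZONES):
        return ("block", "drop zone")
    allowed = MODULE_ALLOWLIST.get(program.lower())
    if allowed is None:
        return ("allow", "no allow-list for program")
    # Full-path match: a same-named file in another directory does not pass.
    if canon(module_path) in {canon(a) for a in allowed}:
        return ("allow", "on allow-list")
    if is_under(module_path, SYSTEM_DIR):
        return ("allow", "system module")
    return ("block", "not on allow-list")
```

The location checks run before the allow-list, so a module sitting in a drop zone is refused even if its file name matches an allowed plug-in.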
  #9  
July 1st, 2012, 08:00 AM
ichito
Frequent Poster
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 849
Re: Crystal Anti-Exploit Protection 2012 Beta

Quote:
Originally Posted by Kees1958
@Ichito what is the cpu usage?
Thanks Kees for your mention...below there are screenshots with resource usage
[screenshot: 120701130759_1.jpg]
The same processes are added to autostart (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
I think the info from the PDF Guide can be important:
Quote:
Which operating systems and products does Crystal support?
Crystal is designed to support Windows XP, Vista and 7, both 32-bit and 64-bit versions. Crystal AEP does not protect 64-bit applications and will, on 64-bit Windows, protect only 32-bit processes.

(...)
Which web browsers does Crystal provide content filtering protection to?
Crystal only provides content filtering protection to Internet Explorer 6 – 9 (IE9 is the latest version at the time of writing). Crystal provides anti-exploit protection to all web browsers, however the content filtering protection method can only be applied to Internet Explorer at present.

If you do not use Internet Explorer it is still worthwhile using Crystal as content filtering is at present a secondary feature of the product and is not relied on heavily to block malicious software.
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
  #10  
July 1st, 2012, 02:38 PM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Crystal Anti-Exploit Protection 2012 Beta

THX, Ichito & SG09

Really interesting application, I have asked the designer/programmer to join Wilders to attract more beta testers.
  #11  
July 1st, 2012, 03:04 PM
Ranget
Frequent Poster
Join Date: Mar 2011
Location: Not Really Sure :/
Posts: 832
Re: Crystal Anti-Exploit Protection 2012 Beta

Going to test it on XP and will report back
__________________
Spyshelter Premuim + MBAM Pro +Avast Free + Hardend FireFox + Secunia Update Checker
"Uncommon sense will increase your privacy; common sense will just make you common."
"The Worst Thing in the World is To look and not be able to Help "
  #12  
July 2nd, 2012, 09:44 AM
jdd58
Frequent Poster
Join Date: Jan 2008
Location: Iowa
Posts: 415
Re: Crystal Anti-Exploit Protection 2012 Beta

None of the protected apps will open for me. I'm guessing it is a conflict with EMET. Will try a clean image later.

Which program covers more areas, EMET or Crystal?
  #13  
July 2nd, 2012, 12:13 PM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Crystal Anti-Exploit Protection 2012 Beta

See post 8, one through four are already implemented according to the documentation, so Crystal
  #14  
July 2nd, 2012, 12:22 PM
KelvinW4
Frequent Poster
Join Date: Oct 2011
Location: Los Angeles, California
Posts: 974
Re: Crystal Anti-Exploit Protection 2012 Beta

I tried it but nothing that is protected would open; they all crash.
__________________
Windows Firewall-Avira Free-Shadow Defender-MBAM PRO (OD)
  #15  
July 2nd, 2012, 11:31 PM
jdd58
Frequent Poster
Join Date: Jan 2008
Location: Iowa
Posts: 415
Re: Crystal Anti-Exploit Protection 2012 Beta

A clean image didn't stop the application crashes so EMET is not the problem. I get a BEX error when IE or Windows Media Player tries to run. Running on Vista 64 bit. No 32 bit PCs to test on.
  #16  
July 2nd, 2012, 11:37 PM
KelvinW4
Frequent Poster
Join Date: Oct 2011
Location: Los Angeles, California
Posts: 974
Re: Crystal Anti-Exploit Protection 2012 Beta

I used that without EMET and I'm 32 bit
__________________
Windows Firewall-Avira Free-Shadow Defender-MBAM PRO (OD)
  #17  
July 3rd, 2012, 09:58 AM
Peter4020
Infrequent Poster
Join Date: Jul 2012
Location: UK
Posts: 8
Re: Crystal Anti-Exploit Protection 2012 Beta

Hi all, I'm the developer of Crystal AEP. Thanks to all of you for your interest and for taking the time out to test the software!

I am sorry to hear that it crashes on some of your systems, I'd be interested to know if it crashes always and for all applications you've tried it with, or whether that just happens with certain applications? Does it crash when configured to run at Minimum or Moderate security levels?

Crystal is fairly invasive in that it attempts to intercept various OS functionality and subjects the application state to a fairly comprehensive set of security checks at runtime to try to determine whether the application is under attack. I have tried to make the process as transparent as possible to applications which Crystal hooks, but I am sure I will have missed a few tricks here and there, and I hope to work the incompatibilities out of the software one at a time!

The software has been tested mostly on Windows XP and Windows 7, with only minimal testing on Vista, so it's very useful for me to know that it misbehaves on a fairly standard installation of that OS, and I will definitely investigate that as soon as I have a chance.

If you have any questions about the software please do fire away and I will reply to them as soon as I can! Suggestions are also always welcome and, although I probably won't be making any major changes for at least a short while as I am fairly busy with work, I will definitely put them on a list which I will work through whenever time permits.
  #18  
July 3rd, 2012, 02:51 PM
jdd58
Frequent Poster
Join Date: Jan 2008
Location: Iowa
Posts: 415
Re: Crystal Anti-Exploit Protection 2012 Beta

Hello,

All apps that I've tried crash every time, even when the protection slider is at minimum.

If I uncheck the box under the expert options "Enable Anti Malicious Code Execution Behaviours" then the programs will run. Screenshot attached, hope it's readable.

Thanks for your time and for coming to this forum.
[Attached screenshot: crystalaep1.jpg]

  #19  
July 3rd, 2012, 03:33 PM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Crystal Anti-Exploit Protection 2012 Beta

Quote:
Originally Posted by Peter4020
Hi all, I'm the developer of Crystal AEP. Thanks to all of you for your interest and for taking the time out to test the software!

If you have any questions about the software please do fire away and I will reply to them as soon as I can! Suggestions are also always welcome and, although I probably won't be making any major changes for at least a short while as I am fairly busy with work, I will definitely put them on a list which I will work through whenever time permits.

Peter thanks for joining Wilders. I really like the idea behind your program. My first suggestion would be to develop a clean version 1.0. So this would have the consequences of skipping content filtering for a while (and move the modules out of the first release). Secondly I would add a debugger or log facility to leverage the testing on different machines and configurations (and make it easier to back track problems).

Regards Kees
  #20  
July 3rd, 2012, 05:24 PM
Peter4020
Infrequent Poster
Join Date: Jul 2012
Location: UK
Posts: 8
Re: Crystal Anti-Exploit Protection 2012 Beta

@jdd58: Thanks to you and all the rest for testing the software and for your feedback! Which version of Windows is it that you run? I found that Crystal misbehaved on some machines when I made the software Low Integrity mode compatible and have since made some code changes to try and increase reliability.

Those changes are actually present as of a couple of hours ago in the latest installer on the Crystal website, although I have not pushed out an update as I hope to address one or two additional minor details before I push it out, and want to minimize the number of updates I subject users to! If you would be so kind I'd be very interested to know whether the latest version on the site fixes your woes or whether I still have diagnostic work to do yet!

@Kees1958: Thanks for inviting me, I'm glad the software is of interest to you! I have tested it extensively against exploits both public (Metasploit) and private, and believe the software goes a long way to helping address the zero-day problem. Of course it's not impenetrable and I'd never suggest otherwise, a Crystal aware attacker would definitely find a way to circumvent the software if they were committed, but until it reaches critical mass I expect it will continue to be very effective.

Those are great suggestions and I will definitely work on building a utility for crash reporting and analysis as soon as I get a moment. I should have done that before release, I will definitely try to add it to the update which follows the next. What do you think of the idea of perhaps moving content filtering off of the main UI and into the expert options? It seems fairly robust, I just have not written many filter modules yet.

Many thanks again to all of you!

Last edited by Peter4020 : July 3rd, 2012 at 05:33 PM.
  #21  
July 3rd, 2012, 05:31 PM
Tomwa
Regular Poster
Join Date: Feb 2010
Posts: 158
Re: Crystal Anti-Exploit Protection 2012 Beta

@Peter

Do you know when/if you will make a version capable of protecting 64-bit processes?
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).
  #22  
July 3rd, 2012, 06:17 PM
jdd58
Frequent Poster
Join Date: Jan 2008
Location: Iowa
Posts: 415
Re: Crystal Anti-Exploit Protection 2012 Beta

Peter thanks for the quick response. I am trying this on 64 bit Vista.

Security software: MSE, nProtect MBR Guard, EMET.

The latest installer fixes the problem with IE. Chrome does open also, but I am presented with a dialog box to allow wow_helper.exe. I allow, but it is terminated as a malicious process. This continues in an endless loop.

Screenshot attached. BTW it is also working with EMET enabled.
 
  #23  
July 3rd, 2012, 06:45 PM
Peter4020
Infrequent Poster
Join Date: Jul 2012
Location: UK
Posts: 8
Re: Crystal Anti-Exploit Protection 2012 Beta

@jdd58: Thanks for all the info and for taking the time to test the updated version. It's great news that it actually works for IE at least now. That problem with Chrome is something I have seen before but haven't had an opportunity to track down, however on my system it only happens when running Crystal at maximum security level and then inconsistently.

Now I know it's affecting you (and presumably other users out there too!) I will make that issue a priority and hopefully once it's addressed it will remedy any other problems you may be having too! Other than Chrome and IE, may I ask whether Crystal works for other protected programs (on the default list, or even things you may have added yourself?).

It's also great to know it appears to work with EMET on your platform. I'll investigate more thoroughly on Vista x64 because I actually haven't tested that platform, and WoW64 may well work slightly differently (at least I have never seen the wow_helper.exe application on Windows 7!).


@Tomwa: If Crystal 32-bit ends up being fairly popular and useful (and people find it to be effective) then I will almost certainly port it to x64 (and perhaps even OS X).

At present there are surprisingly few reliable exploits out there for 64-bit applications and I would have a bit of work ahead of me to understand the equivalent attack possibilities for these processes. It's something I need to do though!

Thanks all!
  #24  
July 4th, 2012, 12:40 AM
Tomwa
Regular Poster
Join Date: Feb 2010
Posts: 158
Re: Crystal Anti-Exploit Protection 2012 Beta

@Peter

I've downloaded and installed Crystal; however, I noticed a few things about the install process:

1. If a file is unable to be created/altered it just throws up a message and quits. This is generally bad practice as it could leave a broken install incapable of being removed on the system (If the uninstaller didn't copy correctly for example). This is the case caused by my KIS 2013, since the program was restricted it couldn't create a file in my Program Files (Protected by Kaspersky) and it simply gave up and the install failed. What should happen is it should offer the usual options of Ignore, Retry, and Abort. This way I could alter the Kaspersky settings and simply click retry. Abort should of course rollback the changes caused by install. This is a minor annoyance but it can help prevent issues so do with it what you will.

2. Why so many flashing command windows? It's like dance of the epileptic command prompt.

Is there any way to submit crash logs, etc.?
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).
  #25  
July 4th, 2012, 03:11 PM
jdd58
Frequent Poster
Join Date: Jan 2008
Location: Iowa
Posts: 415
Re: Crystal Anti-Exploit Protection 2012 Beta

Quote:
Originally Posted by Peter4020
Other than Chrome and IE, may I ask whether Crystal works for other protected programs (on the default list, or even things you may have added yourself?)

Other than Chrome the programs on the default list that were on my PC worked fine. The added ones did also.

I am trying Crystal AEP on a Windows 7 laptop today. I installed a portable version of Comodo Dragon and added it to the protected list. I get the same malicious code prompts (ROP) intermittently that I did every time with Chrome on Vista.

The other thing I noticed is that the Crystal AEP process uses constant CPU when a protected app is running. About 2% with IE and 10% with Comodo Dragon. Once the GUI is closed in the tray it gives a message that protection is still enabled, so is it advisable to keep it closed to avoid the constant CPU? The remaining proctracker.exe process uses no CPU.
 

All times are GMT -4.