Mamutu 1.5.0.18 released [NEW]

Version 1.5 changes:

To avoid too many alerts on good programs, version 1.5 introduced the new community based alert reduction feature. Once an alert is triggered, you can see how other users decided about the alerted program. Mamutu is able to create allow rules for programs that have been allowed by eg. more than 90% of the community users.

The self protection has been improved. Mamutu is able to defend itself better from beeing shut down by Malware. On a manual program exit, you will see a captcha that requires that you enter a security code to confirm the shutdown. Mamutu protects other applications from being remote controlled and shut down too.

/**/
What is Mamutu?

# Monitors live all active programs for dangerous behavior (Behavior Blocking).

# Recognizes new and unknown Trojans, Worms and Viruses (Zero-Day attacks), without daily updates.

# Small but very powerful. Saves resources and does not slow the PC down.


Mamutu recognizes and reports the following types of behavior:

# Backdoor related behavior
# Spyware related behavior
# HiJacker related behavior
# Worm related behavior
# Dialer related behavior
# Keylogger related behavior
# Trojan Downloader related behavior
# Injection of code into other programs
# Manipulation of programs (patching)
# Invisible installations of software
# Invisible Rootkit processes
# Installation of services and drivers
# Creation of Autostart entries
# Manipulation of the Hosts file
# Changes of the browser settings
# Installation of debuggers on the system
# Simulated mouse and keyboard activity [version 1.5]

 

This is the biggest sign of a lousy security software.

Mamutu's FPs were absolutely atrocious, but instead of working on a better recognition algorithm and/or whitelist to solve the problem, they throw the problem to the users instead. WHY on earth should I care which users voted what on program X? Who are they anyway, qualified experts?

To quote ErikAlbert: "That's not security, that's gambling."

 

I agree this software is relative useless, rootkit owned it in seconds and then it became very quiet.
But if I find the time I will try this new "gambling" version.

 

SystemJunkie, Which rootkit owned it, how did you test.

Solcroft, which wave of FP's did you encounter, when it are that many, it should be easy to mention 5.

Let me make clear it is not that I am commenting on you, but the problem is that I do not want to check some previous posts of the person making the statement. This to get an idea of what this person is saying is total nonsense or that the fourm member has made in the past some sharp observations. In the last case he or she's current statement will problably also contain some truth/value.

When I hear this sort of comments, I can not help to think that it is all about preferences. Comodo V2 did tell you when a source code was changed, but did not do anything against it. Also the algoritme was CRC in itself a weak form. Nobody attacked comodo on this. Comodo was the champ on this forum.

Only some bad comments were made on the CRC check. When you are considering security in normal life perspective, you will see that most financial institutes use CRC as a trip wire to detect fraud, programming errors. CRC is not intended as a 'from outside protection' but as a from within (integrety and completeness). So it was not that stupid of the designers to use CRC to check whether already approved programs (meaning inside the protected zone) were untouched .

Wilders members are in favour of TF and against Mamuto. Also the FP problem, becomes a myth. People are telling this without having own observations on this. The few FP's I noticed were more or less the same as TF. Only PRSC is the ap with lowest FP's. But then everybody complaints on the scope of protection by PRSC. SO TF stays the darling of this forum.

Another example, SafeSpace personal is a wonderfull ap, stil gets its portion of bashing by Sandboxie fans. Off course we know sandboxie as a security program with a good reputation, but SafeSpace works out of the box, while Sandboxie needs some adapting. It is great that people like Sandboxie, stay happy with, no need to justify your choice by bringing down a competing ap.


Members like ZopZop, Aigle, Lucas1985, Stem, Blue, Pete always provide some background info. I really appreciate this. So I would ask others to backup their opinions with observations/tests also. THX

 

IE6, WMP, 7-zip, and ThreatFire are four I can remember off the top of my head. I can't remember if I can attribute services.exe to it as well, or another rather jumpy behavior blocker I've also tested months ago. Of the four concrete ones I do remember, two of them are VERY common Windows programs.

Kees, I was the one who started the "myth", IIRC. The very first thing it did after I installed it was to report IE6 as a backdoor trojan, and things only went downhill from there.

You might also want to consider that there might be a reason that that "myth" exists, especially since Mamutu is still a young program and has no past reputation, good or bad, to be carried over from its earlier versions.

Of course, that might be because you insist on running TF on level 4 and suffer from extra FPs without any real improvement in protection.

As far as my personal observations go, that complaint would be quite accurate - relative to TF, that is; I'm not trying to imply that PRSC is a weak program. You also seem peeved by the fact that people prefer TF, which admittedly sounds quite strange to me.

 

could not agree more. it's fairly common knowledge that most people respond to pop-ups incorrectly, so this approach is akin to the 'blind leading the blind'.


Mike

 

Look screen below, latest Mamuta becomes disrupted.
http://i29.tinypic.com/fzcimq.png

 

Solcroft,

As stated my post it is not an attack on you, so hold your horses. When you did not get the message, I will repeat it: I am complaining about the fact that people are just make statements without backing them up.

My experience of false Positives of Mamuto and TF is different. IE7 WMP and 7-ZIP are programs also on my wife's PC and after installing Mamuto I tried all programs. I can not recall that Mamuto marked them, same applies to TF, see post: https://www.wilderssecurity.com/showpost.php?p=1183116&postcount=52

Now before you start reacting in detail on this response. Different users means different usage, so it could well be that you encounter a lot of FP with your PC usage. That is the reason that I would like some contextual information (mention test/situation).

I am also not peeved by the fact that TF is favoured, see https://www.wilderssecurity.com/showthread.php?t=183020 or https://www.wilderssecurity.com/showpost.php?p=1180282&postcount=7

Regards Kees

 

Okay seeing that Mamuto becomes disrupted, but how did CSRSS.exe become malware, is it a MSN or media file releated CSRSS malware version?

 

Excuse my ignorance, I might misundertand the discussion here, but doesnt that picture just show that crss.exe and drwtsn.exe is trying to eliminate Mamutu.exe and Comodo intercepts that attempt before eventual Mamutu selfprotection did? What triggered crss.exe and drwatson (which are legit processes in windows, not mailicious rootkits) to try to kill Mamutu process? Are you saying that mamutu doesnt protect itself?

 

Just because it's named csrss.exe doesn't mean it's the legitimate copy that came with Windows. In fact, a lot of trojans are named svchost.exe and explorer.exe. It's just a filename, and trying to masquerade as system processes poses quite a few advantages.

One possible interpretation of what happened was that the trojan tried to kill Mamutu, which crashed, at which point DrWatson stepped in to kill the crashed process(es).

 

Yes thats true solcroft, but we will never know until we know where that csrss.exe is located on his drive. Since he uses two HIPS type software I assume he didnt let the rootkit hijack the legit csrss.exe process in memory in both software. Unless Mamutu does not protect running processes of course.

 

There is only one csrss.exe (from windows) and that seems to be owned by <unknown>. Some hypervisor could have control over it. The DrWatson Game is a favorite of those hackers, they or better said the Malware Type III escalate or bo any chosen executable and drwatson pops up and the chosen app is killed no matter if you choose block or allow in comodo. (my assumption blue pill+new undetectable stealth.mbr or vbootkit mod)
They do this game with black ice, mamutu, force field,... just to name a few.

 

... Then again, you might not be the person best known for making objective (or even logical) observations...

 

Sukarof

Thx for the explanation.

 

Both have a really weak self protection and therefore they are most probably the first victims if an real attack starts.
So both fell out of my favour.
I don't really know how they should offer any additional protection, like many users to think.

Cheers

 

Well, wanted to test it, but can´t do it (no network inside VM), can it please be made so that you won´t have to login to be able to use this tool?

I would like to know when these alerts will be triggered? I mean, it sounds a bit vague. Normally a HIPS will tell you exactly what an app is trying to do, like for example, making outbound connections, or loading global hooks.

OK, can someone test this against a couple of rootkits?

Is this protection against file infectors?

I would like to get some more info about this.

 

Do you have any example of a real attack that successfully disables TF?

 

We can't publish all details how the triggers work, but the alert windows of Mamutu will tell you much more, why a program was alerted. The Spyware alert e.g. comes when a program invisibly sends or receives data from the internet. The detected behavior type is always described in detail on every alert box. Mamutu will never say "This IS Spyware", it will always say "This program acts LIKE Spyware". Well, if it detects spyware like behavior in a good program, that can not be counted as a false alert. It just means that the behavior is very similar to spyware behavior.

I'm not sure what you understand on file infectors, but I guess it's exactly what you mean.

Debuggers are sometimes used to prevent security programs from being started at system startup. Mamutu catches the required system changes that would allow someone to register such a debugger.

Simulated mouse- and keyboard-activity is used by Malware to reproduce manual user actions, e.g. right click the Mamutu tray icon and select "Exit program". Mamutu can not be terminated with such actions.

 

I think that´s important clarification for many outthere.

I guess he is talking about things like virut and parite.

 

As this thread is about Mamutu, this is slightly off-topic, well...
I posted weeks ago here with a link and the post was deleted because of this link, therefore I have to explain the details.
A guy called Scrapie from german security forum Rokop Security wrote a small vb app called ByeByeThreatFire to demonstrate how easily ThreatFire is to disable.
Else he is able to bypass and/or blind ThreatFire because of it's "design weakness", like he wrote.

Cheers

 

Thanks a lot for the feedback. I suppose you can not publish everything because malware will try to circumvent it or something? But you already told me what triggers the "acts like spyware" alert, so you might as well tell me the other stuff? But if I understand it correctly, just like ThreatFire, Mamutu tries to be more "smart" to reduce alerts, and thus has certain rules that will only be triggered under certain conditions, am I correct?

Well, personally I don´t care about "false positives" at all. I believe I have enough knowledge to decide if certain behavior is possibly malicious or not.

Well yes, looks like we are talking about the same thing. Would be a nice feature since most HIPS do not protect against this.

OK nice, but I also saw this in action in HIPS like EQSecure and ProSecurity, and I got alerts when clicking on the taskbar myself, so it was not exactly "fake". I wonder if this method can be made so that it will only be triggered when you (the user) really did not send any mouse/keyboard input yourself.

Very interesting, a simple .vbs file that can disable protection? Perhaps an idea to not run any unknown script/executable files, or are there any other ways to disable TF and other HIPS?

 

@ Emsisoft (Christian Mairoll)

Can you please remove the need to have an account? Come on, security tools don´t need this kind of nonsense.

 

Exactly. Mamutu does not only alert things like "Program xy connects to the internet". It combines several parameters until it give an alert window.

We'll test against that ones. But if they simply try to inject code into other processes, they'll be detected for sure.

Please try it. We didn't get any user complaints so far about wrongly alerted user actions.

Sorry, that's not possible. The server side licensing storage is a very effective way to avoid illegal use of the program. Every client side solution can be cracked too easily.

Btw. please don't test the program on a virtual machine. Lots of Malwares don't act harmful when they detect that they're running on a virtual environment. The next problem is: When you don't have web access on your VM, worms and trojans may not start at all and Mamutu can't detect any harmful actions (because there are none, just an empty process).