Question about Mamutu

What exactly is being monitored specifically?

For something like creation of autostart entries that's really "Adding an entry to the registry" or to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\

And for manipulation of the hosts file it would be "Writing to the hosts file in \etc\hosts" or something.

I am just wondering what API calls are being intercepted when that's the case or what else is being monitored specifically.

ex: I don't know what "Spyware behavior" entails - I'd like an indepth explanation.

in short, what specific actions compose each of these behaviors?

 

No one's got a link?

 

Nope. At least, I don't.
Their knowledge base articles are pretty much 'starter level' info pages.
I've never found any more specific info than what's posted above (their forum doesn't provide more in-depth info either).
I'd contact dev Fabian Wosar (fw at emsisoft.com) for deeper info on Mamutu, not sure what they are willing to provide though.

 

I don't really think they would provide the rule sets or heuristics they use, that could compromise the product i guess and as a business that is bad

 

Something like Mamutu could easily be reverse engineered in terms of behavioral blocking attributed to kernel calls - whitehats/ security companies do this all of the time to malware or AVs even. Heuristics rules can often be reverse engineered as well (just test different things that might break rules) though scoring based on those rules is much more complex.

You can't tell the entire program but if you know "This call infects the computer" and "This program stops infections" it's easy to say "It's probably that call."

I'll try contacting a dev, thanks. IDK why they won't even give a simple explanation - I don't necessarily need something as low as the API but it would be nice to know what "spyware behavior" actually entails.

 

Yeah, I tried finding some more detailed info on them as well, but couldn't find it. I do know that behaviors from that list are more a combination of action/behaviors, for example, for the Keylogger behavior warning to appear, an executable needs not only to log keystrokes, but also connect to the internet.

 

Briefly, "spyware behavior" entails the behavior of an component, not the specific sequence of bytes in that
components binary representation.

An example of "spyware behavior" would be an component, and/or unknown component, monitoring user behavior and/or
interacting with another component, such as an Web Browser, monitoring that components behavior and/or the users
interactions with that component, then/or petitioning calls to the Windows Application Programming Interface (API) that
can potentially leak information about that behavior, such as petitioning calls to save the data to an file and/or
transmit that information to an Remote Host.


EDIT: clarity


HKEY1952

 

I see. Thank you.

There are quite a few of them that are fairly vague but I suppose I can just do some research.

 

You are welcome Hungry Man


HKEY1952

 

There are academic papers out there regarding listing high level malware behaviors, but unfortunately for those papers I've looked at there is apparently no publicly available program or code.

 

I'd like to see them if you have them. The code is less important - if I can see what the behaviors are specifically I can figure out the code.

 

There is definitely one free paper available on this but I don't remember its name; I don't recall if it is specific enough to be useful to you. Maybe check the references in paper "Behavior abstraction in Malware analysis" or do this Google search "high level" malware behavior filetypedf or maybe malware behavior filetypedf.

 

Will do thanks.

 

You're welcome .

There is also one free paper (at least) that lists the behaviors found most commonly in malware.

 

http://www.usenix.org/event/leet09/tech/full_papers/bayer/bayer.pdf

Reading this at the moment.

I'm interested in anything even slightly relevant =p I had no idea I could search by file type eitehr lol

 

There's at least one more, because that isn't the one that I remembered.

 

It's "Tracer: Enforcing Mandatory Access Control in Commodity OS with the Support of Light-Weight Intrusion Detection and Tracing."

 

Oh yes that. I've read that.

 

Anyone have a whitepaper on mamutu maybe?

I'm also interested in any tests witih Mamutu vs Malware. Videos, papers, whatever.

 

For videos i guess some amateur Youtube videos would work

 

I'll take them =p

 

I've used Mamutu for almost 2 years because it was recommended here and because of the reputation of the company behind it, Emsisoft. I've looked for more information about the program and for testing, without much luck. If you find anything Hungry Man I'd be interested in reading about it.

 

I'll send you a PM if I find anything of interest.

I used Mamutu as well and liked it. I'm curious as to how effective a pure behavior blocker can be.