TrendMicro BrowserGuard 2010(2.0.1070 free)

New version, but still doesn't support 64bit or Firefox:

http://free.antivirus.com/browser-guard/

 

Does this block sites from loading or just warn about them?

 

Can someone test if the bolded part of the quote can be opted out?

 

no options, just a service running.

 

Actually two processes. I guess that I'm a safe surfer because I haven't seen it do anything yet. Anyone have a url where I could test what it's supposed to do?

 

You are totally right,

BGUI.exe the user interface (enable service and/or disable pop-up)
tmiegsrv.exe the service

 

Have you been to an URL which gave you a popup warning yet?

 

No other browser than IE, eh? Looks like some companies never learn...

 

I used this a few months back and hit on a url with the warning. Actually I had several tabs open and the bad url was in one of the tabs. The bad thing was that I was unable to back out of the url- I was just frozen there with the only options to either go for the TM scan or close the browser (and other tabs in the process). Not sure if this still acts the same way or not but I uninstalled.

 

Are you sure it was Browser Guard and not the Web Protection Addon? Browser Guard makes no mention of running House Call whilst Web Protection addon does.

 

Are you still waiting for a browser protection for Opera?

But I agree, just IE is not enough - it should support FF at least.

 

My bad, I just saw that. Yes it was the web protection add on I had previous.

 

I'm still looking for more info on this but can't find any. A visit to their forum yields nothing more than the advertisement for it. It's still installed but I haven't triggered an alert yet.

 

same here, only sign of activity was an updated once.

When you monitor cpu/disk activity it does seem to do something when processing webpages with javascript.

Edit heap spray sample to try for yourself http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html and http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html (Aurora) and http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html (Hydraq)

 

In your opinion, is this type of attack somethng that is very rare? I noticed in one of the links that it's testing platform was XP SP 2 or earlier. How relevant is this kind of attack with Win 7?

 

Well,

In my discussion with Eirik of blue ridge (they have AppGuard) I thought it is not something to worry about with Win7. But they have just added protection against process memory modification, since they expect it to be used by malware in the future

So maybe you got more info, but you are problably as confused as before this post. I would say no for WIn7 and a maybe for XP, but do not hold me responsible for it. I also do not have a clue, sorry. Can't tell whether those two different vendors foresee the same trend or it is just creating tracktion in a mature market by adding some features ?

 

Kees, you're a mind reader,lol. My next question was going to be if you thought the memory protection addon to be implemented in the next release of AG was the same or similar.
Thanks

 

Seems to be updated, since Monday to 2.0.1072.
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=264&regs=NABU&lang_loc=1

 

The advanced memory protections of Win7 are not perfect, and may not compensate for all of the mistakes that programmers make in 3rd party software applications. You've read reports of researchers penetrating these defenses. As for what's in the wild like this, I don't know. I cannot responsibly estimate.

There is, however, another bulls eye. The more Microsoft and Apple harden their 'system space', the more they make 'user space' where more and more combat with malware takes place. What's alarming about user-space combat is that code injection attacks from one process to another can take place without ever exploiting a vulnerability in any software process because legitimate API's can be used. I'll post a link to a small PDF that provides a little more info on MemoryGuard in the 'AppGuard News and Feedback' thread. (doesn't seem to be appropriate to do so in a thread with another vendors name in the title).

Cheers,

Eirik

 

Thx Eirik, so it is side by side infection (which is not covered by UAC/LUA) of processes running with LUA tokens

 

TrendMicro BrowserGuard 2010 updated to 2.0.0185:

Okay I did a search on this software and found this thread. It has been updated to 2.0.0185 but I read the readme txt file and found this. Did not realize it was a beta.

8. Known Issue
========================================================================
* Page content is not dump to SAL for processing. Static Heuristic does not work under this scenario.
* Relationship between parent and child window is not recorded.
* No mechanism for port changing if allocated for backend server.
* Detection logic between SAL and BG need n! times, and continue browsing time is same as scan/block time.
* Hook is not stable when load is stress.
* Detection logic between SAL and BG caused it. First, script node send to SAL 1 time, and whole html page with script node will send to SAL again.
* Incapability between TI3 BEP and BG2010
* Install window does not resizing
* Memory leak
* Google V8 exception
* Page content is not dump to SAL for processing. Dynamic emulation does not work under this scenario.
* Block page incompability between IE toolbar like Comcast and BG2010

 

2.0.1111 (beta4):
http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=264&lang_loc=1

Changes include 64bit support:

http://www.trendmicro.com/ftp/documentation/readme/BGSetup2.0.1111_readme.txt

 

Just got interested in this piece of software. There have been a few updates since the last post, but still IE only it seems

 

Detection enhancement on generic browser exploits
Comparable with Exploit Shield of F-secure (see http://www.ghacks.net/2009/08/23/f-...protects-against-0-day-web-browser-exploits/), protects against known exploit protection (in case you did not update browser to the latest patch) and new exploits using the same or simular intrusion technique.

Upgrade VSAPI for better shellcode detection
Intercepts scripts from withing Internet Explorer and sends them to VSAPI for shell-code scanning. VSAPI stands for Virus Scanning Application Interface. Code analysis for known intrusion techniques of old exploits and other general shell-code injection techniques (e.g. heap spray)

Enhanced script emulation for the Script Analyzer Lineup (SAL) engine
This is the actual javascript emulation engine, which is used to detect intrusion attempts by code emulation

Conclusion
When you add Trend Micro Browser Guard to Vista/Windows 7 and EMET-2 protection (GS, SafeSEH/SEHOP, DEP, ASLR, plus added shell code of EMET2 null-page and heap-spray settings) you have a great build-in protection against suspicious interprocess interaction. Mind you that when using IE8/IE9 in protected mode and Chrome, you have the extra protection of the low-rights sandbox (which is in effect more like containment, because it prevents and does not virtualise).

For people using a two browser setup (e.g. I have Iron Portable as my main browser, because Iron is not signed, it can never elevate when running safe-admin, my second e-banking browser is IE9 on which I have Trusteer and Browser Guard added, plus hardening of IE through registry/GPO), it is really a nice add-on since it only eats CPU cycles when running IE8/IE9

 

How is going for you? I never really had any luck with Trend Micro freebies. The last one I tried was the latest RUBotted version and it was a real mess - malfunctioning 100%, the icon would load to tray bar but the program itself would never start.

What's worse, is that Trend Micro offers no support for their freebies.