Facts and screenshots about ANTS 3.0 private

Discussion in 'other anti-trojan software' started by DrSeltsam, Apr 16, 2002.

Thread Status:
Not open for further replies.
  1. DrSeltsam

    DrSeltsam Guest

    (private = commercial version)

    Ok ... - let's start :o).


    First of all, ANTS isn't a normal scanner. It uses a powerful driver and hook system to monitor and observe all files in REALTIME.

    It's comparable to a firewall. You can define special system areas of your process, network, file or registry system, and you define a special action for what should happen if a process wants to access (read, write, create, delete ...) this area (ask, block, log and so on).

    I tried a very small configuration. The ANTS "system firewalls" warn if a process wants to access the Windows or system directory, the Windows start files or the registry start keys. The "rule editor" looks something like this:

    http://www.ants-online.de/ants3/syswall1.jpg
    (registry)

    http://www.ants-online.de/ants3/syswall2.jpg
    (filesystem)

    http://www.ants-online.de/ants3/syswall3.jpg
    (internet blocking - yes, ANTS 3.0 can act as a "normal" application-based firewall, too ;o) )

    http://www.ants-online.de/ants3/syswall4.jpg
    (secured processes)

    The last point, called "Geschützte Prozesse" (secured processes), is quite interesting for users of a third-party security application and for applications which have access to the internet.

    All processes listed in "Geschützte Prozesse" can't be killed or modified. You can't inject a DLL or something like this. So most firewall-tunneling trojans can't get active if your internet applications are secured in such a way.

    It's also quite interesting for anti-virus software, which is often killed by several kinds of malware, because secured processes can't be killed via TerminateProcess.

    Ok, what happens if a trojan runs in such a secured environment? Here is a test with NetBus 1.7:

    Firstly, all files will be scanned BEFORE they run. So NetBus will be found:

    http://www.ants-online.de/ants3/netb1.jpg

    We let it start. Now NetBus tries to infect your system:

    http://www.ants-online.de/ants3/netb2.jpg
    (copy to windows folder)

    http://www.ants-online.de/ants3/netb3.jpg
    (add an autorun key)

    http://www.ants-online.de/ants3/netb4.jpg
    (create the keyhooker)

    http://www.ants-online.de/ants3/netb5.jpg
    (finally it tries to act as a server)

    As you see, all actions the trojan performed are listed, and you can terminate the infection at any time :o).

    I did a few tests with some other trojans. Here, for example, the infection scheme of BioNet 4.0:

    http://www.ants-online.de/ants3/bio1.jpg
    (copy to system directory)

    http://www.ants-online.de/ants3/bio2.jpg
    http://www.ants-online.de/ants3/bio3.jpg
    (add to run keys in registry)

    http://www.ants-online.de/ants3/bio4.jpg
    (offline keylogging file is created)

    http://www.ants-online.de/ants3/bio5.jpg
    (act as an internet server)

    ANTS 3.0 uses an IDS which searches for these infection schemes and recognizes unknown trojans using a neural network :o).

    All this checking is done in REALTIME. So if you get a warning, the action HASN'T been performed yet. You can still block or permit it or kill the host process.

    That's the power of only ONE feature of ANTS 3.0 :o). If you are interested I will post a few more screenshots and facts about ANTS 3.0 - especially the lite version :o).

    Adieu, Andreas
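    The two mechanisms the post describes, area rules with an ask/block/log decision and an IDS that scores a process's actions against a known infection scheme, as an added illustration in Python. This is not ANTS code and not from the poster: the rule set, the protected process names, the event fields, the file and registry paths, the keyboard-hook event and the weighted score that stands in for the neural network are all assumptions made for the example, and the event trace is constructed to mirror the NetBus steps shown above.

```python
# Toy behaviour-blocking rule engine in the spirit of the "system firewall"
# rules and the infection-scheme IDS described above. Added illustration,
# not ANTS code: every rule, path, process name and event here is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One intercepted operation, as a hook/driver layer would report it."""
    pid: int
    image: str   # image name of the acting process
    action: str  # file_create | reg_write | listen | set_hook | terminate | inject
    target: str  # path, registry key, port, hook type or victim image


@dataclass(frozen=True)
class Rule:
    """A protected system area plus the decision taken when a process touches it."""
    name: str
    action: str
    pattern: str   # regex over the event target
    decision: str  # ask | block | log

    def matches(self, ev: Event) -> bool:
        return ev.action == self.action and re.search(
            self.pattern, ev.target, re.IGNORECASE) is not None


# "Geschuetzte Prozesse": kill and injection attempts against these are refused.
PROTECTED: Set[str] = {"firewall.exe", "av.exe"}  # constructed names

# Area rules, first match wins; the more specific area is listed first.
RULES: List[Rule] = [
    Rule("system directory write", "file_create", r"^C:\\Windows\\System32\\", "ask"),
    Rule("windows directory write", "file_create", r"^C:\\Windows\\", "ask"),
    Rule("registry run key", "reg_write", r"\\CurrentVersion\\Run(Once)?\\", "ask"),
    Rule("listening socket", "listen", r".*", "ask"),
]


def decide(ev: Event) -> str:
    """Per-event decision: protected-process checks first, then area rules, else permit."""
    if ev.action in ("terminate", "inject") and ev.target.lower() in PROTECTED:
        return "block"
    for rule in RULES:
        if rule.matches(ev):
            return rule.decision
    return "permit"


# Indicators of the infection scheme seen in the NetBus/BioNet walkthroughs.
INDICATORS = {
    "drops_executable_in_windows_dir": lambda ev: ev.action == "file_create"
        and re.search(r"^C:\\Windows\\.*\.(exe|dll)$", ev.target, re.I) is not None,
    "adds_run_key": lambda ev: ev.action == "reg_write"
        and re.search(r"\\CurrentVersion\\Run(Once)?\\", ev.target, re.I) is not None,
    "installs_keyboard_hook": lambda ev: ev.action == "set_hook"
        and ev.target.upper().startswith("WH_KEYBOARD"),
    "opens_listener": lambda ev: ev.action == "listen",
}
# Persistence weighs most; the post's neural network is replaced here by a
# plain weighted score (assumption chosen for the example).
WEIGHTS = {"drops_executable_in_windows_dir": 1, "adds_run_key": 2,
           "installs_keyboard_hook": 1, "opens_listener": 1}
THRESHOLD = 3


class SchemeTracker:
    """Accumulates indicators per process and flags it once the score reaches THRESHOLD."""

    def __init__(self) -> None:
        self.seen: Dict[int, Set[str]] = {}

    def observe(self, ev: Event) -> Optional[str]:
        inds = self.seen.setdefault(ev.pid, set())
        inds.update(name for name, check in INDICATORS.items() if check(ev))
        score = sum(WEIGHTS[i] for i in inds)
        if score >= THRESHOLD:
            return f"{ev.image} (pid {ev.pid}) matches infection scheme: {sorted(inds)}"
        return None


def run(events: List[Event]) -> List[Tuple[str, Optional[str]]]:
    """Evaluate events in order; returns (decision, alert-or-None) per event."""
    tracker = SchemeTracker()
    return [(decide(ev), tracker.observe(ev)) for ev in events]


def sample_events() -> List[Event]:
    """Constructed trace mirroring the post's NetBus sequence plus two benign processes."""
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    return [
        Event(100, "patch.exe", "file_create", r"C:\Windows\patch.exe"),
        Event(100, "patch.exe", "reg_write", run_key + r"\patch"),
        Event(100, "patch.exe", "set_hook", "WH_KEYBOARD"),
        Event(100, "patch.exe", "listen", "tcp/1234"),
        Event(100, "patch.exe", "terminate", "av.exe"),
        Event(200, "setup.exe", "reg_write", run_key + r"\Updater"),
        Event(300, "notepad.exe", "file_create", r"C:\Users\me\notes.txt"),
    ]


if __name__ == "__main__":
    for ev, (decision, alert) in zip(sample_events(), run(sample_events())):
        print(f"{ev.image:12} {ev.action:12} {ev.target:55} -> {decision}"
              + (f"  ALERT: {alert}" if alert else ""))
```

    Running the file prints one line per event. Each area rule on its own only yields an "ask", which is what the screenshots show; the tracker is what turns the sequence into a verdict: patch.exe is flagged at its second step (self-copy plus run key), while setup.exe's single run-key write stays a prompt and never becomes an alert, and the TerminateProcess attempt against the protected av.exe is refused regardless of score.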
     
  2. Andreas,

    This looks very impressive!

    I think only KAV (AVP) has started to implement behaviour blocking in their product and it is still in very early testing.
    Are you using kernel level drivers for the real-time monitoring?
    Will ANTS 3 also work on Win98 or only Win2000/XP?

    I guess the ANTS 3 beta version is German only?
    If you have an English version, I'd be interested in participating in beta testing - if it is possible.
     
  3. DrSeltsam

    DrSeltsam Guest

    ANTS 3.0 will be available for Windows 95, 98, ME, 2k and XP. The 2k and XP version is ready and was used in this little test.

    I use a mix of simple "API hooking" and kernel level drivers :o).

    There are only German beta versions - I think it's more profitable to spend all the time on researching and not on translating in this phase :o). But as I said, the later betas and release candidates will be available as English versions, too.

    Adieu, Andreas
     
  4. PhilGreg

    PhilGreg Guest

    First post.
    I've been looking forward to Ants3.0 ever since....
    because I was/am convinced that it is/will be the best AT app available. However, I am also an Outpost FW beta tester and I can tell you that if Ants acts like a FW then there will probably be a conflict with OP, because OP doesn't get along with other FWs if they are installed on the same system, even if they aren't active.
     
  5. snowman

    snowman Guest

    After seeing that ANTS can be used as an application firewall........ I was wondering what effect, if any, this would have on the stacks when a person is using a separate firewall?

    Thanks for your time in responding.. (ANTS is a great tool)

    regards

    snowman
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001. Posts: 12,475. Location: The Netherlands.
    Gents,

    As far as my info goes, the upcoming ANTS is a modular build. Thus, anyone can use the module(s) s/he feels like - this goes for the "application based firewall" module as well.

    regards,

    paul
     
  7. DrSeltsam

    DrSeltsam Guest

    I've tested Outpost Pro with the current beta of the ANTS System Firewall - no complications :o). It works perfectly.

    Adieu, Andreas
     
  8. snowman

    snowman Guest

    Paul and DR

    Thanks much for the replies........ appreciated.

    snowman
     