Product page: http://www.novirusthanks.org/products/yaguard/

In short, this program monitors process executions, DLLs and kernel-mode drivers and scans them in real-time with your custom (precompiled) Yara signatures (http://plusvic.github.io/yara/). It is in its very first version and it is mostly an experimental project. The program needs Admin rights to run for now.

Some information about the installation (all is explained in the Readme.txt file):

1) You need to install (if not already installed) the Microsoft Visual C++ 2010 Redistributable Package
Download (x86): http://www.microsoft.com/en-us/download/details.aspx?id=5555
Download (x64): http://www.microsoft.com/en-us/download/details.aspx?id=14632
2) Check what bitness your operating system is and open accordingly the \X86\ (32-bit) or \X64\ (64-bit) folder
3) Copy the file nvtyaguard.sys into the C:\WINDOWS\system32\drivers\ folder
4) Move the program folder to a folder that is accessible by everyone, such as C:\ or C:\Program Files\
5) Double-click on the executable file YaGuard.exe
6) Now if all goes well, you should see the program interface
7) When an object is blocked it is logged in the text area present in the program interface

Read the section "Test Demo Binaries" present in the Readme.txt file to test the program.

**This program should be used by experienced users**
This is exciting, novirusthanks. Very creative as well. I am very excited to play with this later tonight. I see a huge amount of potential here.
@novirusthanks May I offer a cross-sell suggestion/commercial application to add extra power to NVT PRO:
1. NVT filters running processes, NVT gets an extra mode: maximum protection
2. When the user launches a vulnerable process (e.g. a browser) and NVT is in maximum protection mode, NVT launches YaGuard
3. The user can do things for which extra intrusion protection is good to have, because of impact (e.g. online banking via browser); when closing down the browser or maximum protection mode, the YaGuard process is stopped again.
You could start with the browser, but extend this in future to other internet-facing or rich content/scripting applications (mail, PDF, media player). The initial version only adds a tray icon notification and offers a log afterwards. Regards, Kees
Windows Security, I usually agree with you on most things, but why have extra modes/levels of protection which are really just preset profiles? Why not just make everything modular with tick boxes? That will allow the user to enable exactly which protection features they want to use. ERP went away from having all the different lock-down modes, and everyone I'm aware of was pretty happy about the change. What do you think?
You got a point there: keep it simple is good practice. Just thought of a way on how to incorporate developer's work (Yaguard) into his main product (NVT).
Did you clean up the attic or garage and found your lost copy of Zen and the art of motorcycle maintenance?
Well, it is clear you understand the art of motorcycle repair, but not yet clear when Zen is going to hand over his bike for public release.
Do you have plan to host sth like Yara sig repository so that average ppl can get benefit from it? Otherwise it will be only beneficial for those who can analyze malware by themselves.
@Windows_Security Thanks for the suggestions, we are open to any suggestion/comment and soon we will discuss them. Not sure if it will be a good idea to integrate this into ERP since users may not be very experienced with Yara, but we'll see.

@142395 We do not have the intention, at the moment, to offer a Yara rules repository. This project can be useful to companies that already have access to premium/free Yara rules and want to add real-time protection on their systems easily with YaGuard. For example, if a 0-day malware is discovered and AVs have no rules yet and/or the AV is not present, a company can create a Yara rule and load it on YaGuard for real-time protection. This is also a prototype/skeleton that can be integrated in other programs. We are already working on a project that may incorporate this.

Below there are some links about free Yara rules repositories, which may be useful to other users:
https://github.com/AlienVault-Labs/AlienVaultLabs/tree/master/malware_analysis
http://yararules.com/rules/
http://yararules.com/
https://yaragenerator.com/
http://www.yara-generator.net/rules
http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html
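As an added example (not a rule shipped with YaGuard or written by NoVirusThanks), here is a rule of the kind the post describes: a team writes it for a freshly observed sample, compiles it with yarac, and loads the compiled file into YaGuard so that matching process images, DLLs and drivers are blocked when they are loaded. Every string, the opcode pattern and the file names are constructed placeholders, and it is assumed that the YaGuard build links YARA's pe module; how YaGuard picks up the compiled file is described in its Readme.txt, not here.

```yara
// Constructed example rule, not a real indicator set.
// Compile to the precompiled form YaGuard loads:
//   yarac zero_day_loader.yar zero_day_loader.yarc
import "pe"

rule Example_ZeroDay_Loader
{
    meta:
        description = "Constructed example: PE images carrying a hypothetical loader stub"
        author      = "added example, not a NoVirusThanks or YaGuard rule"
        scope       = "process executables, DLLs and kernel-mode drivers"

    strings:
        // All three patterns are placeholders chosen for illustration only
        $mutex  = "Global\\EXAMPLE_LOADER_MUTEX" ascii wide
        $c2_fmt = "/example-gate?id=%08x" ascii
        $stub   = { 55 8B EC 83 EC ?? 53 56 57 E8 ?? ?? ?? ?? }

    condition:
        // Restrict to PE files: the objects YaGuard scans (process images,
        // DLLs, drivers) are all PE, so the MZ and PE\0\0 headers must be present
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        (
            // User-mode variant: an EXE or DLL with the mutex, the C2 path
            // format string and the loader prologue
            ($mutex and $c2_fmt and $stub)
            or
            // Kernel-mode variant: a native-subsystem driver carrying the same
            // prologue and registering a device object through ntoskrnl
            (
                pe.subsystem == pe.SUBSYSTEM_NATIVE and
                $stub and
                pe.imports("ntoskrnl.exe", "IoCreateDevice")
            )
        )
}
```

Before deploying such a rule in real-time mode, run the compiled file with the yara command-line tool over a known-clean system directory first, since a false positive in YaGuard blocks the object outright rather than merely logging it.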
Hi Andreas I've not done anything with this so far as it appears to be a bit of work, and I don't quite see what it brings in terms of protection. Pete
Thanks for the explanation, I can understand your intention somewhat. Also thanks for the links, tho I know Yara somewhat, I didn't know most of them. It seems some of them are free, so those who want to combine them with YaGuard may get benefit, tho I don't know how and if you can auto-update rules.
The fact that you can block any executable object (library, process executable and driver) in real-time based on completely customized rules makes the potential much greater than preset rules for allowing/disallowing. It's much more versatile and flexible for the end-user. That's a concept that I can appreciate. Of course it's for experienced users only and you have to know how to write Yara rules yourself, or you could download rules that others are creating, etc. The author of Yara is an employee of VirusTotal, that's why it's also used on virustotal.com among several other security services and products. It's a pretty useful tool in any malware researcher's tool belt.
Thanks for the feedback, guys. Tomorrow we should release a new version that supports DLL monitoring also on Windows XP and 2k3 OSs with some more enhancements. It'll also have an installer for automated installation, so more experienced users can quickly try it.
New version has been released:

[13-04-2015] - v1.1.0.0
+ Added support for DLL monitoring on XP and 2k3 OS
+ Improved the kernel-mode driver
+ The program can now be installed via the setup file
+ The VC++ 2010 Redistributables are automatically installed
+ Added some useful buttons in the program interface
+ Minor fixes and optimizations
+ Improved the Readme.txt

Product page: http://www.novirusthanks.org/products/yaguard/

** This program should be used by experienced users **