Riot Isolator [Beta]

Discussion in 'other anti-malware software' started by hsdev, Dec 27, 2016.

  1. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Always remember @hsdev critics criticize and developers do. Good luck with the beta:thumb:

    I knew @Rasheed187 you wouldn't last long without mentioning your precious HIPS at some stage.:D

    Regards Eck:)
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, I was just trying to explain why I don't need Riot Isolator on my own PC, but since it's portable, it's a handy tool to have on a USB drive. Speaking of SS, I would love to switch to a more robust HIPS that's just as lightweight, but there aren't any, so at the moment I wouldn't consider myself a fanboy, sadly enough.
     
  3. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Yeah I know what you mean about "robust HIPS". I'd gladly be a fanboy if DefenceWall would become viable for 64 bit.

    Meanwhile I'll stick with Comodo.

    Regards Eck:)
     
  4. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    We are back with an amazing update! This is the latest changelog:
    +RAM Eraser
    +Email alert notification
    +USB read only mode
    +Relevant information added
    #Fixed line width with longer strings (web panel)
    #CDs are no longer blocked by the USB protection
    #Smaller UI improvements
    #Strict detection crypto bug fixed
    #Taskbar menu performance bug fixed
    #Minor bug fixes
     
  5. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @Rasheed187 The anti-PE feature is made for PE injections. But the strict detection mode detects similar behavior as well, for example virtual file systems for packed files with Enigma Protector.

    The anti-DLL detection is possible. But many tools load libraries at runtime, which means there needs to be a way to detect if that is legit or not. We are trying to improve our security algorithm all the time.
     
  6. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    Gee, you guys are not very receptive - the GUI is fine with me. And the idea seems good - my only problem right now is that after messing with Malwarebytes 3 for so long and being so frustrated, I am hesitant to jump back in to something where I might have to go through annoyances like that again. Thanks, hsdev, for posting - I may give it a try after I relax a few days.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the info. Can you perhaps explain the difference between DLL and PE injection?
     
  8. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    Good luck in progressing with Riot Isolator. I appreciate your efforts and wish you well in proceeding. Thanks for sharing.
     
  9. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @Rasheed187
    As far as I know one major difference is that you cannot inject managed DLLs into processes, while you can inject every portable executable into a process (regardless of any protection). There may be exceptions, but this rule is quite common in this scene. The same goes for the use of these different injections: DLL injections are mostly used to edit the target process, such as an online game, to run hacks. On the other hand, PE injections are mostly used to hide the executable inside of a process to bypass detection systems.
    The DLL acts like a normal instance: it is created with the flag DLL_PROCESS_ATTACH, while the PE file launches its "process" inside a host process rather than in a separate process as it usually does.

    If you have any more specific question, please let me know.

    @JohnBurns If you have any special ideas or suggestions, you can write me about this. Thanks for your nice words!


    #An important minor update was released to fix overlay problems in the UI.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the info, I guess I will have to do more reading about PE injection, because I can't fully visualize it. I do know that DLL and code injection is one of the most dangerous methods used by malware. You never really read about PE injection, it's not often mentioned.
     
  11. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @Rasheed187 RunPE is a very widespread method used by crypters, which should make the virus/malware undetected. Even non-programmers can buy/get all they need without any special skills. This includes RATs, keyloggers and more.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have tried installing it twice and both times Cylance quarantines two files. And so to install it I have to waive the files and that is just too much work. :(
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Oh wait a minute, so it's actually a method to evade detection? Yes, I read about it. Are you saying Riot will try to detect this?
     
  14. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @Rasheed187 Exactly! It is getting harder and harder to detect the behavior of a virus, so Riot Isolator detects the injection and closes these processes. This is signature-less detection and catches even new and unknown RunPE tools such as crypted trojans.
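The two developer posts above describe RunPE as a PE image launched inside a host process and say the tool catches it without signatures. One signature-less check a defender can apply is to compare the PE header of the executable on disk with the PE header of the main module mapped in the running process: a legitimately started process has matching headers, while a RunPE-style replacement of the main module changes entry point, image size and section layout. The following is an added, self-contained example of that comparison, not Riot Isolator's code or the developer's method; it parses constructed header-only PE32 byte strings built inline, so it runs offline. In a real tool the "mapped" bytes would be read from the target process (for example with ReadProcessMemory on Windows), which is assumed here rather than implemented.

```python
import struct
from typing import Dict, List

# Offsets inside IMAGE_OPTIONAL_HEADER32, relative to its start.
OPT_ENTRY_POINT = 16
OPT_IMAGE_BASE = 28
OPT_SIZE_OF_IMAGE = 56
OPT_HEADER_SIZE = 224          # size of a PE32 optional header
SECTION_HEADER_SIZE = 40       # size of IMAGE_SECTION_HEADER


def build_pe32(entry_point: int, image_base: int, size_of_image: int,
               sections: List[str]) -> bytes:
    """Build a minimal header-only PE32 image. This is constructed test data:
    only the headers exist, there is no code, so it cannot run as a program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0,
                           OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, entry_point)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, image_base)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    sec_table = b""
    for i, name in enumerate(sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sec_table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                                 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                                 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sec_table


def parse_pe_headers(image: bytes) -> Dict[str, object]:
    """Extract the header fields the hollowing check compares.
    Raises ValueError if the bytes are not a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    sec_table = opt + opt_size
    names = []
    for i in range(num_sections):
        start = sec_table + SECTION_HEADER_SIZE * i
        names.append(image[start:start + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "entry_point": struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT)[0],
        "image_base": struct.unpack_from("<I", image, opt + OPT_IMAGE_BASE)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + OPT_SIZE_OF_IMAGE)[0],
        "sections": names,
    }


def hollowing_indicators(disk_image: bytes, mapped_image: bytes) -> List[str]:
    """Return the header fields that differ between the file on disk and the
    module mapped in the process. An empty list means the headers agree; any
    mismatch is an indicator that another PE was mapped over the host."""
    on_disk = parse_pe_headers(disk_image)
    in_memory = parse_pe_headers(mapped_image)
    return [field for field in ("entry_point", "image_base", "size_of_image", "sections")
            if on_disk[field] != in_memory[field]]


# Constructed sample: the host executable as it exists on disk ...
HOST_ON_DISK = build_pe32(0x1234, 0x00400000, 0x5000, [".text", ".rdata", ".data"])
# ... and a different constructed image standing in for what a RunPE tool
# would have mapped over the host's main module (same base, different layout).
PAYLOAD_IN_MEMORY = build_pe32(0x2F00, 0x00400000, 0x9000,
                               [".text", ".data", ".rsrc", ".reloc"])

if __name__ == "__main__":
    print("clean process:   ", hollowing_indicators(HOST_ON_DISK, HOST_ON_DISK))
    print("hollowed process:", hollowing_indicators(HOST_ON_DISK, PAYLOAD_IN_MEMORY))
```

The check is deliberately coarse: it reports which fields disagree rather than a verdict, so a monitoring tool can decide how many mismatches justify terminating the process, and it will not flag a legitimately relocated image because relocation changes section contents, not these header fields.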
     
  15. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @boredog We know about 3 current false positives for the setup and the installed main executable of Riot Isolator.
    False positives at the moment for: Invincea, Qihoo-360, Webroot
    We are in touch with the antivirus companies, so we contacted the 2nd and 3rd vendor to fix this. The false positive of the 1st vendor can only be solved if we buy an official code signing certificate. This costs money we do not have.
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Here are the quarantined files, just to let you know. It still installs, so I'm not sure if these temp files are needed anyway?

    At first Cylance also showed an abnormal file, but then it disappeared and was too quick for me to see what it was.
     

    Attached Files:

  17. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    The setup is a packed program which temporarily saves data to make the virtual file system work. It is Enigma Virtual Box (http://www.enigmaprotector.com).
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not trying to be negative, but aren't most AVs already capable of detecting this, and what about the false positive rate?
     
  19. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Once installed, can you suggest a few simple tests to check it works, please?
    In fact I've chosen the option not to install on the HD.
    Thanks.
     
  20. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @Rasheed187 I am sure most AVs will have similar protection features, but they do not seem to be effective enough to stop them. Nearly every crypter is using RunPE to hide its executable. Only some major brands are known for their effective protection, such as Norton, Avira and Kaspersky. Our rating system is based on the analysis of different kinds of PE injections commonly used. With our detection we did not even have one false positive; tested on different computers with different setups.

    @fblais It is planned to add a full test tool pack, which allows you to test all security features. We will add this download in the future.
     
  21. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Thanks Hendrik.
    But in the meantime, just a couple of simple suggestions?

    Best regards,
    François
     
  22. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    62
    Location:
    Earth
    @hsdev
    Is Ghostpress integrated with Riot Isolator?
    Will Ghostpress be discontinued or will it be getting new updates?
     
  23. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @fblais We are testing our security tools with self-made debug programs and with public malware. Is there any feature you want to test, or just all?

    @Rafales Ghostpress won't be discontinued. It has some more advanced protection features which we do not plan to add to Riot Isolator, for example the key press delay protection. Riot Isolator contains a light version of Riot Isolator for maximum speed and low resource use.

    Edit: Ghostpress is getting updated really soon with two new languages and a fixed update system due to the last domain move.
     
  24. guest

    guest Guest

    :doubt:
    I think you mean "contains a light version of Ghostpress" ?
    Edit: Yes, it's Ghostpress.
     
    Last edited by a moderator: Feb 25, 2017
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Sounds interesting, I believe Emsisoft's behavior blocker also has a similar feature.
     