AntiMalware by Trustware

Does this mean you have to specify "Trusted" files/programs to be protected along with "Untrusted" programs to be restricted? How can you restrict the likes of Internet Explorer from accessing and changing real system files (e.g. fonts, cache, Microsoft's Java VM) or registry keys without breaking it?

If you are creating "shadow" files or registry keys to accommodate all attempted changes, how long do these last? (e.g. could user-requested changes vanish on reboot like with DeepFreeze and similar software). What happens if an untrusted program uses a Windows component to do its dirty work? (possible examples include cmd.exe, rundll32.exe, net.exe). What if a user decides a download is actually trustworthy (e.g. an anti-virus scanner) - do they have to reinstall it as a trusted program? Finally, how about multiple untrusted programs - do they each see different files/registry key values or do they all see the same "Untrusted, temporary" values?

What happens if that trojan tries to install a driver or create a keyboard hook? Or for that matter tries to access Physical Memory to overwrite the Service Descriptor Tables? (which could disable any other security software - including the likes of Process Guard, though this can now block physical memory access).

If anyone running BuferZone wishes to investigate, visiting the Win2K/XP SDT Restore page and trying that utility would be a good initial test (I'm running rather too many other betas to consider testing it myself at the moment).

 

Hi,

First let me introduce myself: I'm Eyal Dotan, the author & CTO of AntiMalware. I'm glad to answer as I regularly read this forum, but rarely post.
Like Eldad said, what AntiMalware's BufferZone does is virtualize untrusted processes "Write" access to FileSystem & Registry.

You don't have to decide what files to Trust. What you need to decide is basically what's your scope of protection.
Example: in the full Home versions we Untrust by default Internet browsers & P2P & Messeging programs. In Corporate versions, we additionally Untrust any Unknown new program that arrives after our installation (unless authorized by the admin console).
Paranoid, the difference with standard HIPS solutions is that we *don't* restrict access to protected files. We just emulate Write operations on them.

The idea came from the fact that protecting certain registry keys / files with ACCESS_ALLOWED / ACCESS_DENIED becomes at some point a compromise between security and usability: either you protect all the risky files/keys (and God... there's a lot) and then many programs won't function properly (or alert too much); or you protect less system resources and then more programs will work correctly, but some smart hackers will find their way through.
For example: if you protect the HKLM\..\RUN key, you will prevent simple intrusion programs. But smart ways of getting through may be for example to create a malicious DLL and register it as a Shell Extension, which will then run at every startup.
This is why virtualization is stronger: because it is flexible (for legitimate programs), it provides a very full protection (because we don't have to limit our protection to certain files / keys).

Our BufferZone registry & file system is persistent. It doesn't disappear after reboot. Not until the user decides to. This is why you can actually install software in it, and use it. Currently our virtualization isn't perfect yet, but more and more programs will function in it with time.

Nice question. BufferZone works with inheritance. Meaning that if IEXPLORE is in BufferZone, everything it downloads or executes will run in BufferZone too.

Wow, lots of questions! We really need a FAQ
Programs that you installed in BufferZone and then decide to Trust can technically be moved out of BufferZone, but we recommend to simply reinstall them as Trusted.
And yes, all Untrusted program are in the same BufferZone and see the same "Untrusted" registry & files.

BufferZone is very flexible, but some operations are forbidden. Like the ones you mentionned.
And we'll be happy to hear from smart guys around this forum if anyone can find other dangerous operations we haven't taken into consideration.

Eyal

PS: the Home version is Beta.

 

Thanks kareldjag and Painkiller.

 

Just thought you guys would be interested to know - I ran some more tests on AM. I downloaded the following tests, which ran in the buffer zone of AM <borrowed some test idea's from Kareldjag's site>

3 x Finjan data theft tests = all passed
http://www.finjan.com/SecurityLab/SecurityTestingCenter/

Ghost security http://www.ghostsecurity.com/index.php?page=freeware
Reg test 1 = failed (AM does say it allows writing to a virtual registry)
Reg test 2 = passed (no autostarts are allowed by untrusted programs)
ProcX termination test = passed (can terminate the GUI but not the Service)

DiamondCS Hooktest http://diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers
Passed

Zapass <dll injection> test http://www.whirlywiryweb.com/article.asp?id=/trojanimplant
Pass

Another test I did at a CWS website, with IE set to medium security, prevented all driveby downloads <I know the site was 'working' - I tested that first too>

 

When you mean Pass what do you mean ? ... It was able to breach the AM,

Cause i have tested all you said and didn’t get the same results.

3 x Finjan data theft tests = Blocked ... like a charm

Ghost security http://www.ghostsecurity.com/index.php?page=freeware
Reg test 1 = failed
Reg test 2 = failed

See AM alllows it to write to the reg but it's a virtual one so the program think he passed

Zapass <dll injection> Blocked and even it crashed when running in BZ cause it couldn’t Implant the DLL

So want to explain more the tests you did, like env and how you do the tests man ...

btw: put this tests on BufferZone community , I’m sure they will have a better explanation for you ...

Painkiller

 

Hi Painkiller

I see that 'pass' may have been vague. What I meant was, passed - like a test <exam> at school...a pass means you did well. In other words, AM passed the tests (by blocking those attempted datatheft, hook etc).

 

Ha ok ... so we are clear ...


COOOOOLLLLL

Painkiller
btw: keep up the good work ..

 

I´m also interested in this technology, but does it work the same as Greenborder, or are there any differences? The ability to run potenially malicious software without getting compromised sounds cool.

https://www.wilderssecurity.com/showthread.php?t=90852&highlight=greenborder

 

Yes it works like this but with any program not just internet based which is the way Green border sounds. I have not yet tried Green boarder but with anti-malware you can easily change a program from running in the trusted zone to trusted with a right click mouse selection. With Green border it says it deleted the files associated with the program but at this time anti-malware does not.

Thanks,

Chris

 

Being rather inexperienced I would like to know if I have to clean temp files in both the buffer and the real zone ?

Mucker

 

I have two computers in the house. One for my grandaughter to play on. I tried Antimalware on that computer. There is a kids web site called Noggon that she loves. It would not open. The computer just hung. That is on DSL, 1.8 GH Dell 8200

 

I installed AM Home, and it seems to have a MAJOR conflict with Prevx Home...is anybody facing this issue?
Any workarounds for this?

 

Hi Abhi, AntiMalware does not work with Prevx (of any kind). It has a major conflict with the prevx driver. Unfortunately, because the Prevx driver works even when you turn Prevx off, you can really only have one or the other on your computer system.

Mucker, if you download a file through IE to say c:\downloads <it is untrusted>....when you delete the file from c:\downloads, the file is also deleted from the c:\virtual folder where a virtual copy of it was made.

There is also an option to 'Clean Buffer Zone' which wipes all settings from the bufferzone (but doesn't wipe virtual files that have a corresponding file somewhere on your computer)....personally i would like them to make the 'Clean Buffer Zone' button something that will allow us to clean individual programs from the bufferzone (although I know you can 'release file/folder from bufferzone')

 

Vikorr,
Thanks for the reply, It helps me to understand better. Vikorr. I have Prevx1 Beta installed and Bufferzone is working OK except I can't get Yahoo to boot up--Firefox and K-mellon both work fine though. Thanks again.

Mucker

 

If you haven't already can you please report any/all the problems you have to support?

Thanks,

Chris

 

Heya Mucker, thanks for the info on Prevx1. That was the driver that caused AM to crash on my computer...and when I used to have Prevx Pro, AM wouldn't work on my computer then too...so maybe it's just luck of the draw in relation to Prevx

In relation to Yahoo, mine boots up fine, but I found it won't autostart if you make Yahoo untrusted. One sec, I'll find the answer to the question I posted to their forums:

And

Hope it helps

 

Chris, I posted in bufferzone forum and e-mailed support, thanks


Vikorr.

Idon't use Yim, I meant my yahoo browser, I don't really use it so it doesn't matter to me, but possibly to someone else may be important. this is a very interesting program, and I would like to understand it much more completely.

Thank,
Mucker

 

Doh, heh, sorry, thought's that's what you meant. Didn't know Yahoo had a browser

Some more info from the reply to the post of mine <just for interests sake on how AM works>

 

Vikorr.

Thanks for the reply and the info.

Mucker

 

Do you think I should go ahead and uninstall prevx home? Is AM better than prevx in protection from trojans, spywares, viruses etc.? What do you suggest?
Vikorr , I look forward to your comments too!!

 

From the tests I ran on it, and the replies I recieved from the BufferZone support people in their forums, I would say that yes, AntiMalware is better protection for your computer than Prevx. Certainly AntiMalware doesn't throw up popups that require you to answer a question that you could get wrong, like Prevx home does <not saying that Prevx is bad, just that AM is more userfriendly, and I would say it offers more protection than Prevx>

Also, just remember that when installing certain programs (not all), they should be installed as trusted, because the bufferzone basically stops the use of drivers, and prevents autostarting.

In relation to drivers re installing -drivers are often used by other security software <+ some others>, but if any malware uses a driver - they are really bad...so preventing drivers from working in the bufferzone is a good thing.

 

Great info, Vikorr. Thanks a ton!

I have been trialling Sandboxie and its also pretty user friendly and claims to offer extended security through virtualization.
How does AM compare to sandboxie? I feel they use the same philosophy.

 

The only problem with sandboxie is that my laptop's touchpad scroller stops working when I open Firefox using sandboxie.
If I open firefox without sandboxie the scroller works fine!

 

I've never tried sandboxie, but from posts of others, it seems the following are the differences : <someone correct me if anything about Sandboxie is inaccurate>

Sandboxie :
It appears you have to manually start SB (not sure about this)

Is a virtual environment : anything run inside sandboxie (eg IE) stays inside IE, and disappears when SB is shut down.

You have to specify which applictions SB monitors (eg, IE, Outlook, P2P, IM's, installs)

Can't install anything permanent from within Sandboxie

AntiMalware :
AM is an autostarting program.

AM is a virtual environment. Anything run inside AM (eg IE) stays inside AM, but does you never have to shutdown AM (unless you are installing a trusted program)

AM monitors all area's that may be a vector for infection (eg IE, Outlook, P2P, IM's, installs)

AM has some restrictions on what untrusted program can do - eg set hooks (used in keylogging), inject dll's (used to bypass security), and a number of other things.

Able to install simple programs through AM (but not ones requiring drivers)

Basically AM is more automated than sandboxie.

 

whew!

Almost keeping up here!
Be gentle.

Couple of questions:

-@ Vikorr Could you elaborate on:

-WHere does this app stand wrt FFox

-If I understand (?) this app allows installation of Malware/untrusted apps in the virtual HD but disallows permission to run. How are these malwares removed?

-is a permanent log or record kept of these sessions monitored by AM and how are these stored +/- deleted?

-I saw a comment that "trusted installs are allowed to operate/install to the real HD, or does AM just keep them in the virtual space?

(head spinning now must go for fresh air)

Regards.