Playing with Cyber Hawk

Discussion in 'other anti-malware software' started by aigle, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hello everyone!

    Sorry for taking so long to get back to you all about the recent issues brought up over the weekend, but in general we're only able to monitor this forum during regular business hours. We got on it first thing this morning and have been working on clarifying the issues raised.

    I quote Aigle's questions above to Kurt because they do a great job summarizing all the main questions I believe I saw posed in the thread. One that's missing is the question on Starware Toolbar, and I'll again defer to Kurt on that since he's the best at analyzing specific threats. But now on to all the answers so we can get this all cleared up!

    First of all, thanks to all for bringing the serious deficiencies in our Privacy Policy to our attention. You are all correct that we missed quite a large piece of what's involved. This was not at all deliberate. I hope we're able to communicate to you all that we really are trying to put out the best behavior-based software available and we take our user concerns seriously. We have always acted quickly in response to user concerns and we track all suggestions for further improvement. The current Privacy Policy omissions are nothing so exciting as to be sinister in nature; they were simply overlooked.

    You'll see that we've already posted a new article in our knowledge base (http://www.novatix.com/support) and we will be updating the Privacy Policy on our website later today. Here is a copy of our latest knowledge base article:

Why does Cyberhawk "phone home" occasionally?

If you have elected to participate in Cyberhawk’s Secure Community and you have the Community Protection option set to “On”, Cyberhawk will occasionally attempt to connect with the Novatix server, or “phone home.” This is done for a variety of reasons to ensure the program is as up-to-date as possible. So that you fully understand what is happening when this occurs, here is a listing of what Cyberhawk looks for when it checks in with the Novatix server, when it checks in, and any information that may be sent back to Novatix:

    • Updates to the Cyberhawk whitelist or blacklist. If updates are available they are pushed down automatically in the background. Information sent to the server includes the version of the whitelist and blacklist on your PC so that the server can tell Cyberhawk if a newer version is available. This is checked once every 4 hours. (Cyberhawk’s whitelist and blacklist do not affect overall protective capability—they are included simply to simplify some user interactions with Cyberhawk. Cyberhawk will always first and foremost check behaviors when determining if something is malicious.)
    • Updates to the main Cyberhawk program, i.e. if you have v. 1.1.x, Cyberhawk will let you know that there is a newer v. 1.2.x available for download. Information sent to Novatix includes the current Cyberhawk version installed. This is checked once every 4 hours.
    • Count updates for the Cyberhawk Protection statistics shown in the Cyberhawk user interface under the Security Status tab and in the periodic Security Status report. Statistics gathered from the entire community are shown under Cyberhawk Secure Community Protection. Your PC’s local counts of these statistics are also sent to Novatix to be included in the overall community statistics. If you have elected not to participate in Community Protection, then you are shown a cached version of the stats from the last time Cyberhawk connected with the Novatix server. This is checked once every 4 hours, or upon opening the Cyberhawk GUI or Status dialog.
    • Event data is sent up when a program triggers one of Cyberhawk’s three alert dialogs. The data is sent after the dialog is closed and includes the following: the response to the alert, a copy of the triggering file and associated information such as its path, size, and information from the file's version block, if available: The file version number, the product name, the manufacturer name, and the file description. We also send up the OS version and the Cyberhawk version numbers. Early versions of Cyberhawk also collected any relevant IP addresses to map geographical outbreaks of new threats, but we have since decided that this information is currently not useful to us. We are no longer collecting any IP addresses and any previously collected IP addresses will be deleted.
    • On first time run, we collect information about any browser plugins on the machine to aid in decreasing false positives in the future. Information collected on a plugin includes its path, size, and information from the file's version block, if available: the file version number, the product name, the manufacturer name, and the file description. These actual files themselves are not sent back to Novatix.

I hope this clears up what is transmitted and when. All information is used SOLELY for the purposes of researching new malware threats and for providing better protection for all users. There is absolutely no personally identifiable information transmitted at any time.

    Now on to the specific questions quoted above:

    1- Why it is necessary to turn on community participation to get updates?
    Community Protection is currently tied to automatic updates because it is in Novatix's best interest to have as many participants in the Secure Community as possible. The more participants, the more chance we'll see a new emergent threat and we'll then be able to analyze it for heretofore unknown behaviors. When we run across these types of new threats we're then able to build new rules into Cyberhawk to protect against similar such behavior. Yes, it may not seem quite fair, but because it may be seen as an inconvenience, we're hoping that most users will participate in the Secure Community.

Even if you elect not to participate, you can always simply manually check for updates whenever you like. Also, the later Pro version may allow you to opt out of community protection yet still receive auto-updates. Even so, if you do not choose to participate you are still getting a very high level of protection. Always remember that Cyberhawk is always looking at behaviors and will always protect you--that doesn't change whether you're participating in the community or not. There may be incremental updates that you miss out on (but can always get by manually checking updates), but you'll have the lion's share of protection when you first install Cyberhawk.

    If you review the types of data that could conceivably be transmitted while participating (see above), you'll see that there is absolutely no personally identifiable data involved.

2- What is this filter driver installed by CH? It means all my passwords and secret data are passed through this driver. How can I be sure it is not leaked?
    One of the methods that Cyberhawk uses to identify keyloggers is to watch how other programs respond to keystrokes. In order to do this analysis, we need to know when a key was pressed. Cyberhawk does not remember which keys were pressed. It is not at all necessary for our analysis to know which key was pressed, only that one was. And we certainly do not store or transmit any information about your keyboard use. In order to provide intelligent detection of keyloggers that does not result in a tremendous false positive rate, we have found that this is a very good approach. And again, none of your actual keystrokes are being monitored and nothing is stored or transmitted.

3- Why is it that if I turn off updates and community participation, CH still tries to phone home?
    This is actually a recently discovered bug. Cyberhawk is not supposed to behave this way at all. When you turn off Community Protection, Cyberhawk should not attempt any outside communications. You will see this addressed in a future update.

4- Even if I turn off Updates and community participation, on the next reboot they are turned on again. Is it something that I should expect? Why is the decision not in my hands?
    Same thing here--this is definitely a bug. We do not intend to force you to participate in Community Protection. We want to give you a way to opt out and I apologize that it is not working properly at this time. This will also be addressed in a future update.

    One last question not included in Aigle's list above is that of disabling the Cyberhawk service. There is the option to suspend Cyberhawk through the tray icon, but we understand that there may be cases where you wish to fully disable the service as well. As part of our protection against malware which may wish to disable your security services, we currently do not allow you to disable the service unless you are in Safe Mode. In a future version we hope to allow a password protected disabling option which would still allow you the flexibility to disable the service but would make it difficult for the bad guys to do the same. I'm sure we'd also hear complaints if it were too easy to disable Cyberhawk, so we need to strike a balance where you're still protected but you still have the control you require over services running.

    I hope I've covered everything. I'm sure you'll let me know if there's something I missed. :) But please do let us know if you have further concerns--we want to make sure everything we're doing is clearly understood.

    Kind regards,

    Becky Dubrow

    (edited to correct small typos)
     
    Last edited: Nov 6, 2006
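The keylogger heuristic described in the answer to question 2 above (watch how other programs respond to key presses without recording which key was pressed) can be modelled as a timing-correlation check. The following is an added example written for this thread, not Cyberhawk or Novatix code; the process names, pids and event timings are constructed sample data, and the 50 ms window, 0.8 threshold and foreground exemption are assumptions chosen for illustration.

```python
# Added example (not Cyberhawk/Novatix code): a content-free keystroke
# correlation heuristic. Key events carry only a timestamp, never a key code,
# so nothing stored here could reconstruct what the user typed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class KeyEvent:
    """A key was pressed at t_ms. Deliberately stores no key code."""
    t_ms: int


@dataclass(frozen=True)
class ProcEvent:
    """An observable action by a process: a file write or a socket send."""
    pid: int
    name: str
    t_ms: int
    kind: str  # "write" or "send"


def _action_follows(t: int, times: Sequence[int], window_ms: int) -> bool:
    """True if the sorted action times contain one in (t, t + window_ms]."""
    for x in times:
        if x > t + window_ms:
            return False
        if x > t:
            return True
    return False


def keystroke_response_ratio(
    keys: Sequence[KeyEvent], procs: Sequence[ProcEvent], window_ms: int = 50
) -> Dict[Tuple[int, str], float]:
    """Per process: fraction of key presses that are followed by one of its
    actions within window_ms. Only timing is used, never key contents."""
    times: Dict[Tuple[int, str], List[int]] = {}
    for e in procs:
        times.setdefault((e.pid, e.name), []).append(e.t_ms)
    ratios: Dict[Tuple[int, str], float] = {}
    for proc, ts in times.items():
        ts.sort()
        hits = sum(1 for k in keys if _action_follows(k.t_ms, ts, window_ms))
        ratios[proc] = hits / len(keys) if keys else 0.0
    return ratios


def flag_keystroke_responders(
    keys: Sequence[KeyEvent],
    procs: Sequence[ProcEvent],
    window_ms: int = 50,
    threshold: float = 0.8,
    min_keys: int = 20,
    foreground_pid: Optional[int] = None,
) -> List[str]:
    """Names of processes whose actions track key presses at or above
    threshold. The foreground (focused) process is exempt because it is the
    legitimate recipient of the keystrokes; min_keys avoids flagging on a
    handful of coincidences (a source of false positives)."""
    if len(keys) < min_keys:
        return []
    ratios = keystroke_response_ratio(keys, procs, window_ms)
    return sorted(
        name for (pid, name), r in ratios.items()
        if r >= threshold and pid != foreground_pid
    )


# Constructed sample: 30 key presses 200 ms apart starting at t=1000 ms.
SAMPLE_KEYS = [KeyEvent(1000 + 200 * i) for i in range(30)]
SAMPLE_PROCS = (
    # focused editor (hypothetical pid 100) handles each key press itself
    [ProcEvent(100, "notepad.exe", k.t_ms + 5, "write") for k in SAMPLE_KEYS]
    # hypothetical logger (pid 4242) appends to a file 10 ms after every key
    + [ProcEvent(4242, "logger.exe", k.t_ms + 10, "write") for k in SAMPLE_KEYS]
    # unrelated service (pid 900) sends on a fixed 1 s timer, unrelated to keys
    + [ProcEvent(900, "svchost.exe", 1010 + 1000 * i, "send") for i in range(7)]
)

if __name__ == "__main__":
    for (pid, name), r in sorted(keystroke_response_ratio(SAMPLE_KEYS, SAMPLE_PROCS).items()):
        print(f"{name:12s} pid={pid:5d} ratio={r:.2f}")
    print("flagged:", flag_keystroke_responders(SAMPLE_KEYS, SAMPLE_PROCS, foreground_pid=100))
```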
  2. Roger_

    Roger_ Registered Member

    Joined:
    May 7, 2006
    Posts:
    89
    Location:
    Portugal
    Hello Becky,

    Thanks a lot for the detailed explanations that were really needed for us to understand what is really happening behind the scene.
As I wrote before on the nasty interaction with the Perfect Disk service, it is really needed to de-activate Cyberhawk, and it is not at all practical having to restart the system twice (the first in Safe Mode) to achieve that. Other reasons might also be valid for us to disable Cyberhawk, for instance allowing some other security software installation.
    An option from inside the application itself would do as the setup exe also performs similar operations while updating versions...

    Roger
     
  3. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi Roger--

    We did make a note of the conflict with Perfect Disk so we can address that in a future update.

    I'm sure we'll figure out a good way to allow users to disable the service from within the app itself.

    Thanks for the suggestion,

    Becky
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Hi Becky, thanks for all your explanations.
Keep up the good work. I feel a bit satisfied; I am not an expert about privacy issues but just a concerned user.

    Thanks.
     
  5. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Thanks, Aigle. We certainly understand that privacy issues are of the utmost concern to all of us these days, so we want to make sure our users are comfortable with our policies. Or if you find yourself not comfortable with a certain piece, then we want you to be able to opt out of that piece and still continue to use Cyberhawk. We do believe in full disclosure though and will continually strive to ensure everyone has the latest information.

    Becky
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
Hi folks at CyberHawk, many thanks for your timely explanation. I am not a cybertech, just an average joe, using the computer extensively every day. My concern is rooted in a user's perspective. Your lengthy press release seems adequate; however, you have left a big hole wide open. Allow me to point it out. In your release, you have mentioned that freeware users can elect to turn off community participation, and the penalty is NO auto-update, although manual update is still available. In the meantime, pro version (to be released very soon?) users, even if they choose to opt out of community participation, STILL get auto-update. What is this all about? This reminds me of the Prevx Home vs Prevx Pro scheme (both have been buried 6 feet deep). Can I say again there is NO free lunch in cyberspace. And you are typically using freeware users for rabbit-eye testing. Excuse my blunt reply. Best Regards,:-*
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Hi Perman, every software developer does need money, it's very simple. Will you work free for others, and if so, how long?
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
Hi folks: Aigle, you are absolutely right on the money. Everyone needs to make money to survive (including myself). But using freeware in a questionable fashion to perfect its cash cow (pro version) is a moral issue. Don't you agree?:-*
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
I take it as an advertisement and I don't expect them to announce "hey we are launching a free product, use it and when it goes gold it will have a paid pro version and a stripped down free version".
To be honest it's part of modern business (that is based upon no ethics). I personally will never do this. If I were the one, I would like to announce it clearly from the very beginning that -- this product is under development, you can use it on your own behalf and when it is fully developed it will have a paid version and a free limited version. -- And I am sure if such a product is good, people will still use it and will help to improve it, though in this case it might take some extra time, but at least you are truly honest in that case. BTW I don't see such a clear business model anywhere.
I think they could have launched another few betas and then launched free and pro versions together; that might have made a better image for their business practice. What's your opinion?
I don't mean to attack anyone here, all these are just my personal views..
     
  10. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
In the next version Becky said that manual update is going to be available for those who do not wish to contribute to the community support, for whatever reasons they may have. I don't see this as an issue at all. I remember when Prevx was first out and the community issue was a concern then and many posters were freaked by the security possibilities; this was more scare reaction and tactics rather than facts and I doubt whether there are now any concerns concerning Prevx.
I don't have a problem supporting community reporting with Cyberhawk as it's kind of like donating to a company that is able to provide a good security product; this time it's donating towards making Cyberhawk a better product and up to date in real time with current issues that we all may face in cyberspace. I'm comfortable with the way Cyberhawk support also listen to these concerns and are willing to make changes to their product to constantly improve it.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
In general, for any free software, I have somewhat similar thoughts and I feel as if I am at least paying something for using a free product. I hope I will try to make a community participation as well. Privacy issues are sometimes really hard to decide.
     
  12. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Thanks for the post, Duke.
We examined the toolbar in our lab and, for the most part, the latest version appears to be pretty well behaved. The components it installs are selected as options at install time, and it is easily uninstalled (you might notice that some other anti-spy companies suggest that this toolbar is a keylogger. From what I have seen, this description is somewhat misleading -- the toolbar includes a keyboard hook. But this keyboard hook is the same hook that the toolbars from the major search engine companies use. The hook seems to be limited to legitimate activities within IE and I would not call it a keylogger.)
    However, I observed what may be some objectionable behavior -- text input entered at the google search engine web page is collected and sent off of the machine by the toolbar components. Then, the toolbar receives a response from its servers and displays embedded ads at the bottom of the IE browser window based on those keywords.
    Keep in mind that this toolbar is easily uninstalled, and this input-collection/communication-off-of-the-machine type of behavior does not continue after the toolbar is uninstalled.

    An upcoming feature may include detection of this behavior -- unexpected input collection and communication off of the machine. You will see more improvement here...


In our lab, the Starware components do not affect Firefox -- they are IE specific. These sorts of IE components are not used by Firefox unless extensions have been installed, I believe.
    I also do not think one would say that web sites are "using IE through Firefox". The components for javascript, etc, are installed by firefox (you won't see mshtml.dll loaded into the Firefox 2.0 address space, because it has its own javascript module).



    Thanks again,
    Kurt Baumgartner
    Chief Threat Analyst -- Novatix
     
  13. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thank you Ch Support, it is appreciated.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, all

    Please keep on playing with CyberHawk. The effort this company is making to tackle the issue brought up by this community, could well make it one of the best tested security programs ever.

    So as a community lets make a deal:

    We will keep on testing CyberHawk free version for free and CyberHawk corp will stay responsive and provide the light version for free.

One member called this rabbit eye testing, but to me it is painless. Most of us use an additional security layer (like sandboxing or another HIPS).

At home my wife needs an easy to use security setup, while my son always had a tighter defense (white list HIPS plus sandbox). Their different PC behavior was the rationale for the difference in their security setup.

    With CyberHawk and a user friendly Sandbox like DefenseWall (paid or BufferZone free with a stronger/more expensive PC) I think the user friendly setup is "breathing the tight setup in the neck" when it comes to defense strength race.

    Thx all
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
Having read through this thread about CH I thought I would have a look at it. On trying to install it, it asks for the latest version of IE. Why? That is one program I do not want running on my machine.
     
  16. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Totally unacceptable IMO. I would never install software that transmits whole files from my computer.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
I am not an expert in privacy matters at all. But still I think they might need to revise a lot here if they want good community participation.
     
  18. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
Hi, folks: Whether you like it or not, I call this practice a police investigator's work. When you trigger one of their three....., then you are subjected to submitting a FULL report, including those intimate moments. It is abs---. CH is their flagship product; bread and butter, after converting from SEND PHOTO, an imaging venture. They must make it a success. I do wish they can learn from this issue and make themselves a better one.
     
  19. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Business model discussions aside, I just wanted to reiterate that we are not compromising the protective capability between the free and paid versions of Cyberhawk. Each version will continue to have the same high level of protection, which by the time the Pro version is released will be even more improved from what you are currently receiving for free.

    And even if you choose not to participate in Community Protection you are still protected by Cyberhawk. Our model is not at all like Prevx's where you have to be online in order to check a database of files submitted by their community. With Cyberhawk you are protected whether you're online or not, and whether you're participating in Community Protection or not.

    Having users participate in the Cyberhawk Community is primarily beneficial to Novatix to help us in seeing and understanding new threats and helping to reduce false positives, and then secondarily beneficial to all users in that Novatix can continue to improve its products and overall protection. But NOT participating in the community does not compromise your protection (beyond the slight inconvenience of having to update manually for minor incremental updates). Cyberhawk will still continue to analyze behaviors and based on what it sees it will alert you to any irregularities. Your protection is not compromised if you do not participate in the Community.

    And to address Perman's question about including the option to turn off Community Protection yet still receive auto-updates in the paid version, it's again all about choice. To some users it will be worth the small price to pay for the Pro version to get access to the additional features and options. For some of these users the convenience of having auto-updates alone may be worth the price. For the others who prefer not to pay, we're still providing you a way to get updates and full protection and not have to participate in the Community--we're not shutting you out. It's up to you to decide which will work better for your personal situation.

    We also understand that we'll never be able to please all of the people, all of the time. We try our best to accommodate as many users as possible, but designing the perfect software for everyone is a little tricky. :)

    We actually feel we're providing an incredibly high level of intelligent protection for free. Of course we'd prefer that you participate in the Community to help us out, but we know that some folks might prefer not to. That's the whole reason that from the beginning it was always entirely optional whether to participate or not. (and we're aware of the current problems that prevent keeping the Community setting turned off--again, we'll make sure that's addressed in our next update.)

    Hope this helps.

    Becky Dubrow
     
  20. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi Perman--
    Again, this is true ONLY if you have the Community Protection option set to On. If No, then this is NOT required.

    Becky
     
  21. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Hi djg05--

    IE 5.5 or later is only required to be installed on your system because Cyberhawk makes use of one of the bundled components. You certainly do not need to use it as your default browser. Cyberhawk uses the web browser control piece bundled in IE's components in our main application or when displaying the product Orientation.

    This is not unusual--many other applications make use of this control.

    Becky Dubrow
     
    Last edited: Nov 7, 2006
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
Hi, folks: thanks, Becky, for clearing this up. As I said earlier, I, and perhaps most users, do love your product, and believe it will be one of the excellent apps one day. And this journey will not be smooth sailing. Keep up your hard and good work and most importantly, your open-minded approach. As soon as your Pro version becomes available, I will take a good look at it. Have a nice day.
     
  23. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Thanks, Perman.

    Keep those questions and concerns coming! We want to make sure you're comfortable using Cyberhawk.

    Becky
     
  24. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Aigle - here is some information on the misses that you listed. Some of these samples' behaviors blur the line between malicious/destructive and dishonest actions on a system. A few of the misses, however, will be addressed in upcoming releases of our product.
A number of these samples have a very low prevalence. If you find some copies of more prevalent malware (especially trojans and worms), I think that you'll find more prevents in the list. But we want Cyberhawk to be completely effective, so please continue with your usage and posts!

    WinFixer -- what might be called another implementation of fraudware (or ransomware), the latest version of this software's behavior does not appear to be inherently destructive or immediately malicious. It may operate in much the same way as scam emails, which a purely behavioral based product cannot prevent.

    Browsezilla -- we'll look further into why there may be files copied to sensitive locations, but we have not reproduced this activity in the lab.
    The background network traffic that the browser produces is not immediately malicious to the user (but it seems to be very dishonest). Just as with an RSS feed, background network behavior is not necessarily malicious. There may be some characteristics in the volume of the traffic that this browser produces, but just observing this type of traffic doesn't raise any red flags to me. We'll have to get creative in dealing with its type of behavior.

    NewdotNet -- the Cyberhawk blacklist kicks in on this installer in the lab and prevents the install. (Aigle - Several Service Provider Interfaces (SPI) would appear in the network stack and a BHO would appear on your system if the install were successful and the Cyberhawk prevention ineffective.)

    SpySheriff -- you might call this software fraudware or ransomware. Cyberhawk stops its nasty actions during the installation routine, as you noticed. When this software is installed more commonly via the VML or WMF driveby exploits, Cyberhawk stops the buffer overflow exploit and this fraudware is never installed.
    While a signature based product may recognize individual components of fraudware right away, the product's scanner component that you found does not behave in an immediately destructive or malicious manner on the system. Cyberhawk does not flag this component because on its own, this individual piece is not performing malicious activity.

    Thanks for the note. We have been reviewing the methods that the simulator uses to run a few tests and will be improving the product.

    In the lab, this thing is totally inconsistent. But, in another post in this thread, I mentioned that most likely, Cyberhawk can be more aggressive in identifying this type of behavior on a system.

    I will have to further review the components that made it onto the system. In our lab, the install's behaviors were prevented properly.

    Thanks for the note! While we already stop other variations on methods of bringing down the firewall or automatic system updates on a windows system, we will be improving on a few behaviors (like the ones in this sample) in an upcoming release. Hang on to your sample!


    Thanks again for your interest in Cyberhawk.
    Kurt
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Hi Kurt, thanks for your feedback.
I would like to mention one more fact: I have found sometimes inconsistent behaviour from CH, stopping/alerting some events at one time and not doing this at another time (though it's occasional). I am not sure if you are aware of any such bug in CH. Maybe I have found this inconsistency because usually at that time I am using multiple malware samples that might have caused some conflicts. As I said, it's not so common though.
Regarding Browsezilla, I was just speaking of running its installer, which copies multiple files. Once it is installed, I agree that it may not be doing anything malicious enough to trigger CH (but you are the better person to judge).
     