Emsisoft's new Mamutu pre-beta

Discussion in 'other anti-malware software' started by shaddi, Oct 6, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. I totally agree.
     
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thanks, Lusher, I didn't know that.

    Until I read Lusher's comment I was getting the idea that a king had died, and fcukdat had ascended to the throne.:cautious:

    I am glad to see Emsisoft is entering the HIPS arena & shall likely give mamu2 a spin.
     
  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    The pre-beta installed with no problems here.
    Resource usage is 18,104k.
    The GUI is designed well, easily navigated.
    Thanks for posting the link, shaddi.
     
  4. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    Hi shaddi

    A quick test on WINXP SP2 Real System (Not VM)

    A) Appearance:
    The GUI is nice, but I think a more eye-catching color is required.
    The icon is washed out and not crisp; also, the difference between active and disabled protection is not noticeable enough.

    B) System Resources Utilization
    I didn't notice any system delay. Mamutu has only 2 processes: A2service.exe at about 6200K, and mamutu.exe at about 5600K.

    C) I tested Mamutu against the following:

    TEST 1 - A commercial Trojan ("Bifrose" version) which does the following:
    * Create a server file in windows/system32
    * Add an autorun entry in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    * Inject code into iexplorer.exe
    * Run the hijacked iexplorer.exe
    * Use the hijacked iexplorer to connect to the internet.

    TEST 2 - A Themida-protected version of the same Trojan.

    TEST 3 - An innocent exe file in which I embedded the Ardamax commercial keylogger, which does the following:
    * Create a hidden folder in windows/system32 which contains its process + logs
    * Hide its plog.exe process from Task Manager
    * Create an autorun entry in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    * Use plog.exe to capture keystrokes

    TEST 4 - Copycat.exe Leaktest File

    TEST 5 - Scoundrelsimulator.exe

    TEST 6 - DFK-threat-simulator

    TEST 7 - Martin Undetectable KeyLogger



    Default Setting test (intelligent false alerts reduction is active) "MINIMUM SECURITY"

    Test 1: Mamutu failed 100%; all the Trojan's activities were allowed, including the reg. autorun!

    Test 2: Mamutu caught only the reg. autorun entry, and failed to stop all other activities!
    I think it succeeded in catching the reg. autorun this time because the encrypted Trojan takes a longer time to do its activities, so Mamutu has enough time to catch the reg. autorun addition.

    Test 3: Mamutu failed 100%; all Ardamax activities were allowed, including the reg. autorun!

    Test 4: Mamutu failed; injecting code into iexplorer.exe was allowed without any alert.

    Test 5: Mamutu failed 100%, and Scoundrelsimulator was able to:
    * Change the IE homepage
    * Disable Internet Options
    * Disable Registry Editor
    * Add a startup entry in the Registry
    * Add a startup entry in the startup folder

    Test 6: Mamutu failed 100%, and DFK was able to do all its dirty jobs, including planting a rootkit and all the others, which are very well known so there is no need to name them.

    Test 7: Mamutu failed.

    Note: Mamutu detected AVGAS while it was updating its database and fired the alert "Connecting Internet Invisibly". While it's a good sign to detect this, on the other hand I think there is no need to detect such activity from a legitimate app in this "Minimum Security" setting, which failed completely against real threats; maybe a white list of known common security apps would do the job, or even suspending this kind of detection for resident, visible Windows applications which have visible tray icons. "Just my opinion."

    Conclusion: This default setting with "Active intelligent false alerts reduction" is worthless and by no means should be the default setting.




    Disabled intelligent False Alerts Reduction test "MEDIUM SECURITY"

    TEST 1: Mamutu succeeded. A Hide Installation alert was received; when DENIED, all Trojan activities were stopped; when ALLOWED, the Trojan created its server file but failed to start the iexplorer.exe process, and another alert, Autorun Key Creation, was received.

    TEST 2: Mamutu succeeded. A Hide Installation alert was received; when DENIED, all Trojan activities were stopped; when ALLOWED, the Trojan created its server file but failed to start the iexplorer.exe process, and another alert, Autorun Key Creation, was received.

    TEST 3: Mamutu succeeded. A Hide Installation alert was received; when DENIED, all keylogger activities were stopped; when ALLOWED, Ardamax created its hidden folder, but plog.exe ("the main process of the keylogger") was not even allowed to be created, and no autorun entry was registered either.

    TEST 4: Mamutu succeeded. A Code Injection Behavior alert was received, but iexplorer.exe, which was the targeted process for Copycat, hung, and ending the iexplorer.exe process from Task Manager was necessary to close IE.

    TEST 5: Mamutu failed 80%; it only succeeded in preventing the registry autorun addition, but failed in all 3 other registry change tests and the startup folder addition test.

    TEST 6: Mamutu failed 80%. The rootkit was allowed, the keylogger was allowed, the Spyware Simulator was allowed, and its automatic startup by adding the "Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run" registry key was also allowed; but Mamutu succeeded in stopping the swfactive.exe Trojan, firing the alert "Backdoor Behavior", and also stopped vanquish.exe from injecting its code into other processes, firing the alert "Code Injection Behavior".

    Test 7: Mamutu failed.

    Conclusion: I think Mamutu doesn't monitor service or driver installation in this setting.




    Disabled intelligent False Alerts Reduction & Activate Paranoid Mode test "MAXIMUM SECURITY"

    TEST 1: Mamutu succeeded; same results as above ("MEDIUM SECURITY").

    TEST 2: Mamutu succeeded; same results as above ("MEDIUM SECURITY").

    TEST 3: Mamutu succeeded; same results as above ("MEDIUM SECURITY").

    TEST 4: Mamutu succeeded; same results as above ("MEDIUM SECURITY").

    TEST 5: Mamutu failed 80%; same results as above ("MEDIUM SECURITY").

    TEST 6: Mamutu succeeded 80%. The swactive.exe Trojan was stopped; the win23l.exe keylogger was stopped, firing the alert "Code Injection Behavior"; the rootkit was stopped, firing the alert "Service Installation" against vanquish.exe; IE was also successfully stopped from downloading extra malware, firing the alert "Trojan Downloader Behavior"; but the Spyware Simulator was allowed, and its automatic startup by adding the "Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run" registry key was also allowed.

    Test 7: Mamutu failed.




    Personal Final Conclusion:

    Mamutu is light on resources.
    Mamutu's GUI is nice but not an eye-catcher; by the way, A-Squared is a real eye-catcher.
    Mamutu is a powerful security add-on when used with "Maximum Security"; however, there are more powerful behavior blockers available.
    Mamutu is a joke, or a completely worthless security app, when used with its default settings.
    Mamutu needs to do a lot more to secure the registry, since it monitors only a very few startup locations.
    Mamutu doesn't monitor where files are created.
    I think the "MAXIMUM SECURITY" setting should be the default setting.

    By all means Mamutu is a very welcome application in the field of behavior blocking, and I think this alpha release is a very good start in making a robust and nice behavior-blocking application.

    Thanks, Emsisoft, for giving us this test-drive opportunity, and all the best for your very welcome MAMUTU.

    Metting
     
    Last edited: Oct 7, 2007
  5. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,316
    Location:
    Earth
    Hi, where do beta testers send info/feedback so we get a free licence? Thanks o_O Also, above poster, what other applications do the same thing?
     
    Last edited: Oct 6, 2007
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    If I'm to understand right, this will be a portable or, in 98 terms, a standalone app, right? If so, it should prove to go over very well once MANY misses are addressed and the code improved on.

    I also pass along my own thanks for offering us Wilders members first shot, if you will, at the alpha, but I stand in full support of fcukdat's apprehension. Maybe he expresses it more aggressively than most, but please keep in mind, MOST if not ALL security vendors, and especially Emsisoft, would as common practice already run it in alpha form through their in-house and outsourced (free) testers "FIRST" before making such an announcement.

    I don't take either side for or against, only you have to admit that, based on past similar distributions from the likes of Lavasoft and a few others, any alpha pushed out the door to the public so early is bound to stir up serious concerns, especially for the more experienced users (which Wilders abounds with), which as a matter of course can't help but make one wonder just what the motive really is, if any.

    I harbor only one disappointment in this practice, and that is setting a hard coded time limit on an alpha? :blink:

    Anyway, let's see what develops.

    Peace. Out.
     
  7. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.

    Emsisoft forum soon, according to this quote from shaddi's last post:
    "The only reason why it is not on the page and in public beta yet is, cause we are finishing the product page. Expect this to be done within the next days, possibly even tomorrow".
     
  8. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Mamutu caught Trojan Simulator.
    That's with paranoid mode setting.

    I agree with Metting's assessment of the tray icon.
    It needs to show the difference between active and disabled better.
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi, as a happy user of A-squared anti-malware, I will be watching this thread with interest. This new product looks like the IDS feature already incorporated with A2 AM. Thanks for the pics sukarof :).

    I consider the IDS a huge strength for A2, but wonder about its separate viability. It would be nice to know more about what Mamutu is. I also don't like the name so much, although it's different. Thanks for considering Wilders as a test group.

    innerpeace
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi all,

    First: I am just an A2 Malware user, not related to A2.

    My thoughts about the alpha status.

    It seems to me to be the IDS module of A2 Malware. The IDS module of A2 Malware is still somehow connected to the real-time blacklist. For example, it considers keyloggers as risk-ware. Protection against risk-ware is an option of the on-demand blacklist part of the software instead of the IDS.
    When you re-assemble the module structure of a program, in principle you have to test all the possible logic paths again (Google for TMAP, the world's leading testing method). That costs a lot of effort when it is 'only' a subset of existing software. So what you do in practice is run your existing test cases against the new re-assembled program and, when it passes, you directly put it in a live shadow environment for a functional acceptance test. We, the members of Wilders, are considered this live shadow environment. PCTools did the same with ThreatFire when it altered a proven program (CyberHawk Pro) by adding a blacklist module (more or less the same process, only the other way around: Mamutu is A2 Malware without the blacklist). When you stick to the testing theory you should name it an alpha. When you are pragmatic you can also name it a beta. It is just 'Gründlichkeit' over pragmatism, so have some tolerance for this status.

    Testing A2's IDS = Mamutu
    Metting, great job, thanks for the test. They are consistent with my tests. My tests were also the reason to run A2 IDS with Intelligent False Positive Reduction OFF and Paranoid mode ON. As I said above, the IDS only protects the run locations. As said, Vista has some file and registry virtualisation in UAC mode, so this 'hurts' XP users more than Vista users (with UAC enabled).

    That is why I use WinPooch with the posted filter set; see https://www.wilderssecurity.com/showthread.php?t=186829 . People using A2/Mamutu on XP can use the attached WinPooch filter (optimised for A2/Mamutu): open it with Notepad and save it as an ANSI file with extension .WPF. The startup folder addition is not guarded, because XP names this folder differently depending on the installed language. You can easily add this in WinPooch: just click on the asterisk, select + (for add), select File::Write for reason, select Path with Wildcard for parameter 1, enter the directory to watch, e.g. C:\Documents and Settings\All Users\Menu Start\Programs\Startup\* (Programs and Startup are language specific), select for response 'ask' + 'reject' and verbosity 'log'. Repeat this for the user startup directory.

    Your test showed that keylogger protection is indeed not incorporated in the Mamutu program. So it is still part of the blacklist real-time protection module (called the 'protect against riskware when checking started programs' option).

    I have had a lengthy discussion (PM'd, not in the public A2 forum) with the guys from A2 on the above topics. They claim that the IDS still protects against most real threats (because the sequence of events then triggers the IDS), while most test programs only test a single anomaly. Because A2 is running on my wife's PC I am not willing to test this with real malware. The other argument is that A2 with IFPR OFF and Paranoid ON is still a user-friendly program.

    The really good thing about A2 compared to others is the availability of a lot of language files and the clear pop-up messages. A2 is also one of the first to start in the XP startup process and delays the system less than, for instance, ThreatFire (web browser startup time tested).

    Regards, Kees
     

    Last edited: Oct 7, 2007
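Added example, not code from the thread, Mamutu/A2 or WinPooch: a small Python checker that flags events touching the run keys Metting's tests exercised and the startup folder Kees's WinPooch filter watches, run over constructed monitor-log lines. It generalises the WinPooch wildcard by matching the profile segment so one pattern covers both the All Users and per-user startup folders; the log line format, event names and sample processes are assumptions for the illustration.

```python
# Added example, not Mamutu, A2 or WinPooch code: flags events that touch the
# persistence locations named in this thread. The log line format and the
# sample events are constructed for the illustration.
import re

# Run keys from Metting's tests (HKCU\...\Run, HKLM\...\Run and the
# policies\Explorer\run key the spyware simulator used), stored without the
# hive so one entry covers HKCU and HKLM; compared case-insensitively.
WATCHED_RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}

# XP startup folder with the profile segment wildcarded, so one pattern covers
# "All Users" and every per-user profile (Kees's WinPooch filter needs one
# entry each). '*' never crosses a backslash. Localised folder names such as
# the "Menu Start" path quoted in the thread need their own entry.
STARTUP_FOLDER_GLOBS = (
    r"C:\Documents and Settings\*\Start Menu\Programs\Startup\*",
)


def glob_to_regex(pattern):
    """Translate a path glob where '*' matches within one path component."""
    body = r"[^\\]*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


STARTUP_FOLDER_RES = [glob_to_regex(g) for g in STARTUP_FOLDER_GLOBS]


def parse_event(line):
    """Constructed format: '<time> <process> <operation> <target>'."""
    fields = line.strip().split(maxsplit=3)
    if len(fields) != 4:
        return None
    _time, process, operation, target = fields
    return process, operation, target


def classify(operation, target):
    """Return the persistence category of one event, or None if not watched."""
    if operation == "REG_SET":
        # Drop the hive (first) and the value name (last) to get the key path.
        key = "\\".join(target.split("\\")[1:-1]).lower()
        if key in WATCHED_RUN_KEYS:
            return "registry autorun"
    elif operation == "FILE_WRITE":
        if any(rx.match(target) for rx in STARTUP_FOLDER_RES):
            return "startup folder"
    elif operation == "PROC_INJECT":
        return "code injection"
    return None


def scan(lines):
    """Return (process, category, target) for every flagged event, in order."""
    findings = []
    for event in filter(None, map(parse_event, lines)):
        process, operation, target = event
        category = classify(operation, target)
        if category is not None:
            findings.append((process, category, target))
    return findings


# Constructed sample log modelled on the thread's test scenarios.
SAMPLE_EVENTS = [
    r"10:01:02 server.exe REG_SET HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r"10:01:03 plog.exe REG_SET HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plog",
    r"10:01:04 spysim.exe REG_SET HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run\spysim",
    r"10:01:05 explorer.exe REG_SET HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
    r"10:01:06 ardamax.exe FILE_WRITE C:\Documents and Settings\All Users\Start Menu\Programs\Startup\plog.lnk",
    r"10:01:07 notepad.exe FILE_WRITE C:\Documents and Settings\user\My Documents\notes.txt",
    r"10:01:08 copycat.exe PROC_INJECT iexplore.exe",
]
```

Calling `scan(SAMPLE_EVENTS)` returns five findings: the three Run-key writes, the startup-folder write and the injection, while the Explorer\Advanced write and the My Documents write pass as benign.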
  11. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks for the tests, Metting :thumb:

    It may seem bad, but I guess that is due to the alpha stage of the software.
    I've been running it for a day and so far it is very stable. I've had no issues at all. We'll see what happens when they "enable" or fix the protection. I have the paranoid mode on and it has not bothered me at all when using Windows (XP) normally, just one warning when I uninstalled a program with "Your Uninstaller". But I just white-listed it. That is a good sign; if they manage to make it intelligent enough to not give warnings when not needed (without having to train the software), this might be a keeper (if I ever decide to go back to admin mode, that is :) )
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Been running it for a day and no complaints. Very light and does work well, as I found out.
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    it seems that with it set to the paranoid setting, web pages in IE7 seem to have a tougher time loading.
     
  14. Metting

    Metting Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    100
    I didn't test A2 against real threats, but I'm very comfortable saying that this claim is not true in the case of Mamutu or A2 IDS alone, without the blacklist.

    I tested Mamutu against 3 real threats: test 1, 2, 3, all of which do a lot of anomalies (see the descriptions in my test post); also test 6, DFK, is by all means a real threat, and it doesn't test against a single anomaly, it tests against at least 10 anomalies. Unfortunately Mamutu or A2 IDS has failed against all those real threats in its default setting, and didn't succeed 100% against them in its paranoid maximum security mode.

    Cheers
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I also do not understand why people are being this negative; I think most people on this forum are smart enough to not test alpha/beta apps on their "real" machine, so what's the problem? :rolleyes:

    And now about the product: I think it's ridiculous that you need to have an account before you can start using this app; this really needs to be changed. Currently I'm having internet connection problems on my VM so I couldn't even test it. But anyway, how does Mamutu (silly name btw) compare to other powerful HIPS like ProSecurity, SSM and Neoava Guard?

    And it would be nice to know what settings like "watch for possible worm/trojan/dialer/keylogger like activity" exactly cover; now it's a bit vague. To be more clear, I wonder what actions will trigger any of these alerts. But I guess Emsisoft wanted to keep it as simple as possible.
     
    Last edited: Oct 7, 2007
  16. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,316
    Location:
    Earth
    No issues yet :)
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    It is still in beta; isn't that what others shove down your throat? Give Mamutu a chance. If it is detecting well now, but missing a few, then when it actually is released, it should be even better. I like it and think everyone should be open-minded and give it a chance. Time will tell, won't it.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Metting,

    After I did my tests, I was satisfied with their answer (claiming that the default settings would protect against most real malware), but you are right, the tests you did contain multiple anomalies.

    I asked them whether they would provide more registry protection in the future; they replied that A2's IDS (Mamutu) would provide more registry protection in the future. Until then I use WinPooch besides A2's IDS (I tested it against DFK ThreatSimulator 2 and the WinPooch filter posted tackles it).

    A2's support desk told me that they classified keyloggers as riskware, which the real-time protection of A2 Malware protects against. So A2 Malware will protect (on a blacklist basis), but Mamutu won't. They also told me that they would reconsider that. That is why I thought that Mamutu would provide protection against it.

    The combo Mamutu (A2 IDS) + WinPooch really works well. What I still like about it is the clear messages which are provided when an anomaly occurs.
    I am wondering how they are going to market it, because ThreatFire free also offers broad protection (keyloggers included, rootkits as scan).

    Regards
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    All I know is, it is getting along fine with my apps and I really like this one.
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks; hi, Thomas @ Emsisoft:
    I do admire your courage to have a testing-invitation note land on the doorstep of this security forum, filled with more than a handful of gurus. I am not an expert, therefore I can only ask you one quick question from an average Joe's perspective. I am currently using two excellent behavior blockers: PrimaryResponse SafeConnect and ThreatFire. They are mature programs which have gone through what you are about to embark on. My simple question is this: can you provide me three reasons why I should try out your pre-beta or even post-beta program while I am very much content with what I have now (in terms of those two apps mentioned)? Thanks.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    After trialing Mammoth, I don't really see where its reputation for clear, concise alerts comes from. All it has is a short description of what happened, similar to ThreatFire, and a mostly useless list of DLLs loaded by the offending process. I'd still rank the Kaspersky PDM as the most transparent behavior blocker, with TF/Mammoth coming third after PRSC/AntiBot's second.
     
  22. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Perman, :)
    I don't think Thomas will give you 3 reasons, or should, although I don't want to pre-guess his actions. We know it is a pre-beta and cannot replace what you are already content with; he has just offered Mamutu up for preview, so if you are inclined, test it and let us know what you think.
     
  23. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Meriadoc:
    Thanks for your points. It does make sense; however, I somehow feel it is very illogical if Thomas has chosen silence, evading any potential customer's simple request which he and his marketing people will eventually have to face. If one has something so proud to show and tell and cannot list just three reasons to explain why, don't you sense that a bit odd? I am confident that Thomas will be more than happy to answer my simple request. Unless----. Have a nice one, folks.
     
  24. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Well, I know one member has been constantly saying that, but I'm not sure if that alone counts as a reputation. Like you, I have never found anything particularly special about A2 IDS prompts.
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Compare it to Cyberhawk.
    whatever.exe looks mighty suspicious doc. block?
     