Some unique HIPS features

Discussion in 'other anti-malware software' started by aigle, Jul 5, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    NeovaGuard HIPS has some unique features compared to other classical HIPS. I tried three malware samples.

    1- Aliz worm
    2- Sober worm

    Both these worms spread themselves by sending copies of themselves by e-mail. They get the e-mail addresses from the Windows Address Book, and the Sober worm also scans many files on the PC, such as text files, to find e-mail addresses.

    3- GPcode trojan - malware that encrypts many files on the infected PC (like text files), causing data loss.

    NG gave pop-ups for all these actions, though it was not fully successful in stopping the damage (for example, it did not stop the encryption of text files by the malware), but it's interesting to see such functionality. I have not seen such filters in any other HIPS (at least to the best of my knowledge). Am I right?

    I have made a thread on the Comodo forums to add such filters to CFP. What are your thoughts?

    Thanks

    Attached screenshots: adress book.jpg, read text files.jpg, read text files2.jpg, adress book 2.jpg
     
    Last edited: Jul 5, 2008
  2. aigle

    Some more screenshots here!

    Attached screenshots: encrypt1.jpg, encrypt2.jpg, encrypt 3.jpg, NG filters.jpg, ng filters 2.jpg
     
    Last edited: Jul 5, 2008
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No other thoughts than that NeovaGuard didn't do a very good job and that these three threats are executables, which are easy to kill with better security software. Thanks for the tests, but NeovaGuard was never on my list, BUT I need a script blocker with artificial intelligence. :)
     
    Last edited: Jul 5, 2008
  4. aigle

    I knew that already, Erik! :)

    This thread is for people with a taste different from yours. :D We don't want to kill them, that's so easy. We want to remove their venom.

    But thanks for the comments. :)
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It just goes to show what a real tragedy it was when the developer of NG ceased maintaining it. In my opinion, he should resume working on it --- the *competition* is getting thinner every day, in both the number & the competency of classical HIPS.

    I think that a re-vitalized NG would quickly become a big winner -- and a major prospect for buy-out by one of the AV outfits.
     
  6. ErikAlbert

    Do you admire the bad guys so much, that you investigate their droppings ? ;)
     
  7. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle, have you tested how effective the partition protection of NeovaGuard is? Ever heard of "bypassdisk.exe"? I wonder if NeovaGuard or any other HIPS would catch the program before it attempted to destroy the disk (if it was allowed to execute, of course).
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I wholeheartedly agree. It completely escapes me why on earth these makers don't just continue to build on apps (HIPS) like these and make them even better than before. This is, I hope, a temporary trend and not something we're going to be seeing happen on a regular basis.

    I admit I haven't even got around to trying this one, but it's no less useful, and any one of them could easily overtake the field at some point in time.

    And bellgamin, you're very sadly right; it's indeed a tragedy when very promising security applications cease development without warning, and it gives serious rise to concerns. We need MORE innovations of this nature, no matter how useful sandboxes, virtual systems, AS/AVs etc. are in keeping our PCs protected.

    Allow me to compliment you also on the screenshots; thanks a ton for taking the time to show them.

    Regards EASTER
     
  9. aigle

    They can't dare that on my system. That's why no reboot to restore. :D
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    EASTER,

    I don't want to sound flip, but I believe it has something to do with rent/food/living expenses. The market is saturated with offerings, which severely dilutes their economic potential.

    Blue
     
  11. aigle

    Unfortunately I have no VM and no spare test PC.

    As far as I know, somebody in the past tested NG against KillDisk and NG was able to protect against it. That's partition table protection.

    However, I can't say about bypassdisk. Can you PM me the sample, by the way, if you have it? Any more tests with this utility/PoC?

    Thanks
     
    Last edited: Jul 5, 2008
  12. EASTER

    Unfortunately, but then they also reserve the option of selling the source or sitting on it, which these days can gather rust very fast.

    So in retrospect, the end user or potential customer must take a seat and wait for either something similar or entirely new.
     
  13. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Last edited: Jul 6, 2008
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Erik,

    Are you referring to web-embedded Browser scripts, or attacks that use script files (vbs, etc)?
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have configured EQS to prevent all access to the Windows Address Book and e-mail files. Only OE is permitted access to these. A simple check box in EQS, similar to NeovaGuard, enables or disables this feature. Scanning of text files for e-mail addresses is something I didn't consider, though.
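    The three behaviours this thread circles around (who may open the address book and mail store, a process reading many documents and finding e-mail addresses in them, and a process reading documents and then overwriting them) can be expressed as a small per-process policy. The following is an added example, not code from NeovaGuard, EQS or CFP: the allow-listed Outlook Express path, the file extensions, the thresholds and the sample events are all assumptions chosen for illustration.

```python
"""Toy HIPS policy engine for the behaviours discussed in this thread:
access to the mail store, harvesting e-mail addresses from documents, and
mass overwriting of documents. Added example; not NeovaGuard, EQS or CFP code.
"""
import ntpath
import re
from collections import defaultdict

# Assumption: only Outlook Express may open Windows Address Book (*.wab) and
# OE mail store (*.dbx) files. The image path is a typical, not verified, one.
MAIL_CLIENT_ALLOWLIST = {r"c:\program files\outlook express\msimn.exe"}
MAIL_STORE_EXT = {".wab", ".dbx"}
DOCUMENT_EXT = {".txt", ".htm", ".html", ".eml", ".rtf", ".doc"}

# Hypothetical thresholds: distinct documents one process may read while
# address-like strings turn up (harvesting), or read-then-overwrite (encryption).
HARVEST_THRESHOLD = 3
OVERWRITE_THRESHOLD = 3
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")


class ToyHips:
    """Tracks per-process file activity and decides allow/block per event."""

    def __init__(self):
        self.docs_read = defaultdict(set)        # process -> document paths read
        self.docs_overwritten = defaultdict(set)  # process -> read-then-written paths
        self.addresses_seen = defaultdict(int)    # process -> e-mail addresses found
        self.alerts = []                          # (rule, process, path)
        self._fired = set()                       # (rule, process): alert only once

    def _alert(self, rule, proc, path):
        if (rule, proc) not in self._fired:
            self._fired.add((rule, proc))
            self.alerts.append((rule, proc, path))
        return "block"

    def handle(self, process, op, path, data=b""):
        """Evaluate one file event (op is 'read' or 'write'); return a verdict."""
        proc = process.lower()
        ext = ntpath.splitext(path)[1].lower()

        # Rule 1: mail store and address book are off-limits to everything
        # except the allow-listed mail client (the EQS/NeovaGuard check box).
        if ext in MAIL_STORE_EXT and proc not in MAIL_CLIENT_ALLOWLIST:
            return self._alert("address-book-access", proc, path)

        if ext not in DOCUMENT_EXT:
            return "allow"

        if op == "read":
            self.docs_read[proc].add(path)
            self.addresses_seen[proc] += len(EMAIL_RE.findall(data))
            # Rule 2: many documents read and e-mail addresses found in them
            # looks like a mass-mailer harvesting targets (Sober-style).
            if (len(self.docs_read[proc]) >= HARVEST_THRESHOLD
                    and self.addresses_seen[proc] > 0):
                return self._alert("email-harvesting", proc, path)
        elif op == "write" and path in self.docs_read[proc]:
            # Rule 3: reading documents and then overwriting the same files
            # is what a file encryptor does (GPcode-style).
            self.docs_overwritten[proc].add(path)
            if len(self.docs_overwritten[proc]) >= OVERWRITE_THRESHOLD:
                return self._alert("mass-overwrite", proc, path)
        return "allow"


def run(events):
    """Feed events through one ToyHips instance; return (engine, verdicts)."""
    hips = ToyHips()
    return hips, [hips.handle(*ev) for ev in events]


# Constructed sample events (process image, op, path, bytes read/written).
# Names echo the thread's samples, but nothing here came from a real trace.
OE = r"C:\Program Files\Outlook Express\msimn.exe"
WORM = r"C:\WINDOWS\System32\sober.exe"
CRYPT = r"C:\Temp\gpcode.exe"
WAB = r"C:\Docs\User\Application Data\Microsoft\Address Book\user.wab"
DOCS = [r"C:\Docs\User\My Documents\notes%d.txt" % i for i in (1, 2, 3)]
SAMPLE_EVENTS = [
    (OE, "read", WAB, b""),
    (WORM, "read", WAB, b""),
    (WORM, "read", DOCS[0], b"write to alice@example.com"),
    (WORM, "read", DOCS[1], b"or bob@example.org"),
    (WORM, "read", DOCS[2], b"no addresses in this one"),
    (CRYPT, "read", DOCS[0], b"plain text"),
    (CRYPT, "write", DOCS[0], b"\x9f\x02\x7c"),
    (CRYPT, "read", DOCS[1], b"plain text"),
    (CRYPT, "write", DOCS[1], b"\x41\xd3\x08"),
    (CRYPT, "read", DOCS[2], b"plain text"),
    (CRYPT, "write", DOCS[2], b"\x17\xee\x5a"),
]

if __name__ == "__main__":
    engine, verdicts = run(SAMPLE_EVENTS)
    for (process, op, path, _), verdict in zip(SAMPLE_EVENTS, verdicts):
        print(f"{verdict:5} {ntpath.basename(process):10} {op:5} {ntpath.basename(path)}")
    for alert in engine.alerts:
        print("ALERT", alert)
```

    Two points a practitioner would take from running it. First, the verdict has to be returned before the write is committed: a pop-up that appears after the ciphertext has already replaced the file, which is what the first post describes for the GPcode sample, is detection, not prevention. Second, rules 2 and 3 are behavioural heuristics that indexers, backup tools and editors will also trip, so the allow-list in rule 1 (and a corresponding allow-list for the other two rules) is what keeps such a filter usable day to day.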
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Last year I wanted to try NG and I only got BSODs as soon as I started my computer.
    It's a shame they don't develop it anymore; it seems it would have been a great HIPS.
     
  18. aigle

    Any screenshots?

    Thanks
     
  19. aigle

    It does give occasional BSODs, I know.
     
  20. hammerman

    Shots of E-mail file protection rules and pop-up when anything tries to access these files.
     


  21. ErikAlbert

    How they get to my system isn't really important to me. I just don't want them to run on my system, except the scripts that were installed from the beginning, of course; I don't want to cripple my system either.
    Removing these scripts is not a problem; stopping them from running is a problem.
    I need something like AE, but for scripts. Authorized scripts are allowed to run; any other script is killed immediately.
     
    Last edited: Jul 6, 2008
  22. bellgamin

    HIPS mainly look at categories of actions/behaviors, without any significant consideration of the TYPES of apps that undertake such actions/behaviors. Such being the case, a HIPS will tend to alert to any suspect actions by ANY app (including but not limited to scripts, exe's, etc).

    Accordingly, I do hope this thread stays primarily on its topic of discussing generic/unique HIPS capabilities instead of getting diverted to yet another discussion of "let's all find what Erik wants."
     
    Last edited: Jul 6, 2008
  23. ErikAlbert

    Just answering members' questions, or do I have to become impolite too? NG is abandonware, why discuss it?
     
  24. Rmus

    But there is a big difference between the two types, and you prevent them in different ways.

    Since scripts are a different topic than that of this thread, go here and see my comments about AE and scripts, Post #84, and post your discussion there:

    https://www.wilderssecurity.com/showthread.php?t=210179&page=4

    --
     
  25. bellgamin

    The topic was started by aigle, who asked certain questions based on NG capabilities. It is his topic and he based it on NG.

    If you want to endlessly discuss "what Erik wants", I suggest you start your own thread and stop hijacking others.
     