a-squared 1.6 IDS?

Discussion in 'other anti-trojan software' started by Forgi, Mar 4, 2005.

Thread Status:
Not open for further replies.
  1. Forgi

    Forgi Guest

  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    The question I would be interested in knowing is: are these features implemented as API hooks (user mode) or kernel-level hooks?

    Hopefully it is the latter; a few tests and use of some of SG^2's tools to show what kernel mode hooks are in place would probably reveal the basics, that is assuming that the author doesn't just tell us ...

    I'll keep a watch on this, yet another interesting-sounding program.
    Good for the end users if this is another serious entry into the protection market: more choice and overall hopefully more market penetration, so more people have better protection :)
     
  3. Andreas Haak

    Andreas Haak Guest

    Why shouldn't I? It's user mode.

    A² is an addition to your current security tools. Therefore it has to be compatible with firewalls (ever tried installing 2 firewalls? If so, you know what can happen if 2 packet filter drivers are installed), anti-virus scanners (ever tried to install 2 file system filter drivers?) and other hook-based software (ever tried installing 2 kernel API hooks on the kernel API?). We have a driver-based hook system available, but because it's not compatible with some major security tools and doesn't support Windows 9x, it's not public yet.
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Andreas,
    Thanks, it's nice to get the information so quickly and easily.

    When you have the kernel mode version ready, it would be nice to be able to select what level the different areas hook into. That way, if incompatibilities are encountered (in any one area), the user would have the choice of dropping back to user mode rather than having to stop using the program.
     
  5. Andreas Haak

    Andreas Haak Guest

    Well, implementing everything in kernel mode isn't possible. But we can offer a "mixed mode" under NT-based systems. All GUI stuff (including message queue hooks), for example, is - as far as I remember - implemented in user mode, so you can't hook it in kernel mode.

    About your suggestion:
    To be honest, we already planned that for users of NT-based operating systems, and we will offer an option for it within the control center sooner or later :).
     
  6. --ntl--

    --ntl-- Guest

    "did anyone test the new IDS features of a² so far? Maybe ntl?"

    Seltsam asked me to test it. I did after he helped me to handle the terrible registration procedure ;-)

    It is unlikely that we will ever write a Scheinsicherheit report on A2. Reason: http://illusivesecurity.il.funpic.de/viewtopic.php?t=49

    I was able to find a trojan which the a2 IDS cannot properly handle. I won't tell the name because there is a 100 EUR bet that an a2 user called Jack1 won't be able to find such a trojan ( http://forum.emsisoft.com/viewtopic.php?t=2702 ) ...

    (Only) to a certain extent, the technology used by a2 is similar to the trojan detection capabilities of DCS Port Explorer. If a2 works stably and does not cause too many false alerts, I may have to close my site because (i) DLL trojans can be easily stopped with the help of DCS Process Guard and (ii) (almost) any other trojan will be generically detected by a2. :)
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    So if I understand this correctly:

    a2 has an active memory scanner (like BOClean and Ewido)
    detects types of trojans generically
    has a big database
    offers good support
    uses some kind of limited ProcessGuard with PortExplorer
    has a nice tool in it (HijackFree)
    and doesn't use many resources (practically the same as BOClean)
    the scan is done in 7 minutes

    hmmm, got to see how it works together with the rest. I tried it once but I'll give it a go now (it seems there have been some changes :D )
     
  8. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I'm with you INFINITY, it sounded just too good to resist, especially with my recent problems with BOClean and ProcessGuard. a-squared Personal seems to work just fine with NOD32, Prevx and ProcessGuard, so I've done the decent thing and become a registered user :D
     
  9. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I've been running a2 for a long time, and it's a must have.

    Howard, on the flip side, try running a2 and BOClean together :D It's a beautiful thing - I'd put BOClean in the exclusion list and that ends any "fighting" in its tracks. Also, let A2 catch BOClean trying to update silently, then exclude that as well :D ;)
     
  10. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Really nice idea toadbee :) but the unhappy interaction I am seeing between BOClean and ProcessGuard appears to be resistant to all suggestions and BOClean simply hammers away at the CPU :( Until there is a fix, I will run BOClean just at startup :cool: and a² can look after me the rest of the time :D :D
     
  11. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    I like A2 also, never any problems updating, fast and doesn't hog my computer! Like the HiJackFree they added too!

    Been using it almost since they first came out! :D

    Cheers!
    Marja:cool:
     
  12. phaedrus

    phaedrus Registered Member

    Joined:
    Aug 18, 2002
    Posts:
    95
    I like it :) The IDS is very reassuring. It's popped up a few times (e.g. when my dial-up auto-redialed, to ask if it was OK), and it's good to know the A² Guard and IDS are working in the background.

    Trev.
    ____________________
    Useful Links:
    Anti-virus:
    NOD32 Anti-virus ... Avast Anti-virus (Free) ... AVG Anti-virus (Free) ... Housecall (Online Scan)
    Firewall:
    LooknStop Firewall ... Sygate Personal Firewall (Free)
    Anti-trojan:
    TDS-3 ... Trojan Hunter ... A² (Personal & Free) ... BOClean
    Anti-Spyware:
    AdAware SE ... Spybot S&D 1.3 ... HijackThis! ... SpywareBlaster ... DialerWatcher
    Misc:
    System Safety Monitor ... Proxomitron ... Firefox ... SysMetrix ... Rainlender
     
  13. cjtc

    cjtc Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    22
    Location:
    Swindon, UK
    I'm sorry to say that a-squared lasted less than an hour on my PC before I uninstalled it.

    Why?

    Immediately after installation, a-squared IDS informed me that my browser, Firefox, was showing backdoor-like behaviour and asked did I want to run it? Yes, of course I did. It was duly added to the a-squared allow list.

    However, Firefox would then take 20 seconds to open and a further 10 to show my home page, news.bbc.co.uk.

    Disabled IDS and Firefox opened in under a second and the home page load was just about instantaneous.

    Very unimpressed, I reverted to my previous solution of TDS-3 + ProcessGuard.

    If anyone can shed light on this, I may be tempted to give a-squared another try.
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I uninstalled it too :)

    Inf
     
  15. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Bummer there, cjtc :(
    If you didn't report this problem at a2's forum, it might help them, and yourself, to do so.

    I run Firefox on two machines, XP and Win2000, and have no loading problems on either. So I'm guessing you have a conflict of some variety going on there. And yes, Firefox does exhibit some backdoor-like behavior ;)
     
  16. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    a2 Personal is running fine on my PC, with Win XP SP2, Kerio 2.15, TrojanHunter, and eTrust EZ AV. Like some others have said, IMO, a2 Personal is a "must-have".

    a2 Personal also works perfectly fine with BOClean running instead of TrojanHunter "Guard". I have been running a2 Personal for a few days now. It has warned me about suspicious activity by 3 or 4 things on my PC, besides catching the eicar.com test file, twice.

    http://forum.emsisoft.com/viewtopic.php?t=2800
     
    Last edited: Mar 19, 2005
  17. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    redwolfe_98,
    These apps will all evolve over time; what is good today will be overtaken by the next best thing tomorrow...

    IMO all these tools are quite primitive and will be overtaken by the next generation of virtualisation tools sometime in the next few years. The groundwork is there already; now it's just a matter of waiting to see what happens.

    PG has some holes that can be (at least partially) worked around with careful configuration; sooner or later they will get addressed. PG is at least a bit immature in its GUI, usability and manageability, and I can't see this changing in the near future, but at least it has solid foundations.

    As has been said, a-squared's IDS is in the process of growing up as well. I'm waiting to see how it matures in the next release or two before I start judging too much either way.

    I'm watching with interest to see how all of these products change/mature; as the market slowly gets more crowded, the pressure will be on.
     