A-squared

Discussion in 'other anti-trojan software' started by chaos16, Apr 2, 2005.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Hmmmm..., firefox has just started being flagged again by IDS. I receive two different alerts when launching firefox:

    1) Found possible backdoor behaviour

    2) Found a possible LAN bypass backdoor or spyware

    I also sometimes receive an alert when launching Offline Explorer Pro

    1) Found possible backdoor behaviour


    My question has to be "Why are they sometimes detected, and other times not?"

    This looks like a bug to me, and quite a serious one since it would appear that you cannot always rely on IDS to detect certain possibly malicious behaviour.
     
  2. James Taylor

    James Taylor Guest

    That's probably too sweeping a statement. IDS systems generally map to a series of programs formerly known as behavioural blockers or heuristics.

    Anything from regdefend (monitors registry changes) or Processguard (attempts by processes to start, install hooks, terminate programs) which monitors specific behaviour and reports to the user would probably fall under IDS.

    Granted the IDS system in A2 squared is probably more complicated.

    IDS systems are an important complement to signature based systems. IDS programs are "proactive", because they generally don't rely on signatures to detect malware.

    I would add that contrary to the misinformation some people are spreading around this forum, proactive does not mean detecting programs "as early as possible in the execution stream", since that would restrict proactive programs to merely exe monitoring.
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No such problem on my machine, or those of my clients. The only *bug* I see here is rushing to judgment based on insufficient research.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I did actually mention this before but received no reply from Andreas. Admittedly I cannot be 100% sure since I don't know exactly what IDS is looking for/at, and so the developers of a2 would be best placed to see if there is a problem. However, the fact that some apps are only flagged sometimes, even when they have not changed, does seem to indicate a problem. It's not a case of the "...proactive IDS detecting it ASAP in the execution stream", but the fact that it's not detecting it at all on occasions!

    Good for you. However, just because you don't observe this behaviour does not mean there is not a problem!

    I would hope someone from a-squared would be in contact for more information if they cannot reproduce it.
     
  5. James Taylor

    James Taylor Guest

    That was a dig at a certain poster, not you.

    Perhaps Firefox is doing some things on different occasions. Maybe an update? Or perhaps something an extension does that doesn't trigger all the time?
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    That would be my guess, too.
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I just updated a2 with the new cumulative update and noticed a spelling mistake on the progress window. It says "Cummulative" (there should only be one letter 'm')
     
  8. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    I didn't see a search function on the a-squared forum, so I will ask here. Anyone notice that Divx crashes with the a-squared guard enabled?
     
  9. Andreas Haak

    Andreas Haak Guest

    What version of DivX do you refer to? I use the free version myself and never had a problem. Do you use 1.6 or the 1.7 public beta? Did you try to put the application on your exclusion list and set its status to "Trust this application" respectively?
     
  10. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO
    Well, I just formatted my HD a few days ago and I must have installed an old version of Divx that the a² guard didn't like. Anywho, I updated Divx and haven't received an error with the newer version installed. So everything is back to normal... Thanks for the fast response, Andreas.
     