Advanced Process Analysis and Identification System

Discussion in 'other anti-malware software' started by Hermescomputers, Apr 24, 2013.

Thread Status:
Not open for further replies.
  1. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Just released a new version of my Advanced Process Analysis and Identification System

    A.P.A.I.S. is a live system analysis tool designed to take a single process and inspect it thoroughly, to provide field technicians with full-spectrum identification and analysis capability.

    http://hermes-computers.ca/downloads.php
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Pretty neat tool. But why do you use a text file that is 150+ MB large? Seems snappy enough on my machine but wow, a text file that large is weird. Is that what you get from the malware database? How do you use that file? Read it as you need? Or do you load it into an array? I seriously shudder at the thought of a text file that large if you have to do any string parsing lol.

    I thought about doing something like this in the past, to use to "monitor" the system for testing purposes not really to fix anything. Just out of curiosity, how many lines of code did it end up with, if you don't mind me asking :) Looks like an AutoIt GUI to me, based off the child windows. Good job!

    Sul.
     
  3. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    This looks cool, I'm going to try it some time tomorrow.
     
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello Sully and KelvinW4

    Well, yes... The file(s) are huge; the database is enormous. You only get 1 of the 2 large files in the Unregistered version... It currently consists of 1 mid-size (Primary) and 2 large database files (secondary and tertiary) containing well over 3 million malware signatures a pop (which, by the way, is just a drop in the bucket).

    The use of text files is by design, as it's made to cater to field analysts, computer consultants and system administrators who need to edit these things in real time whenever the need arises... Runs wonderfully off a thumb drive. Just make sure the box can handle the load. The more RAM, the better it runs...

    However, it's designed to operate quickly given the size. This thing is made to be field-run from the ground up, and it works very well; I have used it for a long time as part of a much larger toolkit. And yes, it's built on AutoIt 3 with well over 10,000 lines of code (Primary executable)...

    I use it extensively to identify and clean up malware on client PCs; it's very easy to clean up most malware with it. It is a semi-manual process by design, as it assists me in quickly identifying secondary infections when forced to visually scan the Auto-run keys, then pursue the analysis further if warranted...

    Unfortunately for newbies, it's not a fully automated system... I made no attempts to make it idiot-proof, thus the term "Technician's Edition".

    Been working on this thing for many years and I designed it entirely for my own needs; however, I hope you guys find it useful and fun!

    Thanks!
     
    Last edited: Apr 25, 2013
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    New Release - Version: 1.0.0.3151
    Fixes all reported issues - Thanks Kelvin! :)

    The error?
    Developer bug and unknown ID reports... (This affects only Unregistered users.)
    Well, I'm not using my own server, and some "Developer" report triggered some geo-location-specific alarm with the Service Provider and bounced the action...
    Apparently some overseas user caused it to block all connection attempts.

    Sorry, all dev reports are now dev only... (This was a leftover from Beta trials.)

    You can get the new version here
    http://hermes-computers.ca/downloads.php

    Just install over the old one so you don't lose your reports.
     
  6. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Thanks for the update, seems to be a pretty cool tool to use! :)

    EDIT: Still getting the same error :blink:, now I can't even run the program!
     
    Last edited: Apr 26, 2013
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Does the Unregistered users version have any restriction, like home users only?

    TIA
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hola Pedro

    Nope ...
    You can use it for business, play or learn.

    Now, while the software is free, the Registration bit is simply to help me finance the time, research, and resources required to keep this thing on a healthy evolutionary path... It is designed for Technicians (me) but is available to everyone regardless of purpose.

    Restrictions provide no help towards those objectives...
     
    Last edited: Apr 30, 2013
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Kelvin,

    O.M.G... Hey, thanks a bunch for your keen sense of observation :thumb:
    I have corrected all spelling errors ;)

    So I dubbed this one the Kelvin Release: Version: 1.0.0.3163
    http://hermes-computers.ca/downloads.php

    Also look for an update to the Primary Malware database later on today...

    Thanks Again Kelvin!

    Cheers!

    Guy
     
  10. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    No problem. I think I may have seen some coding line errors; if I happen to see them I will report back :thumb:
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Minor Update Notice:
    New Primary Database update... Click that button! :)

    Guy
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Good Afternoon,

    Advanced Process Analysis and Identification System
    Version 1.0.0.3201 is available for download

    You can get it here: http://hermes-computers.ca/downloads.php

    This is a required update for all previous versions.
    Many new features, and a great many bug fixes...

    Note:
    This upgraded installer now correctly detects user created lists and configuration files and will not overwrite them.
    Please pay attention to the prompts asking you whether you wish those files to be skipped or the installer to overwrite them.

    All the best!

    Guy
     
  13. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
  14. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    A new A.P.A.I.S. Version 1.0.0.3372 just released!

    - Improved Auditory Narration on [Internet Analysis]; several new auditory reports
    - Improved Textual Reporting (GUI) on unknown / unlisted report
    - Added Internet Performance Diagnostics to [Technicians Toolkit]
    - You now have the option to configure a default sender and a default recipient for your reports in Settings/smtp transmitter.
    - You can now select to submit data to us on "Unknown" processes or files you analysed
    - Fixed a lot of little annoyances on shared Reports modules
    - You can now use the report engine to easily submit bug reports [Under File] (Requires SMTP Engine to be configured)
    - Added Request New Feature [Under File] (Requires SMTP Engine to be configured)
    - Added Report False Positives [Under File] (Requires SMTP Engine to be configured)
    - Optimized code base
    - Improvement to the voice narration system continues
    - [Internet Analysis] Module now has individual voice narration specific to task
    - Improved the [Live System Scan] engine Reporting source and destination
    - It is now even easier to analyse the output of the Live System Scan report via Analysis Reports menus features.

    Please do remember to properly configure the SMTP report transmitter in [Settings] prior to sharing your reports.
    This includes reports sent to one's own self for later analysis, for those not using A.P.A.I.S. as a portable toolkit...

    Here is the download link: http://hermes-computers.ca/downloads.php

    Enjoy
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    A new A.P.A.I.S. Version 1.0.0.3391 just released!

    - This is an Update Module focused release
    - Resolved an issue where web site detection failure would kill the update; the opportunity to re-acquire is now working properly.
    - Corrected some report labels in the action report pointing to the wrong update label (the correct update was performed)
    - Redesigned the update module to report actions with color codes on file name labels to improve visual diagnostics

    The color codes are as follows:
    - Orange = Check update status
    - Pink = Update Server detection fail
    - Red = Update available
    - Green = Update success
    On the rare occurrence where the File date label turns red, the file is either missing or corrupt at the end of the update; simply re-run the update.
    - Continuing to improve Live process inspection A.I. and Primary Risk analysis engine


    Here is the download link: http://hermes-computers.ca/downloads.php

    Enjoy
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    A.P.A.I.S. Database Updates

    New Signatures Updates 23 July 2013
    • Global White List
    • Primary Malware database

    What's been added?
    Lots of newly identified Spyware, many Trojans and a few Worms...


    What's your opinion?

    We would really like to know what our users think and want, so here are a few important questions:

    Many products list Adware the same as malware, like Trojans, Viruses and Worms, even though they neither spied, stole, destroyed or otherwise did anything illegal or that could be construed as criminal. This can heavily financially penalize the companies behind the products and those who unthinkingly facilitate adware.

    Often the only reason they are listed is because of the method of promotion, either via spam or by being embedded in legitimate products, to be installed as secondary applications by users who refuse to support developers by any other means. Like many on this board they want everything for free but hate the adware offers by small developers attempting to subsidize themselves where users fail to purchase or otherwise economically support their products.

    What do you think?

    1. Should Adware be considered the same as malware in tools like A.P.A.I.S.?
    2. Do you prefer to ignore Adware altogether unless proven to behave maliciously?
    3. What do you consider constitutes malicious Adware behavior?
     
    Last edited: Jul 23, 2013
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    - Perhaps not the same classification but definitely detected
    - No, I don't like adware :D
    - Not sure, as I keep it off my PCs :p But one annoying attribute of them is changing homepages, search engines, and other more hidden things like Firefox's about:config "Keyword.URL" entry. Definitely is adware that keeps some background service or process which changes back the homepage etc. again if you change it, or even some which install again if you uninstall them.
     
  19. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    actually it would be nice to have a small stand alone portable adware scanner since most of the major AV companies don't bother to report them any more. anything that collects user data (like machine IDs, lists of installed programs) and sends it up to the internet (especially during install) is considered adware to me.


    as far as:

    this is a cop-out. we now have developers using adware in their programs and don't even let users know that they are stealing data off their computers. if you want to charge for a program do it, but don't put adware on there and pretend you (developers) know nothing about it and then complain "users who refuse to support developers by any other means" blah blah blah....

    btw, i'm not a technician but your program would be more interesting to me if it were portable or at least "no-install" fwiw.
     
    Last edited: Jul 23, 2013
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well, technically this is not Adware. However, I agree with you that any information on a user's PC is the user's own, and ethical products should be mindful of this and respect users' privacy.

    There are many workarounds for data gathering when it's required. An important one is simply to ask for the cooperation of your users and design features to facilitate this process. Perhaps many just don't care or didn't think far enough ahead to see this need.

    Well, it is portable, you can install direct to a USB Drive. I don't see what more you could need for portability? The entire system is built from the ground up to be portable. In fact that's how I use it daily at client sites.

    Whether you are a home user, a field technician or a systems administrator, you can either run it from a mapped server drive or direct from USB.

    You can't really use it from CDs because you can't update the databases or use the documentation features like the Technician's field notes and the process analysis reports.

    This software is engineered to track emerging malware early by allowing you to document your systems and their active processes, and push the analysis further than would normally be feasible using standard tools...

    The Report modules and the Technician's Field Notes modules are especially useful in portable mode as they allow you to see changes in live processes and file signatures across systems, and over time, and use this data to identify discrepancies, and ultimately trace previously undiscovered malware...
     
    Last edited: Jul 24, 2013
  21. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The problem with classification is in its arbitrary nature, which is heavily influenced by the biases and personal perspectives of individual analysts during classification. One of the issues I see is that everything the consensus dislikes is pretty much labeled: Adware

    The issue you describe here is related to ethical behavior, and the primary reason behind the "Adware" Classification in most products. Products that engage in this type of behavior should be crushed like the Internet Cockroach that they are.

    However, the argument on their side seems to be that the users agreed to such behavior by installing the software in the first place. That it was clearly stated that the software would be installed. But this is more often than not the case. Also, my experience on this is that while it is true that many of these programs are optional or the user is warned of their installation, the "secondary" software (adware) rarely has a EULA.

    This however raises another question. There are perhaps legitimate forms of Adware, and illegitimate ones. For example, if you agreed to install the software, and it had a EULA, and this agreement was not obtained via any type of legally twisted and otherwise obfuscated marketing tactics, what right do antimalware products have to declare it as Adware and blacklist it as such?

    This presents me with a difficult decision-making process. I wish to be fair and yet nail the dumb asses trying to exploit users' ignorance and/or stupidity in a merciless and otherwise unethical way.
     
    Last edited: Jul 24, 2013
  22. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    this is cool. i just saw the installer after downloading about 80 MB and i thought eh too bad.

    if it doesn't add much to the registry then a site like Portable Freeware might like to list it.

    btw i would pay about $20 (lifetime license) for a small portable adware scanner if you're thinking about building one (maybe others would too?). something that just scans the downloaded setup files and identifies the adware and version.
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    So the installer just extracts everything (including settings) to a directory and adds nothing more than shortcuts and an uninstall entry anywhere else?
     
  24. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Does Advanced Process Analysis and Identification System work on Windows XP?
     
  25. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    as far as i could tell, the installer didn't give the option to not install Start Menu entries :(

    there were quite a few registry entries acc to RegShot but I'm not really experienced enough in using that app to know if they were all from the APAIS installer. Most portable freeware users like an app they call "stealth" which leaves no traces at all on the machine if you're using the program from an external USB flash drive. i just use portable apps from 2nd, 3rd and 4th partitions on my main HDD and i re-install a clean WinXP image quite often so I'm not as choosy, but i would think most technicians would really appreciate a true stealth program if possible.

    btw, seems to work on WinXP
     