Advanced Process Analysis and Identification System

Well, the size is it's databases, they are multiple and very large...
As for the Registry, the application itself requires no registry entries...

 

Yes! (The installer does add a desktop link, and a start menu entry to the "All Programs" list in Windows...)

If you install on a USB Drive, you will have direct links to the USB device to run the application on the installation machine, but you will also be able to run the software everywhere by clicking on it's icon in the app directory...

It's designed for ease of use and portability. No attempts is made to hide it's activity or presence. I did consider building everything inside a single executable, however I could not figure out how to embed such enormous databases and I would have lost the features that allow me to find new malware. The Reports and the Technicians field notes. Those features could not be embedded due to their dynamic and temporal nature so you have the current design.

Windows XP is not supported - Sorry!
However it does work proper on many XP Setups, X64 and those systems with enough ram usually work ok but over all I would consider it as unstable on XP...

 

Indeed difficult decisions, I'd like to see all unethical jerks nailed by some good piece of software, but it is unfortunately not as simple as I'd like.

 

No joke, I've been working on A.P.A.I.S for years... And I'm only beginning to scratch the surface of the problem. I figured If I stick to my design objectives:

Painstakingly Analyze, and identify what remains after standard security software did their jobs!

I will be able to find what falls through the cracks of existing protections.

I had to rethink everything, how it's done and how effective it actually is as well as how useful these things are for me when I look for undetected malware on client systems...

A.P.A.I.S. actually does prove effective but it's a lot of work to manually pursue each, and every live or auto started process in the machine. It requires patience and attention to details. Those who do so diligently will flush out a lot...

Unfortunately the Magic bullet, the perfect software, the ultimate automated tool that misses nothing... Just doesn't exist... Everything good requires the brains and eyeballs of skilled technical professionals. That's what makes the best tools what they are... Not automation, but Brains and eyeballs coupled with attention to details.

My tool is designed exactly for that purpose. Engage the user/technician in the process and ultimately give him or her the control over decisions and appropriate actions...

I did use some automation, but the real power of this system begins when the automated part is over. That's when the hunt begins. I guess that's the real fun part...

 

Good to hear, but I would prefer an archive rather than deal with Start Menu shortcuts and the uninstall entry after installing in a USB device. Self-extracting is fine, but I would like anything extra to be optional.

I was playing around with it, but accidentally did this:

I didn't even know or checked it before clicking. Is it something that will permanently affect my system?

 

Well, you are the first asking for it to be in an archive. However such deployment system for tools of this type are unprofessional in my opinion and present a number of security risks among other things.

Also I will not allow the install of the product without the user having previously agreed to the installation EULA as this the only semi effective legal protection against multiple malevolent players in the industry...

No, When you terminate malware or any other file with A.P.A.I.S., it will copy it's executable to the isolation. It is just like any other tool of it's kind, the main difference is you may need a sample of the malware for further analysis so it doesn't get modified (only saved in a passive state) or you may accidentally have deleted the wrong file, and may need to restore it...

Just don't run the malware from the directory. Since A.P.A.I.S does not yet offer direct protection (No protective service gets installed) it doesn't monitor that directory for activity. It's just a passive area. So restoring your mistakes or re infecting the system is easy if you are not careful...

The Warning "Dangerous" means just that. Files in that directory are dangerous.

So when you empty the Isolation A.P.A.I.S will then delete all malware, from the directory. At this point you can no longer recover it from within the application. Thus the log entry.

Maybe in the future, if the economics, time, and skills permits, I'll develop it further into a full fledged protection. The current objectives however are broad spectrum analytic and identification. Besides there are already too many products already unsuccessfully attempting to provide such protection...

Note:
Nothing the software does can harm the system. Only the user can make bad decision like deleting Registry Entries (Auto start Analysis) or kill and delete live processes. This toolkit kills no malware automatically. All actions are user based and directed. If you are not a technician, then don't use it.
It is designed to assist technical professionals in their jobs. I make no attempts to cater to new computer users.

 

Okay, but I did offer an alternative. Currently the installer looks like a self-extracting archive that offers an EULA, but automatically adds shortcut entries in Start Menu and uninstall entry in Registry. I would like the last two items to be optional if possible, because they're unnecessary when installing in portable devices. It could get annoying when manually updating as well (unsure about capabilities of built-in updater).

 

I see, the point, makes sense.
I'll work on making these optional, not sure if my installer actually currently supports this. Looks like I have some reading to do...

As for the built in Updater, it's primary (currently) purpose is for the multiple signatures databases. It' doesn't yet update/upgrade the application itself. If you click on "Help" and then "Check Server for an Updated Version". It will tell you if you need to upgrade. But it will not automatically patch itself. Keep in mind this thing is an ongoing work in progress, and I'll keep working on it, improving it for years to come so keep watching.

The installer however does discriminate on the over writing of some key files during upgrades. Pay attention to overwriting your Local White list and Local Black List and several configuration files when in portable mode as it will blank them out and you will have to reconfigure the app.

I really appreciate your input. Very helpful thanks!

 

A.P.A.I.S. Database Updates

New Signatures Updates 29 July 2013

Global White List
Primary Malware database

 

Please provide a brief summary of how to 'setup for first use' the Free version of the Advanced Process Analysis and Identification System.

1. Does it need to be installed?

2. Can it be ran from a USB Flash Drive?

3. If I decide to purchase the full version, how is the license activated and how do I get updates?

Thanks in Advance.

 

Well, you download the latest A.P.A.I.S. version, then run the installer....
Download it from here: http://hermes-computers.ca/downloads.php
Run the application, Update the database...
You are ready to go!

To analyze a file or a live process. (Free Version)
To ID a Single file "Static" on disk click on (A.F) button to select. A.P.A.I.S. will then analyze and attempt to identify the file.

To analyze a live Processes "Active in system memory" You click on the (Process) button, then the Live Process Explorer will pop up, and scan the live system and display live processes...

Next you need to select the process to analyze and identify from the listed items pick one then (click) on "Analyze and identify this executable process"

A.P.A.I.S. automation will then proceed to analyze and attempt to identify the process. It will search through multiple databases, and provide some guidance....

Yes, it works from USB drive, but you must either install it to USB drive or copy it's root directory to it to use it from the USB Drive.

If you chose to register, an activation code needs to be entered into the application.

It will be emailed to you when I generate the key which you need to enter in. Yes each key is manually created so it may be a few hours or even up to a day before you get it so be patient...

To enter the registration key, Select "Settings" from the top menus, then "Activate Your License".

If the key is identified as valid, you will see, the type of registration, activated (User Status) on the lower right panel.

This will unlock all features available to your registration type.
It will also provide you with a much more advanced Live System scanner and unlock the "Technicians toolkit".

After Activation you must run the "Update Signatures" as it will provide you with the Full Secondary, and Tertiary databases...

Let me know, what you think, what you like, dislike whatever.

It's really cool, the first time you fully analyze the system. You gain a pretty good perspective on it, and you can really dig into each and every process on your system... (Registered)

Keep in mind this thing is designed to only work on 1 file or process at a time. But it does provide you with a broad range of inspection protocols, from basic to advanced file name analysis to Insecure and Vulnerability status just for starters, it pretty much covers everything you need to know within a single UI.

With just few clicks and no typing, yet you can easily search a broad range of identification vectors, and quickly make up your mind on any files.

As for Updates to the program, keep a close eye on the download area of my web site. I update pretty often. I would recommend you download and install the latest version every time I release one. This thing is under active development so new features and bug fix are common and I try and keep it coming steady.

I really worked my buns on this so I hope you enjoy it!

Guy

 

A.P.A.I.S. Database Updates

New Signatures Updates 30 July 2013

Global White List

• A bunch of Nice clean applications now added...

Primary Malware database

• Some Malware = Trojans and a Worm

 

Thank you.

 

Advanced Process Analysis and Identification System Database Updates

New Signatures Updates 31 July 2013

Windows Component List

• Lots of missing entries added...

Global White List

• Multiple De listings... Some Corrections (Double Entries From Windows component list and Global White List Removed)

Primary Malware database

• New Trojans a few new Rogues, and a Rootkit

 

Advanced Process Analysis and Identification System Technician's Edition
http://hermes-computers.ca/apais_1.php

New Signatures Updates 02 August 2013

Global White List

• New Good Clean Applications listed!

Primary Malware database

• Trojans... lots of fresh Trojan's...

Secondary Malware database

• 2,824,828 Signatures...

Tertiary Malware database

• 2,748,144 Signatures...

Note: New Books on Malware Identification and Cleanup! + one on Cyber War!
http://exploitability.blogspot.nl/2013/08/lectures-dete-malwares-cyber-war.html

Readup!
It's in French...
But Hey who cant read french?

Guy

 

thank you for the update
free ebooks ?

 

Not entirely sure, You can ask Paul... (Malwares - Identification, analyse et éradication)
You know how to tweet? https://twitter.com/r00tbsd

Guy

 

Any plans for a full trial version as well as the limited freeware?I like the concept of this software ,but im finding it personally hard to decide whether it would be worth purchasing,without seeing first hand all the features enabled.Also just a minor point but is there anyway the help >user manual can be opened in default browsers rather than IE?
Thanks

 

I am working on several videos, both on the Free, and the Registered version they should cover the details fairly well.
The Free version does not expire, and is pretty powerful as it is. (The upcoming release is even better) So a trial is redundant...
Besides $29.00 for 3 computers? Your not risking loosing your mortgage over this purchase...

The user manual is a bit slow and needs a lot of work. It's a bit difficult since I am actively developing the program and I keep changing or adding new things so I cant keep up with it to keep it entirely up to date on each release. I am even considering removing it from the application, and putting it online. Maybe even entirely doing away with it in favor of explanation videos. Not sure yet.

 

can you give image of the software?

 

Here is a few pic of Version 1.0.0.3448 (Soon to be released)
Here I attempt to show some of the basic report display (not same as "Analysis Reports" and "Technician's Field Notes" which are "Registered" Features.
It is a very powerful tool, and will get more powerful If I get support, I will keep it available to the public, and will keep developing it's more advanced features.

You can also click on the image on the right on the main A.P.A.I.S. page, it will change every time. https://hermes-computers.ca/apais_1.php

 

Here is a few snapshots of the "Registered" version

 

i did Mission Critical Live System Internet Analysis:

[img=http://s15.postimg.org/cowvi1kdz/trojan.jpg]

how i find the file mark in black ?

when i click in new window is tell me the location is: %SYSDIR%\install


i did in bitdefender hitmanpro and malwarebytes search and it dont find nothing,
i did also search in antirookit gmar

 

The quick answer to your question is CLSID are in the registry. However your displayed results is not in relation to CLSID's (They are displaying other unrelated results) The result window you are looking at is the result of you ticking the "Perform a Basic File Name Analysis" tick box.

This is a list of possible match based on File name" So "Svchost.exe", you need to compare the output to the listed display. If matched then it's a positive for this item. (in this case the full path is not matched = Negative match)

Also keep in mind the string you are looking for is not a signature check-sum (MD5/SHa1/Sha256) https://en.wikipedia.org/wiki/Checksum but a CLSID. (http://msdn.microsoft.com/en-us/library/windows/desktop/ms691424(v=vs.85).aspx)

To do an extensive CLSID or File Name check you need to use the A.F.N.A. Module (Advanced File Name Analysis) to search for possible hit's so you can gather up multiple results. (first tab, check-mark the CLSID tick box, or go to Generic Search Engines and select as many as you wish and perform a parallel search.)

The logical for the file, is listed in the GUI, the listed path on the Internet search is unrelated as it's part of previous results aggregated from other systems at some other point in time. (it's an Internet Search) If they happen to match it's for you to interpret the data.

Another thing, when it comes to direct executable where you have an active signature (MD5) it makes sense to forget searching for the CLSID or the file name, so you should keep your attention on the MD5 check-sum, and verify it with Virus total it's almost instant and highly accurate. It's also the best way to easily identify new malware released within a few hours or days. as fresh malware signatures can take me some time to identify and add to the data-sets.

When the checksum verification turns up nothing and you still suspect it's malware then it makes sense to pursue further identification avenues like "Basic File Name Analysis" and "A.F.N.A." identification and Searches, or Reverse behavior analysis etc...

You can VT Search here:


The Basic File name analysis and the Advanced File Name Analyses (A.F.N.A.) modules are designed to root out undesirable programs, and malware, not part of our multiple checksums databases. It allows you to ferret out what is known about an obscure executable...

Note: This tool is designed to provide IT professionals with an effective understanding of live systems analysis with a broad based perspective on each file under analysis. Interpretation of relatively cryptic results can be complex so do your research carefully...

 

Advanced Process Analysis and Identification System Technician's Edition
http://hermes-computers.ca/apais_1.php

New Signatures Updates 13 August 2013

Global White List
Primary Malware database