Advanced Process Analysis and Identification System

Discussion in 'other anti-malware software' started by Hermescomputers, Apr 24, 2013.

Thread Status:
Not open for further replies.
  1. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Technician's Edition
    http://hermes-computers.ca/apais_1.php

    New Version Release: 1.0.0.3523
    http://hermes-computers.ca/downloads.php

    Highlights
    • Lots of Improvements
    • Some new features
    • A few fixes
    change-log:

    * NEW/IMPROVED:
    - improved code security
    - Improved Voice Narration
    - Improved Internet Analysis Module
    - Improved "Technician's Field Notes" modules (Registered)
    - Improved Tactical Third Party Checksum Interrogation
    - Added Persistent Checksum Tracker - You can now easily identify and compare file checksum changes temporally (Registered)
    - Added Sha1 signature check via Virustotal.com
    - Improved Report data and structure/layout
    - Minor Improvement of accuracy of Live Process Behavior Analysis
    - Slight improvements to sequential logic
    - It's now a lot easier to identify checksum impersonation attempts

    * FIXED:
    - fixed restart fail after signatures updates
    - Fixed automatically "Open Report" after local Process Report created (Registered)
     
    Last edited: Aug 27, 2013
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Thanks for the update notice :) I haven't checked the new version yet, but I noticed with build .3391 that it doesn't support DEP and ASLR. An app like this is probably not going to be targeted by exploits :D but I thought I'd mention it anyway.

    I also have a suggestion for the menu with options like Voice narration and Advanced risk analysis, it would be nice if it showed a checkmark next to On/Off so you can see what the current setting is.
     
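The DEP/ASLR observation above is a check any technician can repeat on an arbitrary Windows binary: both mitigations are opt-in flags (IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) in the DllCharacteristics field of the PE optional header. The following Python script is an added example written for this thread, not code from A.P.A.I.S. or its author; the `build_minimal_pe` helper fabricates a header-only image purely so the parser can be exercised offline, and is not a loadable executable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses (PE32+ only)
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is compatible with DEP / NX


def pe_mitigations(data: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report DEP/ASLR opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # COFF file header: 20 bytes
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20      # optional header follows the COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def check_file(path: str) -> dict:
    """Convenience wrapper: read an executable from disk and check it."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test image: just enough headers for the parser, not loadable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic, opt_size, machine = (0x20B, 240, 0x8664) if pe32plus else (0x10B, 224, 0x14C)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)
    opt = (struct.pack("<H", magic).ljust(70, b"\0") + struct.pack("<H", dll_chars)).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
    print("constructed PE32, no flags:", pe_mitigations(build_minimal_pe(0)))
    print("constructed PE32+, DEP+ASLR:",
          pe_mitigations(build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, True)))
```

Run it as `python pecheck.py C:\path\to\apais.exe` to see the same information that `dumpbin /headers` prints under "DLL characteristics". Two caveats: DYNAMIC_BASE only records that the image opts in, so a binary whose relocations were stripped cannot actually be moved even with the bit set, and a missing NX_COMPAT bit can be overridden system-wide by the OS DEP policy (OptOut/AlwaysOn), so the flags describe the binary, not necessarily the running process.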
  3. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Technician's Edition
    http://hermes-computers.ca/apais_1.php

    New Version Release: V.1.0.0.3595 (06 September 2013)
    http://hermes-computers.ca/downloads.php

    * NEW:
    • - Secondary Action Report Bar added to GUI
    • - Voice Narration Display On/Off on GUI
    • - Report Unknown report On/Off display on GUI
    • - Primary A.I. Report Display On/Off on GUI
    • - Primary Risk Analysis display On/Off on GUI
    • - Advanced Risk Analysis report On/Off display on GUI
    * Improved:
    • - Reduced Info Button request display data from 12000 to 9000
    * FIXED:
    • - MD5 and Sha1 now display correctly in "Info" button file information output

This is the latest pic captured during the automated part of the analysis...
     


    Last edited: Sep 6, 2013
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Go check the new release!
Thanks for your input... this is the BoerenkoolMetWorst release! :thumb:
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Nice :D
     
  6. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,820
    Location:
    U.S.A.
    Removed Off Topic Posts. Let's Focus Only On Advanced Process Analysis and Identification System. Thank You.
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Database Updates

    New Signatures Updates 09 September 2013

    Primary Malware database

New Trojans, lots of new malware, and a rootkit

    Most is less than 10 hours old as I write this...

    Who wants fresh identification?
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I noticed that if you have Voice Narration turned off, there is still a voice if you turn other stuff on or off.

    Fresh is the best; "Give it to us raw and w-r-r-riggling!" :p
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Ok! I'll try and reproduce the issue...

    You mean when you activate features it still narrates things like saying "Feature enabled"?

I think I may know what you refer to...

    Thank you for the input!
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Yes, indeed.
     
  11. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Wow...anybody tested this live malware and rootkits yet? :D
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Fixed!
    I'm working on some minor improvements... You should have an upgrade later on today or tomorrow if I have time to compile a new installer.

    Thanks for letting me know so quick! :D

    :thumb: :thumb: :thumb:
     
  13. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    I am really liking this program...seems true bullet-proof so far :D
     
  14. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
If it's documented somewhere and you can find and scan/analyze its binary, it will find what it is or provide you with the functionality necessary to identify whatever it is...

    It's not like a fully automated protection, you actually need to pick what you want analyzed, but it's very powerful...
     
  15. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Any place to send suspicious files? it fails via UI? :)
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi,

    In the registered version you can easily generate a report, and send it to me simply by clicking the "Report Suspicious" Button...

    registeredhelp.png

It won't work in the unregistered version because you need to configure the built-in SMTP server/transmitter for it to work.

    I only need the report generated by A.P.A.I.S. as it's extensive and all I really need to evaluate most malware...

    In the Unregistered version you can submit reports to me but you must type them up via my live help messenger:

    unreghelp.png

    The rest requires me to perform reverse engineering and being only a 1 man show...

    Well don't have much time. So I only work on reversing binaries I acquire myself...

    The thing you can do is submit to the following sites as it will help a lot of engineers work on these malware samples:

    http://malware.lu/
    https://malwr.com/

    GD
     
    Last edited: Sep 10, 2013
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Technician's Edition
    http://hermes-computers.ca/apais_1.php

    New Version Release: V.1.0.0.3601 (10 September 2013)
    http://hermes-computers.ca/downloads.php

    * NEW:
    • - Added a Secondary sound byte to Process, Drivers and Auto Startup Analysis requester
    * IMPROVED:
    • - Minor code improvements
    * FIXED:
• - Sound bytes still on even when disabling/enabling menu-centric settings while Voice Narration is set to OFF
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    No problem :)

    Now that's quick as well :D
     
  19. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
I am going to install this on my USB, since I do some malware cleaning and analysis. I will add this program to my list :D
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Good Work!
    I would consider registering if you want to use it to ID malware broad base across multiple systems using it on a USB Stick.

    Here is why:
You will obtain a much larger malware database. The third malware database file alone represents almost 3 million extra malware signatures to identify malware...

    Another thing is you will activate the Technician's Field notes and the

    tfn.png

    Process Analysis Reports which allow you to have portable data on each process you have ever analyzed using the tool if you so chose.

    report1.png
    rerport2.png

    Another very powerful feature is the automated Persistent Process Signature tracker.
Each time you analyze a file, it documents its checksums (multiple), file name, version and size, and makes this historical data available to you with a single click...

This is also persistent across all systems if you use it from USB. It's very useful as it allows you to see discrepancies across versions, but the best part is it easily allows you to identify signature impersonation (collision) when you use it in conjunction with the Internet Analysis Module to check VirusTotal or some other source to confirm the varied signatures, and visually identify, compare, and perform validation checks...

For example, if you see that the MD5 signature for the file is the same but the Sha1 is different from the ones provided by A.P.A.I.S. when you validate it at VirusTotal, this is a typical impersonation that you either just discovered locally or that went unnoticed at VirusTotal. You can then either blacklist, further investigate, and report the event to V.T., or take whatever action you think appropriate etc...

One way to deal with this is to email the Process Analysis Report to the developers, and let them figure out if this is legit or not. In either case A.P.A.I.S provides an easy way to share data and analytical investigations with just a few clicks.

    Also having the data on hand from other scans, where you can now visually identify the local discrepancies in signatures, once you id one, you can go and hunt for all the others hiding on all your systems. It's real easy.

Signature impersonation is quite commonly used to hide malicious binaries, and make them look legitimate to white listing systems. This is due to MD5 and Sha1 being cracked and rendered useless for encryption several years ago. Identification of impersonation is important, but difficult to spot as it must be done visually by comparing multiple file checksums; however its importance should not be understated, and discoveries should be dealt with immediately.

    The registered version offers many useful advantages. I would highly recommend it for technical pros as these features are designed for them...

    And I made registration really affordable and easy to do.

    Just follow the steps in this picture:

    register.png

I hope this helps...

    GD
     
    Last edited: Sep 11, 2013
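The persistent checksum tracker and the "MD5 matches but SHA-1 differs" impersonation check described in the post above, reduced to working code. This is an added example written for this thread, not A.P.A.I.S. code or its data format: the two "binaries", the file name, and the VirusTotal-style reference digest set are constructed for the demonstration, and the JSON layout of the tracker file is this example's own assumption.

```python
import hashlib
import json
import os
from datetime import datetime, timezone
from typing import Optional

ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")


def digests(data: bytes) -> dict:
    """Compute every tracked checksum of one file image."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def compare_digest_sets(local: dict, reference: dict) -> dict:
    """Compare two checksum sets over the algorithms both of them carry.

    The same file agrees on every algorithm and a different file disagrees on
    every algorithm, so a mixed result (MD5 equal, SHA-1 or SHA-256 different)
    means one hash was matched deliberately (collision / impersonation) or the
    reference is simply for another build; either way it needs a closer look.
    """
    shared = [a for a in ALGOS if a in local and a in reference]
    matching = [a for a in shared if local[a].lower() == reference[a].lower()]
    differing = [a for a in shared if local[a].lower() != reference[a].lower()]
    return {"matching": matching, "differing": differing,
            "suspicious": bool(matching) and bool(differing)}


class ChecksumTracker:
    """Append-only history of checksums for analysed files, optionally kept on
    disk as JSON so it travels with a USB toolkit (file layout is this
    example's own assumption, not the tool's format)."""

    def __init__(self, path: Optional[str] = None):
        self.path = path
        self.records = []
        if path and os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.records = json.load(fh)

    def _save(self) -> None:
        if self.path:
            with open(self.path, "w", encoding="utf-8") as fh:
                json.dump(self.records, fh, indent=1)

    def record(self, name: str, data: bytes, version: str = "") -> dict:
        """Store one observation and compare it with every earlier one.

        Returns the new entry plus alerts for earlier entries that share at
        least one checksum with it while differing in another.
        """
        entry = {"name": name, "version": version, "size": len(data),
                 "seen": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 **digests(data)}
        alerts = []
        for prev in self.records:
            cmp = compare_digest_sets(entry, prev)
            if cmp["suspicious"]:
                alerts.append({"previous_name": prev["name"], "previous_seen": prev["seen"],
                               "matching": cmp["matching"], "differing": cmp["differing"]})
        self.records.append(entry)
        self._save()
        return {"entry": entry, "alerts": alerts}

    def history(self, name: str) -> list:
        """All observations of one file name, oldest first."""
        return [r for r in self.records if r["name"] == name]


# Constructed sample "binaries" for the demonstration (not real executables).
BUILD_A = b"MZ\x90\x00 example tool build 1.0.0.3595"
BUILD_B = b"MZ\x90\x00 example tool build 1.0.0.3601"

# Constructed stand-in for what an online lookup might return: BUILD_A's MD5
# paired with an unrelated SHA-1. A real lookup would go through the service's API.
FAKE_REFERENCE = {"md5": digests(BUILD_A)["md5"], "sha1": "0" * 40}


if __name__ == "__main__":
    tracker = ChecksumTracker()  # pass a path such as "tracker.json" to persist
    print(tracker.record("apais.exe", BUILD_A, "1.0.0.3595")["alerts"])  # first sighting, no alerts
    print(tracker.record("apais.exe", BUILD_B, "1.0.0.3601")["alerts"])  # every hash changed: normal update
    print(compare_digest_sets(digests(BUILD_A), FAKE_REFERENCE))          # MD5 matches, SHA-1 differs
```

The comparison only considers the algorithms the reference actually supplies, so a source that publishes just an MD5 cannot produce an alert on its own; the decision comes from the disagreement between hashes. In practice a partial mismatch most often turns out to be a reference recorded for a different build of the same file, so treat "suspicious" as a trigger to pull the sample and compare the SHA-256 family, which is the comparison that carries the weight: chosen-prefix MD5 collisions are practical for an attacker, whereas no collision is known for SHA-256, SHA-384 or SHA-512.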
  21. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Database Updates

    New Signatures Updates 13 September 2013

    Windows Database
    • Just a few missing entries added!
    Primary Malware Database
    • Malware signatures out the Wazoo!

    Happy Hunting! :D
     
  22. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Technician's Edition
    http://hermes-computers.ca/apais_1.php

    New Version Release: V.1.0.0.3652 (25 September 2013)
    http://hermes-computers.ca/downloads.php

    * NEW:
    - Sha256 sha-384 and sha-512 checksum Signature generators
    - You can now analyze sha256 signatures via Virustotal.com (Internet Analysis Module)
    - New Sound byte to sha256 Analysis via virustotal.com
    - New sound byte to Checksum signature calculation
    - Info Button now gives you MD5, Sha1, Sha256, sha-384 and sha-512 in addition to displaying file integrated data
    - Tracker now also documents Sha-256, sha-384 and sha-512 checksum at each pass
    - Technician's field notes now also include Sha-1 Sha-256, sha-384 and sha-512 checksum in the file note

    * Improved:
    - E-mail and local reports, now also provide Sha-256, sha-384 and sha-512 checksum Signatures
- corrected typos in GUIs
    - removed lots of redundant code documentation
    - deleted several deprecated or rewritten functions
- Reorganized some of the constants and variables for optimal performance
    - Now Internet Analysis - specific search page labels are correctly representing actual function instead of generic ones.

    * FIXED:
    - Resolved Condition where manually selecting a static file would sometimes crash A.P.A.I.S.
    - Attempting to report malware in Unregistered version (Free) would crash the application
    - Fixed sound bytes for Sha1 Verifications (Internet Analysis) module plays MD5 check sound clip in error
    - Fixed Report Suspicious File Crash A.P.A.I.S. when unregistered users tried to report malware using it.
     
  23. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
Ladies and Gentlemen, this is request satisfaction week!!! :argh:
    I just spent a rather large number of hours trying to satisfy your needs by answering user requests and implementing either what you asked or trying to up the ante one plus on the request wherever feasible...

    I originally answered your request by adding a visibar on the bottom of A.P.A.I.S to show status on some options, but found it was insufficient...

    You now have tick marks on all settings and options within the menus...
    As for the other thing on DEP and ASLR... Well DEP it is for now, and I'm expecting ASLR to be fully functional in the production version within the next few months so stay tuned...

    The installer will now allow you to select not to install a start menu entry...
    Thank you for all your input, and comments...

    If you have any more requests just let me know, I'm really easy to reach either here, PM me or use the live help messenger on my site...

    All the best!

    Guy Deschênes
     
  24. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Technician's Edition
    http://hermes-computers.ca/apais_1.php

    New Version Release: V.1.0.0.3713 (02 October 2013)
    http://hermes-computers.ca/downloads.php

    * NEW:
    - Added Sha256, sha-384 and sha-512 signatures to the Optional "Report Unknown" to developer report module
- You can now skip lengthy identification sequences of known hostiles if the file is a known part of Windows or is already globally white listed
    - Setup now allows the user to skip creation of program shortcuts (Useful for Portable USB edition)

    * Improved:
    - More work was done to further improve easy Check-sum Impersonation, and collisions identification
    - implemented a few minor code based Performance enhancements
    - Menus "Settings" now display a nice blue tick/check mark on all user selected options (suggested by BoerenkoolMetWorst @ Wilderssecurityforum.com)
- Re-engineered optional trade-off between speed and features: when you disable sound + discontinue scans if file = part of Windows List or Global White List, and you select Skip Known Hostiles List scans (Black List/Primary/Secondary/Tertiary Malware databases) = up to 82% faster scans when the right condition is triggered.

    * FIXED:
    - Improper format output from Info button resolved...
     
  25. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Advanced Process Analysis and Identification System Technician's Edition
    Database Updates


    New Signatures Updates 04 October 2013
    Between Yesterday and today's updates you now have new:

    Global Whitelist
    Primary Malware Database


    Happy Hunting! *puppy*

    On a side note:
    Would users prefer the "Insecure/Vulnerable" database to be global or do you wish to continue full control manually as it currently exists?

    Let me know your preference, what you need in the field is always paramount to me.

    Guy Deschênes
     