I just recently managed to see this thread: https://www.wilderssecurity.com/showthread.php?t=245834 ... and couldn't resist commenting on that (even if it's old) since it's my own project. The site is currently down but will be brought up again in some way or another at some point. If anyone is interested in trying it out, I can get the site up again in no time. ajö has nothing to do with garlic - it's Swedish and means "goodbye". The software in itself uses some pretty neat tricks to detect stuff like FuTo from userland. In the latest version there's also a kernel module using novel tricks to detect hidden processes. All this is to help experienced users detect malware that AV doesn't find in general. The autostart listing is quite extensive, usually containing around 300 entries. There's also a part that looks for known trojans; in the latest database it detects all versions of Bifrost, C-One, Poison Ivy, Nuclear RAT and Bandook, even if they are hidden by their integrated rootkits, or modified by any executable scrambler etc. in any way. So it's not very many, but it's quite easy to add more targets if given a sample. All this is done in an unhookable fashion, with no possible way to hook things in userland that ajö can't find - except specialized and direct attacks written specifically for ajö (big chance, with the current market..! ). As previously stated it also detects "advanced" kernel rootkit stuff like FuTo from userland. I've had thoughts about open-sourcing the code, if there's any interest in that. It's written completely in C.
Currently the site is down, but I'll upload it again tomorrow to a new location - since there obviously is some interest in it. I'll keep you posted.
A one-man project? Maybe you shouldn't call it an AV? Unless you are able to get the signatures to catch over 95 % of malware.
Hehe... Well, considering that the tags on Bifrost/Bifrose can detect close to 100% (estimated) of the Bifrose.BX (or so) variants of it. You tell me! It doesn't use the utterly flawed file scanning techniques most of today's AVs rely on. But on the other hand it WAS a one-man project, and in its current state most of all a tool to help advanced users detect oddities. It doesn't even remove the malware - that's for the user to do. You get the file location though. FYI I've got another AV working which is much more of a "real AV" (tm), using even more exotic techniques. The only thing left there is fixing the automated malware analysis tool. But it's been left behind due to other projects and uni. But let's put a vapourware label on that for now...