AntiMalware by Trustware

Discussion in 'other anti-malware software' started by Vikorr, Sep 20, 2005.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Does this mean you have to specify "Trusted" files/programs to be protected along with "Untrusted" programs to be restricted? How can you restrict the likes of Internet Explorer from accessing and changing real system files (e.g. fonts, cache, Microsoft's Java VM) or registry keys without breaking it?

    If you are creating "shadow" files or registry keys to accommodate all attempted changes, how long do these last? (e.g. could user-requested changes vanish on reboot like with DeepFreeze and similar software). What happens if an untrusted program uses a Windows component to do its dirty work? (possible examples include cmd.exe, rundll32.exe, net.exe). What if a user decides a download is actually trustworthy (e.g. an anti-virus scanner) - do they have to reinstall it as a trusted program? Finally, how about multiple untrusted programs - do they each see different files/registry key values or do they all see the same "Untrusted, temporary" values?
    What happens if that trojan tries to install a driver or create a keyboard hook? Or for that matter tries to access Physical Memory to overwrite the Service Descriptor Tables? (which could disable any other security software - including the likes of Process Guard, though this can now block physical memory access).

    If anyone running BufferZone wishes to investigate, visiting the Win2K/XP SDT Restore page and trying that utility would be a good initial test (I'm running rather too many other betas to consider testing it myself at the moment).
     
  2. edotan

    edotan Registered Member

    Joined:
    May 1, 2005
    Posts:
    4
    Hi,

    First let me introduce myself: I'm Eyal Dotan, the author & CTO of AntiMalware. I'm glad to answer as I regularly read this forum, but rarely post.
    Like Eldad said, what AntiMalware's BufferZone does is virtualize untrusted processes' "Write" access to the FileSystem & Registry.

    You don't have to decide what files to Trust. What you need to decide is basically what's your scope of protection.
    Example: in the full Home versions we Untrust by default Internet browsers & P2P & Messaging programs. In Corporate versions, we additionally Untrust any Unknown new program that arrives after our installation (unless authorized by the admin console).
    Paranoid, the difference with standard HIPS solutions is that we *don't* restrict access to protected files. We just emulate Write operations on them.

    The idea came from the fact that protecting certain registry keys / files with ACCESS_ALLOWED / ACCESS_DENIED becomes at some point a compromise between security and usability: either you protect all the risky files/keys (and God... there's a lot) and then many programs won't function properly (or alert too much); or you protect less system resources and then more programs will work correctly, but some smart hackers will find their way through.
    For example: if you protect the HKLM\..\RUN key, you will prevent simple intrusion programs. But smart ways of getting through may be for example to create a malicious DLL and register it as a Shell Extension, which will then run at every startup.
    This is why virtualization is stronger: because it is flexible (for legitimate programs), it provides a very full protection (because we don't have to limit our protection to certain files / keys).

    Our BufferZone registry & file system is persistent. It doesn't disappear after reboot. Not until the user decides to. This is why you can actually install software in it, and use it. Currently our virtualization isn't perfect yet, but more and more programs will function in it with time.

    Nice question. BufferZone works with inheritance. Meaning that if IEXPLORE is in BufferZone, everything it downloads or executes will run in BufferZone too.

    Wow, lots of questions! We really need a FAQ ;)
    Programs that you installed in BufferZone and then decide to Trust can technically be moved out of BufferZone, but we recommend to simply reinstall them as Trusted.
    And yes, all Untrusted program are in the same BufferZone and see the same "Untrusted" registry & files.

    BufferZone is very flexible, but some operations are forbidden. Like the ones you mentioned.
    And we'll be happy to hear from smart guys around this forum if anyone can find other dangerous operations we haven't taken into consideration.

    Eyal

    PS: the Home version is Beta.
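    As an added illustration of the model Eyal describes (not Trustware's code, and not a real API): untrusted processes' writes land in one shared, persistent shadow store, reads fall through to the real store, child processes inherit untrusted status, and the operation classes named elsewhere in the thread (drivers, hooks, DLL injection) are refused rather than emulated. Process names, the operation names and the sample Run-key value are constructed.

```python
# Constructed toy model (not Trustware's code): untrusted processes' writes are
# redirected to one shared, persistent shadow store; reads prefer the shadow;
# children inherit untrusted status; a few operation classes are refused outright.
FORBIDDEN = {"load_driver", "set_hook", "inject_dll"}   # hypothetical op names

class Host:
    def __init__(self):
        self.real = {}     # real file system / registry, keyed by path
        self.shadow = {}   # the BufferZone: one store shared by all untrusted processes
        self.trust = {}    # pid -> True (trusted) or False (untrusted)

    def spawn(self, pid, parent=None, trusted=True):
        # Inheritance: anything an untrusted process launches is untrusted too.
        self.trust[pid] = trusted if parent is None else (self.trust[parent] and trusted)

    def write(self, pid, key, value):
        # The write always "succeeds" from the caller's view; only the target differs.
        (self.real if self.trust[pid] else self.shadow)[key] = value
        return True

    def read(self, pid, key):
        # Untrusted readers see shadowed values first, then fall through to real ones.
        if not self.trust[pid] and key in self.shadow:
            return self.shadow[key]
        return self.real.get(key)

    def allowed(self, pid, op):
        # Forbidden operations are not emulated: untrusted callers are simply refused.
        return self.trust[pid] or op not in FORBIDDEN

    def clean_buffer_zone(self):
        # The shadow persists (across reboots in this model) until the user clears it.
        self.shadow.clear()

def demo():
    """Walk through the scenario from the thread; returns a dict for checking."""
    run_key = r"HKLM\..\Run\Updater"            # constructed sample autostart entry
    h = Host()
    h.real[run_key] = "real_updater.exe"
    h.spawn("iexplore", trusted=False)          # browser is untrusted by default
    h.spawn("download.exe", parent="iexplore")  # inherits untrusted from IE
    h.spawn("explorer", trusted=True)
    h.write("download.exe", run_key, "dropper.exe")   # lands in the shadow only
    untrusted_view = h.read("download.exe", run_key)
    trusted_view = h.read("explorer", run_key)        # real autostart unchanged
    driver_ok = h.allowed("download.exe", "load_driver")
    h.clean_buffer_zone()
    return {"inherited_untrusted": h.trust["download.exe"],
            "untrusted_sees": untrusted_view, "trusted_sees": trusted_view,
            "driver_allowed": driver_ok, "after_clean": h.read("download.exe", run_key)}
```

The untrusted program believes its Run-key write worked, which is why a registry "write test" reports success while no real autostart is ever created.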
     
  3. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Thanks kareldjag and Painkiller.
     
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Just thought you guys would be interested to know - I ran some more tests on AM. I downloaded the following tests, which ran in the buffer zone of AM <borrowed some test ideas from Kareldjag's site>

    3 x Finjan data theft tests = all passed
    http://www.finjan.com/SecurityLab/SecurityTestingCenter/

    Ghost security http://www.ghostsecurity.com/index.php?page=freeware
    Reg test 1 = failed (AM does say it allows writing to a virtual registry)
    Reg test 2 = passed (no autostarts are allowed by untrusted programs)
    ProcX termination test = passed (can terminate the GUI but not the Service)

    DiamondCS Hooktest http://diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers
    Passed

    Zapass <dll injection> test http://www.whirlywiryweb.com/article.asp?id=/trojanimplant
    Pass

    Another test I did at a CWS website, with IE set to medium security, prevented all driveby downloads <I know the site was 'working' - I tested that first too>
     
    Last edited: Oct 1, 2005
  5. Painkiller

    Painkiller Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    42
    When you say Pass, what do you mean o_O? ... It was able to breach the AM,

    Cause I have tested all you said and didn't get the same results.

    3 x Finjan data theft tests = Blocked ... like a charm

    Ghost security http://www.ghostsecurity.com/index.php?page=freeware
    Reg test 1 = failed
    Reg test 2 = failed

    See, AM allows it to write to the reg, but it's a virtual one, so the program thinks it passed

    Zapass <dll injection> Blocked and even it crashed when running in BZ cause it couldn’t Implant the DLL

    So, want to explain more about the tests you did, like env and how you did the tests, man ...

    btw: put these tests on the BufferZone community, I'm sure they will have a better explanation for you ...

    Painkiller o_O
     
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Painkiller

    I see that 'pass' may have been vague. What I meant was, passed - like a test <exam> at school...a pass means you did well. In other words, AM passed the tests (by blocking those attempted datatheft, hook etc).
     
  7. Painkiller

    Painkiller Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    42
    Ha ok ... so we are clear ...

    COOOOOLLLLL

    Painkiller
    btw: keep up the good work .. :cool:
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Yes it works like this but with any program, not just internet based, which is the way Green Border sounds. I have not yet tried Green Border but with anti-malware you can easily change a program from running in the trusted zone to trusted with a right click mouse selection. With Green Border it says it deleted the files associated with the program but at this time anti-malware does not.

    Thanks,

    Chris
     
    Last edited: Oct 2, 2005
  10. Mucker

    Mucker Registered Member

    Joined:
    Apr 20, 2005
    Posts:
    42
    Being rather inexperienced I would like to know if I have to clean temp files in both the buffer and the real zone?

    Mucker
     
  11. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I have two computers in the house. One for my granddaughter to play on. I tried Antimalware on that computer. There is a kids web site called Noggon that she loves. It would not open. The computer just hung. That is on DSL, 1.8 GH Dell 8200
     
  12. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    I installed AM Home, and it seems to have a MAJOR conflict with Prevx Home...is anybody facing this issue?
    Any workarounds for this?
     
  13. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Abhi, AntiMalware does not work with Prevx (of any kind). It has a major conflict with the prevx driver. Unfortunately, because the Prevx driver works even when you turn Prevx off, you can really only have one or the other on your computer system.

    Mucker, if you download a file through IE to say c:\downloads <it is untrusted>....when you delete the file from c:\downloads, the file is also deleted from the c:\virtual folder where a virtual copy of it was made.

    There is also an option to 'Clean Buffer Zone' which wipes all settings from the bufferzone (but doesn't wipe virtual files that have a corresponding file somewhere on your computer)....personally I would like them to make the 'Clean Buffer Zone' button something that will allow us to clean individual programs from the bufferzone (although I know you can 'release file/folder from bufferzone')
     
  14. Mucker

    Mucker Registered Member

    Joined:
    Apr 20, 2005
    Posts:
    42
    Vikorr,
    Thanks for the reply. It helps me to understand better. Vikorr, I have Prevx1 Beta installed and Bufferzone is working OK except I can't get Yahoo to boot up--Firefox and K-mellon both work fine though. Thanks again.

    Mucker
     
  15. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    If you haven't already can you please report any/all the problems you have to support?

    Thanks,

    Chris
     
  16. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Heya Mucker, thanks for the info on Prevx1. That was the driver that caused AM to crash on my computer...and when I used to have Prevx Pro, AM wouldn't work on my computer then too...so maybe it's just luck of the draw in relation to Prevx

    In relation to Yahoo, mine boots up fine, but I found it won't autostart if you make Yahoo untrusted. One sec, I'll find the answer to the question I posted to their forums:

    And

    Hope it helps
     
  17. Mucker

    Mucker Registered Member

    Joined:
    Apr 20, 2005
    Posts:
    42
    Chris, I posted in bufferzone forum and e-mailed support, thanks


    Vikorr.

    I don't use Yim, I meant my yahoo browser. I don't really use it so it doesn't matter to me, but possibly to someone else it may be important. This is a very interesting program, and I would like to understand it much more completely.

    Thanks,
    Mucker
     
  18. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Doh, heh, sorry, thought that's what you meant. Didn't know Yahoo had a browser :)

    Some more info from the reply to the post of mine <just for interest's sake on how AM works>

     
    Last edited: Oct 2, 2005
  19. Mucker

    Mucker Registered Member

    Joined:
    Apr 20, 2005
    Posts:
    42
    Vikorr.

    Thanks for the reply and the info.

    Mucker
     
  20. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Do you think I should go ahead and uninstall prevx home? Is AM better than prevx in protection from trojans, spywares, viruses etc.? What do you suggest?
    Vikorr , I look forward to your comments too!! :D
     
  21. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    From the tests I ran on it, and the replies I received from the BufferZone support people in their forums, I would say that yes, AntiMalware is better protection for your computer than Prevx. Certainly AntiMalware doesn't throw up popups that require you to answer a question that you could get wrong, like Prevx home does <not saying that Prevx is bad, just that AM is more user-friendly, and I would say it offers more protection than Prevx>

    Also, just remember that when installing certain programs (not all), they should be installed as trusted, because the bufferzone basically stops the use of drivers, and prevents autostarting.

    In relation to drivers re installing - drivers are often used by other security software <+ some others>, but if any malware uses a driver - they are really bad...so preventing drivers from working in the bufferzone is a good thing.
     
  22. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Great info, Vikorr. Thanks a ton!

    I have been trialling Sandboxie and it's also pretty user friendly and claims to offer extended security through virtualization.
    How does AM compare to sandboxie? I feel they use the same philosophy.
     
  23. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    The only problem with sandboxie is that my laptop's touchpad scroller stops working when I open Firefox using sandboxie.
    If I open firefox without sandboxie the scroller works fine!
     
  24. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I've never tried sandboxie, but from posts of others, it seems the following are the differences : <someone correct me if anything about Sandboxie is inaccurate>

    Sandboxie :
    It appears you have to manually start SB (not sure about this)

    Is a virtual environment : anything run inside sandboxie (eg IE) stays inside IE, and disappears when SB is shut down.

    You have to specify which applications SB monitors (eg, IE, Outlook, P2P, IM's, installs)

    Can't install anything permanent from within Sandboxie

    AntiMalware :
    AM is an autostarting program.

    AM is a virtual environment. Anything run inside AM (eg IE) stays inside AM, but you never have to shut down AM (unless you are installing a trusted program)

    AM monitors all areas that may be a vector for infection (eg IE, Outlook, P2P, IM's, installs)

    AM has some restrictions on what untrusted programs can do - eg set hooks (used in keylogging), inject DLLs (used to bypass security), and a number of other things.

    Able to install simple programs through AM (but not ones requiring drivers)

    Basically AM is more automated than sandboxie.
     
    Last edited: Oct 3, 2005
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    whew!

    Almost keeping up here!
    Be gentle.

    Couple of questions:

    -@ Vikorr Could you elaborate on:
    -Where does this app stand wrt FFox

    -If I understand (?) this app allows installation of Malware/untrusted apps in the virtual HD but disallows permission to run. How are these malwares removed?

    -is a permanent log or record kept of these sessions monitored by AM and how are these stored +/- deleted?

    -I saw a comment that "trusted installs are allowed to operate/install to the real HD", or does AM just keep them in the virtual space?

    (head spinning now must go for fresh air)

    Regards.
     