AntiMalware by Trustware

Discussion in 'other anti-malware software' started by Vikorr, Sep 20, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi Longboard. If you are talking about installing Firefox, you would simply disable AM and install Firefox (this way it is trusted, and you want the actual installation out of the BufferZone in case you one day decide to 'Clean BufferZone').

    If you are talking about running firefox...AM has a small list of browsers that when executed, run in the BufferZone. Firefox is one of those Browsers.

    AM allows installation of malware (but not through drivebydownloads), and technically, AM would allow them to run...but :

    1. they would not autostart (which all spyware, trojans and worms want to do)
    2. they can't modify trusted files (eg viruses; and some s/t/w in order to autostart)
    3. they can't install drivers <actually, if I understand right, they can, but they are rendered inoperable>
    4. they can't install hooks (used by keyloggers)
    5. they can't inject dll's (method of bypassing security)
    A number of other things they can't do, but those would be the important ones.

    Basically, they are allowed to install, because AM does not detect good or bad, it simply makes new programs <installed while AM is running> untrusted. Untrusted programs can't affect your system <because AM prevents untrusted programs from doing bad things>...ie malware is rendered useless, even if it gets onto your system.

    Unfortunately AM is not currently able to uninstall malware (I asked, and they told me they are working on this)

    AM doesn't have (that I can find) a Trusted Install feature. Simply disable it (right click on icon, then disable), and install the program...it is then trusted.
     
    Last edited: Oct 3, 2005
  2. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Is anyone having problems getting web sites to open with AM? I can't get this forum to open unless I get out of AM. It seems simple web sites will open but not ones with a lot to them. The computer will just hang. Then I have to go into the AM control center and shut down IE. Then I can go back into IE and open the web site.
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I'm personally not having a problem with any website. I do notice that when I first open IE, it's best to wait a few seconds before clicking on my shortcut to wilders...but after IE is open, everything is normal speed for me. I think this is because on first opening IE - it is transferring into the BufferZone of AM.

    But that's just a guess, perhaps a post to their forum may be helpful.
     
  4. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Thanks for the info, Vikorr :D You are a great help!
     
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    well, first, thank you so much, Eyal, I'm trialing it and it looks like a very nice piece of software :eek:

    Vikorr, I can see a trusted install feature here, when you right click on a file downloaded through AM protection, there's a "Release from AntiMalware Buffer Zone" option in the right-click menu, plus a "Execute out of Buffer Zone" option (see the shot): guess it's designed for this purpose.

    the only problem I've met by now was to upload that pic :) , AM may be interfering with FF for uploading.
     

    Attached Files:

    • An_M.gif
  6. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    What other browsers can run in the BufferZone? Didn't find anything on their site yet!
     
  7. Painkiller

    Painkiller Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    42
    Hi,

    According to what I read in Trustware documents, and frankly what I saw on their BufferZone Community, they support all known browsers, but from what I understood they are not concerned with a specific browser, because they can also protect messengers and P2P. It seems that many people here post about security in browsers but forget that your (all) computers running Windows are applicable to many end point attacks originating from applications other than browsers, like messengers and P2P or any application installed on the computer. Currently the only product that supports real protection for all "problematic" applications is Trustware AntiMalware ... other applications are dealing only with IE, and that's like putting a bandage on an amputated head :oops:


    Cheers
    Painkiller :-*
     
  8. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Thanks for that info...
     
  9. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Okay so I uninstalled Prevx and got myself a copy of AM. When I started Firefox in BufferZone, I got a message that "The security settings of your browser couldnt be initialized. Please ensure that there are no read/write restrictions of the directory containing the browser profile." And then, Firefox crashes!!

    Anybody had this issue? Help me out cuz I don't know whether I should give read/write access to the directory containing the browser profile in C:\Documents and Settings\ Abhishek\ Application Data\Mozilla\...\...\........
     
  10. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    I'm meeting problems with Firefox too, but it didn't happen right at the beginning: problems started since I used the NoScript plugin right-click. Can't get FF to work through AM since, but can still run FF outside AM :) . A FF reinstall and a BZ clean didn't solve, so I may try to reinstall AM and run FF first, and FF with NoScript, to see if this issue happens again.

    I sometimes get the error message you're talking about, when running FF without AM, but mine doesn't crash o_O I'm wondering if it couldn't be related to the fact that FF settings are not in the FF main folder (could explain your problem, when running FF through AM; I mean an "untrusted program" trying to read/write on protected area).
     
  11. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    That would be a question best posted at their forums. I'm sure they should be able to give you an answer for it <although Nico may be correct>
     
  12. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    anyone running Firefox through Buffer Zone without problems ?? o_O I can't get it working here, only IE does stand it on my setup.
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    ...fixed: AM current release not compatible with firefox. Next release should be :)
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Ahh, glad to know it's not just me. :)
     
  15. foxdodger

    foxdodger Guest

    I'm not sure if I want to run firefox in the buffer zone anyway. I understand why browsers are generally considered dangerous and are restricted and untrusted, on the other hand, from the point of view of firewalls they are considered trusted because you have a rule allowing outbound access.

    There's a fundamental conflict between the two really when you think about it. You don't want some other program to alter your browser so as to beat trojans that exploit browsers to leak through, yet putting your browser as untrusted means other untrusted programs can affect it.
     
  16. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Oh, I can understand your opinion, but to put browsers in an untrusted zone does have its own logic: here, to put (Firefox) or any browser in AM's Buffer Zone doesn't mean that it's more likely to be affected *no more than to run it without AM, in fact* because the main effect of AM is to create a sort of "super-protected" area on the computer; of course that doesn't decrease the security level of non protected apps, that just means these untrusted apps will have reduced privileges: they are not weaker themselves, but just less protected than others. Think "relative".

    Thus the fact to improve the security level of one zone, the "trusted programs", doesn't decrease at the same time the security level of the others: The purpose is just to close the doors malware need to reach your computer: browser, Instant messenger, etc. In a way, to run your browser in untrusted zone is protecting it too: if it happens to get affected, you clean the Buffer Zone, and next time you run your browser within, it's clean as if nothing ever happened :) - and you can still use it without AM if you want, exactly as before to put it in Buffer Zone (as disabling AM protection).

    Of course you don't have more chance to get your browser affected in Buffer Zone than without it: I think it's the concept of these two zones that makes you think about that, but the way it works is more subtle -hopefully !- it's just about controlling the effects of any infection.

    I had a close reaction when I first heard about AM, as I'm more used of Process Guard's policy: you protect your browser (and whole system) against unknown processes/files. But the aim is the same for both AM and PG: they just undertake this task by different - apparently opposite - ways.

    Even if your firewall does trust your browser, does it protect it from malware injection ? NO ! :doubt:
    (There's an internet access control in AM corporate version, not in home for the moment). It shows that the firewall 's trust is not enough to trust the whole system, and is unrelated to AM's "ideology": just two different situations.

    I think these comments can go for other virtualization programs, although I've tested AM only.
     
  17. foxdodger

    foxdodger Guest

    I understand the reason why the browser is usually in the buffer zone. But...

    The problem is you might not know if it's infected. Or it might not be affected permanently. I'm worried about other untrusted programs taking advantage of the similarly untrusted browser to connect out.

    This is mitigated by the fact that untrusted programs can only have access to information that is obtained from other untrusted programs, but this includes fairly critical apps like browsers, email, etc.

    Imagine a keylogger working in the buffer zone logging your keystrokes obtained from the browser while you are keying in your bank passwords. Then using DDE it phones home.

    The bufferzone is never breached but you are still hurt.

    True, this is no worse than not using AM at all, but it seems to me that the browser is sensitive enough that it should be isolated both ways.

    1) Isolated from untrusted apps

    2) Isolated from other trusted apps to avoid damage if the browser is broken.


    Er no, I didn't think that. I was just musing over the fact that ideally the browser (and most other internet enabled apps which are regularly allowed network access), deserve to be isolated specially, from *both* trusted apps and none-trusted app to avoid getting in a scenario as above.

    It seems to me that there are 2 reasons why you would not trust an app.

    1) You trust the app in the sense that you know it is not malicious on purpose, but you are afraid that it could be exploited somehow to run child processes or directly, so you put it in the buffer zone so if it is broken it limits the damage. Eg Your browser, your email.

    2) You don't trust the app at all. It's some freeware you picked up elsewhere, you think it might be a trojan. Putting it in the buffer zone limits the damage as well.

    The problem is that those in category 1 are almost always net enabled software with default allow firewall rules, and AM (and everything else) doesn't make a distinction between these 2 types of untrusted programs and allows 2) to modify 1)

    Of course the bufferzone is still not breached, but as I stated above, it can still cause damage.

    Perhaps having 2 different bufferzones to reflect these 2 categories of software might help.

    In some ways the PG and defensewall host method can be superior since you can give rights and restrictions separately. Two untrusted apps don't immediately gain the ability to affect one another.

    But of course you lose the ability to get the rollback effect of virtualization tech.

    I guess if the protection that PG and other apps extends into the bufferzone you will have the best of both worlds..

    Some firewalls like Outpost do. But that's irrelevant.

    I'm just commenting on the fact that to beat leak tests you need to isolate the browser from untrusted apps, and yet from another point of view browsers are themselves considered untrusted just to limit damage.

    Sure, I'm just musing about virtualization programs in general and not targeting AM. I suppose having several bufferzones would be technically difficult due to the virtualisation aspect.
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I fully agree, I wish they would stop things like hooks from happening at all within the untrusted zone. It just goes to show, really, that you shouldn't rely on any one thing to provide all security. To limit things further, I do still use DropMyRights.. although that doesn't close that hole completely.
     
  19. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi foxdodger, wow, long reply :eek: .

    New version of AntiMalware available (1.50-51), with network access protection.


    seems you picked the worst case imaginable... your assumption could happen, I don't know to be honest; but... provided Buffer Zone does stop some malware from starting (the program does ask you about "untrusted scripts or macros" and new programs, and I've asked for a "prompt at protected file access call" feature), and I'm not sure a keylogger could install even in Buffer Zone (see E. Dotan's reply above), so the untrusted zone doesn't look like a jungle where everyone can do everything.

    And let's not forget the keylogger would need to install first: AM should warn you even if it only happens in the Buffer Zone: keyboard hook and service, needed by a keylogger, will cause prompting from AM, or will be refused automatically (according to your settings). Plus the new network protection could maybe play a role here, I've not tested it yet. Without talking about the other security apps you may be running.

    But a simple and efficient fix could just be to...clean the buffer zone before doing any sensible activity, such as online banking :D : just common sense !. But I admit your remark is very interesting.

    Anyway, someone asked a similar question on their forum, the best would be to look at their reply http://trustware.com/forum/viewtopic.php?t=32

    there's a suggestion about two levels of Buffer Zone in this post too.

    I like Outpost too, but wouldn't rely only on it for such a purpose.

    hehe, a good headache for the computer :D ..

    I agree too, Notok.

    Cheers
     
    Last edited: Oct 9, 2005
  20. foxdodger

    foxdodger Guest

    Hello nico

    I'm not too clear on this point really. Can a program in the bufferzone do global hooks as per PG terminology?

    In my scenario, you are actually testing this app out so it's a case where you want to install something to test. Getting a warning is nice, but just because some app requires hooks doesn't mean it's a keylogger as you know.

    I guess I will use AM as an area to test apps, but I won't put my browser in there. My browser is more than sufficiently protected anyway.

    Sounds good.
     
  21. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    just make sure not to start firefox and netscape while AM's protection is ON, they're not compatible for the moment (although I did run firefox with the new AM protection enabled, by mistake, one hour ago, and seems that was working :eek: ).

    Cheers
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,127
    Location:
    The Netherlands
    To tell you the truth, I'm still a bit confused about what exactly is possible with this new technology, I guess I will have to see it in action myself.

    At the moment I still think that using the normal anti malware tools is the best solution against malware. I mean it looks like these sandbox tools do somewhat interfere with normal computing, is this true or not? And I don't want to constantly be bothered with "trusted/untrusted" questions.

    I can see myself installing new untrusted software in a virtual area, so that my real system won't get compromised. But what about browsing the web "sandboxed", I still don't understand the concept, aren't there any drawbacks?
     
  23. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Trusted programs (whatever was on the computer when you installed AM) are allowed free rein to do what they want, they have no restrictions.

    Software installed through AM is untrusted and therefore runs in the BufferZone.

    Software in the BufferZone can be made trusted (released from the BZ)

    IE runs in the BZ, because it (and a few other programs) are special programs listed for surveillance by AM.

    Anything created by a program running in the BZ is also untrusted (eg. all downloads through IE)

    The BZ is a virtual environment, including a virtual registry and virtual files.

    Anything running in the BZ has certain restrictions placed on it :
    -Can't modify trusted files (eg virus behaviour, or trojan injection etc)
    -Can't create hooks (keyloggers)
    -Can't autostart (virtual registry is not read at startup)
    -Can't install drivers
    -Can't copy&paste from trusted files <data theft>
    and a few other restrictions that I can't remember off the top of my head.

    That means that certain types of programs won't work in the buffer zone, but many/most will.



    Other things about AM :

    You can set trusted programs so that anything created by them is untrusted (eg IM's can run as trusted - if you want them to autostart - but anything created by them can be set to 'untrusted')

    AM creates almost no popups. The only real interaction needed is if you want to make a program trusted/untrusted.

    edit : I know some of this info is posted previously, just thought it might make more sense to you in this order.
     
    Last edited: Oct 12, 2005
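
The trust rules recapped in the post above, and the "untrusted apps can affect each other" concern raised earlier in the thread, as a toy model. This is an added example, not Trustware code or part of any post; the class, method and file names are hypothetical and the behaviour is only what the thread describes.

```python
# Constructed model of the BufferZone policy as described in this thread.
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = "trusted", "untrusted"

@dataclass
class Host:
    files: dict = field(default_factory=dict)             # path -> trust label
    real_autostart: set = field(default_factory=set)      # read at boot
    virtual_autostart: set = field(default_factory=set)   # zone registry, not read at boot
    watched: set = field(default_factory=lambda: {"iexplore.exe"})  # forced into the zone

    def label_of(self, program):
        # Watched programs always run untrusted; otherwise the file's label decides.
        if program in self.watched:
            return UNTRUSTED
        return self.files.get(program, UNTRUSTED)

    def write(self, program, path):
        """Return True if the write is allowed; new files inherit the writer's label."""
        actor, target = self.label_of(program), self.files.get(path)
        if actor == UNTRUSTED and target == TRUSTED:
            return False                       # untrusted code cannot modify trusted files
        if target is None:
            self.files[path] = actor           # created file inherits the label
        return True

    def add_autostart(self, program):
        # Untrusted entries land in the virtual registry, so they never run at boot.
        store = self.real_autostart if self.label_of(program) == TRUSTED else self.virtual_autostart
        store.add(program)

    def release(self, path):
        self.files[path] = TRUSTED             # "Release from AntiMalware Buffer Zone"

    def clean_zone(self):
        # "Clean BufferZone": drop everything untrusted, files and virtual registry.
        self.files = {p: lab for p, lab in self.files.items() if lab == TRUSTED}
        self.virtual_autostart.clear()

def demo():
    h = Host(files={"iexplore.exe": TRUSTED, "winword.exe": TRUSTED, "system.dll": TRUSTED})
    out = {}
    h.write("iexplore.exe", "download.exe")               # download through a watched browser
    out["download_label"] = h.files["download.exe"]
    out["patch_trusted"] = h.write("download.exe", "system.dll")
    h.write("iexplore.exe", "profile.dat")                # browser data created inside the zone
    out["patch_browser_data"] = h.write("download.exe", "profile.dat")
    h.add_autostart("download.exe")
    out["boots"] = "download.exe" in h.real_autostart
    h.clean_zone()
    out["after_clean"] = sorted(h.files)
    return out

if __name__ == "__main__":
    print(demo())
```

In the model, the one write that succeeds for the untrusted download is the one to the browser's own in-zone data, which is the gap the thread discusses; cleaning the zone removes both.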
  24. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    The current version does work fine with Firefox, now: just make sure to send the FF-Profile folder into the Buffer zone

    :)
     
  25. RobZee

    RobZee Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    290
    Location:
    Texas
    Thanks for your recap - I have tried to follow this thread but was getting confused - this does help..

    Rob
     