Any AS preventing "writing into memory" ?

Discussion in 'other anti-malware software' started by Perman, Nov 30, 2007.

Thread Status:
Not open for further replies.
  1. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    Just curious to know: is any AS good at prevention of malware's writing into memory, not prevention of execution (AVG AS' guard, BOClean can protect this)?

    I have prevx 2 as realtimer, does it cover this area ?

    Thanks.
     
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks:

    Help me to get these things onto a right track.

    Suppose a malware hiding in a downloaded program landed in w/ IE7:
    (1) with DeepFreeze's frozen mode, nothing will be left after reboot, so it is ok here.

    (2) with DF's thawed mode, and DefenseWall on guard, anything d/l w/ IE7 will be contained in that untrusted area, upon reboot, it will be gone. So, it is ok here too.

    (3) if I decide to install that program, the malware in question will subsequently write into memory w/o my full knowledge; here comes my question: is there any AS that can be there to stop it?

    Any suggestion is most welcome.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    There is no such thing as "write into memory", at least not in the way you described. Where'd you get that idea from?
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
  5. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    There are a number of ways to "write into memory".

    Two of the most obvious are:

    1. Open /device/physicalmemory and write to an arbitrary address.
    2. Open a handle to a process and call VirtualWrite to modify the memory of an existing process.

    Prevx1 and Prevx 2.0 prevent all write access to /device/physicalmemory as part of its self-protection as this technique can be used to remove kernel hooks. Prevx 2.0 also prevents write access to its own processes - it monitors accesses to other processes (describing them as process hijack attempts) and blocks when the process is determined to be malware.
     
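    Added example (not Prevx's code and not from any poster): a small Python detector that looks at the second technique above from the defender's side. It scans constructed Sysmon-style ProcessAccess (Event ID 10) records and reports any non-allowlisted image that was granted PROCESS_VM_WRITE together with PROCESS_VM_OPERATION on another process; Sysmon, the simplified key=value record layout and the allowlist are assumptions, the access-right constants are the documented Win32 values.

```python
"""Flag cross-process memory-write handle grants in constructed Sysmon-style
ProcessAccess (Event ID 10) records. Added example, not Prevx code; the
key=value log layout and the allowlist are assumed for illustration."""
import re

# Win32 process access rights (documented constants, not values from the thread)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
WRITE_BITS = PROCESS_VM_WRITE | PROCESS_VM_OPERATION  # needed to write into another process

# Assumed allowlist: system images that legitimately open other processes for write
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed sample records (not real telemetry)
SAMPLE_LOG = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Users\bob\Downloads\setup.exe TargetImage=C:\Program Files\Internet Explorer\iexplore.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\bob\Downloads\setup.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x0028",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1FFFFF",
    r"EventID=1 Image=C:\Users\bob\Downloads\setup.exe CommandLine=setup.exe",
]

def parse_event(line):
    """Split 'Key=Value Key=Value' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def decode_access(mask):
    """Name the memory-relevant rights present in a GrantedAccess mask."""
    rights = (("CREATE_THREAD", PROCESS_CREATE_THREAD), ("VM_OPERATION", PROCESS_VM_OPERATION),
              ("VM_READ", PROCESS_VM_READ), ("VM_WRITE", PROCESS_VM_WRITE))
    return [name for name, bit in rights if mask & bit]

def is_write_attempt(event):
    """True when a ProcessAccess record grants write rights to a non-allowlisted image."""
    if event.get("EventID") != "10":
        return False
    mask = int(event["GrantedAccess"], 16)
    # Full-access masks such as 0x1FFFFF contain the write bits, so test bitwise, not by equality
    if (mask & WRITE_BITS) != WRITE_BITS:
        return False
    return event["SourceImage"].lower() not in ALLOWLIST

def find_hijack_attempts(lines):
    """Return (source, target, rights) for every record that looks like a process-hijack attempt."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_write_attempt(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], decode_access(int(ev["GrantedAccess"], 16))))
    return hits

if __name__ == "__main__":
    for src, dst, rights in find_hijack_attempts(SAMPLE_LOG):
        print(f"write access to {dst} from {src}: {', '.join(rights)}")
```

    The first technique in the post (writing through the physical-memory device object) does not produce a ProcessAccess record and is not covered by this check.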
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hi ghiser,

    Since you're here, I thought I might as well take the opportunity to ask: how does Prevx determine when a process is malware? Assuming a process requests access to physical memory, as you describe; what other checks does Prevx perform in order to recognize the process as malicious, if any?
     
  7. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    There is no simple answer to that I'm afraid. It's all decided by the AI engine sitting in the Prevx 2.0 CWC. It depends on a lot of factors like speed of propagation, source of original file, what created it, where, when, its identification signatures, sandboxing analysis etc. There are a whole raft of possibilities; the fact that the process may attempt to write to physical memory is only one of them. It may also depend on the behaviour of the file across multiple PCs, varied behaviour of geographic regions or temporal relationships.
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thanks for the reply.
     