Crystal Anti-Exploit Protection 2012 Beta

Discussion in 'other anti-malware software' started by sg09, Jun 28, 2012.

Thread Status:
Not open for further replies.
  1. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    http://www.crystalaep.com/about.html

    The software indeed seems interesting.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Another new App :eek: ;) Good find sg09 :thumb:

    If it didn't require .NET i would have tried it. Hopefully some of you will & let us know how it fares :)
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i want to try it:thumb:
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I gather this is like EMET
     
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    Hmmm...looks like something similar to EMET with "white list filtering" feature. But I'm surprised how logo of Crystal is similar to logo Kristal by Kardo Kristal in our forum...maybe is it only fortuity?
    Below some screenshots
    main window
    120629095024_9.jpg
    alert window
    120629094923_8.jpg
    basic options
    120629094039_3.jpg
    advanced options
    Panorama.jpg
    I don't know how to enable "Enabled Features" in main screen...
     
  6. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Interesting indeed. Maybe I will try it once it's out of beta. Would it work with EMET or do I need to uninstall EMET first?
     
  7. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    It offers a good help documentation PDF file. I wonder if its unethical to upload it for those who haven't tried it yet. That help PDF explains each module in quite detail.
    This type of logo is quite common these days.
    http://i.imgur.com/a6dVX.jpg
    Guess whose logo is this!! ;)
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    From the looks of the advanced options windows

    1. EMET/Buffer Overflow guard like functionality
    2. Monitors (allow/block) process creation (same process name spawning is often legitemate but is also used to hijack process credentials)
    3. Blocks code execution from obvious drive by drop zones (temp, download, netshare,etc)
    4. Whitelist/blacklist function for protected programs to allow execution of specified dll's (e.g. only allow your browser to run flash and pdf)
    5. Active-X and Content filtering for IE. Content filtering involves data formats which could have code in it like images and streaming media. The author has planned some more options (but I think he might a bit over ambitious in his goals).

    All in all really interesting application

    @Ichito what is the cpu usage?

    Thx
     
    Last edited: Jul 1, 2012
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    Thanks Kees for your mention...below there is screenshots with resource usage
    120701130759_1.jpg
    The same processes are added to autostart (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
    I think that can be important the info from PDF Guide:
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    THX, Ichito & SG09

    Really interesting application, I have asked the designer/programmer to join Wilders to attract more beta testers.
     
  11. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Going to test it ON xp
    and will report back
     
  12. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    None of the protected apps will open for me. I'm guessing it is a conflict with EMET. Will try a clean image later.

    Which program covers more areas, EMET or Crystal.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    See post 8, one through four are allready implemented according the documentation, so Crystal
     
  14. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    I tried it but nothing that is protected would open they all crash o_O
     
  15. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    A clean image didn't stop the application crashes so EMET is not the problem. I get a BEX error when IE or Windows Media Player tries to run. Running on Vista 64 bit. No 32 bit PCs to test on.
     
  16. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Im used that without EMET and I'm 32 bit o_O
     
  17. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    Hi all, I'm the developer of Crystal AEP. Thanks to all of your for your interest and for taking the time out to test the software!

    I am sorry to hear that it crashes on some of your systems, I'd be interested to know if it crashes always and for all applications you've tried it with, or whether that just happens with certain applications? Does it crash when configured to run at Minimum or Moderate security levels?

    Crystal is fairly invasive in that it attempts to intercept various OS functionality and subjects the application state to a fairly comprehensive set of security checks at runtime to try to determine whether the application is under attack. I have tried to make the process as transparent as possible to applications which Crystal hooks, but I am sure I will have missed a few tricks here and there, and I hope to work the incompatibilities out of the software one at a time!

    The software has been tested mostly on Windows XP and Windows 7, with only minimal testing on Vista, so it's very useful for me to know that it misbehaves on a fairly standard installation of that OS, and I will definitely investigate that as soon as I have a chance.

    If you have any questions about the software please do fire away and I will reply to them as soon as I can! Suggestions are also always welcome and, although I probably won't be making any major changes for at least a short while as I am fairly busy with work, I will definitely put them on a list which I will work through whenever time permits.
     
  18. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    Hello,

    All apps that I've tried crash every time, even when the protection slider is at minimum.

    If I uncheck the box under the expert options "Enable Anti Malicious Code Execution Behaviours" then the programs will run. Screenshot attached, hope it's readable.

    Thanks for your time and for coming to this forum.
     

    Attached Files:

  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Peter thanks for joining Wilders. I really like the idea behind your program. My first suggestion would be to develop a clean version 1.0. So this would have the consequences of skipping content filtering for a while (and move the modules out of the first release). Secondly I would add a debugger or log facility to leverage the testing on different machines and configurations (and make it easier to back track problems).

    Regards Kees
     
  20. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    @jdd58: Thanks to you and all the rest for testing the software and for your feedback! Which version of Windows is it that you run? I found that Crystal misbehaved on some machines when I made the software Low Integrity mode compatible and have since made some code changes to try and increase reliability.

    Those changes are actually present as of a couple of hours ago in the latest installer on the Crystal website, although I have not pushed out an update as I hope to address one or two additional minor details before I push it out, and want to minimize the number of updates I subject users to! If you would be so kind I'd be very interested to know whether the latest version on the site fixes your woes or whether I still have diagnostic work to do yet!

    @Kees1958: Thanks for inviting me, I'm glad the software is of interest to you! I have tested it extensively against exploits both public (Metasploit) and private, and believe the software goes a long way to helping address the zero-day problem. Of course it's not impenetrable and I'd never suggest otherwise, a Crystal aware attacker would definitely find a way to circumvent the software if they were committed, but until it reaches critical mass I expect it will continue to be very effective.

    Those are great suggestions and I will definitely work on building a utility for crash reporting and analysis as soon as I get a moment. I should have done that before release, I will definitely try to add it to the update which follows the next. What do you think of the idea of perhaps moving content filtering off of the main UI and into the expert options? It seems fairly robust, I just have not written many filter modules yet.

    Many thanks again to all of you!
     
    Last edited: Jul 3, 2012
  21. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    162
    @Peter

    Do you know when/if you will make a version capable of protecting 64-bit processes?
     
  22. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    Peter thanks for the quick response. I am trying this on 64 bit Vista.

    Security software: MSE, nProtect MBR Guard, EMET.

    The latest installer fixes the problem with IE. Chrome does open also, but I am presented with a dialog box to allow wow_helper.exe. I allow, but it is terminated as a malicious process. This continues in an endless loop.

    Screenshot attached. BTW it is also working with EMET enabled.
     

    Attached Files:

  23. Peter4020

    Peter4020 Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    8
    Location:
    UK
    @jdd58: Thanks for all the info and for taking the time to test the updated version. It's great news that it actually works for IE at least now. That problem with Chrome is something I have seen before but haven't had an opportunity to track down, however on my system it only happens when running Crystal at maximum security level and then inconsistently.

    Now I know it's affecting you (and presumably other users out there too!) I will make that issue a priority and hopefully once it's addressed it will remedy any other problems you may be having too! Other than Chrome and IE, may I ask whether Crystal works for other protected programs (on the default list, or even things you may have added yourself?).

    It's also great to know it appears to work with EMET on your platform. I'll investigate more thoroughly on Vista x64 because I actually haven't tested that platform, and WoW64 may well work slightly differently (at least I have never seen the wow_helper.exe application on Windows 7!).


    @Tomwa: If Crystal 32-bit ends up being fairly popular and useful (and people find it to be effective) then I will almost certainly port it to x64 (and perhaps even OS X).

    At present there are surprisingly few reliable exploits out there for 64-bit applications and I would have a bit of work ahead of me to understand the equivalent attack possibilities for these processes. It's something I need to do though!

    Thanks all!
     
  24. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    162
    @Peter

    I've downloaded and install Crystal however I noticed a few things about the install process:

    1. If a file is unable to be created/altered it just throws up a message and quits. This is generally bad practice as it could leave a broken install incapable of being removed on the system (If the uninstaller didn't copy correctly for example). This is the case caused by my KIS 2013, since the program was restricted it couldn't create a file in my Program Files (Protected by Kaspersky) and it simply gave up and the install failed. What should happen is it should offer the usual options of Ignore, Retry, and Abort. This way I could alter the Kaspersky settings and simply click retry. Abort should of course rollback the changes caused by install. This is a minor annoyance but it can help prevent issues so do with it what you will.

    2. Why so many flashing command windows? It's like dance of the epileptic command prompt.

    Is there any way to submit crash logs, etc.?
     
  25. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    Other than Chrome the programs on the default list that were on my PC worked fine. The added ones did also.

    I am trying Crystal AEP on a Windows 7 laptop today. I installed a portable version of Comodo Dragon and added it to the protected list. I get the same malicious code prompts (ROP) intermittently that I did every time with Chrome on Vista.

    The other thing I noticed is that the Crystal AEP process uses constant CPU when a protected app is running. About 2% with IE and 10% with Comodo Dragon. Once the GUI is closed in the tray is gives a message that protection is still enabled, so is it advisable to keep it closed to avoid the constant CPU? The remaining proctracker.exe process uses no CPU.
     
Loading...
Thread Status:
Not open for further replies.