Crystal Security - Discussion

Discussion in 'other anti-malware software' started by kardokristal, Jan 29, 2012.

  1. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Are you running it with .NET Framework 4 or older?
     
  2. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Hey siketa,

    Win 8 = .Net Framework =>4 (nothing <4)

    Later,

    Bob
     
  3. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi,

    Thank you for your feedback :thumb:

    Maybe I know what is causing the taskhost.exe crashes.

    Please disable protection ("Un-Protect" button) and then restart Crystal Security (confirm that protection is disabled). If the taskhost.exe crash is gone after that, then I know what is causing your issue.

    It does not matter ;)

    Regards,
    Kardo
     
  4. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Kardo,
    After placing Crystal Security in Un-Protect mode, exiting, restarting, Crystal Security is once again in Protect mode, not Un-Protect mode. All my safe applications and settings are still there intact but it just reopens in Protect mode.

    Regards,

    Bob

     
  5. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi Bob,

    Thank you for your reply.

    Sorry, actually please uncheck under Settings "Enable protection" checkbox and then click "Apply".

    After that restart Crystal Security.

    Regards,
    Kardo
     
  6. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Kardo,
    I did as you asked and Crystal Security reopened in Un-Protect mode. But, once I enabled it and clicked on Checkup, followed by a prompt for Admin elevation, and Crystal Security started its checkup procedure, I then shortly received the .Net Framework>taskhost.exe error dialog box.

    BTW, if one enters manually any applications to the Whitelist, runs a check on them, then clicks on Checkup I found that all my Whitelist apps are erased. Is this by design or is it a bug?

    Regards,

    Bob

     
  7. guest

    guest Guest

    All bugs I found are fixed now, excellent work. Seems stable for now.

    Do you have a roadmap for future new features?

    Regards
     
  8. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi Bob,

    Thank you for your feedback. :thumb:

    Okay. I think I know what is causing it. I'll try to fix it.

    Currently by design, but this kind of behavior will be changed with the next version.

    Regards,
    Kardo
     
  9. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi,

    Thank you for your feedback. :thumb:

    Good to hear that :)

    Yes.

    There is a plan to add an Explorer context menu for files & directories in the next version.
    An integrated whitelist will also be added to improve Real-time protection and Checkup (possibility to perform Checkup without internet connection).

    Regards,
    Kardo
     
  10. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hello,

    Edit: Website is now accessible :)

    Regards,
    Kardo
     
    Last edited: Sep 2, 2013
  11. Getting this error with latest version when opening a few programs in a short time (locked access ?)

    -------------------------------------below---------------------------
    See the end of this message for details on invoking
    just-in-time (JIT) debugging instead of this dialog box.

    ************** Exception Text **************
    System.IO.FileNotFoundException: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    at System.Diagnostics.FileVersionInfo.GetVersionInfo(String fileName)
    at CrystalSecurity.Main.ActiveMonitoring_Tick(Object sender, EventArgs e)
    at System.Windows.Forms.Timer.OnTick(EventArgs e)
    at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


     
  12. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi,

    Thank you for your report :thumb:

    Will be fixed with next version.

    Regards,
    Kardo

     
  13. Pedersen

    Pedersen Registered Member

    Joined:
    May 4, 2010
    Posts:
    234
    Getting 2 errors running Crystal:

    Se slutningen af denne meddelelse, hvis du vil have detaljer om,
    hvordan du starter JIT-fejlfinding i stedet for denne dialogboks.

    ************** Undtagelsestekst **************
    System.NullReferenceException: Objektreferencen er ikke indstillet til en forekomst af et objekt.
    ved CrystalSecurity.Main.ApplySettings()
    ved CrystalSecurity.Main.ApplyButton_Click(Object sender, EventArgs e)
    ved System.Windows.Forms.Control.OnClick(EventArgs e)
    ved System.Windows.Forms.Button.OnClick(EventArgs e)
    ved System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
    ved System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
    ved System.Windows.Forms.Control.WndProc(Message& m)
    ved System.Windows.Forms.ButtonBase.WndProc(Message& m)
    ved System.Windows.Forms.Button.WndProc(Message& m)
    ved System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
    ved System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
    ved System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)



    When running Checkup mode I get this error:

    Se slutningen af denne meddelelse, hvis du vil have detaljer om,
    hvordan du starter JIT-fejlfinding i stedet for denne dialogboks.

    ************** Undtagelsestekst **************
    System.IO.FileNotFoundException: C:\Windows\system32\csrss.exe
    ved System.Diagnostics.FileVersionInfo.GetVersionInfo(String fileName)
    ved CrystalSecurity.Main.ActiveMonitoring_Tick(Object sender, EventArgs e)
    ved System.Windows.Forms.Timer.OnTick(EventArgs e)
    ved System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
    ved System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)






    I have .NET 4 installed (even reinstalled twice) and not running anything besides. Hope you figure out the problems.
     
  14. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi,

    Thank you for your report! :thumb:



    Will be fixed with next version.



    This is a known bug (64 bit systems) and will be fixed ;)

    Regards,
    Kardo
     
  15. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hello,

    Crystal Security 3.0.0.68 Released

    Thank you to all testers who helped me with suggestions, testing and translations!

    Changelog:

    New

    ¤ Shell integration [Windows Explorer]
    ¤ Azerbaijani language (translation by Rufat Mammadli)

    Updated

    ¤ Turkish language (translation by YIGIDO_58')

    Fixed

    ¤ Several reported bugs
    ¤ Other minor bugs

    Download: http://www.crystalsecurity.eu/downloads/Crystal Security 3.0.0.68.zip

    Other

    English translation file is updated.

    Download: http://www.crystalsecurity.eu/translation/Crystal Security [EN].zip

    Screenshot [Shell integration]

    Shell-1.png

    Screenshot [Shell integration]

    Shell-2.png

    Screenshot [Shell integration]

    Shell-3.png

    How-to-run

    1. Download Crystal Security zipped file from download link.
    2. Extract downloaded .zip file with some extraction tool (e.g. 7-zip or WinRAR)
    3. Double-click (run) extracted executable file of Crystal Security (Crystal Security.exe)

    Note

    .NET Framework 4 is required.

    Regards,
    Kardo
     
    Last edited: Sep 29, 2013
  16. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    'The possibility to perform Checkup without internet connection': is it included in this last release?
     
  17. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi,

    Currently no.

    Regards,
    Kardo
     
  18. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Kardokristal,

    Once you add this feature, let us know. I'm impatient to test your security program. Thanks for this improvement :thumb:
     
  19. Using the program hash to check whether the hash already exists in the whitelist/blacklist is a partial offline checkup. What is the status of using the whitelist/blacklist as a cache?
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried visiting Crystal Security's website, and it says the domain name expired 09/23/2013. It says it is pending renewal, or deletion.
     
  21. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    No problem here.

    Later...

    Bob
     
  22. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi,

    @ Ashanta:

    Sure ;)

    @ Windows_Security:

    Already implemented.

    If a file is in the Whitelist then you should not see a notification for the same file anymore.

    @ Cutting_Edgetech:

    You tried to visit the old domain.
    Crystal Security website address is: www.crystalsecurity.eu

    Regards,
    Kardo
     
  23. Thx, I have some other questions/suggestions

    GUI improvement
    1. Change REMOVE OBJECT into UNLIST OBJECT (remove and delete are confusingly similar).
    2. Add title to Blacklist and Whitelist (see can't touch me pic, I did not see 'blacklist' in title, same with whitelist)

    QUESTION
    What does quarantine do?

    Possible bug
    After I have added an AREA to guard (Downloads of Chrome), clicking on the gear wheel icon, does not trigger the options screen to show.

    Define levels/criteria for safe/suspicious/unsafe
    I would like to set levels for safe (e.g. zero detections) and unsafe (e.g. more than five detections), suspicious is everything in between (derived from safe and unsafe levels).

    Define auto decide behaviour
    Let the user decide on auto-decide behaviour, for Safe, Suspicious and Unsafe (see below example)
    Safe: add to whitelist (without notification)
    Suspicious : notify (user input required), Optimization TIP: Only upload to CAMAS when it is suspicious
    Unsafe: add to blacklist (without notification)


    How Crystal Security is positioned, beware of fake security
    I would not like Crystal to Quarantine or Delete files, considering the fact
    a) that Crystal Security runs with MEDIUM level integrity it can't touch objects with higher rights/integrity levels.
    b) VT check up by CC runs asynchronously with program launch, so I doubt whether CC can block a process from being started in real time (simply because it takes time to get VT-results).
    See picture "Can't touch this", where notepad.exe is blacklisted BEFORE launch (with medium integrity level) and CC has NO ACCESS rights to a medium IL process to quarantine or delete because notepad is in Windows folder (requires elevation to move/delete).

    How Crystal Security might be positioned: Malware Detection Companion
    1. Check on Malware mode
    Checks all executables launched, builds up a whitelist, notifies about suspicious and unsafe programs. In Silent mode it writes a log to the DESKTOP (or user specified folder) in plain text. Please explain that VT check lookup takes time, so CC does not block in real time. This has the advantage that system impact during build-up of whitelist is low. Whitelist acts as cache, so after build-up impact on performance is minimal.

    In Execution Check-up mode the blacklist is greyed out, as are options like quarantine & delete (simply because Crystal is unable to stop installed malware with higher credentials, most malware tries to survive re-boot, so probably takes care of obtaining these credentials, as suggested only make promises you can keep, don't fall into the fake security pitfall)

    2. Intrusion Detection mode
    Checks all changes in autoruns entries, builds up a whitelist and notifies user about suspicious and unsafe.

    Crystal Security also checks executables written to temporary folder and download folder plus any user added AREAs. New (uninstalled arrivals) have a fair chance of being quarantined (moved) by Crystal Security into a quarantine folder. This folder has gotten a "deny file execution/traverse folder" ACL (let Windows take care of blocking execution of PE-files). ACL does not stop DLLs, but you could set the "enable SAFE DLL search mode" in the registry to compensate for this and check whether the default on installing unsigned drivers is at least set to WARN in registry also.
    In this mode the blacklist is enabled AND only has the function to quarantine (move to more or less 'safe' deny execution folder). Silent mode same as with 1.

    3. Paranoid Companion mode
    A combination of modes 1 and 2. Due to the whitelist cache this mode settles down to low system impact (and can be the default at installation).
     


    Last edited by a moderator: Oct 2, 2013
  24. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    A technical suggestion

    a) A driver level process hooker which triggers the actual VT lookup process

    b) A hash check instead of uploading the binary (faster), so in line with Kees' suggestions
    1) hash check
    2) when new hash, an upload of binary to VT
    3) when suspicious, CAMAS test

    Additional checks (they have APIs, you might be able to use them after contacting them)
    -hash check at threat expert
    -hash check at team Cymru

    PS. don't mind when you implement Kees functional suggestions first
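
The hash-first flow suggested in the two posts above (local whitelist/blacklist as a cache, hash lookup before any upload, user-set safe/unsafe levels with auto-decide), shown as an added example that is not Crystal Security's code and not part of any post. `hash_lookup`, `upload`, the class names and the sample detection counts are constructed stand-ins for the remote scanning service.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class Verdict(Enum):
    SAFE = "safe"
    SUSPICIOUS = "suspicious"
    UNSAFE = "unsafe"

@dataclass
class Policy:
    """User-set levels; suspicious is whatever falls between the two."""
    safe_max: int = 0    # at most this many detections -> SAFE
    unsafe_min: int = 6  # "more than five detections" -> UNSAFE

    def classify(self, detections: int) -> Verdict:
        if self.safe_max >= self.unsafe_min:
            raise ValueError("safe level must lie below the unsafe level")
        if detections <= self.safe_max:
            return Verdict.SAFE
        if detections >= self.unsafe_min:
            return Verdict.UNSAFE
        return Verdict.SUSPICIOUS

@dataclass
class Triage:
    hash_lookup: Callable[[str], Optional[int]]  # None means the hash is unknown
    upload: Callable[[bytes], int]               # scan of the uploaded binary
    policy: Policy = field(default_factory=Policy)
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    sandbox_queue: list = field(default_factory=list)

    def check(self, image: bytes) -> dict:
        digest = hashlib.sha256(image).hexdigest()
        # 1. The local lists act as a cache: no network traffic, no prompt.
        for cached, verdict in ((self.whitelist, Verdict.SAFE),
                                (self.blacklist, Verdict.UNSAFE)):
            if digest in cached:
                return self._result(digest, verdict, "cache")
        # 2. Hash check first; the binary is uploaded only for a new hash.
        detections, source = self.hash_lookup(digest), "hash"
        if detections is None:
            detections, source = self.upload(image), "upload"
        verdict = self.policy.classify(detections)
        # 3. Auto-decide: list safe/unsafe silently, escalate the rest.
        if verdict is Verdict.SAFE:
            self.whitelist.add(digest)
        elif verdict is Verdict.UNSAFE:
            self.blacklist.add(digest)
        else:
            self.sandbox_queue.append(digest)  # only suspicious files go on
        return self._result(digest, verdict, source)

    @staticmethod
    def _result(digest: str, verdict: Verdict, source: str) -> dict:
        return {"sha256": digest, "verdict": verdict, "source": source,
                "notify": verdict is Verdict.SUSPICIOUS}

def demo():
    """Run four launches against constructed lookup data."""
    known = {hashlib.sha256(b"known-clean").hexdigest(): 0,
             hashlib.sha256(b"known-bad").hexdigest(): 9}
    calls = {"hash": 0, "upload": 0}

    def hash_lookup(digest):
        calls["hash"] += 1
        return known.get(digest)

    def upload(image):
        calls["upload"] += 1
        return 3  # constructed detection count for the new binary

    triage = Triage(hash_lookup, upload)
    samples = (b"known-clean", b"known-bad", b"new-binary", b"known-clean")
    return triage, [triage.check(s) for s in samples], calls
```

The second launch of the clean sample is answered from the whitelist without a remote call, which is the cache behaviour the posts ask about; the suspicious sample is the only one that triggers an upload and a notification.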
     
  25. kardokristal

    kardokristal Developer

    Joined:
    Jan 6, 2012
    Posts:
    1,091
    Location:
    Estonia
    Hi Kees,

    Thank you a lot for your suggestions! :thumb:

    1. Will be changed in next version.
    2. Okay

    File extension will be changed to non executable.
    Before extension change, program tries to kill process (if file is running).

    Hmm, this is a very strange bug. I'll try to reproduce it.

    Will be added in the near future.

    Good suggestions! Thanks!

    Different suggested protection levels will be added in the near future.

    Regards,
    Kardo
     