Does OA have protection against direct disk access?

Discussion in 'other anti-malware software' started by aigle, Jun 27, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    In other words, can it withstand malware like KillDisk, Robot Dog, etc. and tools like CleanMBR, Sector Editor, etc.?

    Thanks
     
    Last edited: Jun 28, 2008
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Aigle

    It doesn't protect against direct disk access as such, but it does offer protection. First, of course, you have to allow these programs to run, and if you don't, end of story. Secondly, you can use Online Armor's Run Safer feature, which will let them run but prevent them from doing any damage.

    Pete
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm very fond of this new option "Run Safer Unknown Programs". But anyway I think direct disk access should be intercepted. And Mike said they will address it in the coming release.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will be really nice to have this type of protection added.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Aigle

    Although not directly. If I don't use Sandboxie, OA's Run Safer takes over my browsers. I've tested a lot of the stuff we play with, like Killdisk, through the browser, and they are nullified effectively. Since my browsers and email client (which I also Run Safer) are covered, I am very comfortable with OA.

    Pete
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's OK, but I think such a built-in filter in OA HIPS is very important.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I think it's on Mike's list. Just tested it using the new OA feature that will be in the next release. Ran it alongside SSM. Got three pop-ups from SSM: one to allow it to run, and two for low-level access. As an ignorant newbie, I allowed all 3. Bye bye disk.

    On the other hand, with the new feature in OA, no pop-ups at all, and KD was unsuccessful in its attack. No decision required. It was an unknown program to that machine, so it automatically ran under Run Safer, and the machine was protected.

    Which is better?

    Pete
     
  8. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    I'm very fond of this new option "Run Safer Unknown Programs"

    Where is this feature? I have OA paid 2.1.0.131.
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Further, as to "run safer unknown programs" -- can anyone give OA's definition of "unknown program"?

    1- Does it mean: "Unknown to OA's central database of whitelisted programs"?

    OR

    2- Does it mean: "Not on user's personal list of 'Allowed' programs?"
     
  10. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    It's a feature of an upcoming version of OA, not available in version 131.

    Cheers
     
  11. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    Thanks, I thought it must be :thumb:

    GH113
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    OA defines a program on the user's PC as trusted or unknown after it is installed and the Safety Check Wizard is run. It uses a white list defined by OA's lab. Updates to that list are done via what they call dictionary updates. The exe's hash is one of the variables used.

    As a beta user, I have FF, MS Excel, Word and Outlook, all of which "face" the www (or can), and I choose to set them as "run safer", which has the effect of running them as a limited user.

    As well, there are some exe's that are allowed by OA and are trusted by their lab where I choose to override their settings. IE 7 is one of those, and I not only block it from accessing the www but block it from running at all.

    On Windows Explorer, I let it execute but block it from the www.

    I hope these examples help clarify what is possible. The FW rules plus the HIPS let users "tweak" or "optimize" to match their security policies.
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @Escalader - Very interesting. Thanks for the information!

    Has there been any further word as to when OA will offer full-scope registry protection?
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Pete2150 & Greenhorn113: That is what I like about Mike of OA (and Ilya of DW), they are open to customer feedback.

    @Bill: The paid version has the autostarts registry protection of Tony Klein; he has set up rule sets for RegDefend. So the paid version has all the registry protection you need.
     
    Attached file: oa.JPG (63.5 KB)
    Last edited: Jun 29, 2008
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    My bet would be 1-3 months (after the Vista version release, which is already in public beta).

    Edit:

    I mean additional registry protection, actually. In other words, a user-defined rules editor for the registry. Currently it has hardcoded registry protection.
     
    Last edited: Jun 29, 2008
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    They are really fast. Beta build 151 was just announced:
    ==
    Hi Guys,

    Pleased to say we have a new build - 151

    It includes the following bugfixes, and a new enhancement

    Free version confuses with advanced mode pseudo-switching - fixed
    Sometime you can see junk in the autorun popup - fixed
    Import "sites.sav" file to My Websites doesn't work - fixed
    "Run OA At Startup" cannot be turned off - Fixed
    Learning mode issue after restore install - fixed
    "File system scan is done" message issue - fixed
    Keylogger detection adjustments
    Direct disk access control - added
    ^^^^^^^^^^^^^^^^^^^^^
     
  17. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    We got partly through this process and then I stopped work on it, to make sure we get our Vista version out as soon as possible.

    Right now as Alex noted - we're in a beta phase with Vista - and busy squashing bugs and fixing/tweaking things.

    Unless something pops up out of the blue, Registry is the next stuff we'll be doing - with our own twist on things.
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Oh, sorry, I meant this just appeared in the beta of V3. Mike plans to release it within a month.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's good news indeed.
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Grrrreat, Mike!
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Just tested Beta 151 Direct Disk access protection against Killdisk, and KD.exe. It works.

    Pete
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    You've got a knack for that piece of Plutonium :D Glad you tested it though and it passes; that insidious KillDisk and some others can be real system blasters. This type of protection is vital and should be implemented into all these types of apps IMHO.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    What is KD.exe?

    Thanks
     
  24. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Doesn't "Run Safer" protect against this as well ? (Or, of course, just avoiding running as admin)
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    On the other side, with 151 I noticed that almost every program requests direct disk access under Vista and doesn't do it under XP. Then I thought there is something wrong in the implementation and quickly wrote a small program that opens the device "\\.\C:" with CreateFile. And I was astonished that Vista with UAC allows THIS. I got sector zero of disk C: (allowed by me on the OA alert) with WRITE rights. This is just incredible. I mean this is just incredible that Vista with UAC allows it!

    But the fact that almost every program under Vista requires direct disk access is also incredible. It looks like it is not the program itself but some API call that ends in this. But then how can I differentiate between good and bad? Then, being puzzled, I decided to block direct disk access for all the non-system programs to see whether it would make them feel poor. No, it didn't. They felt pretty good being denied DDA. Confusing results...
     
    Last edited: Jun 29, 2008
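The probe alex_s describes, written out as an added example (not code from the thread, from Online Armor or from any of the posters): it opens the volume device read-only and inspects the boot sector, then asks for a write-capable handle without writing anything, so you can compare what a standard user, an elevated admin and a HIPS with direct-disk-access control each permit. The class name RawVol and the function name Test-RawVolumeAccess are chosen here; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not code from the thread or from Online Armor: probe which kind of
# raw-volume handle the current process can obtain. Nothing is ever written.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; helper names are made up.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class RawVol {
    public const uint GENERIC_READ  = 0x80000000;
    public const uint GENERIC_RW    = 0xC0000000;   // GENERIC_READ | GENERIC_WRITE
    public const uint SHARE_RW      = 3;            // FILE_SHARE_READ | FILE_SHARE_WRITE
    public const uint OPEN_EXISTING = 3;
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern SafeFileHandle CreateFile(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadFile(SafeFileHandle h, byte[] buf, uint toRead,
        out uint read, IntPtr overlapped);
}
"@

function Test-RawVolumeAccess {
    param([string]$Device = '\\.\C:')
    $r = [ordered]@{ Device = $Device; ReadHandle = $false; BootSignatureOk = $null; WriteHandle = $false; WriteDenyError = 0 }

    # 1) Read-only open. Many benign programs do this (volume info, backup, defrag),
    #    which is why a HIPS that alerts on every volume open is so noisy.
    $h = [RawVol]::CreateFile($Device, [RawVol]::GENERIC_READ, [RawVol]::SHARE_RW,
                              [IntPtr]::Zero, [RawVol]::OPEN_EXISTING, 0, [IntPtr]::Zero)
    if (-not $h.IsInvalid) {
        $r.ReadHandle = $true
        # Volume reads must be sector aligned; 4096 bytes covers 512-byte and 4K sectors.
        $buf = New-Object byte[] 4096; [uint32]$n = 0
        if ([RawVol]::ReadFile($h, $buf, 4096, [ref]$n, [IntPtr]::Zero) -and $n -ge 512) {
            # A valid NTFS/FAT volume boot sector ends in the 0x55 0xAA signature.
            $r.BootSignatureOk = ($buf[510] -eq 0x55 -and $buf[511] -eq 0xAA)
        }
        $h.Close()
    }

    # 2) Write-capable open: the access mask a disk wiper needs and the one worth
    #    alerting on. Only the handle is requested; it is closed immediately.
    $h = [RawVol]::CreateFile($Device, [RawVol]::GENERIC_RW, [RawVol]::SHARE_RW,
                              [IntPtr]::Zero, [RawVol]::OPEN_EXISTING, 0, [IntPtr]::Zero)
    if (-not $h.IsInvalid) { $r.WriteHandle = $true; $h.Close() }
    else { $r.WriteDenyError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }  # 5 = ERROR_ACCESS_DENIED
    [pscustomobject]$r
}

Test-RawVolumeAccess   # compare results as a standard user, elevated, and with HIPS disk-access control on
```

The distinction the script makes between the read-only and the write-capable access mask is what lets a HIPS stay quiet for the many legitimate volume opens while still catching the one a wiper needs.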