Foltyn SecurityShield (beta)

Discussion in 'other anti-malware software' started by ichito, Nov 15, 2016.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Foltyn SecurityShield... a security app which is mentioned for the first time in AVLab test results and on this forum in this place:
    https://www.wilderssecurity.com/threads/fwiw-avlab-protection-test-against-ransomware-threats.389850/
    It's a Polish, currently "beta", product developed by Łukasz Foltyn (known from MKS Vir, Foltyn Commander and Gadu-Gadu), and its first appearance was in an AVLab test a few days ago.
    Today FSC made its debut with its own page:
    http://www.foltyn.com/
    Not so much info about FSC.
    We should expect more in a special article on AVLab... I don't know if in English too.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting, seems to be a very basic HIPS focused on blocking ransomware, and it performed very well in the test, it blocked them all. Have you already checked it out? This is tech that SpyShelter could use, know what I mean? BTW, MBARW performed very badly, strangely enough.
     
  3. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Interesting, so for now it's only an anti-ransomware... Would this complement my setup of SBIE, VS, and AG?!
     
    Last edited: Nov 15, 2016
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Yes, I know what you mean about SS in this context... and it would be a good move if Datpol wanted to implement a more or less similar module.
    Back to FSS... it's already on my Vista - current version 1.0.12 and no changelog
    - works smoothly and is quite light on resources - 3 processes (including one service)
    FSS-01.jpg
    - it generates some reports... I think about detected/blocked threats, because the box is currently empty
    - it has a manager of allowed (whitelisted) and blocked (automatically or by user) processes
    FSS-04.jpg
    - and very small settings... you can only choose the action after detection
    FSS-05.jpg

    No more info about FSS from me at this time :)
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    For any interested, I took Foltyn for a quick spin, fully realizing that this is a 1.0 beta release. The first two files that I tried were a Shade variant (DaVinciCode ext) and a Raacrypt; both were able to trash Documents and, in the case of the Shade, other stuff also.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    None of those apps use behavioral monitoring to protect against ransomware, so why not check it out.

    Thanks for the screenshots. And yes, if it's really this good, I would suggest to the SS team to hire these guys.

    That doesn't sound good. Apparently security tools that are purely "behavioral monitoring" based have difficulty protecting against all forms of ransomware. How do HMPA and MBARW perform against these samples? Also, you never answered my question about your comment about WAR being an anti-executable.
     
  7. lukfol

    lukfol Registered Member

    Joined:
    Nov 16, 2016
    Posts:
    6
    Location:
    Foltyn Software/Poland
    Can you please repeat the test with the latest update (1.0.14) - you may install it over the current installation just by downloading & executing from http://www.foltyn.com/fss.exe

    Yes, it is a beta version and it needs to be fully tested with multiple system configurations. I think we know why it didn't work for you and we think we fixed it.
     
    Last edited by a moderator: Nov 16, 2016
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hi lukfol... nice to see you and we hope you will be our support and source of every needed info :)
    My first comments were sent to Adrian (AVLab) a few minutes ago :)
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Rasheed- I was always hoping that WAR would develop into something specific for ransomware. It has not, but instead will alert to anything not whitelisted, just like an anti-exe. I am not by any means saying it is inferior- it is most certainly not! But when an application will alert in identical fashion to a Cerber ransomware file AND a SeaMonkey browser beta this gives me pause... Once again it seems that we are reduced to an application like this:

    http://justflipacoin.com/
    Lukfol- I will check it out and get back to you. Please understand that I am not by any means criticizing your application as it is an initial beta. Far from it- I hope that it will be great (I lived in Poznan and make a yearly trek to Zakopane, so if anything I'm prejudiced in your favor).
     
  10. lukfol

    lukfol Registered Member

    Joined:
    Nov 16, 2016
    Posts:
    6
    Location:
    Foltyn Software/Poland
    Ichito, sure, I'll be here, open to every opinion & suggestion regarding my app. Thank you for opening this thread here!

    cruelsister, I'm especially thankful for pointing out weaknesses & "holes" in my app. Beta tests are for that!

    When releasing the public beta version, I decided to calibrate it to avoid generating too many false alerts. Now it is being calibrated the opposite way, based on data from more users (which we get into our cloud).
     
  11. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @lukfol
    Clarification: upon installation, is the "trusted application box" really empty?! I was expecting it to gather a list of my installed applications...
     
  12. lukfol

    lukfol Registered Member

    Joined:
    Nov 16, 2016
    Posts:
    6
    Location:
    Foltyn Software/Poland
    Adding an application to the "trusted list" is only needed if it has malware-like behavior, which is uncommon... Treat it as "exceptions". Maybe it should be clarified better. You typically add applications to the list if they bring on an alert from FSS.
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Luk- much, much nicer this time, stopping the files I referred to previously. Although I didn't take notes during the first quick test, was the issue with fssmon? Just curious...

    Anyway I did a more extensive test and this time I did take notes:

    1). Specificity for ransomware is absent, as FSS alerts to non-signed files being run.
    2). The delete file box on the popup, if checked, does not delete the file.
    3). Multiple popups for a detected malware file, which will extend to getting the same alerts even after a reboot (files neither running nor persistent).
    4). Very nice job on a ransomware strain with persistence functionality that a major vendor (which AVLab gave a 100% rating against ransomware) could not stop.
    5). System was very sluggish on initial start, but this was a transient issue.
    6). FSS still has issues with the dll-dropping Locky (an example being here:
    SHA256: 6db3858a3b5ce59bbbc3d48c209e6ef3fedcaf20476d16724f697f6d130cc948

    Other than that, a nice job on an initial beta.

    M
     
  14. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @cruelsister

    Nice... have you tested all your samples against Foltyn?!
     
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Not all by any means, as I did the above quick test while I was waiting for my tea to brew this morning (malware and eggs- the breakfast of Champions!). To give a taste of what it does-

    1). When an exe is run it will connect to the Cloud (via FssMon) to analyze the file (Curiously enough, the contacted server is from Digital Ocean in the SOHO section of Manhattan, which is walking distance from my loft). The way I test, I will also run the ransomware and a few other files to verify specificity- in this case a ransomware file, an unsigned GhostScript, and a self-coded malware obfuscator. All were handled in the same way and blocked. The one issue was with an exe that acts very fast and will trash the system before FSS can act (I used the Petya green version to do this).

    2). FSS did do a nice job on JScript-based ransomware.

    3). Not so good on the Locky discussed above, which was in the form of a "fileless" malware (a wsf file) mostly seen via malvertising on compromised websites.

    Sorry if this was too much info...
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Installed in shadow mode; it didn't ask for a restart but froze my system, so I had to do a hard restart.

    Would try installing out of shadow mode, but I'm not in the mood to restore an image if it goes south.
     
    Last edited: Nov 17, 2016
  17. lukfol

    lukfol Registered Member

    Joined:
    Nov 16, 2016
    Posts:
    6
    Location:
    Foltyn Software/Poland
    Thank you cruelsister for your involvement (I hope this is the right word, I'm better in C++ than in English :)). Yes, you gave me a lot of information, it will take some time to digest it all :) Regarding the Locky malware- can you send me this sample- you can get my email on my website www.foltyn.com/contact.html And the second sample- "an exe that acts very fast and will trash the system before FSS can act"?

    FSS is connecting to the cloud, but not for analyzing the file (this is planned in future versions! files will be sent to the cloud and run on a virtual machine before they are allowed to run on the user's computer). It sends some information "that helps improve the application"- for example, to see which applications are running other applications from temporary folders, to see if we need to scan them in future versions, and of course- code which was detected as malicious, to eliminate false alerts in the future. The cloud really improves the development of security applications (and all others).
     
    Last edited: Nov 18, 2016
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Can you give some more info about the way it detects ransomware? Is it purely cloud AV based, or does it also watch for file system modification?

    OK, but I suppose WAR does look at suspicious behavior, isn't that what AI is about? Perhaps SeaMonkey does perform certain stuff similar to ransomware? Or did you encounter many false positives? According to competing developers, it simply looks at certain characteristics like whether a file is signed or not and some other stuff, before deciding that a file is probably malware.
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Rasheed- It does look for digital signatures on files. This I verified. And the freezing issue that you experienced also happened to me, but this was pretty much on the initial reboot- letting things sit for a few minutes, then rebooting, made things proceed much quicker. But it seems that this was a Server issue and not a problem with the application itself.

    Now for a confession- I tried things again today, but much more extensively, as I ran a total of 65 discrete ransomware samples. The Locky dll dropper was stopped today without issue, and I confirmed that it was not a detection specific to that file by running 4 other similar files; so I think my initial issue was caused by a Server lag in New York and NOT some intrinsic flaw in the application. I should have known better that, as an initial Beta, the Servers as well as the application itself will be tested for efficiency, and I should have run this test over a period of days and not minutes:

    My SINCEREST APOLOGIES for this omission. I should have taken as much care as I do in my videos, but instead was as sloppy as the Pro Testing organizations, and this is not acceptable (now I'm going to have to be nice to the people on today's conference call and I was SO looking forward to tearing them up. Oh well...)

    Anyway, ALL the other samples were totally stopped except for the Petyas (so at least I can save Face with that one). And for any that care, the other MBR locker (Satana) was blocked for both common variants.

    Łukasz- I've sent you the Petya samples (both versions- Red and Green).
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    Looks interesting. Gonna keep an eye on this thread.
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,274
    I am following this thread, too. ;)
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    On my system not just the app froze but rather my entire computer. It might have been Shadow Defender too. I have had other problems that happen when I try to install something in shadow mode.
     
  23. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Boredog- I just tried the FSS installation with Shadow Defender and all went the same as without SD installed. But that was on a system with only the base OS with very few other things installed. When I tried it on a clone of my work production system it did take longer initially, and for a while that initial setup was indistinguishable from a freeze (took a few minutes to respond at all). After that things were as peppy as normal.

    As initial betas from just about anybody have a tendency to lag, I'll let this one slide (and I tend to be overly critical).

    ps- Shadow Defender is a really nice piece of software! Running a Petya in Shadow Mode, seeing the malware reboot the system in anticipation of an MBR trashing, then having Windows boot up like normal without any changes always makes me smile.
     
  24. lukfol

    lukfol Registered Member

    Joined:
    Nov 16, 2016
    Posts:
    6
    Location:
    Foltyn Software/Poland
    boredog, cruelsister- at which moment does the system freeze with FSS- is it during installation and only at that moment? What are the operating system versions?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To clarify, I haven't tested FSS and WAR. But I'm still looking for an anti-ransom tool that watches for suspicious file system modification. If I understood the developer of FSS correctly, FSS is capable of doing that, it doesn't even need the cloud to block ransomware.

    At the moment HMPA is no option, because it often conflicted with SBIE on my system. And MBARW does not seem to perform that well, and has problems with false positives. WAR is effective, but doesn't seem to be using behavioral monitoring, it seems to be more of an AV combined with white-listing.
     