Idea: karma-based executable blocking

Discussion in 'other anti-malware software' started by Gullible Jones, Mar 2, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Inspired by Firefox's KarmaFilter extension, which was in turn inspired by SpamAssassin and suchlike. The idea is that various information about an executable file can count against it for a certain number of points. Too many points, and the OS won't execute it.

    e.g. maybe something like this, with a "cutoff" of 10 points before the EXE is blocked:
    - No digital signature: +3 points
    - No ASLR: +3 points
    - No program icon: +2 points
    - Packed executable: +8 points
    - Build date more than 3 years old: +4 points
    - Missing author/version info: +3 points
    - Digital signature does not match author/version: never execute!
    (Obviously there could be other stuff, but you get the idea...)

    So, your typical Cygwin executable would be:
    - No digital sig (3)
    - No ASLR (3)
    - No icon (2)
    --> 8 points, barely makes it.

    Whereas most malware droppers I've seen would easily have more than 10 points. (No digital sig, no ASLR, packed, fake build date...)

    What's the advantage vs. a normal antivirus or HIPS? Well...

    vs. antivirus: all of the above data can be gotten without any in-depth code analysis. So it would be faster to look at executables, and probably less prone to attack than AV engines. Also just a lot simpler.

    vs. HIPS: not whitelist based, more set-and-forget.

    This would probably best be implemented with a driver and service, in order to have a (small) chance of blocking payloads. But I think it would be reasonable to make it an Explorer shell extension, or something like that. The main idea is not to block exploit payloads; it's to prevent a user from unwittingly installing a trojan horse. Which, in my experience, is a very common occurrence.

    Sound reasonable?
     
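    A working model of the scoring scheme from the post above, added here as an example (not code from the thread or from any product named in it). It pulls the signature directory, the ASLR flag, the build timestamp and the section names straight out of a PE header with the standard library; the weights and the 10-point cutoff are the post's, "reaching the cutoff blocks" is my reading, the packer section-name list is a crude stand-in for real packer detection, and icon/version-info presence and the signature-versus-author check are passed in by the caller because they need a resource-tree walk and an Authenticode verification this header-only parser does not do. The sample images are constructed in-line.

```python
import struct
from datetime import datetime, timezone

WEIGHTS = {"no_sig": 3, "no_aslr": 3, "no_icon": 2, "packed": 8, "old_build": 4, "no_version": 3}
CUTOFF = 10                         # post says "cutoff of 10"; points >= CUTOFF blocks (assumption)
DYNAMIC_BASE = 0x0040               # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, i.e. ASLR opted in
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".aspack", b".petite"}   # crude "packed" heuristic

def parse_pe(data):
    """Read only the header fields the scorer needs; this is not a full PE parser."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect, stamp, opt_size = struct.unpack_from("<HI8xH", data, coff + 2)   # COFF header fields
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)                   # DllCharacteristics
    dirs = opt + (112 if magic == 0x20B else 96)                            # data directory table
    sec_size = struct.unpack_from("<II", data, dirs + 8 * 4)[1]             # entry 4 = SECURITY
    sect = opt + opt_size
    names = [data[sect + 40 * i:sect + 40 * i + 8].rstrip(b"\0") for i in range(nsect)]
    return {"signed": sec_size > 0, "aslr": bool(dll_chars & DYNAMIC_BASE),
            "packed": any(n in PACKER_SECTIONS for n in names),
            "build": datetime.fromtimestamp(stamp, tz=timezone.utc)}

def karma(f, icon=True, version=True, sig_mismatch=False, now=None):
    """Return (points, blocked). icon/version/sig_mismatch come from the caller (they need a
    resource walk and an Authenticode check); a signature/author mismatch is a hard veto."""
    if sig_mismatch:
        return None, True
    now = now or datetime.now(timezone.utc)
    pts = (WEIGHTS["no_sig"] * (not f["signed"]) + WEIGHTS["no_aslr"] * (not f["aslr"])
           + WEIGHTS["no_icon"] * (not icon) + WEIGHTS["packed"] * f["packed"]
           + WEIGHTS["old_build"] * ((now - f["build"]).days > 3 * 365)
           + WEIGHTS["no_version"] * (not version))
    return pts, pts >= CUTOFF

def make_pe(stamp, dll_chars, sections, signed=False):
    """Constructed minimal PE32 image: just enough header to be scored, no real code."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 96 + 16 * 8, 0x102)
    opt = struct.pack("<H68xH20xI", 0x10B, dll_chars, 16)                  # magic, DllChars, 16 dirs
    dirs = b"".join(struct.pack("<II", 0x1000, 0x200) if signed and i == 4 else bytes(8) for i in range(16))
    sects = b"".join(n.ljust(8, b"\0") + bytes(32) for n in sections)
    return dos + b"PE\0\0" + coff + opt + dirs + sects

NOW = datetime(2015, 3, 2, tzinfo=timezone.utc)                            # the thread's date as "today"
CYGWIN_LIKE = make_pe(int(NOW.timestamp()) - 30 * 86400, 0, [b".text", b".data"])   # constructed
DROPPER_LIKE = make_pe(0, 0, [b"UPX0", b"UPX1"])                           # 1970 stamp, UPX sections
```

With the post's own tallies, `karma(parse_pe(CYGWIN_LIKE), icon=False, now=NOW)` gives 8 points and passes, while the packed, unsigned, backdated dropper scores 23 and is blocked.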
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    That's how reputation systems work. Trend became VERY effective in recent incarnations largely because of DNA and Reputation types of systems. A file has to pass a wide variety of 'conditions' before it can pass through the reputation engine of Trend, and some of those are exactly the conditionals you describe. This is why I keep saying going forward, the only solutions I am interested in deploying are reputation/karma/DNA types of systems. I don't trust raw signature and heuristic products any longer.
     
  3. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,003
    Location:
    USA
    Are there any such products available?
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Trend 2015 and Norton 2015 come to mind as the most potent in this area. Also F-Secure (DeepGuard), and a few others. I put my trust in Trend or Norton for the reasons you cite; both have strong karma-based type engines IMO.
     