Introducing EdgeGuard Solo Beta (zero-day malware defense)

Discussion in 'other anti-malware software' started by Eirik, Oct 10, 2008.

Thread Status:
Not open for further replies.
  1. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi All,

    My name is Eirik. I product manage endpoint security at Blue Ridge Networks. Blue Ridge has been delivering security solutions to the government and enterprise sectors for over a decade. We have made our anti-malware security software called EdgeGuard Solo (Beta) available as a free download. By distributing and supporting it as freeware, we hope your feedback will help us become a better anti-malware solution provider.

    EdgeGuard Solo is intended to supplement existing signature-based security software. We designed it with two premises in mind. First, sophistication or complexity can be counterproductive to ordinary PC users. So, EdgeGuard Solo does not ask end-users ‘what now’ questions or provide them a lot of technical suspicious activity information. Second, any software will eventually be compromised. EdgeGuard Solo is meant to be the last line of defense. It prevents guarded applications and the executables they spawn from altering key resources in the PC.

    EdgeGuard Solo does not interfere with the internal workings of an application. So, while it prevents web browsers from being used to install rootkits, for example, web browser specific session attacks (XSS, session cookie stealing, etc.) are outside the scope of this tool.

    Given the knowledge and experience of Wilder Security forum participants, I suspect we will identify one or more additional safeguarding features that we can add without complicating the user experience.

    Thus far EdgeGuard Solo evaluations within a VMware virtual machine have surfaced no problems. Other security software such as HIPS products may conflict with it. Please let us know of any such conflicts. The EdgeGuard Solo support page provides user-instructions and lists known issues. Registration is optional and only used to notify users of free updates.

    EdgeGuard Solo is a beta product. There are many more features and enhancements to come. For example, we are working to have it provide better feedback to users. I hope to harness your insights to improve it.

    I am looking forward to your feedback and questions.

    Thank you for your time,

    Eirik

    Eirik Iverson
    Product Management, Endpoint Security
    Blue Ridge Networks
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Hi

    Sounds interesting, but I assume it is for 32bit only?
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Correct
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Thanks for the info and link. What kind of security is EdgeGuard? HIPS, sandbox?
    Thanks in advance.
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Eirik I will gladly take a look, thanks.

    -no problem in a vm I take it
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Neither; it's difficult to categorize. As you get more familiar with it, I believe you'll see what I mean.
     
    Last edited: Oct 10, 2008
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Eirik,

    EdgeGuard Solo sounds like it is an application sandbox. Am I correct in my assumption? If not, what is it? Thanks in advance.


    Peace & Gratitude,

    CogitoErgoSum
     
  8. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    Hello Eirik,

    and welcome at the fora.

    Very interesting application. I gave it a quick run on a VM and I confess that I like it.

    I was wondering for some time now why none of the major security providers has made an easy hardening program for home users... Security admins and advanced users know how to do it using group policies, but the vast majority do not even know that they exist.

    It seems that EdgeGuard Solo is the answer and can be an excellent addition to SuRun.

    Now to the point:
    1. I think that you should add a feature to change the color of the systray icon or add a notification popup when it is disabled.
    2. A feature to import/export rules would be nice. I would hate to manually add everything in the protection list on more than one PC. :p
    3. What areas and which registry keys does it protect?
    4. Could you add a feature to let the user manually add some folders to the protection? For example, the folder where he stores his important documents, etc...
    5. Is it going to remain freeware for home users after the beta stage?

    thanks,
    Panagiotis

    edit: I forgot to mention another feature. It would be nice to add an entry to the Explorer context menu. Something like "run protected"...
     
    Last edited: Oct 10, 2008
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks:thumb:
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Might take a look at it. I'm getting bored of my SBIE+Returnil protection.
    +1 on pandlouk's questions...
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    This is very simple, but I don't see any help file, I don't get any pop-ups,
    nothing at all. No event log either.
     
  12. Solo_Support

    Solo_Support Registered Member

    Joined:
    Oct 7, 2008
    Posts:
    5
    Location:
    Chantilly, Virginia
    EdgeGuard Solo prevents write-access to system resources (System directories other than user directories, HKLM Registry hives and some user keys like Run RunOnce). The Sandboxing re-directs write calls to cloned resources.

    Thanks for your questions,

    EdgeGuard Solo prevents application write-access to system resources (System directories other than user directories, HKLM Registry hives and some user keys like Run RunOnce) whereas Sandboxing re-directs write calls to cloned resources.

    EdgeGuard Solo assumes any application at a given time has unknown vulnerabilities that could pose high risks.

    EdgeGuard Solo creates a "shield" around an application selected in the Guard list (and the applications created by the Guarded application) so that if the application attempts to write to, say, System32 or HKLM\, EdgeGuard Solo blocks the write. We would also caution, though, that it is not possible to replicate the functionality of EdgeGuard Solo by simply applying an ACL/DACL approach, which would get exceedingly complex quickly and interfere with normal application operations.

    We are eager to hear your perspectives and experiences.
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hello Eirik, Hello everybody,

    EdgeGuard Solo v1.02.0007, in Windows Task Manager :

    BrnTokenGuardTrayApp.exe: Use Memory 2824Kb; Page Errors 711; VM Memory 704Kb; Handles 22; Threads 1.
    EgaSecSvc.exe: Use Memory 3360 Kb; Page Errors 1673; VM Memory 2056Kb; Handles 59; Threads 4.

    Kx-Ray (v1.0.0.54 XP: http://forum.ytkpro.com/viewtopic.php?p=27369 ) shows in black (= rootkit behavior; bad, bad...):
    SSDT: Module BrnFilelock.sys with API NtCreateKey, BrnFilelock.sys with API NtCreateSection, BrnFilelock.sys with API NtOpenKey;
    Message Hooks: 2, from BrnTokenGuardTrayApp.exe;
    Ring0 API Hook: process ntkrnlpa.exe with API IoWriteOperationCount and Hook Type: Relative JMP.

    Yes, it is not very clean, this behavior ...
    And: I would like on-demand software (= NOT real-time protection; thank you Pete! -- my EDIT October 14, 2008)...
    I remove EdgeGuard Solo ... Would you excuse me, Eirik?...

    I clean with CCleaner and RegSeeker.:thumb:
     
    Last edited: Oct 14, 2008
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Hello Eirik

    First welcome to Wilders. I did some testing with the beta in a VM machine.

    I want to be sure I did the right thing in terms of usage as my results were disappointing. When I first installed it and tried adding IE, I also got the error mentioned above, so I tried again uninstalling all my other security software in the vm machine. What I then did was install Edgeguard.

    I assumed if I added a piece of malware to the list it should not have been able to touch the system. I also assume if IE was protected, and I used file>open in IE to fire up a piece of malware the system should be protected.

    I then tested with three different pieces of malware. The first two are protected by other software that drops the rights of the system, the third isn't. All three are prevented from damaging the system with Sandboxie. In none of the cases did EdgeGuard Solo protect the system.

    Did I do something wrong?

    Pete
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I tried it with the Zemana test and it failed all the tests I performed :D
     
  16. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Thanks for the explanation.


    Peace & Gratitude,

    CogitoErgoSum
     
  17. Solo_Support

    Solo_Support Registered Member

    Joined:
    Oct 7, 2008
    Posts:
    5
    Location:
    Chantilly, Virginia
    1) We’ll integrate this feedback into our development efforts.

    2) You can do this now actually. If you wanted to deploy EdgeGuard Solo across many PCs with the same list of applications to guard, all you have to do is replace EdgeGuardSoloAppList.txt file, located in the user’s profile directory, %UserProfile% with the one you prefer to be used.

    3) HKCU Run and RunOnce.
    The entire HKLM hive is write-protected for the Guarded application. This includes Run and RunOnce.
    We are doing research to expand protection, especially in the HKCU area, in a meaningful way. We do not wish to create exceptions specific to applications. We are watching for high-risk keys.

    We’d appreciate your input in this area.

    4) Currently only the user's directories are open. All system directories are off limits to the Guarded application. If I understand correctly, you recommend adding a directory within the user's area that could also be off-limits. Thanks for this input. We will consider this for our product.

    5) EdgeGuard Solo = freeware, before and after beta
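
    The two support posts above describe the guard as a write-deny policy (everything under HKLM, HKCU Run/RunOnce, and system directories are blocked for a guarded application and its children; the user's own directories stay open), as opposed to a sandbox that redirects writes. The following probe is an added example, not Blue Ridge code, that encodes that stated policy and then attempts a throwaway write against each target class so a tester can compare what the guard actually does with what the posts claim. The exact key and directory set, the environment-variable defaults, and all function names are assumptions made for the example.

```python
"""Probe for the write policy EdgeGuard Solo describes (added example, not Blue Ridge code).

Policy as stated in the thread: writes anywhere under HKLM, to HKCU Run/RunOnce
and to system directories are blocked for a guarded application and the
processes it spawns; the user's own profile directories stay writable.
The exact key and directory set below is an assumption taken from the posts.
"""
import os
import sys
import tempfile
import uuid

PROTECTED_USER_KEYS = (  # assumed from the "HKCU Run and RunOnce" answer
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def _norm(p):
    """Case-fold and unify separators so prefix checks are reliable."""
    return p.replace("/", "\\").rstrip("\\").lower()


def _under(path, root):
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def expected_outcome(target, user_profile, system_dirs):
    """'block', 'allow' or 'unspecified' for a registry key or directory."""
    t = _norm(target)
    if t == "hklm" or t.startswith("hklm\\"):
        return "block"
    if t == "hkcu" or t.startswith("hkcu\\"):
        return "block" if any(_under(t, k) for k in PROTECTED_USER_KEYS) else "allow"
    if _under(t, user_profile):
        return "allow"
    if any(_under(t, d) for d in system_dirs):
        return "block"
    return "unspecified"  # the thread says nothing about other locations


def probe_file_write(directory):
    """Create and delete a throwaway file; 'allowed', 'blocked' or 'missing'."""
    if not os.path.isdir(directory):
        return "missing"
    path = os.path.join(directory, "egprobe-%s.tmp" % uuid.uuid4().hex)
    try:
        with open(path, "wb") as fh:
            fh.write(b"probe")
    except OSError:
        return "blocked"
    try:
        os.remove(path)
    except OSError:
        pass
    return "allowed"


def probe_registry_write(key_path):
    """Set and delete a throwaway value under 'HKLM\\...' or 'HKCU\\...'.
    Windows only; a denial at open or set time both count as 'blocked'."""
    if sys.platform != "win32":
        return "unsupported"
    import winreg
    hive_name, _, subkey = key_path.partition("\\")
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name.upper()]
    name = "egprobe-" + uuid.uuid4().hex
    try:
        with winreg.OpenKey(hive, subkey, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, "probe")
            winreg.DeleteValue(key, name)
    except OSError:
        return "blocked"
    return "allowed"


def run_probes(user_profile=None, windir=None, program_files=None):
    """Probe one target per class; return (target, expected, observed) rows."""
    user_profile = user_profile or os.environ.get("USERPROFILE", os.path.expanduser("~"))
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    program_files = program_files or os.environ.get("ProgramFiles", r"C:\Program Files")
    system_dirs = [windir, program_files]
    targets = [
        os.path.join(windir, "System32"),
        program_files,
        user_profile,
        r"HKLM\Software",
        PROTECTED_USER_KEYS[0],
        r"HKCU\Software",
    ]
    rows = []
    for t in targets:
        is_reg = t.upper().startswith(("HKLM\\", "HKCU\\"))
        observed = probe_registry_write(t) if is_reg else probe_file_write(t)
        rows.append((t, expected_outcome(t, user_profile, system_dirs), observed))
    return rows


def mismatches(rows):
    """Rows where the guard did not behave as the thread claims: a protected
    target that accepted the write, or an open one that refused it."""
    bad = (("block", "allowed"), ("allow", "blocked"))
    return [r for r in rows if (r[1], r[2]) in bad]


def probe_scratch_dir():
    """Sanity check: the process's own temp directory must be writable."""
    return probe_file_write(tempfile.gettempdir())


if __name__ == "__main__":
    rows = run_probes()
    for target, expected, observed in rows:
        print("%-60s expected=%-11s observed=%s" % (target, expected, observed))
    print("%d mismatch(es)" % len(mismatches(rows)))
```

    Run it as an administrator (the XP-era default), otherwise plain ACLs already deny HKLM and System32 and a "blocked" result says nothing about the guard. Launch it once from a shell started by a guarded application (for instance via a guarded browser's File > Open, as Pete did) and once from an unguarded shell; only the guarded run should report "blocked" on the protected targets. Because the thread later notes that an application residing in the user's directory is not guarded in this release, run the guarded copy both from Program Files and from the user profile. A sandbox that redirects writes, by contrast, reports "allowed" here while the file never reaches the real System32, which is exactly the distinction the support post draws.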
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I also terminated the EdgeGuard services using the Task Manager :D
    I also tried this against DriveSentry; it couldn't be terminated.
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I look forward to the answer from Eirik on this one. :blink:
     
  20. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    We are adding alerts and history to the next release. We will add client-based help too but this may be later. Meanwhile, our EdgeGuard Solo support web page may be of assistance:

    Eirik
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks for the info
     
  22. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    We did not activate its self-protection in this release.
     
  23. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    Terminating a process or a service from task manager is not a security threat. As long as the driver is not unloaded and the applications in the list remain in protection mode the only thing that you will miss are the pop-ups. ;)

    If you do, please give us the ability to have it disabled. All those products with futile self-protection make us reboot the PCs more often than we should.

    ps. The only program categories that need self-protection are the antivirus active engine, the drivers and the kernel. On everything else it is totally useless, but.... :rolleyes:
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    ok i see.
     
  25. Solo_Support

    Solo_Support Registered Member

    Joined:
    Oct 7, 2008
    Posts:
    5
    Location:
    Chantilly, Virginia
    Thanks Pete for the feedback. Currently, if the application resides in the user's directory, EdgeGuard Solo does not enable protection for such an application. This is a known issue in this release and will be fixed. I am sorry if it was not mentioned before in the original postings. I wonder if this is the issue you have faced in your testing.

    If you could provide us the malware, we would love to replicate the issue you have reported.

    Regards

    EdgeGuard Solo Support
     