Introducing EdgeGuard Solo Beta (zero-day malware defense)

Discussion in 'other anti-malware software' started by Eirik, Oct 10, 2008.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello EASTER,

    At least for me, EdgeGuard Solo has yet to conflict with Avira AntiVir Personal, DefenseWall, Primary Response SafeConnect 3.5 beta, Returnil 2008 Personal Edition and Returnil 2008 Premium Edition beta.


    Peace & Gratitude,

    CogitoErgoSum
     
  2. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I cannot answer your question with an absolute yes or no; it is somewhere in between. We are expanding our security coverage in this space in the coming releases and currently working with specific Microsoft groups to address this in a much broader sense, and to minimize the potential for introducing software conflicts.

    Eirik
     
  3. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Hi all,

    I'd like to thank CogitoErgoSum for sending us malware samples (in password protected zip files for practical transport, btw). These were tested in a Win XP SP3 environment with EdgeGuard Solo. Two or three samples did not appear to function properly, leaving me to wonder if those specific samples were Vista-only.

    As some of you have pointed out, EdgeGuard Solo does not yet yield attack alerts and details. The testing of these samples utilized a few monitoring utilities (file system activity, registry accesses, etc.) on both the test host and a control host (i.e., no EdgeGuard Solo).

    6767exe
    Test malware crashes. Found no reliable sample for this test.

    BrotokAX
    Blocked


    CutWailF
    Blocked


    D9Etmp
    Blocked

    Generic327639 (a.k.a., KillDisk)
    Performs MBR (Master Boot Record). EdgeGuard could not block RAW I/O actions. We are discussing options with Microsoft for a possible industry-wide solution that avoids software conflicts among security and peripheral vendors.

    BTW, I'm not sure how an attacker can financially gain from this form of attack. Comments?

    GpCodeI
    Appears to be ransomware to encrypt the user's files. Malware failed to work. Test is not conclusive.

    KillAV-33
    Blocked

    PandexG
    Blocked

    PandexH
    Blocked

    QQRob-18
    Blocked

    RustockNCD
    Blocked

    Sinowal-42
    Inconclusive. Malware does not appear to be working to create any damage.

    SinowalB
    Blocked

    TrojanDNSChanger-3943
    Blocked

    AgenFQvar
    Blocked

    We welcome other malware samples to test. I cannot guarantee that we'll test all received. We will be candid about test results though.

    Cheers,

    Eirik
     
  4. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    Hello,

    Sounds like an interesting application. But there's not a screenshot in sight at the EdgeGuard website to see how this app looks. Can anyone who has used this product kindly provide a couple of screenshots? Thanks!
     
  5. guest

    guest Guest

    Eirik, can you speak with Matousec? He is going to do a new test soon; maybe he can add your soft to the HIPS test.
     
  6. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    The support page has some screen shots.

    The GUI will change quite a bit in the next release (January) of EdgeGuard Solo to accommodate the additional features. I'm not prepared to announce the features yet but can say that those that have followed this thread will feel as though we've been listening.

    Eirik
     
  7. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    I'd be happy to.
     
  8. Rickster100

    Rickster100 Registered Member

    Joined:
    Sep 29, 2005
    Posts:
    152
    Location:
    United Kingdom
    I stand corrected. [Although placing the screenshots in the Products Page area, rather than found under the "Support" area might make it easier to find in future.] Thanks Eirik!
     
  9. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    How do you install Firefox add-ons/updates with EdgeGuard?

    Is it similar to Ilya's DefenseWall in that you have to run FF as "trusted"?

    Ian
     
  10. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello Ian,

    To the best of my knowledge, you have to temporarily disable EdgeGuard Solo when installing Firefox add-ons/updates.


    Peace & Gratitude,

    CogitoErgoSum
     
  11. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Iangh,

    CogitoErgoSum is correct. The next release will borrow from and improve upon our EdgeGuard product where temporarily disabling a single application is not only easier but timed, so one doesn't have to remember to re-enable protection.

    Eirik
     
  12. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Eirik,

    Raw I/O writing is used mainly for 2 reasons:
    1. For disabling the boot-to-restore protection of software like DeepFreeze, EAZ-FIX, Rollback Rx, Returnil, Shadow Defender, and so on.
    2. It can be used for MBR-based rootkits/trojans. The OSes do not see the raw data, but the rootkit (started during boot time) knows where its files reside. It is similar to the technique of the Rollback Rx/EAZ-FIX preboot application and their snapshots. This kind of rootkit is almost impossible to detect.

    Panagiotis
     
  13. LM1

    LM1 Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    40
    Does EdgeGuard provide any additional protection over "classical" HIPS (e.g., Comodo Defense+), aside from being easier to use?
     
  14. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    It's difficult to paint this answer with a broad brush. EdgeGuard Solo dynamically guards any executable or ActiveX control spawned by a guarded application. One of the better known HIPS products would benefit from a major improvement in its ability to counter exploits of ActiveX controls, which can be very dangerous when exploited.

    EdgeGuard Solo, and its enterprise cousin's anti-malware capabilities, are positioned for 'ease of use' in part through prioritization of risks to be mitigated. We are not striving to be the vendor that gets the highest percentage of possible attacks. Instead, we prefer it to be the toolset that is most fully utilized in its deployments rather than the toolset that is only partly utilized in its deployments. Frequently under-utilized tools could get the last n percent of attacks, if only folk would do the extra work required. Instead, they set the tool to 'medium' or let functions be idle. They can actually get less protection because of under-utilization.

    The space shuttle main engines have the highest specific impulse (460 seconds if I recall) of just about anything out there. This means it gets more thrust for every kg of exhaust it expels from its nozzles. Operationally, however, the shuttle is very burdensome, so it is seldom launched. The value of security products suffers when they are operationally difficult and distracting.

    So, we're striving to spare end-users/administrators from sifting through piles of 'false positives' and implementing convoluted configurations and re-tuning.

    Eirik
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hear hear
     
  16. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    CogitoErgoSum sent us more malware samples. Thanks CogitoErgoSum. Below are the results. In short, all 17 of these samples were blocked by EdgeGuard Solo.

    AgentYMX02 (*)
    Blocked
    Attempted write to \Windows\system32\drivers\pclhdd.sys

    AgentYMX03 - 16 (13 Variations on AgentYMX02)
    Blocked
    Malware displays error message and terminates

    AgenALM
    Blocked
    Attempted to create C:\windows\system32\msvcrtd.exe

    AgentEY
    Blocked
    Attempted to modify HKLM key

    AgentEZ
    Blocked
    Attempted to create C:\windows\system32\service\dll.dll


    An Observation
    Some malware samples vary their attack vector based on host conditions (e.g., permissions to write in places). When insufficient access is found, some malware samples display an error message, crash, and in rare cases run as a dormant process. These conditions-based samples might lead one to incorrectly infer that EdgeGuard Solo (or other tools) did not block the attack. All samples were also run on another machine without protection to observe them in action. These tests were conducted on Windows XP SP3 hosts.

    CogitoErgoSum, thanks again for the malware samples.

    Eirik
     
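As an added illustration (a simplified Python model written for this thread, not EdgeGuard code), here is how the pieces discussed above fit together: the "guarded application" rule from Eirik's posts, where anything spawned by a guarded app inherits the guard; the blocked system32 and HKLM writes listed in the results; and the raw I/O gap that pandlouk's post explains. The protected paths, the dropper name and the registry key are constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Hypothetical protected locations (constructed, not EdgeGuard's rule set).
PROTECTED_DIRS = ("c:\\windows\\system32",)
PROTECTED_HIVES = ("HKLM\\",)

@dataclass
class Process:
    name: str
    parent: "Process | None" = None
    guarded: bool = False

    def is_guarded(self) -> bool:
        """Guard is inherited: True if this process or any ancestor is guarded."""
        p = self
        while p is not None:
            if p.guarded:
                return True
            p = p.parent
        return False

def normalize(path: str) -> str:
    """Lower-case, collapse '..', and map drive-less '\\Windows\\..' to C:."""
    p = ntpath.normpath(path).lower()
    return "c:" + p if p.startswith("\\") else p

def decide(proc: Process, action: str, target: str) -> str:
    """Return 'allow', 'block' or 'not-covered' for one attempted action."""
    if not proc.is_guarded():
        return "allow"          # unguarded processes are outside the model
    if action == "raw_io":
        return "not-covered"    # raw disk / MBR writes: the gap the thread notes
    if action == "file_write" and normalize(target).startswith(PROTECTED_DIRS):
        return "block"
    if action == "reg_write" and target.upper().startswith(PROTECTED_HIVES):
        return "block"
    return "allow"

def run_samples():
    """Replay constructed events shaped like the thread's test results."""
    ie = Process("iexplore.exe", guarded=True)
    dropper = Process("sample.exe", parent=ie)   # spawned by the guarded IE
    events = [
        (dropper, "file_write", "\\Windows\\system32\\drivers\\pclhdd.sys"),
        (dropper, "file_write", "C:\\WINDOWS\\temp\\..\\system32\\msvcrtd.exe"),
        (dropper, "reg_write", "HKLM\\Software\\ConstructedKey"),
        (dropper, "raw_io", "\\\\.\\PhysicalDrive0"),
    ]
    return [(act, decide(p, act, tgt)) for p, act, tgt in events]
```

The second event shows why path normalization matters: a `..` segment and mixed case would otherwise slip past a naive prefix check.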
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Very impressive Eirik, so practically EdgeGuard limits the right of malware to modify or do damage to the system :thumb: Sounds good.
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Eirik, are these samples run directly from Internet Explorer, or saved and run?
     
  19. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes. It literally intercepts the initiation of these actions and decides whether or not to allow or deny.

    BTW, the next release, in January, will address the drive-by downloads that you requested earlier. Also, its user alerts and event detailing will be greatly improved. It will still and always be intended to be a non- or low-intrusive tool that aspires to be forgotten and only remembered when it blocks something.

    Eirik
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks, sounds good for an extra layer and peace of mind :thumb:
     
  21. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Yes, from IE.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    OK thanks, and what about saving and running the samples from Documents? Is it the same? Will EdgeGuard block it in real time? Or introducing the malware from a USB device?
     
  23. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    When a guarded application opens/runs a document containing malware, EdgeGuard Solo will block the malicious actions in real time regardless of the document's location.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It sounds like a terrific application.
    Now, is there a new release soon with new features? Are you adding protection against termination?
     
  25. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    Due to the holidays, the next EdgeGuard Solo release will be available in January. It will include self-protection of its files, registry keys, and processes.

    And, the "beta" designation will be removed. It will always be freeware.

    I encourage folk to register. It's not required to use EdgeGuard Solo. But, it enables us to alert you to the next release availability and thank you for your participation/feedback (we will not abuse the privilege of being able to email you).

    Eirik
     