Katie DriveSentry

Discussion in 'other anti-malware software' started by DriveSentry, May 19, 2008.

Thread Status:
Not open for further replies.
  1. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Kees,

    Thanks I will test this config today, do you know how I can embed a Youtube video into a page on this forum of the results??

    ~interact
     
  2. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    tbay2ahome,

    Yes of course the viruses are as follows:

    Trojan.PWS.Lineage.PP
    Generic.Malware.PVPkg.915454D4
    Win32.Bagle.BV@mm
    Win32.Bagle.AX@mm
    Win32.Bagle.AG@mm
    Win32.Auric.A@mm
    Win32.Asone.ABM@m

    The three others are encrypted variants of:

    Win32.Android.A@mm
    Win32.Asper.B
    Win32.Chet.A@mm

    All these files are a format called PE32 and there are a number of tools that allow them to be compressed/encrypted and still run as normal. I have encrypted the above 3 to fool scanners so they cannot recognize the signature but the virus still runs. This is a good way to emulate a real zero-day attack. A number of AV tools can still detect them even if they're encrypted but the CPU overhead to do this is a good reason why some AV tools slow the PC down :)

    If you want copies please PM me and I will send you a URL to a good site ;)

    ~interact
     
  3. andylau

    andylau Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    696
    Hi interact,

    I think you should test more different kinds of malwares. Most of your samples are Virus and Worm only and seems a bit old. Some are variants
    e.g.
    Win32.Bagle.BV@mm
    Win32.Bagle.AX@mm
    Win32.Bagle.AG@mm

    You may add such as
    Infection type : Worm.AutoRun,Virus.Xorer,Virus.Delf,Virus.Agent,Worm.Viking

    Trojan&backdoor : Trojan,Trojan-Spy.KeyLogger,Backdoor,Trojan-Downloader,Trojan-Dropper,Trojan-Clicker

    And other types of malwares, e.g. Rookit,Adware,Spyware and so on.

    More types of samples can be clearer to reflect software's ability.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It means that rules are there, either in some files or reg enteries and these can be backed up at least manually. Am i true?

    Also what is ur opinion about this( current pop up interface/ options need work).

    Also there should be an option to disable advisor completely without any more pop ups.

    Thanks
     
  5. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi aigle,

    Thanks for your comments and feedback.

    1) Yes, rules can be manually backed by the user. But this is not something that DriveSentry facilitates, so would need to be an independent record/ backup.

    2) Modification of the popup and the Options screen is in the pipeline.

    3) I am not really sure what you mean by the last question? Notifications can be disabled through the drop down menu in the popup. Also automated popups can be turned off through the options screen or the wizard.

    I hope this helps :doubt: .

    Kind regards

    Kate.
     
  6. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    663
    Hi Katie!

    Why is it so difficult to get an answer to the following question? (Both here on the forum or by PM) Is it too stupid or what?

    -----------------

    Is DS compatible with Actronis true image or other imaging programs?

    How about Returnil or PowerShadow?
     
  7. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi Ako,

    Thanks for your questions. I apologise for the delay :rolleyes:

    We use DriveSentry with True Image on a daily basis, so there are no problems there. Returnil has also been tested with DriveSentry and works fine.

    I will pass a request on to the QA team to do some testing with PowerShadow. Has anyone else run DriveSentry with PowerShadow?

    Sorry again for the delayed response.

    kind regards,

    Kate.
     
  8. 337

    337 Registered Member

    Joined:
    Nov 4, 2006
    Posts:
    232
    Location:
    Georgia, USA
    Might try their forum? http://forum.drivesentry.com/ :thumb:
     
  9. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    663
    OK. Thank you for the answer.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    On a very short and provisional test - seems OK. No obvious (i.e. BSOD) issues immediately.

    Blue
     
  11. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi BlueZannetti,

    Thanks for your feedback. Much appreciated. That is very useful ;) .

    Please dont hesitate to contact me in future if you need any assistance :D

    Kind regards,

    Kate.
     
  12. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Katie,

    Have you tried to fully vet DriveSentry against Limited User Account (LUA) and/or LUA/SuRun with DriveSentry supposedly running with elevated rights? It seems to be having some minor issues.

    Blue
     

    Attached Files:

    • DS.png
      DS.png
      File size:
      6.9 KB
      Views:
      869
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I mean if I want to turn off acess to online data base completely, what is the way?
     
  14. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi BlueZannetti,

    We are currenly looking into this. I will get back to you on this.

    regards,

    Kate.
     
  15. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi Aigle,

    To turn off access to Advisor completely ensure that the following options are set to "No".

    Options ->

    Auto block malicious programs - NO
    Auto allow whitelisted programs – NO
    Auto allow community trusted – NO
    Upload stats – NO

    Hope this helps.

    Kind regards,

    Kate.
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    No problem, the fix should be a very minor adjustment and the behavior should be easily replicated.

    DriveSentry runs fine with Admin level credentials supplied via "Run as" under a LUA (as one would expect).

    Blue
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks.
     
  18. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris

    BlueZannetti,

    I think they have a bug in their installer as I've installed Drivesentry on my GF PC as limited user OK. Here's how I did it:

    1, Login as limited user
    2, RunAs Drivesentry setup
    3, enter admin user / password
    4, At end of install UNCHECK start drivesentry
    5, Close installer
    6, Run Drivesentry all should work fine :)

    I think when you run from the installer from "runas admin" then drivesentry tries to access the admin folder and cannot so errors.

    ~interact
     
  19. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Thanks Interact,

    We have identified the problem and will be implementing a fix shortly.

    regards,

    Kate.
     
  20. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Those settings doesn't work. DriveSentry still connect to Advisor.
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Not quite sure what's up, but I reset pertinent SuRun settings, and DriveSentry now launches fine. No net changes in settings were evident. Might have had a bit of a config. issue under SuRun. Works fine at the moment, basically unsure why, but seems more related to SuRun than DriveSentry.

    Blue
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,709
    Location:
    U.S.A. (South)
    Great discussion and topic posts here. Thanks Kate for taking the reins on both DriveSentry & our behalfs. This is abundantly useful and sure to advance interest in this application.

    But i need help.

    In a simple security setup which i use for everyday internet access now, minus NO Returnils or other ISR's "OR" AV's, but impliment only EQS beta 4 (HIPS) + Kerio 2.15 (Custom Rules) and dare i say an old version of CyberHawk i had lying around for a long spell but find it very useful and "Lite" + stable, can i benefit with DriveSentry? And where and how? Plus which of my current apps, if any, would it be better to remove should i bring on-board DriveSentry.

    Lastly, is there anyway for a DriveSentry app to ward off MBR interference from an infector of that section or is it better left up to another form of coverage.

    Thanks to all of you so very much for your inputs, concerns, and satisfactory reports so far.

    EASTER
     
  23. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Is there any way to block that database download? Haven't tested that to block DriveSentry with firewall. Trying that next :D

    I really like DriveSentry but I just want to disable Advisor and it's local database.
     
  24. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hi MikeNAS,

    By design, DS will attempt to connect to Advisor to retrieve program information and updates to the local database.

    However, if this concerns you, you can block DriveSentry's access to the Internet through your firewall. DS will still protect your system, but you will not receive any program info in the 'Advisor' screen, no community statistics will be available and your local database will not be able to connect to the Internet to update itself when necessary.

    I hope this helps.

    kind regards,

    Kate :D
     
  25. DriveSentry

    DriveSentry Registered Member

    Joined:
    May 19, 2008
    Posts:
    198
    Hello Easter,

    Sorry for the delay in getting back to you :eek: . Help is here!!!

    In answer to your questions - Cyberhawk and DriveSentry work well together. Any HIPS tools can be replaced by DriveSentry if they are file and registry focused. However, whitelisting and blacklisting technology set DriveSentry appart from the rest, allowing for the automation of program access decisions – greatly minimizing the popup notifications (experienced by conventional HIPS solutions). DriveSentry automatically allows access to whitelisted applications, blocks over one million known threats and queries the unknown.

    We currently have a developer working on MBR and other additional security functionalities. Our primary objective for the near future is to work on adding more functionality available to the user to secure their system and data.

    Thanks for your comments and questions ;) I hope i have helped you.

    Kind regards,

    Kate.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.