New kid on the block? - DriveSentry

Discussion in 'other anti-malware software' started by sukarof, Nov 6, 2006.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    http://www.drivesentry.com/

    New kid on the HIPS(?) block, well I have never heard of it but it seems to have some nice features. Will test it later.
     
  2. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Looks interesting, looking forward to your opinion. I'm currently running Prevx. Wonder if there's too much overlap with this.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Hmm... drat. It is not yet available for download (will be released 10th of November); I will try it then. I also have Prevx1. I like the idea that one, supposedly, can decide what extensions an application can write. But we will see once it is released.
     
  4. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    The download link is up and working now.
     
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Yes it is up, I did miss that the trial (PRO version) was downloadable. It is just the freeware version that one can't download yet.

    First brief impressions:
    Installation went fine and no reboot needed, which is always nice. Same goes for when uninstalling the software. They offer a generous 60 day trial.
    You have to create an account that you log on to when DriveSentry executes, since this program is sort of community based like Prevx1. BTW Prevx1 and DriveSentry work fine together. Prevx1 did not recognize this software so it asked for permission to start.
    But I think that Geswall and Drivesentry do not work well together. I have set geswall to sandbox all the help files, so when I click on "help" in drivesentry my vmware session reboots. I think that has to do with Geswall trying to sandbox the helpfile.

    When I tell DriveSentry to protect my Windows folder including all sub folders it crashes and freezes the VMware session. Maybe it is just a bug in DS or maybe one isn't supposed to protect the Windows folder and all the sub folders?
    I have not tried Drivesentry in my "live" environment, just in a snapshot in vmware.
    But when protecting other folders drivesentry does its job being a "firewall" to the hard drive. I have to allow/deny every program that tries to write/modify/delete anything in the protected folders. Once allowed they become trusted to do all that in the protected folder.
     
  6. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    149
    It looks fine, I'm going to install it. I like that it protects the registry, so that working with another like Process Guard or AntiHook, it could be great! Let's see how it works.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I downloaded the Pro version but I had no internet connection on my virtual machine, so I could not create an account, I really hate having to create an account first. :cautious:

    But anyway I will try to test it later, looks interesting, I think more HIPS should focus on folder/file protection. But I hope it's not too intrusive; a while back I tested a tool named "Parador File Protection" and that app was a joke, it alerted about just about anything. o_O
     
  8. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    I downloaded DriveSentry but had a problem so contacted support and was told a new build was uploaded. I don't like having to create an account but in the interest of science I created one.

    I've been running DriveSentry for a few days and it seems very slick looking and does what it says on the box. I did notice that it doesn't hassle you too much, which is good. I'm not 100% sure but I also don't think it uses API hooks, which is good going forward.

    Data firewalls seem a logical move to prevent zero-day threats, as I don't think process monitors and VM tools are the way forward. Process monitors don't save me when I download a crack and allow it to run, and it's then free to do whatever it likes. I also worry about VM tools after reading this doc (http://www.codegurus.be/codegurus/Programming/virtualpc&vmware_en.htm); it makes me wonder whether viruses will become more intelligent, detect where they run from, and behave until they execute in a live environment.

    DriveSentry is one of the better products I've seen for a while but they must include more features in their free "lite" version or better still make the product free :)
     
  9. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    What happens when malicious code is injected in for example Windows Explorer to perform a disk write action?
    This is for malware a common way to pass through firewalls (using Internet Explorer).
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    @ interact, thanks for the review, I still have not played with it, was a bit busy.

    @ wilbertnl, can you give a bit more info?

    Btw, this thread should be moved to the "Other Anti Malware Software" section. ;)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Why o_O Do you work for free?
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    With DeepFreeze, why would I need DriveSentry, I wonder?

    bellgamin <== (curious but lazy)
     
  13. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    wilbertnl, I tried a number of attacks in memory on a trusted program. From Ring3 (user mode) I used WriteProcessMemory (WPM) to update an instruction of a trusted program at the OEP to an INT3. DriveSentry detected the WPM and asked me if my "test" program was allowed to write to the exe.

    1, Trust program (A) in DriveSentry.
    2, CreateProcess on program (A) suspended.
    3, Allow my process to have write access to (A) process memory.
    4, Find OEP from PE header of process (A).
    5, Write my new instruction @ RVA of the OEP into process (A).
    6, Clean up and resume process (A).

    DriveSentry detected step (5) and prompted me.

    I next disabled DriveSentry and injected a small (3kb) loader into a trusted program to display a message box (e.g. a simple PE virus); this technique can be used to patch the process memory on the fly from within. I restarted DriveSentry and then ran the patched trusted program and DriveSentry prompted me that the program had changed. I guess I could have done this test far quicker with a hex editor :)

    I also examined hooking the RVA of the API calls that DriveSentry was possibly using to monitor system writes, but they have implemented a Mini Filter Driver. This is more secure as kernel mode API hooks can also be re-hooked and M$ has stopped this trick under Vista. I didn't really examine the drivers as WinXP SP2 has done its best to screw up my fav' driver debugger SoftICE!

    The only review I've read on DriveSentry was for a beta back in August -> http://svenontech.com/tag/Protector

    I've just checked out DeepFreeze (Faronics Corporation / http://www.faronics.com/) under VMware (XP SP2) but it doesn't work? bellgamin, no shortcuts are created under the start menu. The task tray icon doesn't do anything when clicked. I guess if I wanted to create a backup/restore of my disk then TrueImage works well :) I've also tried another program (Anti-Executable) from their site which scans the drive, then reboots and then does nothing? Are you sure these programs are not a hoax?

    Please can anyone else validate my sanity with DeepFreeze.

    interact
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    DeepFreeze is used throughout the computer classrooms of dozens & dozens of entire school systems and university computer classes. It is also heavily used by libraries, kiosks -- anywhere that computers are used and must be restored (after use) to a pristine status. I have DF running on several of my associates' computers, as well as my own. Works just fine.

    Do a search on "DeepFreeze" here at Wilders. It is used by several denizens and highly regarded. Another of the same ilk is ShadowUser, but much more expensive. Here is an Example.

    In any event, my question re using DF vice DriveSentry was somewhat tongue-in-cheek. Why? Because DF deletes EVERY change made while in frozen mode. No questions. No pop-ups. No backtalk. ^_^

    By the way, that was a very interesting set of tests that you put Drive Sentry through. Well done, & thanks!
     
    Last edited: Nov 15, 2006
  15. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    bellgamin,

    I will examine DeepFreeze again under the real O/S. I ran it before on a clean build of WinXP SP2 under VMware.

    Many Thanks,

    interact.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I do not think you can compare DeepFreeze with DriveSentry, I mean DS is a HIPS and DeepFreeze not really. Let's stay on topic. ;)
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Anti-Executable (AE) gives you indeed the impression that NOTHING happened after installing it, because AE is the most hidden software I've ever seen. AE is a very unusual software.

    1. AE isn't listed in the Add/Remove Screen and requires a special uninstall.
    2. AE isn't listed in any usual program menu.
    3. AE has one folder in Windows Explorer, that can't be accessed.
    4. AE has one icon in the system tray that doesn't work as a normal icon: clicking and right-clicking don't work. You can even hide this icon once you are familiar with AE.

    You really have to READ the manual or the WELCOME email to work with AE and it really works like advertised. Any whitelisted executable will work normally, but all not-whitelisted (good or bad) executables won't be able to install themselves. :)
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Decided to try the free version.

    Experience so far:

    - Gives some pop-ups initially. Protects my C (program) and D (data) drive (max 2 directories is not a practical limitation of the free version).
    - Gives a color indicator when the pop-up appears, so the user can assess the risk.
    - Protected my office documents, mail and music (max 5 file types in the free version)
    - Asks for confirmation when a program for the first time tries to write or delete a file in the two protected directories.
    - Does not seem to slow down the system noticeably

    Conclusion: it works, except for 1 BSOD when starting Paint.

    On paper the defense layer looks good:
    - communication level = inbound firewall of NatRouter
    - threatgate level (Internet, P2P, DVD ROm etc) protected with DefenseWall
    - process level protected by SSM with user interface disconnected
    - data level: DriveSentry free (access level read/write) + Antivir free (content level blacklist antivirus)

    After a day or so I decided to uninstall. Not because the program is not working well, but I do already have 2 HIPS running and I could not think of any additional value of DriveSentry over SSM + DefenseWall. When a malware is smart enough to break through the first line (DW) and is able to mislead the second line (SSM), I really can not believe DS would be smart enough to detect it. The "more of the same" feeling is against my idea of putting together a security set. Because DS would be the back up of my backup, I decided to keep SSM (also the disconnect user interface is a strong option of SSM).
     
    Last edited: Nov 17, 2006
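The behaviour sukarof (post 5) and Kees1958 (post 18) describe is a per-program "firewall to the hard drive": a write, modify or delete inside a protected folder triggers a prompt the first time a given program attempts it, an "allow" answer makes that program trusted for the folder afterwards, reads are never mediated, and the free edition caps the policy at two folders and five file types. The following simulation is an added illustration written for this thread; it is not DriveSentry's own code, and the folder names, file types, program names and the scripted user answers are constructed sample values (the two-folder and five-type caps are the limits Kees1958 reports).

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Callable, List, Optional, Set, Tuple

# Operations the data firewall mediates; reads pass through untouched.
MEDIATED_OPS = {"write", "modify", "delete"}


@dataclass
class DataFirewall:
    """Per-program write mediation for a set of protected folders (model only)."""
    protected_dirs: List[PureWindowsPath]
    protected_types: Set[str]                   # suffixes such as ".doc"; empty = every file
    ask_user: Callable[[str, str, str], bool]   # (program, op, path) -> allow?
    max_dirs: Optional[int] = None              # free-edition style caps (assumed semantics)
    max_types: Optional[int] = None
    trusted: Set[Tuple[str, str]] = field(default_factory=set)   # (program, folder) pairs
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.max_dirs is not None and len(self.protected_dirs) > self.max_dirs:
            raise ValueError(f"at most {self.max_dirs} protected folders allowed")
        if self.max_types is not None and len(self.protected_types) > self.max_types:
            raise ValueError(f"at most {self.max_types} protected file types allowed")
        self.protected_types = {t.lower() for t in self.protected_types}

    def _protected_root(self, path: PureWindowsPath) -> Optional[PureWindowsPath]:
        """Return the protected folder containing `path`, if any (case-insensitive)."""
        for root in self.protected_dirs:
            if path == root or root in path.parents:
                return root
        return None

    def check(self, program: str, op: str, target: str) -> bool:
        """Decide whether `program` may perform `op` on `target`; record the verdict."""
        path = PureWindowsPath(target)
        if op not in MEDIATED_OPS:
            return self._record(program, op, target, "read-passthrough", True)
        root = self._protected_root(path)
        if root is None:
            return self._record(program, op, target, "unprotected", True)
        if self.protected_types and path.suffix.lower() not in self.protected_types:
            return self._record(program, op, target, "type-not-protected", True)
        key = (program.lower(), str(root).lower())
        if key in self.trusted:
            return self._record(program, op, target, "trusted", True)
        # First contact between this program and this folder: ask, and remember
        # only an "allow" (a denied program is asked again next time).
        if self.ask_user(program, op, target):
            self.trusted.add(key)
            return self._record(program, op, target, "prompt-allow", True)
        return self._record(program, op, target, "prompt-deny", False)

    def _record(self, program: str, op: str, target: str, verdict: str, allowed: bool) -> bool:
        self.log.append((program, op, target, verdict))
        return allowed


def run_demo() -> List[Tuple[str, str, str, str]]:
    """Scripted session with one known editor and one unknown program (constructed)."""
    scripted_answers = {"winword.exe": True, "unknown_installer.exe": False}
    fw = DataFirewall(
        protected_dirs=[PureWindowsPath(r"D:\Documents"), PureWindowsPath(r"D:\Music")],
        protected_types={".doc", ".xls", ".pst", ".mp3", ".txt"},
        ask_user=lambda program, op, path: scripted_answers.get(program, False),
        max_dirs=2,
        max_types=5,
    )
    fw.check("winword.exe", "read", r"D:\Documents\report.doc")            # never mediated
    fw.check("winword.exe", "write", r"D:\Documents\report.doc")           # first time: prompt
    fw.check("winword.exe", "delete", r"D:\Documents\old\draft.doc")       # now trusted there
    fw.check("unknown_installer.exe", "modify", r"D:\Documents\report.doc")  # denied
    fw.check("unknown_installer.exe", "delete", r"D:\Documents\report.doc")  # asked again
    fw.check("unknown_installer.exe", "write", r"C:\Temp\setup.log")       # outside policy
    fw.check("unknown_installer.exe", "write", r"D:\Music\playlist.m3u")   # type not covered
    return fw.log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The log makes the trade-off Rasheed187 worried about visible: the number of prompts is bounded by (programs × protected folders), not by the number of writes, which is why a tool like this stays quiet after the first day, and it also shows that a file-type filter narrows what the policy covers at all.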
  19. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    ErikAlbert - I finally managed to get it working; for some reason Anti-Executable required two reboots. I think the problem was I couldn't find a manual and didn't get any welcome email - I guess they must be hidden also :)

    Anti-Executable scans for any PE32 file on a drive then if one is unknown creates a pop-up blocking the process from running. I think the idea is OK but I found some limitations.

    1, I wrote a simple screensaver that is a time-bombed trojan which after a week encrypts all the most recent documents.

    2, I then installed Anti-Executable which scans all the PE32 files and creates a "white" list and then reboots.

    3, I forwarded the system clock and then ran my "trojan" screensaver which runs without challenge and encrypted my recent documents.

    I also noticed that it's possible to copy and run my trojan over other trusted programs, e.g. Trojan.exe -> notepad.exe

    I think there are other process monitors, e.g. PrevX, which are better. I still haven't had a chance to check out DeepFreeze but I will when I get a chance.

    interact.
     
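interact's two Anti-Executable findings above (a time-bombed screensaver that was already on disk when the baseline was taken, and a trojan copied over notepad.exe) are both properties of how an allowlist identifies "known" executables rather than of one product. The model below is an added illustration for this thread, not Faronics' or anyone else's code: an in-memory "drive" is scanned for PE32 files (recognised here only by the "MZ" header), one allowlist keys on the file's path and the other on its SHA-256, and the two are compared on the three cases from the post. All file contents and paths are constructed.

```python
import hashlib
from typing import Dict, Tuple

# Constructed in-memory drive: path -> file bytes. Real PE files start with the
# "MZ" DOS header; that is all this model needs to tell executables apart.
Drive = Dict[str, bytes]


def is_pe32(data: bytes) -> bool:
    return data[:2] == b"MZ"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PathAllowlist:
    """Baseline scan that remembers WHERE executables were (the weak model)."""

    def __init__(self, drive: Drive) -> None:
        self.paths = {p.lower() for p, d in drive.items() if is_pe32(d)}

    def allowed(self, path: str, data: bytes) -> bool:
        return path.lower() in self.paths


class HashAllowlist:
    """Baseline scan that remembers WHAT the executables were (content hash)."""

    def __init__(self, drive: Drive) -> None:
        self.hashes = {sha256(d) for d in drive.values() if is_pe32(d)}

    def allowed(self, path: str, data: bytes) -> bool:
        return sha256(data) in self.hashes


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Replay the three cases from the post; each value is (path-based, hash-based)."""
    notepad = b"MZ" + b"constructed notepad image"
    screensaver = b"MZ" + b"constructed screensaver with a dormant payload"
    trojan = b"MZ" + b"constructed unknown executable"

    # Baseline is taken while the screensaver is already installed.
    drive: Drive = {
        r"C:\Windows\notepad.exe": notepad,
        r"C:\Windows\System32\slideshow.scr": screensaver,
        r"C:\Users\me\notes.txt": b"not an executable",
    }
    by_path, by_hash = PathAllowlist(drive), HashAllowlist(drive)
    results: Dict[str, Tuple[bool, bool]] = {}

    # Case 1: a brand-new executable appears after the baseline. Both models block it.
    new_path = r"C:\Temp\unknown.exe"
    results["new_executable"] = (by_path.allowed(new_path, trojan), by_hash.allowed(new_path, trojan))

    # Case 2: the same bytes replace a trusted file in place. Only the hash model notices.
    drive[r"C:\Windows\notepad.exe"] = trojan
    p = r"C:\Windows\notepad.exe"
    results["overwritten_notepad"] = (by_path.allowed(p, drive[p]), by_hash.allowed(p, drive[p]))

    # Case 3: the dormant screensaver was part of the baseline, so both models trust it.
    p = r"C:\Windows\System32\slideshow.scr"
    results["baseline_screensaver"] = (by_path.allowed(p, drive[p]), by_hash.allowed(p, drive[p]))
    return results


if __name__ == "__main__":
    for case, (path_ok, hash_ok) in run_scenario().items():
        print(f"{case:22s} path-based={path_ok!s:5s} hash-based={hash_ok}")
```

Hashing closes the overwrite case but not the baseline case: an allowlist can only vouch that an executable is unchanged since enrollment, never that it was benign then, which is the gap the forwarded-clock test exposed. Hash checks also have to be done on every launch (and cost a read of the whole file), which is the usual argument for combining an allowlist with something that looks at what the program does once it runs, as the rest of this thread discusses.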
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    In raising the question about DF versus DS, the question I asked was this...
    There was method to my madness. Namely...

    +DS will prevent writing to your HD on a case-by-case discretionary basis.
    ++DS is discretionary from the standpoint that it asks what you want to do when there is an attempt to write to your HD.

    WHEREAS

    +Upon restart, DF will kill ALL that was written to your HD while in frozen mode.
    ++DF is also discretionary from the standpoint that you can exempt specified folders from frozen state & thereby decide, case-by-case, as to whether or not to have something written to an exempt folder (thawed) or written to the virtualized HD (frozen).

    The point I was trying to make is that spending $$ for DS would be rather questionable if one primarily operated while in a virtualized-or-sandboxed mode. In my case, & others like me, perhaps, I wouldn't need or want DS because I use DF and thereby exercise much the same discretionary responsibilities, and attain much the same results, as would be applicable if I were instead to use DS.

    NUTSHELL: DS & DF do relatively similar jobs -- prevention of undesired writing to one's HD -- but by somewhat different methods.
     
  21. ESQ_ERRANT

    ESQ_ERRANT Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    72
    Has anyone ever heard of the company that manufactures this product? I checked the site. Two addresses are given --

    USA Office (HQ):
    DriveSentry Inc,
    339 N. Bernardo Avenue, Suite 206
    Mountain View, CA 94043

    EU Office:
    DriveSentry Ltd,
    32a Stoney Street, The Lace Market,
    Nottingham, UK NG1 1LL

    -- But, there is no elaboration. The Company has set up its own forum and the first section is titled "Company News." But, when clicking on it, there is nothing. Apparently, this is a startup. That is okay, but I would like to know something about the principals. Slick website and forum to boot -- but nothing in the way of who, what, when, where and why. I'll stay clear of this in the absence of any information whatsoever on the people and/or company that markets this software.

    The only person indicated is someone referred to as "John" -- the administrator of the forum and there is nothing further given as to his identity. Isn't anyone curious as to who or what is behind "DriveSentry?"

    Re: AE -- it is a fine product. Telephone support is readily accessible and excellent. The program blocks every executable period, except for those pre-installed. Even, then, a particular executable may not be allowed, including some Microsoft update executables. But, these can be placed in the exempted folder or in trusted applications. To download any new program, simply turn off AE. Then turn it back on after installation. It would be nice if AE also protected against scripts as well as executables. But, there are programs like Wormguard or NoScript for those.
     
    Last edited: Nov 16, 2006
  22. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    611
    Location:
    Melbourne, Australia
    Prevx is based in Derby.

    DriveSentry's UK office is Nottingham, 10 miles away.

    The point I'm making is that most of the UK's ICT industry is down on the M3/M4 corridor, 200km away.

    Ian
     
  23. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    611
    Location:
    Melbourne, Australia
    Which 5 file types are recommended for protection?

    Ian
     
  24. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Iangh are PrevX and DriveSentry the same company? I've never been to the UK or USA so I cannot debate on their location.

    interact
     
  25. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Prevx has no relationship with DriveSentry.

    Until it was posted earlier in this thread I didn't even know they had an office in Nottingham.

    ghiser1
    Prevx Security Architect.
     