Playing with Cyber Hawk

Discussion in 'other anti-malware software' started by aigle, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. KikiBibi

    KikiBibi Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    173
    Now I can access the website. :D
     
  2. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Sorry for the trouble with our web site. We had some issues last night and early this morning which resulted in the site being down. We've addressed the trouble and all should be well now.

    Becky
     
  3. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    My wife recently (I assume it was her) somehow allowed installation of Starware Toolbar in Internet Explorer while actually surfing on FireFox on her Full Admin. User Account. An AVG ISS scan found it and I naturally eliminated it, but I also received an alert from Cyberhawk about an IE change for some reason after scan. My questions are: If CH detects any changes with IE then why did this alert come after the scan, and does it detect things like Starware ToolBar? I realize there is the possibility that my wife may have simply allowed the installation if CH popped up while she was on FireFox, but she doesn't remember any kind of an alert. I don't know much about Starware Toolbar or how it gets into someone's PC, so I just don't know for sure if it was indeed detected by CH initially or not. I hope I am clear on this for help from CH Support or anyone, and haven't confused you with my attempt to explain this. Thanks in advance. This isn't really a big deal to me, and I'm just curious about the alert I eventually received and then denied. I have unfortunately deleted the alert from my Protection Log, (sorry) but I do remember it mentioning there was an attempt being made to change something in Internet Explorer.
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: just went onto CH's web site, there is a very interesting chart; protection coverage illustrating comparison among a few well-known AVs, can it be possible that folks at Novatix publish report involving more well-known AVs? I look forward to seeing it. Thanks.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am not sure but I think might be ur wife accepted the install of toolbar when CH alerted her. When U uninstalled toolbar, again there were changes in IE so CH alerted you again. That seems OK.
     
    Last edited: Nov 2, 2006
  6. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    My Wife has done the same thing perhaps. But how could you blame her? I think this is the problem using HIPS. The user has to approve. Since these pop up screens confuse some people the tendency is for people who are not knowledgeable about this concept to approve everything & get on with their work.
     
  7. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO

    I see. Are you aware that you need to configure the .ini file to hide processes on a system with hxdef? What activity should Cyberhawk prevent if hxdef100.exe is run without configuring its ini file?

    If you go ahead and hide a process on your system with hxdef, you'll see that it is effectively killed once hidden.


    Kurt
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I know, but just test it that way...

    I can try it with the ini file...
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    With classical HIPS u may do like this but with a good behavioural blocker u should think more.
     
  10. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I am surely not upset with my wife, (She's the one that usually gets upset with me. LOL) and this is the second time the Starware ToolBar has been installed. The first time was awhile ago without Cyberhawk on board, or any HIPS running. I just want to be sure that CH detects these things, and I will show my wife what the CH alerts look like, and how to deny and remember the decision. She's pretty good at picking things up, so it shouldn't be much of a problem in the future. Apparently however, she isn't good at picking up on the fact that getting upset with me isn't working, as she hasn't stopped doing so over the 27 years we have been together. LOL. Thanks for everyone's input.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just wonder is there no AV on ur system. This spyware must be detected in real time by ur AV anyway.
     
  12. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    Yes, I wish it were that easy. ;)
    Unfortunately, if malware is not performing any malicious behavior on a system, Cyberhawk cannot detect it. Once activities appear on the system, like a process is being hidden, you'll see Cyberhawk prevent these malicious activities.

    If Cyberhawk were a signature based product, it might be able to recognize the hxdef100.exe binary immediately (if it weren't packed or perverted), without even running the file. But Cyberhawk is not signature based, so using hxdef as a test sample without hiding a process is not a valid test.

    Thanks for the interest!


    Kurt
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree. However, I have found that a pop-up by Cyberhawk has a 95%+ probability of alerting about a true nastiness. Other "classical HIPS" often cry wolf. Not so the Hawk.

    My guidance to my granddaughter for responding to a CH pop-up: "If in doubt, block it out." Of course, I have Image for DOS (IFD) backing her up. IFD enables her computer to invoke Groundhog Day anytime she wants it to. ;)

    Groundhog Day is a movie in which the main character finds himself repeating the same day over and over.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is the nice thing about SSM, you can detach the user interface.
     
  15. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    You are completely right!

    With this kind of threat, I should test it in a different way because CH is a behavior blocker...

    And about the keylogger detection?

    ;)
     
  16. Cyberhawk Support

    Cyberhawk Support Registered Member

    Joined:
    Oct 26, 2006
    Posts:
    140
    Location:
    Boulder, CO
    I think that you are referring to the delay in keylogging detection against Martin's? I agree with you that the delay seemed to be a bit lengthy. Yes, we reviewed some of Cyberhawk's monitoring and identification, and we believe that we can approach this type of keylogging more aggressively in an upcoming build.


    Kurt
     
  17. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    The program appears to be some kind of browser hijacking program that attempts to track your surfing habits and to send you pop up ads. One of those "nuisanceware" programs. :thumbd:
    http://www.spywareremove.com/removeStarware.html


    I doubt that an AV program was not installed nor being used since so many of them have been tested on the computer beforehand judging from the many comparison testing that was done. ;)
     
  18. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    aigle I also use AVG Security Suite 7.5, but the Spyware Guard it offers, which due to the thread here about the Suite makes me think it may not be the old Ewido Anti-Spyware, apparently only detected the Starware Bar during scan and not in real time. I may try to download the Starware bar to see if CH pops up, but if as you said CH must have detected another change after Quarantining it through AVG scan and then deleting it. I would also like to hear what CH Support has to say about this type of detection as well. The thing is my wife and I both only use FireFox, but I guess some Web Sites actually use Internet Explorer through FireFox, right? Anyway, I really like Cyberhawk, and I'm sure it will keep improving.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's surprising that Guard did not detect Starware bar in real time.
     
  20. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I know, you would think the old Ewido Anti-Spyware would detect it in RealTime, but as I mentioned it was brought to my attention here in this Forum in the AVG Security Suite thread, that the Spyware Component in the Suite may not be Ewido at all. It was somewhat confusing, at least to me, and I'm still not sure if it at least uses the scanning capabilities of Ewido. Of course since I have Cyberhawk on board as well, I'm not that worried. I would still like to hear from the folks in CH Support though, if Starware Toolbar and all Browser Hijackers are definitely stopped by CH. Take care aigle.
     
  21. korb

    korb Registered Member

    Joined:
    Mar 13, 2006
    Posts:
    150
    Location:
    singapore-thailand
    While I post on another thread about mem usage, every program CH examined the mem usage will increased from 5 plus mb to now it reached 11.61 mb. So if I were to have a lot of program, CH mem usage might shoot up to 20mb 30 mb in no time. I wonder is CH able to return its mem usage to stable/normal state. I will let it run for few hrs to see.

    PS: latest mem usage: examined 35 prog, phys: 11.61mb, virtual: 8.05mb.
    Let's see whether it stays around 11mb.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In the previous version (and possibly in the Pro version soon), you could add trusted processes. CB did not check those. I added my other security apps in this list to decrease mem usage.
     
  23. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Downloaded Starware ToolBar with Cyberhawk running; I didn't get any warning. After it installed I opened Internet Explorer, and when I tried a search with Starware CH did pop up an alert saying Explorer Bar Installed triggered by IEXPLORER. I then tested Winpatrol Free and Arovax Shield. Arovax Shield alerted me right away that something was trying to change my IE Parameters, but when I denied the change Starware still installed. WinPatrol Free however, with its lack of true RealTime, did alert me within two minutes after installation that two Starware Tool Bar dll's were trying to be installed which I denied, and when I checked IE no Starware ToolBar was present. I also waited until after I installed the Toolbar again to open WP Free up, and within two minutes I was alerted to the fact that Starware ToolBar was trying to change my IE Browser, and when I denied the change and opened up IE, Starware ToolBar again wasn't there. The last two times while using WP Free was while CH was also running which didn't alert me. I did have to manually uninstall Starware in Add/Remove Programs and run ccleaner to fully eliminate it, but I must say I liked the way WP Free not only alerted me to any changes, although not right away, and was so accurate in its descriptions of what was going on. I realize CH is looking at a bigger picture perhaps when it comes to Malware and Spyware, but I believe it should have alerted me to the two dll's that were trying to be installed correct? I'm not complaining as both seem to run fine together, but it would be nice to use CH which is RealTime, and despite this covers I believe more areas of my PC.
     
  24. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Nowadays majority of software vendors try to build heavy armored app, adding this, upgrade that, thinking the heavier the better, not so most of the time. WinPatrol, the cute scotty, has been quietly performing its duties, rainy or shine. It is the few security apps I still keep from the day 1. It works like National Guard, light and effective, although sometimes not speedy soon enough, it will eventually get job done. The plus version even more impressive. I used cyberhawk three times w/ different version, hoping this time around problem would go away. I am still awaiting THAT version. I guess when you are building a heavy-armored tank, missing bolt here and twisted nut there does create major headache. Cheers.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are not fair at all in ur comparison. It is much easier for WP to alert on toolbar as it has been programmed to check for new start up entries, new services and new IE add ons/ settings while CH is not designed for that. It will only alert new malicious attempts that is not an easy task. If u install Yahoo toolbar or google toolbar, WP will still alert u so what does it mean, Yahoo and Google toolbar are spyware?
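
Added example, not part of the thread and not WinPatrol's or Cyberhawk's code: a minimal polling change monitor of the kind the post above describes, which compares snapshots of registered add-ons and alerts on every difference without judging intent. The entry names, times and the 120-second poll interval are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    poll_time_s: int   # when the poll that noticed the change ran
    kind: str          # "added" or "removed"
    entry: str
    delay_s: int       # seconds between the change and the alert

def diff_snapshots(before, after):
    """Return (added, removed) entry names between two snapshots."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))

def run_monitor(baseline, changes, poll_interval_s, duration_s):
    """Replay (time_s, op, entry) changes against a polling monitor."""
    state = set(baseline)   # what is actually registered
    known = set(baseline)   # what the monitor saw at its last poll
    pending, changed_at, alerts, i = sorted(changes), {}, [], 0
    for now in range(poll_interval_s, duration_s + 1, poll_interval_s):
        while i < len(pending) and pending[i][0] <= now:
            t, op, entry = pending[i]
            (state.add if op == "add" else state.discard)(entry)
            changed_at[entry] = t
            i += 1
        added, removed = diff_snapshots(known, state)
        for kind, entries in (("added", added), ("removed", removed)):
            for e in entries:
                alerts.append(Alert(now, kind, e, now - changed_at[e]))
        known = set(state)
    return alerts

# Constructed data: entry names and times are illustrative only.
BASELINE = {"pdf-reader-helper"}
CHANGES = [
    (30, "add", "starware-toolbar"),      # unwanted toolbar
    (200, "add", "google-toolbar"),       # toolbar the user chose to install
    (400, "remove", "starware-toolbar"),  # cleanup is also a change
]

if __name__ == "__main__":
    for a in run_monitor(BASELINE, CHANGES, poll_interval_s=120, duration_s=600):
        print(a)
```

The wanted toolbar and the later removal raise the same kind of alert as the unwanted install, and each alert trails the change by up to one poll interval; an entry added and removed between two polls is never seen.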
     