Question about Mamutu

Discussion in 'other anti-malware software' started by Hungry Man, Nov 28, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    What exactly is being monitored specifically?

    For something like creation of autostart entries that's really "Adding an entry to the registry" or to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\

    And for manipulation of the hosts file it would be "Writing to the hosts file in \etc\hosts" or something.

    I am just wondering what API calls are being intercepted when that's the case or what else is being monitored specifically.

    ex: I don't know what "Spyware behavior" entails - I'd like an indepth explanation.

    in short, what specific actions compose each of these behaviors?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No one's got a link?
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Nope. At least, I don't.
    Their knowledge base articles are pretty much 'starter level' info pages.
    I've never found any more specific info than what's posted above (their forum doesn't provide more in-depth info either).
    I'd contact dev Fabian Wosar (fw at emsisoft.com) for deeper info on Mamutu, not sure what they are willing to provide though.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I don't really think they would provide the rule sets or heuristics they use, that could compromise the product i guess and as a business that is bad :rolleyes:
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Something like Mamutu could easily be reverse engineered in terms of behavioral blocking attributed to kernel calls - whitehats/ security companies do this all of the time to malware or AVs even. Heuristics rules can often be reverse engineered as well (just test different things that might break rules) though scoring based on those rules is much more complex.

    You can't tell the entire program but if you know "This call infects the computer" and "This program stops infections" it's easy to say "It's probably that call."

    I'll try contacting a dev, thanks. IDK why they won't even give a simple explanation - I don't necessarily need something as low as the API but it would be nice to know what "spyware behavior" actually entails.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Yeah, I tried finding some more detailed info on them as well, but couldn't find it. I do know that behaviors from that list are more a combination of action/behaviors, for example, for the Keylogger behavior warning to appear, an executable needs not only to log keystrokes, but also connect to the internet.
     
  7. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Briefly, "spyware behavior" entails the behavior of an component, not the specific sequence of bytes in that
    components binary representation.

    An example of "spyware behavior" would be an component, and/or unknown component, monitoring user behavior and/or
    interacting with another component, such as an Web Browser, monitoring that components behavior and/or the users
    interactions with that component, then/or petitioning calls to the Windows Application Programming Interface (API) that
    can potentially leak information about that behavior, such as petitioning calls to save the data to an file and/or
    transmit that information to an Remote Host.


    EDIT: clarity


    HKEY1952
     
    Last edited: Dec 1, 2011
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I see. Thank you.

    There are quite a few of them that are fairly vague but I suppose I can just do some research.
     
  9. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    You are welcome Hungry Man


    HKEY1952
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are academic papers out there regarding listing high level malware behaviors, but unfortunately for those papers I've looked at there is apparently no publicly available program or code.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'd like to see them if you have them. The code is less important - if I can see what the behaviors are specifically I can figure out the code.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There is definitely one free paper available on this but I don't remember its name; I don't recall if it is specific enough to be useful to you. Maybe check the references in paper "Behavior abstraction in Malware analysis" or do this Google search "high level" malware behavior filetype:pdf or maybe malware behavior filetype:pdf.
     
    Last edited: Dec 3, 2011
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Will do thanks.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    There is also one free paper (at least) that lists the behaviors found most commonly in malware.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There's at least one more, because that isn't the one that I remembered.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It's "Tracer: Enforcing Mandatory Access Control in Commodity OS with the Support of Light-Weight Intrusion Detection and Tracing."
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Oh yes that. I've read that.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Anyone have a whitepaper on mamutu maybe?

    I'm also interested in any tests witih Mamutu vs Malware. Videos, papers, whatever.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    For videos i guess some amateur Youtube videos would work :D
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'll take them =p
     
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    I've used Mamutu for almost 2 years because it was recommended here and because of the reputation of the company behind it, Emsisoft. I've looked for more information about the program and for testing, without much luck. If you find anything Hungry Man I'd be interested in reading about it.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'll send you a PM if I find anything of interest.

    I used Mamutu as well and liked it. I'm curious as to how effective a pure behavior blocker can be.
     
Thread Status:
Not open for further replies.