YaGuard: Adds real-time system protection with the help of Yara

Discussion in 'other anti-malware software' started by novirusthanks, Mar 31, 2015.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    [Screenshot: yaguard-objects-blocked.png]

    Product page:
    http://www.novirusthanks.org/products/yaguard/

    In short, this program monitors process executions, DLLs and kernel-mode drivers and scans them in real time with your custom (precompiled) Yara signatures (http://plusvic.github.io/yara/). It is in its very first version and is mostly an experimental project. The program needs Admin rights to run for now. Some information about the installation (everything is explained in the Readme.txt file):

    1) You need to install (if not already installed) Microsoft Visual C++ 2010 Redistributable Package

    Download (x86):
    http://www.microsoft.com/en-us/download/details.aspx?id=5555

    Download (x64):
    http://www.microsoft.com/en-us/download/details.aspx?id=14632

    2) Check the bitness of your operating system and open the \X86\ (32-bit) or \X64\ (64-bit) folder accordingly

    3) Copy the file nvtyaguard.sys in C:\WINDOWS\system32\drivers\ folder

    4) Move the program folder to a folder that is accessible by everyone, such as C:\ or C:\Program Files\

    5) Double-click on the executable file YaGuard.exe

    6) Now if all goes well, you should see the program interface

    7) When an object is blocked it is logged in the text area present in the program interface

    Read the section "Test Demo Binaries" present in the Readme.txt file to test the program.

    **This program should be used by experienced users**
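    The installation steps above, as an added PowerShell example that is not part of the YaGuard package or of the post. It assumes the unzipped program folder contains X86\ and X64\ subfolders each holding nvtyaguard.sys (as steps 2 and 3 describe) and that you pass that folder as -SourceRoot; the destination folder name is an assumption. Besides copying the files it adds the checks a practitioner would want before dropping a kernel driver into system32: an elevation check, OS (not host) bitness detection, a SHA256 of the driver recorded before and verified after the copy, and a look at whether the driver carries an Authenticode signature.

```powershell
# Added example, not YaGuard's own installer. Assumed: $SourceRoot is the extracted
# program folder with X86\nvtyaguard.sys and X64\nvtyaguard.sys inside it.
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceRoot,                              # folder you unzipped YaGuard into
    [string]$DestRoot = 'C:\Program Files\YaGuard'    # assumed; any folder readable by everyone works
)

$ErrorActionPreference = 'Stop'

# The post says the program needs admin rights; writing to system32\drivers needs them too.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal] $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell.' }

# Step 2: choose the folder by OS bitness, not by the bitness of the PowerShell host
# (a 32-bit PowerShell on 64-bit Windows still reports Is64BitOperatingSystem = True).
$arch      = if ([Environment]::Is64BitOperatingSystem) { 'X64' } else { 'X86' }
$driverSrc = Join-Path $SourceRoot "$arch\nvtyaguard.sys"
if (-not (Test-Path $driverSrc)) { throw "Driver not found: $driverSrc" }

# Record the hash before copying so you can confirm later that the installed
# driver is the one you reviewed.
$hash = (Get-FileHash -Path $driverSrc -Algorithm SHA256).Hash
Write-Host "nvtyaguard.sys ($arch) SHA256: $hash"

# Report the Authenticode status. An unsigned kernel driver will not load on
# 64-bit Windows without test-signing mode, which is better known now than after a reboot.
$sig = Get-AuthenticodeSignature -FilePath $driverSrc
Write-Host "Driver signature status: $($sig.Status)"

# Step 3: place the driver where the post says the program expects it.
$driverDst = Join-Path $env:SystemRoot 'System32\drivers\nvtyaguard.sys'
Copy-Item -Path $driverSrc -Destination $driverDst -Force
if ((Get-FileHash -Path $driverDst -Algorithm SHA256).Hash -ne $hash) {
    throw 'Copied driver does not match the source hash.'
}

# Step 4: put the program folder somewhere every account can read it.
if (-not (Test-Path $DestRoot)) { New-Item -ItemType Directory -Path $DestRoot | Out-Null }
Copy-Item -Path (Join-Path $SourceRoot '*') -Destination $DestRoot -Recurse -Force

# Steps 5-7: launch the interface elevated; blocked objects appear in its log text area.
Start-Process -FilePath (Join-Path $DestRoot 'YaGuard.exe') -Verb RunAs
```

Run it as `.\Install-YaGuard.ps1 -SourceRoot C:\Users\you\Downloads\YaGuard` from an elevated prompt. The hash and signature lines are informational: the post does not say whether the driver is signed, so the script reports the status rather than enforcing it.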
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Will give it a play later.
     
  3. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    92
    Interesting! :)
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    This is exciting, novirusthanks. Very creative as well. I am very excited to play with this later tonight. I see a huge amount of potential here.
     
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    @novirusthanks


    May I offer a cross sell suggestion/commercial application to add extra power to NVT PRO

    1. NVT filters running processes, NVT gets an extra mode: maximum protection

    2. When the user launches a vulnerable process (e.g. a browser) and NVT is in maximum protection mode, NVT launches YaGuard

    3. The user can do things for which extra intrusion protection is good to have because of the impact (e.g. online banking via a browser); when closing the browser or leaving maximum protection mode, the YaGuard process is stopped again.

    You could start with browser, but extend this in future to other internet facing or rich content/scripting applications (mail, pdf, media player). Initial version only adds a tray icon notification and offers a log afterwards.


    Regards Kees
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Windows Security, I usually agree with you on most things, but why have extra modes/levels of protection which are really just preset profiles? Why not just make everything modular with tick boxes? That will allow the user to enable exactly which protection features they want to use. ERP went away from having all the different lock down modes, and everyone I'm aware of was pretty happy about the change. What do you think?
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    You got a point there: keep it simple is good practice.

    Just thought of a way on how to incorporate developer's work (Yaguard) into his main product (NVT).
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    It's clear Andreas must have a strategy, but not clear yet what that is.

    Pete
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Did you clean up the attic or garage and found your lost copy of Zen and the art of motorcycle maintenance? :D
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    ROFL. You are 100% correct, and I've been practicing. How did I do?
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Well, it is clear you understand the art of motorcycle repair, but not yet clear when Zen is going to hand over his bike for public release.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Okay, back to the serious.

    I am confused. Don't see what to download from where.
     
  13. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,289
    Location:
    England
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Do you have a plan to host something like a Yara signature repository so that average people can benefit from it?
    Otherwise it will only be beneficial for those who can analyze malware by themselves.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @Windows_Security

    Thanks for the suggestions, we are open to any suggestion/comment and soon we will discuss them. Not sure if it will be a good idea to integrate this into ERP since users may not be very experienced with Yara, but we'll see.

    @Yuki2718

    We have no intention, at the moment, to offer a Yara rules repository. This project can be useful to companies that already have access to premium/free Yara rules and want to add real-time protection to their systems easily with YaGuard. For example, if a 0-day malware is discovered and AVs have no rules yet and/or no AV is present, a company can create a Yara rule and load it into YaGuard for real-time protection. This is also a prototype/skeleton that can be integrated into other programs. We are already working on a project that may incorporate this.

    Below there are some links about free Yara rules repositories, may be useful to other users:
    https://github.com/AlienVault-Labs/AlienVaultLabs/tree/master/malware_analysis
    http://yararules.com/rules/
    http://yararules.com/
    https://yaragenerator.com/
    http://www.yara-generator.net/rules
    http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html
     
    Last edited: Apr 14, 2015
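    The workflow in the reply above (write a rule for a sample no AV catches yet, precompile it, load it into the real-time scanner), as an added PowerShell example that is not part of YaGuard or of the post. It assumes yara.exe and yarac.exe from an official YARA release sit in $YaraDir, and the rule's strings and byte patterns are constructed for illustration only; they describe no real malware family. How YaGuard picks up the compiled file is left to its Readme.txt. The step a practitioner would add before loading anything into a blocker is the last one: scan a directory of known-good binaries with the compiled rule, because a false positive here does not just raise an alert, it blocks a process, DLL or driver on every machine running the rule.

```powershell
# Added example, not YaGuard's own tooling. Assumed: yara.exe and yarac.exe are in $YaraDir;
# the rule content below is constructed and matches no real malware.
param(
    [string]$YaraDir  = 'C:\Tools\yara',                       # assumed location of the YARA binaries
    [string]$RuleFile = 'C:\Tools\rules\incident_0001.yar',    # assumed path for the source rule
    [string]$Compiled = 'C:\Tools\rules\incident_0001.yarc'    # assumed path for the compiled rule
)
$ErrorActionPreference = 'Stop'

# A rule for a hypothetical dropper. It anchors on the PE "MZ" header and a size cap and
# requires two of three artefacts, so a single string seen in a log or document cannot fire it.
$rule = @'
rule Incident0001_Dropper
{
    meta:
        description = "Constructed example rule for a hypothetical dropper"
        date        = "2015-04-14"
    strings:
        $mz      = { 4D 5A }                              // "MZ" DOS header
        $mutex   = "Global\\ex4mpl3-dr0pper-mtx" ascii wide
        $c2path  = "/gate.php?id=" ascii
        $keyblob = { DE AD BE EF 00 00 [4] CA FE BA BE }  // constructed pattern with a 4-byte wildcard
    condition:
        $mz at 0 and filesize < 2MB and 2 of ($mutex, $c2path, $keyblob)
}
'@
New-Item -ItemType Directory -Force -Path (Split-Path $RuleFile) | Out-Null
Set-Content -Path $RuleFile -Value $rule -Encoding ASCII

# Compile: yarac takes the source rule file and the output path; a syntax error exits non-zero.
& (Join-Path $YaraDir 'yarac.exe') $RuleFile $Compiled
if ($LASTEXITCODE -ne 0) { throw "yarac failed with exit code $LASTEXITCODE" }

# False-positive check before deployment: scan known-good system binaries with the compiled
# rule (-C loads a compiled file, -r recurses). Any output line is a file the rule would block.
$hits = & (Join-Path $YaraDir 'yara.exe') -C $Compiled -r "$env:SystemRoot\System32" 2>$null
if ($hits) {
    Write-Warning "Rule matched known-good files; do not load it into the blocker:`n$hits"
    exit 1
}
Write-Host "Compiled rule written to $Compiled with no matches in System32."
```

Extend the known-good corpus with the binaries your own fleet actually runs (line-of-business applications, your browser builds) before trusting the result; System32 alone is the floor, not a guarantee.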
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Andreas

    I've not done anything with this so far as it appears to be a bit of work, and I don't quite see what it brings in terms of protection.

    Pete
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @Peter2150

    No problem, it is mostly useful to users that already know/use Yara rules.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Okay, thanks Andreas
     
  20. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for the explanation, I can understand your intention somewhat. Also thanks for the links; though I know Yara somewhat, I didn't know most of them. It seems some of them are free, so those who want to combine them with YaGuard may benefit, though I don't know how and if you can auto-update rules.
     
  21. Mage

    Mage Registered Member

    Joined:
    Nov 4, 2010
    Posts:
    22
    The fact that you can block any executable object (library, process executable and driver) in real-time based on completely customized rules makes the potential much greater than preset rules for allowing/disallowing. It's much more versatile and flexible to the end-user. That's a concept that I can appreciate :thumb: Of course it's for experienced users only and you have to know how to write Yara rules yourself, or you could download rules that others are creating etc. The author of Yara is an employee of VirusTotal, that's why it's also used on virustotal.com among several other security services and products. It's a pretty useful tool in any malware researcher's tool belt
     
  22. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    Very nice project! I can see this becoming huge with some security-obsessed customers :)
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    Thanks for the feedback guys :)

    Tomorrow we should release a new version that supports DLL monitoring also on Windows XP and 2k3 OSs with some more enhancements. It'll also have an installer for automated installation, so more experienced users can quickly try it.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    New version has been released:

    [Screenshot: yaguard1.1.png]

    [13-04-2015] - v1.1.0.0

    + Added support for DLL monitoring on XP and 2k3 OS
    + Improved the kernel-mode driver
    + The program can now be installed via the setup file
    + The VC++ 2010 Redistributables are automatically installed
    + Added some useful buttons in the program interface
    + Minor fixes and optimizations
    + Improved the Readme.txt

    Product page:
    http://www.novirusthanks.org/products/yaguard/

    ** This program should be used by experienced users **
     