ALL-SEEING EYE

Published by kareldjag
All-Seeing Eye is another desktop Intrusion Prevention System, designed to monitor several areas of the system:

-processes,
-loading dlls,
-services/drivers,
-Browser Helper Objects (BHO),
-ActiveX,
-HostFile,
-Winsock LSP,
-registry keys,
-files and folders...
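To make the list above concrete, here is an added example (not part of this review and not code from All-Seeing Eye) that snapshots the same areas a monitor of this kind watches and reports what changed since a saved baseline. It assumes standard Windows registry locations for startup entries, BHOs and the Winsock LSP catalog, and a baseline file path chosen here for illustration; it only detects, which is exactly the limitation discussed later in the review.

```powershell
# Added example, not part of the review or the product: snapshot the areas the
# post lists (startup entries, BHOs, Winsock LSP, hosts file, services/drivers)
# and report what changed since the saved baseline. The state path is an assumption.
param([switch]$Baseline, [string]$StatePath = "$env:LOCALAPPDATA\watch-baseline.json")

function Get-MonitoredState {
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $startup = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Name -notin $psMeta } |
                ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
        }
    }
    # Browser Helper Objects are registered as CLSID subkeys of this key.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $bho = if (Test-Path $bhoKey) { (Get-ChildItem $bhoKey).PSChildName } else { @() }
    # Winsock LSP catalog entries are subkeys here.
    $lspKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
    $lsp = if (Test-Path $lspKey) { (Get-ChildItem $lspKey).PSChildName } else { @() }
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $hostsHash = if (Test-Path $hosts) { (Get-FileHash $hosts -Algorithm SHA256).Hash } else { '' }
    $services = Get-CimInstance Win32_Service      | ForEach-Object { "$($_.Name) = $($_.PathName)" }
    $drivers  = Get-CimInstance Win32_SystemDriver | ForEach-Object { "$($_.Name) = $($_.PathName)" }
    [ordered]@{
        Startup = @($startup | Where-Object { $_ }); BHO = @($bho); LSP = @($lsp)
        Hosts = @($hostsHash); Services = @($services); Drivers = @($drivers)
    }
}

$current = Get-MonitoredState
if ($Baseline -or -not (Test-Path $StatePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content $StatePath
    Write-Host "Baseline saved to $StatePath"
    return
}
# Compare area by area; a changed hosts file shows up as one hash removed and one added.
$saved = Get-Content $StatePath -Raw | ConvertFrom-Json
foreach ($area in $current.Keys) {
    $old = @($saved.$area); $new = @($current.$area)
    foreach ($x in $new) { if ($old -notcontains $x) { Write-Host "[$area] ADDED   $x" } }
    foreach ($x in $old) { if ($new -notcontains $x) { Write-Host "[$area] REMOVED $x" } }
}
```

Run it once with -Baseline on a clean system, then again after installing software or after a suspect session to see new startup entries, BHOs, LSPs, services or drivers.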

There is a free version with limited features, and a paid but more exhaustive version.
Only the free one is tested here.


CONFIGURATION: no specific rule (default settings).



Disclaimer: All-Seeing Eye is often effective at detecting events, but unfortunately does not include an option to block the action instantly.
In such cases, the result is counted as "failed".



***All-Seeing Eye is the winner against:

-Execution protection with leaktests.

-Joke test:
-launch several applications at the same time,
-open/close the CDRom drive,
-CDRom autorun test.

***All-Seeing Eye failed against:

-Process termination.

-dll injection with Zapass and Copycat.

-Process hijacking.

-Registry tests:
-with Regtest 1 and 2,
-with Scoundrel Simulator (detects only the start up entry).

-Finjan tests:

NB. All-Seeing Eye detects executables launched by the Finjan files (such as WScript.exe, packager.exe) but can't block the creation of the "You have been Hacked" folder.
With a specific rule for folder guard, it detects the creation of the folder but can't block it.

-Simulating a trojan with Trojan Simulator (can only remove the start up entry after the event).

-Data theft with Trojan Demo (detects only the execution of calc.exe, and can't block data from being stolen).

-API Manipulation:
-with APISpy32,
-with ExecuteHook (does not detect the hook, just the execution of notepad.exe),
-with Kapimon.

-Memory Manipulation:
-with UH,
-with Physmem.

-Service/driver Manipulation:
-service/driver installation (detects the event but can't block it),
-loading a driver with Kapimon (detects the event but can't block it).
Other tests (service termination, driver modification) are not possible, because ASE does not act as a service.

-Buffer/heap Overflow test.

-Deactivation Methods:
-trashcan/quarantine,
-blacklist.

CONCLUSION:

The Pros:

-effective as an application firewall (execution, loaded dlls and services/drivers...),
-anti-spyware abilities (BHO, start up entries),
-possibility to monitor specific files, folders and registry keys,
-color code per type of event (...)

The Cons:

-ineffective at blocking events (and therefore at blocking malware installation):
1. three mouse clicks to choose an answer/action,
2. no radical and simple choices for answers (such as block/allow now),
3. does not block the event temporarily while waiting for the user's decision,
4. alerts often come late, one or two seconds after the event;

-inefficient self-protection (easily terminated with the Task Manager!),
-does not act as a service,
-mostly based on detection,
-requires a little knowledge to distinguish suspect from legitimate events (for log events, for instance),
-only available in English (...)




COMMENTS:

Given the list of monitored system areas, All-Seeing-Eye is certainly effective software for controlling activity and detecting suspect events such as new dlls and BHOs, which are often a sign of spyware installation.
Unfortunately, All-Seeing-Eye is a powerful eye and radar, but without an arm or a missile!

This program is really frustrating: it has very interesting detection abilities, but does not provide simple and efficient features for blocking or suspending monitored events.

While processes can be terminated, events related to a dll or a driver, for instance, can't be blocked: for a driver, the user must click "temporarily ignore (during this session only, won't be authenticated)", and is warned repeatedly during the session.
Malware may need only one second to infect a system; is it really serious, then, to search for more information on the web while malware is trying to install itself?

An effective proactive or behavioral blocker must let the user answer in a simple, easy and effective way: one click, one second.
And most of all, the event must be temporarily blocked while waiting for the user's decision: that is not the case with All-Seeing-Eye.

Therefore I really doubt the efficiency of this product in a risky surfing environment (CWS domains, porn sites, e-mail Trojans, keyloggers used in phishing, etc.).
Since All-Seeing-Eye provides very limited options for blocking events, it can only be considered a blind alarm.
And this product is quite disappointing, because it has interesting detection abilities.
As a free product, AntiHook is much more recommended.
 


COMMENTS (originally in French):

All-Seeing-Eye is a new behavioral blocker, or personal HIPS.
It is available in a free version (the one tested here) and a paid version (with more options, among others for P2P).
Its main function is to act as a radar for the system, monitoring certain areas and alerting the user to any event likely to pose a risk to the integrity of the OS.

Monitoring of dlls, applications, browser extensions, startup keys, the hosts file and also services and drivers makes it an effective tool for flushing out the activity of certain parasites (spyware among others).
But in practice, All-Seeing-Eye proves ineffective at blocking the events it detects.

Used in a risky surfing environment (adult sites, booby-trapped pages and e-mails) conducive to the installation of parasites of all kinds, All-Seeing-Eye is likely to show certain shortcomings in blocking suspect behaviour.
Indeed, answering an alert requires three tedious clicks (the first of which is to unroll the list of permitted options!).
Moreover, the range of permitted answers does not allow an action to be blocked radically (with a "block now" type of option), and above all the detected event (such as the addition of a dll or a driver) is not temporarily suspended while waiting for a choice.
And in that case the option to query the web about a given event looks like complete nonsense (while the search is running, the malware quietly installs itself).

An effective behavioral blocker must:

- prevent any detected action until the user has validated their answer,
- offer simple and fast options and choices (one click, one second).

It has to be said that All-Seeing-Eye does not box in the same category as AntiHook and company...

In the end, while this program has some interesting characteristics for detection, it can quickly annoy the user: it is certainly a sharp eye, but without an armed arm; it is an effective alarm, but one that does not block the door: as long as this product offers so few blocking options, it will remain a mere radar.
AntiHook can be preferred to it without any regret.




RATING: 6/10