GENERAL POINTS

Published by Kareldjag aka Michel

ABSTRACT

Classical defenses based on antivirus, anti-trojan and anti-spyware scanners have shown their limits against advanced threats such as worms, network backdoors and rootkits.
Computer security has to evolve in a more innovative and more efficient way.
Among the many scanner products, there are some interesting programs that try to prevent all kinds of threats without a signature database.
ProcessGuard, Viguard and System Safety Monitor are some of them.
I will test each of them with several attack and threat demonstration tools.

DISCLAIMER

These tests are totally independent: I have no commercial relationship with any vendor,
and I am not a beta-tester for any of them.
These tests have been made seriously and rigorously,
but mistakes are still possible.
All versions of the tested programs were obtained legally:
- full specific version from the editor and trial version for paid products,
- as freeware for personal use for some of them.

In all cases, these tests are just personal tests.
They have no other pretension at all, and I just hope they will be appreciated by users and could help them to form an objective and neutral opinion.

RATING

The final rating takes into consideration:

* objective results of the different tests,
* objective and subjective criteria and parameters:
- graphic interface,
- memory in use,
- ease of use,
- advanced features and rules for experienced users,
- best value for money,
- quality of the support (forum or not, papers, FAQ and information on the web site),
- quality of the package (installer, help files),
- languages available (minimum: English, Spanish and French),
- the degree of protection,
- prevention vs detection features...

METHODOLOGY

* Some products record files as trusted during the setup,
* test files are Win32 executables,
* the majority of the tested products have executable filtering features.

Therefore:

- most of the test utilities are run from a floppy disk or a CD-ROM (except specific programs like Kapimon, Autorun, Farces et Attrapes and the buffer overflow test files),
- executables are allowed to run with a "once" (one-time) permission.
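
To make the two points above concrete (trust recorded at setup, one-time permission for a test executable), here is a small model of an execution-control policy. It is an added illustration written for this page, not code from ProcessGuard, Viguard, System Safety Monitor or any other product; the file contents and paths are constructed samples, and the hypothetical `ExecutionPolicy` class is my own. It shows why such a product should identify a program by its content hash rather than by its name or path: a leaktest copied over a trusted name, or a trusted binary that has been modified, no longer matches the hash recorded at setup.

```python
"""Minimal execution-control policy: trust recorded at setup, plus one-time
permissions for test executables. Added illustration for this page; not the
code of any product tested here."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for on-disk Win32 executables: path -> file bytes.
SETUP_FILES = {
    r"C:\WINDOWS\explorer.exe": b"MZ explorer (constructed sample)",
    r"C:\Program Files\Tool\tool.exe": b"MZ tool (constructed sample)",
}
LEAKTEST = b"MZ copycat leaktest (constructed sample)"   # run from a floppy


def fingerprint(content: bytes) -> str:
    """Identify an executable by its content hash, never by its path or name."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class ExecutionPolicy:          # hypothetical class, not a product API
    trusted: set = field(default_factory=set)    # hashes recorded at setup
    run_once: set = field(default_factory=set)   # hashes granted a single run

    def record_trusted_at_setup(self, files: dict) -> None:
        for content in files.values():
            self.trusted.add(fingerprint(content))

    def grant_once(self, content: bytes) -> None:
        self.run_once.add(fingerprint(content))

    def decide(self, path: str, content: bytes) -> str:
        h = fingerprint(content)
        if h in self.trusted:
            return "allow"
        if h in self.run_once:
            self.run_once.discard(h)     # consumed: the next run prompts again
            return "allow-once"
        return "prompt"                  # unknown executable: ask the user / block


def demo() -> list:
    """Decisions for: trusted file, leaktest (once), leaktest again, tampered file."""
    policy = ExecutionPolicy()
    policy.record_trusted_at_setup(SETUP_FILES)
    policy.grant_once(LEAKTEST)
    explorer = SETUP_FILES[r"C:\WINDOWS\explorer.exe"]
    tampered = explorer + b" patched"    # same path, different content
    return [
        policy.decide(r"C:\WINDOWS\explorer.exe", explorer),
        policy.decide(r"A:\copycat.exe", LEAKTEST),
        policy.decide(r"A:\copycat.exe", LEAKTEST),
        policy.decide(r"C:\WINDOWS\explorer.exe", tampered),
    ]


if __name__ == "__main__":
    print(demo())
```

The first call is allowed because the hash was recorded at setup, the second is the "once" permission used in these tests, the third shows the permission has been consumed, and the fourth shows that a modified binary at a trusted path is treated as unknown.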



The final goal of a test is not to see whether the product can detect or block it;
it is principally to see how the product reacts and what its behaviour is.

NB: we cannot forget that test files launched in a test environment behave differently from real malware in everyday use.

In all cases, I disabled some of my own protections to limit any risk of error in the results.
Tests were made on Windows XP SP2 with all patches, on 3 different computers:
- AMD 3000 with 1024 MB RAM,
- AMD 2600 with 256 MB RAM,
- Intel P4 3.2 GHz with 512 MB RAM.

TEST UTILITIES

*** Execution Protection with Leaktests:

We will test the executable detection ability of the program (not its ability to detect which method is used by the leaktest):
- Copycat,
- DNSTester,
- Ghost.

The winner is the program which can detect and block the leaktest.

*** Terminate and Suspend a Process:

We will try to terminate or suspend the running program:
- classic and hard method: ProcX and APT,
- "bazooka" method: CopyLock (only if the first test has failed, and for some products).

The winner is the program which cannot be terminated.

*** Implant/Inject a DLL in a process (DLL injection): Zapass or Copycat.

We will try to inject a DLL implant into a process and establish a connection with the affiliated program.
The winner is the program which can prevent this attack and identify it precisely.

*** Hijack a process with a DLL: Hijack test: we will try to hijack a program by injecting a DLL into a process.

*** API Manipulation (hooking):

- APISpy32:
We will try to launch the program by using API calls.
The winner is the program which can block another instance of itself from running.

For specialized products:
- Kapimon: the winner is the program which can prevent API hooking on the system.
- Executehook: the winner is the program which can detect hooking attempts and Notepad's hooks.

*** Scripts and Data Attacks (Finjan test): Finjan Test Files.

These three tests create a new folder named "You have been hacked" on the desktop (Windows Scripting Host is enabled for running the VBS test):
- Finjan VBS Demo,
- Finjan JPG Demo,
- Finjan Tetris Demo.

The winner is the program which can detect and prevent the creation of the new folder.

*** Registry test:

- Regtest (attempts to reach the Run keys and simulates a real reboot),
- ScoundrelSimulator (adds a new startup key, disables regedit, etc.).

If the program has a powerful registry protection:
- Disable Windows Task Manager: RegTickPro,
- Add a hidden key: RegHide.

The winner is the program which can detect and block the calls to these keys.

*** Simulate a trojan (client/server + startup in the registry): TrojanSimulator.

The winner is the program which can detect and block the startup key which installs the server.

*** Memory Manipulation: we will try to read, write and modify the memory of the program:

- Memory modification and writing: UH.
The winner is the program which can prevent its own process from being read, written or modified.

- Access to physical device memory: PhysMem.
The winner is the program which can detect and block the memory access attempt.

*** Data theft: TrojanDemo:

We will try to copy all the personal files and report them in an HTML page (we suppose that Windows was not as hardened as it should be: telnet, FTP).
The winner is the program which can detect the access to the Task Manager, Telnet, FTP or the personal folders.

*** Service/driver Manipulation:

- Install a service: FSGuard or SVCGuard (System Safety Monitor service, but not necessary for the recent version): we will just install the program and the service.
- Stop a service: Take Control, APT or EkinX (we will try to stop the service directly).
- Modify a service/driver: SDTRestore.
- Unload a driver: with Kapimon.

The winner is the program which can detect and block the installation, termination and modification of the service.
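
The registry test, the TrojanSimulator test and the service installation test above all leave traces in the same few registry locations (Run keys, the Task Manager / regedit policy values, and the Services keys), which is why a before/after registry comparison is a useful complement to watching the product's alerts. The following is an added illustration of that Regshot-style comparison with a triage of the changes; it is not Regshot's code nor that of any product tested here. Both snapshots are constructed: the `HIPSAgent` startup entry, the `TrojanServer` entry, the `trojansim.exe` path and the `BANG` service values are sample data (the `BANG` service name and `bang.sys` come from the Bang test described later on this page).

```python
"""Regshot-style comparison of two registry snapshots, with triage of the
change types exercised by the registry, trojan-simulator, service and
startup-entry tests. Added illustration on constructed data; not the code of
Regshot or of any product tested here."""
import re
from dataclasses import dataclass

# Constructed snapshots: key path -> {value name: data}.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"

BEFORE = {
    RUN: {"HIPSAgent": r"C:\Program Files\HIPS\agent.exe"},     # hypothetical protection entry
    POLICIES: {},
    SERVICES + r"\Eventlog": {"Start": 2},
}
AFTER = {
    RUN: {"TrojanServer": r"C:\WINDOWS\trojansim.exe"},         # HIPSAgent entry has been removed
    POLICIES: {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    SERVICES + r"\Eventlog": {"Start": 2},
    SERVICES + r"\BANG": {"ImagePath": r"C:\test\bang.sys", "Type": 1},   # Type 1 = kernel driver
}

# (key pattern, value-name pattern or None, why the change matters)
WATCH = [
    (r"\\CurrentVersion\\Run(Once)?$", None, "startup entry (persistence)"),
    (r"\\Policies\\System$", r"^Disable(TaskMgr|RegistryTools)$", "disables Task Manager / regedit"),
    (r"\\CurrentControlSet\\Services\\[^\\]+$", None, "service or driver install/modification"),
]


@dataclass(frozen=True)
class Finding:
    change: str     # "added", "removed" or "changed"
    key: str
    name: str
    old: object
    new: object
    note: str       # triage label from WATCH, or "other"


def classify(key: str, name: str) -> str:
    """Map a changed value to the first matching WATCH rule."""
    for key_re, name_re, note in WATCH:
        if re.search(key_re, key, re.IGNORECASE) and (
                name_re is None or re.match(name_re, name, re.IGNORECASE)):
            return note
    return "other"


def diff_snapshots(before: dict, after: dict) -> list:
    """Return every value added, removed or changed between two snapshots."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                change = "added"
            elif name not in new:
                change = "removed"
            elif old[name] != new[name]:
                change = "changed"
            else:
                continue
            findings.append(Finding(change, key, name, old.get(name),
                                    new.get(name), classify(key, name)))
    return findings


def demo() -> list:
    return diff_snapshots(BEFORE, AFTER)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.change:8} {f.key}\\{f.name}: {f.old!r} -> {f.new!r}  [{f.note}]")
```

On the constructed data this reports the two policy values that disable Task Manager and regedit, the removed protection startup entry, the added trojan startup entry, and the new kernel driver service; the unchanged Eventlog service produces nothing. Snapshots taken on a live system also contain harmless noise (MRU lists, timestamps), so a triage table like `WATCH` is what turns a raw diff into something readable.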







*** CD-ROM Autorun:

We will run a CD-ROM with an autorun (CDStart.exe).
The winner is the program which can detect and prevent cdstart.exe from running.
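
What an inserted disc will launch is decided by its autorun.inf, so a defender (or a product in this test) can know in advance which executable the autorun would start. The parser below is an added illustration written for this page, not code from any tested product: it reads the `[autorun]` section, lists every launch the file requests (`open=`, `shellexecute=` and `shell\verb\command=` entries, noting the default verb), and checks the CD-ROM bit of the `NoDriveTypeAutoRun` policy mask (bit 5, since `DRIVE_CDROM` is 5). The sample autorun.inf is constructed; `CDStart.exe` is the name used in the test above, everything else in it is made up.

```python
"""Parse an autorun.inf and list what Windows would execute from it on
insertion; also check the NoDriveTypeAutoRun policy for CD-ROM drives.
Added illustration on a constructed sample; not code from any tested product."""

# Constructed sample autorun.inf (not taken from any real disc)
SAMPLE_AUTORUN_INF = r"""
; comment lines are ignored
[AutoRun]
open=CDStart.exe /autorun
icon=setup.ico
shell\install\command=setup.exe /s
shell\install=&Install
shell=install
"""

DRIVE_CDROM_BIT = 1 << 5   # NoDriveTypeAutoRun bit for DRIVE_CDROM (value 5)


def parse_autorun_section(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section (names lower-cased)."""
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def executable_of(command: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_launches(text: str) -> list:
    """(trigger, executable, full command) for every auto-launch the file requests."""
    values = parse_autorun_section(text)
    launches = []
    for key in ("open", "shellexecute"):
        if key in values:
            launches.append((key, executable_of(values[key]), values[key]))
    default_verb = values.get("shell", "").lower()
    for key, val in values.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            tag = " (default verb)" if parts[1] == default_verb else ""
            launches.append(("shell\\%s\\command%s" % (parts[1], tag), executable_of(val), val))
    return launches


def cdrom_autorun_masked(no_drive_type_autorun: int) -> bool:
    """True when the policy mask disables autorun for CD-ROM drives."""
    return bool(no_drive_type_autorun & DRIVE_CDROM_BIT)


if __name__ == "__main__":
    for trigger, exe, cmd in autorun_launches(SAMPLE_AUTORUN_INF):
        print(f"{trigger}: would run {exe!r} via {cmd!r}")
    print("CD-ROM autorun masked by 0xFF:", cdrom_autorun_masked(0xFF))
```

The parser keeps the `open=` and the `shell\...\command=` launches separate because they fire at different moments (insertion versus a double-click or context-menu verb), which matters when judging what an execution-protection product should have intercepted.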







*** Fakes/jokes Test:

Open/close the CD-ROM drive and launch several Windows applications at the same time: Farces et Attrapes.
The winner is the program which can detect and block the CD-ROM drive or the Windows applications from running.

*** Buffer/Heap Overflow Test (Stack/Heap):

- SDTest (by StackDefender),
- OvflowGuard tester (by OverflowGuard).

*** Deactivation methods: Autorun3:

- Trashcan: a kind of quarantine,
- BlackListing: A3 will prevent this program from running (by automatically wiping the process).

The winner is the program which cannot be moved to the quarantine and cannot be deleted automatically.

NB: if two or three programs have the same rating, a few other tests will be added to distinguish them and define the final winner.

*** Rootkit test with HackerDefender 1.0.0.

By running various commands, we will see how the software reacts against HXDEF.
When the rootkit is running, it is detected by a specialized tool like UnHackMe.
The HXDEF service is also running (and can also be hidden).

*** Hiding/spoofing a process:

We will use this rootkit method (used by FU for instance) with a specific tool against Windows Explorer (Explorer.exe).
When explorer.exe is spoofed, ProcX cannot calculate its MD5,
and Filemon cannot report its information.
But the hidden process is easily detected and removed with a specialized tool.
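
The "specialized tool" approach for the HackerDefender test and for the hidden/spoofed process test rests on the same idea: take the process list from two vantage points (what Task Manager-style tools see through the normal API, and a lower-level enumeration such as a PID scan) and report where they disagree. The following is an added illustration of that cross-view comparison, not the code of UnHackMe, ProcX, Filemon or any product tested here. Both process snapshots are constructed; the `rootkit-sample.exe` name and its path are made up, and PID 1044 models the spoofed explorer.exe whose image information can no longer be resolved.

```python
"""Cross-view detection of hidden or spoofed processes: compare a high-level
process list with a low-level one and flag the differences. Added illustration
on constructed snapshots; not the code of any tool named on this page."""
from dataclasses import dataclass

# Constructed snapshots: pid -> (image name, image path or None if unreadable)
API_VIEW = {                       # what Task Manager-style enumeration returns
    4: ("System", None),
    1044: ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    1632: ("notepad.exe", r"C:\WINDOWS\notepad.exe"),
    1900: ("cmd.exe", r"C:\WINDOWS\system32\cmd.exe"),
}
LOW_VIEW = {                       # what a lower-level enumeration (e.g. PID scan) returns
    4: ("System", None),
    1044: ("explorer.exe", None),  # spoofed: image can no longer be resolved
    1632: ("notepad.exe", r"C:\WINDOWS\notepad.exe"),
    2208: ("rootkit-sample.exe", r"C:\sample\rootkit-sample.exe"),  # hidden from API view
}
# PID 1900 is in the API view only: it may simply have exited between snapshots.


@dataclass
class CrossViewResult:
    hidden: list      # in the low-level view only: classic rootkit hiding
    mismatch: list    # in both views with different name/path: spoofing or tampering
    transient: list   # in the API view only: re-scan before drawing a conclusion


def cross_view(api: dict, low: dict) -> CrossViewResult:
    """Compare two process snapshots taken as close together as possible."""
    hidden = sorted(pid for pid in low if pid not in api)
    transient = sorted(pid for pid in api if pid not in low)
    mismatch = sorted(pid for pid in api if pid in low and api[pid] != low[pid])
    return CrossViewResult(hidden, mismatch, transient)


def confirm_hidden(first: CrossViewResult, second: CrossViewResult) -> list:
    """A PID hidden in two consecutive passes is a confirmed finding, not a race."""
    return sorted(set(first.hidden) & set(second.hidden))


def demo() -> CrossViewResult:
    return cross_view(API_VIEW, LOW_VIEW)


if __name__ == "__main__":
    result = demo()
    print("hidden:", result.hidden)
    print("mismatch (possible spoofing):", result.mismatch)
    print("only in API view (re-check):", result.transient)
    print("confirmed after second pass:", confirm_hidden(result, demo()))
```

The `transient` bucket is there because processes legitimately start and exit between the two enumerations; a second pass (`confirm_hidden`) separates that noise from a process that is consistently visible only at the low level, which is what the rootkit tests on this page are looking for.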














*** Libraries manipulation:

With DependencyWalker, we will try to manipulate the process execution of the program.

*** Disabling the startup entry:

With Autorun3, we will prevent the program from running at reboot by disabling its startup registry key.

*** Launching an HTTPS connection (with Kapimon):

From a command line, Kapimon will inject code into Internet Explorer to get an HTTPS connection to the VeriSign web site (the behaviour is quite similar to some leaktests).

*** Crash the system instantaneously:

With Bang, we will try to crash the system instantaneously:
"the system will crash within a second with the crash code 0.DEADDEAD.
Bang.exe dynamically installs OSR's Bang.sys driver as a service named BANG... this driver crashes the system when it is run..."

NB: all these tests represent a kind of attack and method which are used by real malware:
startup entries for basic trojans, DLL injection by CoolWebSearch trojans and rootkits, hooks by keyloggers or rootkits, access/copy files and buffer overflows by worms, service/driver installation by rootkits, data theft by worms, etc.

The "Jokes test" shows what a hacker can do when he has gained access and total control of a PC.
The "CD-ROM autorun" test shows a possible infection vector from external drives (CD-ROM/floppy disk), by autoexevirus for instance.

For more information:
- take a look at this page from DiamondCS,
- or download (click on "download paper") this excellent PDF by Candid Alex WUEST (from the SANS Institute).

Free tools used during the tests:

- Srip32: to take screenshots,
- YKill: process information,
- Regshot: for registry comparisons,
- EkinX: for running services/drivers,
- Ethereal: to detect whether suspicious data is sent,
- Filemon: to intercept process activity,
- Jetico Firewall: to control some tests which require internet access (Data Theft, Hijack test, Copycat).

NB: none of these demonstration tools is dangerous in itself,
but some of them must be used with caution (some can crash the system, like Kapimon).
In advance, sorry for my English.