SAFE'N'SEC

Published by kareldjag aka Michel






Safe'n'Sec is a new product that provides effective activity control.

Every registry call made by an application is intercepted and reported to the user through an alert; in that sense, Safe'n'Sec works as a registry firewall.

Here is the stated target of this Russian product (extract from the PDF file):




Safe'n'Sec is also available in a bundle with an integrated antivirus (BitDefender).

Only the stand-alone version was used for this test (v1.1).

Setup is quick and easy, and requires a reboot.






TEST:



Rules:

-each test file is run by answering "allow current action now" to the alert,

-in "total control" mode,

-with this configuration:






***Execution control (with leaktests):


SafenSec was able to detect and block every leaktest action.

Every registry key used by a leaktest was shown exactly (so we can learn how they work!).

SafenSec is the winner.






***Process termination:


The SafenSec user-interface process was easily terminated.

But the service was still running and the system remained protected.

SafenSec is the winner (the service cannot be terminated).





***Dll implant/injection:


SafenSec does not have the ability to prevent this attack.

SafenSec failed (it does not protect itself against DLL injection).





***Process hijacking:


SafenSec can be hijacked.

SafenSec failed.




***API manipulation:


I was not able to run another instance of snsmcon.exe with APISpy32.

SafenSec is the winner.



-with the ExecuteHook demo: SafenSec only detected that Notepad.exe was launched.

SafenSec failed.



-with Kapimon: SafenSec failed.


SafenSec failed the API manipulation tests.




***Finjan Tests



-F.Demo: SafenSec detected all launched actions, including the creation of the folder.

SafenSec is the winner.







-F.VBS: SafenSec is the winner (all actions detected).






-F.JPG: SafenSec detected the packager (and other activities).

SafenSec is the winner.


SafenSec is the winner against the Finjan tests.






***Simulating a trojan with Trojan Simulator:



SafenSec detected the write to the Run key and stopped it easily.

SafenSec is the winner.








***Registry tests:



-Regtest1: SafenSec detected the registry calls made by Regtest and was able to block them all: SafenSec is the winner.





-Regtest 2 (reboot simulation): SafenSec detected the action, but the shutdown was not possible (the computer hung and I had to reboot it manually).

The result of this test cannot be determined.



-Scoundrel Simulator: SafenSec intercepted all actions and blocked all 5 tests.

SafenSec is the winner.



-with RegtickPro: SafenSec detected the registry access and can prevent the Task Manager from being disabled.

SafenSec is the winner.



-Reghide: when Reghide.exe is allowed to run ("allow current action now"), the hidden "Systems Internals" key is created and is not shown by SafenSec.

When the current action is blocked, the hidden key cannot be created.

But SafenSec failed because the "Can't touch me" value was not shown in the alert. (Reghide creates its key through the native API with a null character embedded in the name; any program that handles the name as a C string, Regedit included, stops at that null and never displays the rest.)



SafenSec is the winner against the registry tests.
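The registry-firewall behaviour exercised by the Trojan Simulator, Regtest, RegtickPro and Reghide tests above (alert on writes to the Run key, to the service keys, to the Task Manager policy, and on a key name that carries an embedded null) can be modelled in a short script. The following is an added example written for this review; it is not Safe'n'Sec code and not any of the test tools. The list of sensitive locations, the zone handling and the sample events are assumptions constructed for the example, and the Reghide event only mimics the symptom seen on this page: the "Can't touch me" part of the name vanishes from any C-string view of it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Zones as described in the review: each answer to an alert files the
# calling application into one of these.
TRUSTED, RESTRICTED, PARTIAL = "trusted", "restricted", "partially trusted"

# Registry locations whose modification deserves an alert. Assumed list for
# the example; the page itself names only the Run key, the service keys and
# the Task Manager policy.
SENSITIVE_PREFIXES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "auto-start (Run key)"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "auto-start (Run key)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services", "service/driver installation"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "system policy (e.g. DisableTaskMgr)"),
]


@dataclass
class RegEvent:
    process: str            # image name of the caller
    op: str                 # "create_key" or "set_value"
    key: str                # full key path; may carry an embedded NUL (Reghide)
    value: Optional[str] = None
    data: Optional[str] = None


def sensitive_reason(key: str) -> Optional[str]:
    """First sensitive prefix the key path falls under, if any."""
    k = key.upper()
    for prefix, reason in SENSITIVE_PREFIXES:
        if k.startswith(prefix.upper()):
            return reason
    return None


def is_hidden_name(key: str) -> bool:
    """The native API takes counted strings, so a key name may contain U+0000.
    Win32 callers that treat it as a C string stop at the NUL."""
    return "\0" in key


def win32_view(key: str) -> str:
    """What a NUL-terminated-string consumer (regedit, a naive alert box)
    would display for the same name."""
    return key.split("\0", 1)[0]


def decide(ev: RegEvent, zones: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is allow, block or alert."""
    zone = zones.get(ev.process.lower(), PARTIAL)
    if zone == TRUSTED:
        return "allow", "process in trusted zone"
    if zone == RESTRICTED:
        return "block", "process in restricted zone"
    reasons = []
    r = sensitive_reason(ev.key)
    if r:
        reasons.append(r)
    if ev.value and ev.value.lower() == "disabletaskmgr":
        reasons.append("attempt to disable Task Manager")
    if is_hidden_name(ev.key):
        reasons.append("embedded NUL in key name; regedit would show only "
                       + repr(win32_view(ev.key)))
    if reasons:
        return "alert", "; ".join(reasons)
    return "allow", "no sensitive location touched"


def answer_alert(zones: Dict[str, str], process: str,
                 allow: bool, always: bool) -> Dict[str, str]:
    """Model the alert answers: "... now" is one-shot, "... always" files the
    process into a zone so later events are decided without a prompt."""
    if always:
        zones[process.lower()] = TRUSTED if allow else RESTRICTED
    return zones


# Constructed sample events modelled on the tests described on this page.
SAMPLE_EVENTS = [
    RegEvent("trojansimulator.exe", "set_value",
             r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "TrojanSim", r"C:\ts.exe"),
    RegEvent("regtickpro.exe", "set_value",
             r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
             "DisableTaskMgr", "1"),
    RegEvent("reghide.exe", "create_key",
             "HKLM\\SOFTWARE\\Systems Internals\0Can't touch me!"),
    RegEvent("notepad.exe", "set_value",
             r"HKCU\SOFTWARE\Microsoft\Notepad", "iWindowPosX", "12"),
]


def run(events: List[RegEvent],
        zones: Optional[Dict[str, str]] = None) -> List[Tuple[str, str, str]]:
    """Decide every event in order; returns (process, verdict, reason) rows."""
    zones = {} if zones is None else zones
    return [(ev.process,) + decide(ev, zones) for ev in events]


if __name__ == "__main__":
    for proc, verdict, reason in run(SAMPLE_EVENTS):
        print(f"{verdict:5s} {proc:20s} {reason}")
```

The point of `win32_view` is the Reghide result above: a monitor that intercepts the call at the native layer sees the whole counted name and can refuse it, but an alert box that formats the name as a C string shows only the part before the null, which is exactly what the "Can't touch me" value missing from the alert looks like.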




***Memory manipulation/modification:



-with UH:

SafenSec cannot prevent its own process memory from being read, written or modified.

SafenSec failed.





-with Physmem:


SafenSec was not able to deny access to the physical memory device.

SafenSec failed.





SafenSec failed the memory manipulation tests.





***Data theft (with the Trojan demo):



SafenSec detected every action made by the trojan demo and was able to block the data theft.

SafenSec is the winner.





***Service/driver manipulation:



-Installing a service: SafenSec detected the write to the service registry keys and is also able to block it.

SafenSec is the winner.



-Service termination: I was not able to stop or suspend the service with TakeControl or EkinX.


I consider that SafenSec is the winner.




-service/driver modification: SafenSec is the winner (good self-protection).



-unloading a driver: SafenSec did not detect that Kapimon loaded its Trace.sys driver.

SafenSec failed.




SafenSec is the winner against the service/driver manipulation tests.





***CDROM autorun:



SafenSec detected the CD-ROM autorun and prevented it from running.

SafenSec is the winner.





***Fakes/Jokes tests:



-open/close the CD-ROM drive: SafenSec detected the current action and was able to block it ("block always this current action"): SafenSec is the winner.



-Launching several Windows applications at the same time: each application was detected before running and was blocked by SafenSec: SafenSec is the winner.




SafenSec is the winner against the jokes tests.






***Buffer/Heap overflow:



SafenSec detected the calls made by SDTester but not really the buffer overflow itself, and it also failed the OverflowGuard test.






SafenSec failed the buffer/heap overflow tests.




***Deactivation methods (with Autorun3):



-trachscan: SafenSec is the winner.


-Blacklisting: SafenSec failed.



SafenSec failed against the deactivation methods.






CONCLUSION:













***The pros:



-as a registry/application firewall, SafenSec is one of the most impressive of all the products tested (total mode). It provides really powerful activity control over the system,


-effective self-protection (the service cannot be terminated),


-effective protection during boot,


-runs as a system-start service (more effective during boot than an auto-start program),





-easy and intuitive configuration of programs, applications and actions (three zones: trusted, restricted, partially trusted/restricted; each kind of answer to an alert files the application into one of these zones),


-answers to alerts: "current action" and "on this session" are already checked, so we just have to click "allow" or "block" (it is important to answer quickly in the case of a suspect event),


-process termination utility,


-excellent support and a responsive team,


-nice graphical interface,


-exhaustive information for the user: PDF on the web site and help file in the setup package,




***The cons:



-consumes too many resources,


-does not protect against advanced attacks and threats,


-more detection than prevention (so it requires an experienced user and many interventions to answer alerts),


-very minor bugs in the translation: SafenSec likes to remind us that it is a Russian product!








COMMENTS:


SafenSec is a new product that could be interesting for the user who wants:

-complete protection with the best value for money (full package with the antivirus),

-to control the activity on his system.


While the "total mode" is really effective at controlling activity, it requires the user to have the know-how to distinguish legitimate behaviours from suspect ones.

I tested this product for the first time at the end of 2004 and the trial was a real torture (no help file, internet connection needed, searching for the activation key...).

And it is a good sign to notice that the SafenSec team has taken users' opinions into consideration (on the Wilders forum for instance) and many improvements have been made since last year (easier and quicker installation, manual, support etc.).



NB: I would like to say a big thanks to Konstantin, who sent me a special 30-day trial for my test (the standard one lasts only 10 days).




COMMENTS (French section, translated):



Safe'n'Sec is a Russian program from a company specialising in protecting software licences against piracy and other counterfeiting.

Safe'n'Sec exists in two versions, one with the integrated BitDefender antivirus, and the other with Safe'n'Sec alone.


Safe'n'Sec is above all an activity controller based on so-called "proactive" technologies.

Its control operates at the level of registry calls, where every activity is intercepted and then reported to the user by an alert.

Running as a service for greater effectiveness and security, it works in three administration modes: trusted, normal (strict) and total, the last being the mode in which Safe'n'Sec shows rather impressive precision.

Each answer to an alert automatically files the action/application into one of three distinct zones: trusted/allowed, restricted (forbidden) and partially allowed.


While it is able to detect a parasite's activity, only an experienced user capable of telling legitimate activity from suspect activity can really exploit its full potential.







RATING: 8/10



















