ANTIHOOK

Published by kareldjag aka Michel

AntiHook is another Desktop Intrusion Prevention System which can help the user to control normal applications and to detect suspicious ones.

AntiHook targets principally spyware (it detects BHOs, ActiveX controls and new IE modules) and advanced attacks (dll injection, memory area modification, etc.).
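As an added, defender-side illustration (this script is not part of the review and is unrelated to AntiHook's own code): the BHO detection the review credits AntiHook with can be approximated by baselining the registry keys where Internet Explorer Browser Helper Objects are registered, then reporting new or modified entries on later runs. The baseline file location is this example's assumption; it needs Windows PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the original review): baseline-and-diff check of the
# Internet Explorer Browser Helper Object (BHO) registrations.
# First run writes a baseline; later runs report BHOs that are new or whose DLL changed.
# $BaselinePath is an assumption of this example.
param(
    [string]$BaselinePath = "$env:USERPROFILE\bho-baseline.json"
)

# Registry locations where BHOs are registered (64-bit and 32-bit views).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoEntries {
    $entries = @()
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # Resolve the CLSID to the DLL that Internet Explorer would load for this BHO.
            $dll = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = (Get-ItemProperty $srv).'(default)'
                    break
                }
            }
            # Hash the DLL so a swapped binary behind a known CLSID is also reported.
            $hash = $null
            if ($dll -and (Test-Path $dll)) {
                $hash = (Get-FileHash -Algorithm SHA256 -Path $dll).Hash
            }
            $entries += [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Sha256 = $hash }
        }
    }
    return $entries
}

$current = Get-BhoEntries

if (-not (Test-Path $BaselinePath)) {
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
    Write-Host "Baseline written with $($current.Count) BHO entries to $BaselinePath"
    exit 0
}

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in $baseline) { $known[$b.Clsid] = $b.Sha256 }

foreach ($e in $current) {
    if (-not $known.ContainsKey($e.Clsid)) {
        Write-Warning "NEW BHO: $($e.Clsid) -> $($e.Dll)"
    } elseif ($known[$e.Clsid] -ne $e.Sha256) {
        Write-Warning "CHANGED BHO DLL: $($e.Clsid) -> $($e.Dll)"
    }
}
```

Run it once from an elevated prompt on a clean machine to record the baseline, then schedule or rerun it after software installs; a warning means a component that Internet Explorer will load in-process has appeared or changed and should be reviewed before it is trusted.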


Two versions are available:

-The Pro version, which is paid,

-The free version for home users.

Only the Pro version (trial) is tested here: version 2.0 build 11 in "normal mode".




***Execution control with Leaktests:

-AntiHook detects Ghost and DNSTester and can block their actions: AH is the winner.

AntiHook is the winner against the execution control test.



***Process Termination:

-ProcX can't terminate or suspend antihook.exe: AH is the winner.

-APT can terminate the process, but only after many tries: AH failed.

I consider that AntiHook has an efficient self-protection: AH is the winner.



***Dll injection/implant:

Zapass or Copycat can't inject a dll into antihook.exe.

AntiHook also detects this attack against another process and can block it.

AntiHook is the winner against the dll injection test (it detects the action and asks the user whether to allow it or not), but it also failed for prevention because it can't prevent the attack automatically.



***Process Hijacking:

AntiHook can't be hijacked: AH is the winner (for detection).








***API Manipulation:

-with APISpy: another instance of antihook.exe can't be launched. AH is the winner.

-with Kapimon: AntiHook does not detect API hooks on the system. AH failed.

-with ExeHook Demo: AntiHook detects the general hooking and also the hooking of Notepad. AH is the winner.

AntiHook is the winner against API manipulation (for detection).



***Finjan Tests:

-F.Demo: AH can't detect the creation of the folder: AntiHook failed.

-F.VBS: AntiHook detects the Windows Script Host and all actions launched by the VBS, like Notepad: AH is the winner.

-F.JPG: AH detects only packager.exe and its action (launching notepad.exe): AH is the winner.

I consider that AntiHook failed against the Finjan tests (it can't prevent or really detect the creation of the "You have been hacked" folder).



***Registry tests:

-Regtest 1 and 2: AntiHook failed.

-ScoundrelSimulator: AH failed.

It's not necessary to run the other tests: AntiHook failed against the registry tests.



***Trojan Simulator:

AntiHook intercepts the trojan's action and can easily block it. AH is the winner.






***Memory manipulation:

When we allow UH to run, AntiHook can't prevent its own process from being read, written or modified. AntiHook failed.

-Physical memory access with Physmem: AntiHook can't intercept or identify the access.

AntiHook failed against the memory manipulation tests.




***Data theft with Trojan Demo:

AntiHook can detect and block some of the actions made by the trojan demo (calc.exe, browser hijacking), but not the data theft.

AntiHook failed against the data theft test.



***Device/service manipulation:

-service installation: AH can't report that a new service will be added: AH failed.

-service termination: AntiHook failed (with EkinX).

-driver modification: AntiHook is the winner (its driver can't be modified or reconfigured).

-unloading a driver: AntiHook failed.

AntiHook failed against the service/driver manipulation tests.





***CDROM autorun:

AntiHook can detect the cdstart.exe process and has the ability to block it. AH is the winner.






***Fakes/Jokes Test:

-open/close the CDRom drive: AntiHook failed.

-launch several Windows applications: AntiHook intercepts every one of them. AH is the winner.

I consider that AntiHook is the winner against the jokes tests.



***Buffer/Heap Overflow:

AntiHook can only detect the tests' file actions, not the attempt on the stack.

AntiHook failed against the Buffer/Heap overflow tests.



***Deactivation Methods:

-trachscan: AntiHook is the winner,

-blacklisting: antihook.exe can't be wiped automatically by Autorun3 (only removed manually by the user): AH is the winner.

AntiHook is the winner against the deactivation methods tests.






CONCLUSION:

***The pros:

-efficient self-protection (integrated in the Windows kernel),

-can prevent advanced attacks/threats (against itself or another process),

-efficient detection of hooking methods (used by keyloggers or rootkits),

-runs as a "hidden service" (AntiHookProcessSensor2k, associated with a device driver),

-protection and advanced rules editor for Internet Explorer and Windows (shell) Explorer (the RulesEditor was not tested).






***The cons:

-no possibility to configure applications in a specific zone or log,

-many minor incompatibilities and interactions with legitimate programs (AntiHook detects any hooking ability, legitimate or not): antivirus like McAfee, anti-keyloggers like SnoopFree, Acrobat Reader, and complete security suites like ProcessGuard or System Safety Monitor (with their service driver),

-imprecise alerts (no information about the kind of attack),

-answers to alerts (nothing checked by default, no possibility to permit an application once only),

-the graphical interface is really a torture for the eyes, especially the alerts (written in tiny letters),

-no help files or specific manual for the user (only an online FAQ),

-more detection than prevention features,

-a little weakness in detecting actions launched from CMD,

-pretentious marketing,

-not compatible (integrates into the Windows kernel) with old versions of Windows (95/98),

-only available in English.







COMMENTS:

AntiHook is an interesting product, especially for the user who wants to protect his system against some advanced threats like the CoolWebSearch trojans, keyloggers and spyware (it can detect new BHOs, ActiveX controls and additional modules).

The activity control is really efficient but unfortunately too vague: the user must therefore be able to distinguish legitimate activities from suspect ones.

But it's quite a young piece of software on the market and has to grow up with many improvements:

-for ease of use,

-to complete some features,

-to make the interface nicer.

In any case, it's one of the promising programs in the list.






COMMENTS (translated from French):

AntiHook is the other Australian product in this panel (coded by a developer of Russian origin), available in two versions: the Pro, which is paid, and the Personal/Home, which is free.

Integrated into the Windows kernel, which lets it intercept low-level calls, AntiHook proves very effective at activity control (application firewall).

It can detect not only executables but also additional modules of the Windows shell, BHOs, ActiveX controls and other plugins.

In addition, an advanced rules editor is included in the package (requires installation) for Internet Explorer and Windows Explorer.

AntiHook can above all prove effective at detecting suspicious activity, in particular spyware and keystroke loggers (keyloggers).

However, its alerts turn out to be very imprecise (they do not indicate the nature of the activity) and can be difficult to interpret for users unfamiliar with application firewalls and other activity monitors.

Moreover, it is surprising to be handed such a dull interface, hard on the eyes and, on top of that, in black and white: at a time when most freeware is displayed in colour, this lapse of taste deserves to be fixed.

In the end, the product still seems young and not yet mature: according to its authors, significant improvements are expected for version 2.5.

RATING: 7/10