PODIUM and OVERALL

Published by Kareldjag aka Michel

PODIUM





ProcessGuard (PG) VS System Safety Monitor (SSM) VS Viguard




NB. the secure mode (administrator for SSM, "blocking new and changed applications" for PG) is not enabled.

Viguard with critical files protection (Windows\System32, INI etc).






***Rootkit Test with Hacker Defender 1.0.0:








-ProcessGuard: can prevent the installation by blocking the driver (with no specific rule for service.exe).




NB. For high protection against rootkits, it's advisable to deny/uncheck the "install Drivers/Services" option for service.exe.



-System Safety Monitor: can detect and prevent the installation.




NB. For a strong defense against rootkits, it's recommended to configure a special rule for service.exe and to deny the driver installation permission.



-Viguard:

If we launch a full installation of the rootkit, Viguard can detect and block it (INI protection), but if we launch only the service, the user is not instantly warned by an alert (only before shutdown).



NB. the rootkit can be put into quarantine:








NB. For a strong defense against usual rootkits, it could be helpful to deny creation/modification of .sys/.ini/.drv files in the FileWall options (but set up permission rules for programs' legitimate access).








1: ProcessGuard, 2: SSM, 3: Viguard.

 

NB. The service (and processes) can be run hidden, but that is the subject of the next test.





***Hiding/spoofing a process (in Windows explorer):


NB: access to physical memory is necessary for this test (a).





-ProcessGuard: PG does not detect the hidden process in "explorer.exe" (even when we launch "explorer.exe" from Windows\System32 with the "block new and changed applications" option).


-SSM: can only prevent the spoofing in administrator mode (access to memory is automatically denied) and does not notice any difference by MD5 check.


-Viguard: does not detect the hidden process, even if we run an integrity scan.




ProcessGuard, SSM and Viguard failed the "hidden process test".






***Library manipulation:





-ProcessGuard: any manipulation is automatically blocked and prevented.



-SSM: System Safety Monitor detects "the attack", but can only prevent it in Administrator mode or with a specific rule:





-Viguard: Can prevent its own process from being profiled.









1: ProcessGuard and Viguard, 2: System Safety Monitor.




***Disabling the startup registry key:


-ProcessGuard: ProcessGuard can be easily disabled from the startup menu.





-SSM: with all plugins enabled (registry startup), SSM can block the action and automatically reverse the change.






-Viguard: has strong features (detection and prevention, automatic scan before shutdown and at system start) against this method and therefore can't be disabled from the startup menu without an alert.








1: Viguard/SSM, 3: ProcessGuard.




***Launching an HTTPS connection (with Kapimon):














-ProcessGuard: PG detects the injection of code in Internet Explorer, but can't block the connection to Verisign web site and does not inform about it.





A specific rule is necessary: "deny once or deny always" for IE.





-SSM: it detects that Kapimon wants to take control of Internet Explorer with a code injection, and also detects which web site/connection will be launched.






NB. With specific rules, we can prevent any unauthorized launching attempt of the browser.








-Viguard: Viguard is the winner.





 


NB. With specific rules, it's possible to monitor many more actions (loaded modules, access to the internet with NetTrap, denying access to the Verisign web site as an untrusted server etc.).


1: Viguard, 2: System Safety Monitor, 3: ProcessGuard.





***Crashing the system instantly (b):

-ProcessGuard: PG can't prevent the computer from crashing instantly without a specific rule for the Windows Service Controller (Windows\System32\service.exe).

The "install service/driver" option is a permission needed to install new software on the system and is not present in the default configuration.

But if we deny this permission, then no new service/driver can be installed and loaded.







-SSM: System Safety Monitor detects all Bang actions and the user can easily prevent the system from crashing.




 

-Viguard: Viguard detects the loaded driver and can block it.




And if we deny the action, Viguard asks the user if he wants to kill the program:




1: Viguard and SSM, 3: ProcessGuard.

 

(a) For more information, take a look at some papers about DKOM (Direct Kernel Object Manipulation) by Jamie Butler (author of the FU rootkit);

(b) this test shows what can happen when the computer is crashed instantly by an attack (buffer overflows, DoS etc).



COMMENTS:




It seems difficult to choose a winner between ProcessGuard, SSM and Viguard.


If I take into consideration only results, and just results, Viguard and System Safety Monitor would certainly fight a battle for first place.

But these tests are made for all consumers, and consequently ease-of-use/effectiveness is the first criterion.

As a consumer, I defend products which can provide a high degree of security for all users and family members: from the 7-year-old child to the 77-year-old grandmother, everyone has to be protected.

A strong line of defense should not only concern knowledgeable, advanced or experienced users (professionals, programmers etc).

Making defense against advanced attacks (rootkits, code modification etc) easy for the end user is a much-appreciated programmer's effort.

Therefore, ProcessGuard is my first choice: it does not take too much time to configure (very intuitive), and any user just has to check a box/option to get strong protection.

SSM and Viguard are as powerful as ProcessGuard, certainly more exhaustive, but are less comfortable to use.

As a partisan of integrity protection, I find Viguard very interesting; it has more features and options than System Safety Monitor: the ability to launch an integrity scan, to reinstall itself and repair infected files, to deny access to any file/folder etc.

And the major weakness of SSM is its driver/service, which can be easily disabled.

All these criteria lead me to choose Viguard as the second choice and System Safety Monitor as the third choice.




PROCESSGUARD



VIGUARD



SYSTEM SAFETY MONITOR









NB. A special mention for SoftClan Integrity 2005, Safe'n'Sec, AntiHook and OSsurance Desktop, which are also very effective and promising products.






OVERALL




Nowadays, a classical defense with a firewall and anti-virus/trojan/spyware scanners is not sufficient against the new generation of threats, which often use stealth (1) methods to avoid scanners and evade resident engine detection.

Antivirus products are limited (2) and there are many files (3) that scanners do not include in their databases, so a system can be infected and corrupted whether in a home user or a corporate environment, as a recent scandal has shown in Israel, the United Kingdom and the US.

Therefore it seems necessary for any user who takes his online security seriously to add a proactive protection to his line of defense.

These "personal HIPS" tests and reviews have shown that solutions exist against all kinds of malware, from the basic trojan to the stealth rootkit (4).

In all cases, it's technically hard to code programs which combine ease-of-use with effective multi-layered protection without soliciting the user's intervention.

In the last resort, any security software requires education and effort from the user: it's the price of a strong line of defence and of peace of mind.

Ultimately, the choice is as usual a question of experience and budget.

 

 

(1): "Hide'n'Seek: anatomy of stealth malware" (F-Secure): this pdf by Gergely Erdelyi is here (save with right click);

(2): about the limits of AVs: "Owning Antivirus", by Alex Wheeler and Neel Mehta: the pdf is here (save with right click);

(3): like this keylogger for instance (checked on VirusTotal), this stealth trojan or this stealth backdoor (used in pentests/audits);

(4): "Hidden threats" by Rick Dudley: the pdf is here.





CONCLUSION:




Today, a classical protection with a firewall backed by the usual anti-virus/trojan tools is hardly sufficient against the new generation of malware, which uses stealth methods (5) to evade detection modules.

There are many parasites (6) that are not included in the signatures of the best antivirus products, and any system can therefore be infected, whether in a home or a corporate environment, as some recent cases in Israel or the UK have shown.

It therefore appears necessary for the user who takes the security of his computer seriously to deploy a so-called "proactive" or behavioural protection.

These tests of a few personal "intrusion prevention and detection" programs have shown that solutions exist against all types of malware, from the basic trojan to the stealth rootkit.

In all cases, it is technically hard to develop programs offering multi-level protection that are easy to use, effective, and do not solicit the user.

Any security product requires a learning effort from the user: that is the price of effectiveness and peace of mind.

And in the end, the choice is a question of experience, level of knowledge, and of course budget.

(5): "Panorama des techniques de résistances aux antivirus" (SOPHOS/OSSIR): this pdf by Vanja Svajcer is available here.

(6): such as this keylogger (scanned on VirusTotal).



The Pros and The Cons of "personal HIPS" (7):



The Pros:


-most of them run at kernel low level (8), so they can intercept more activities (physical memory, device/driver installation etc);

-no signature updates, no time wasted on scans;

-detect/stop/prevent the infection before it occurs ("prevention is better than cure");

-can detect unknown malware by monitoring its behaviour while scanner engines see nothing (recently, the Kelvir worm invasion bypassed all AVs for a few hours);

-provide powerful activity control over the system (...)


(7): Host Intrusion Prevention System is just a term to name these proactive programs; HIPS are more sophisticated but have the same goal: prevention/detection of unusual/suspect activities; Viguard is the product which corresponds most closely to the definition;

(8): short info in paragraph 1.3.4 here, or the exhaustive article by Mark Russinovich (parts 1 and 2 about Windows architecture).

 

 

The Cons:


-often require:

*the user's intervention (alerts, permissions, rules, configuration),
*knowledge (to distinguish a legitimate activity from a suspect one),
*experience (of the Windows system);

-must be installed on a 100% clean computer, especially software which uses integrity control like Viguard, Abtrusion Protector, ProcessGuard, SSM/OSD/SCI;

-can't clean/repair infected files (except Viguard): classical AVs can be necessary;

-are not the "ultimate solution" as announced by two publishers: any system can be penetrated (often a question of time), and social engineering is the last attack to use when 0day (9) exploits and all other attacks have failed (10)/(11).

Personal HIPS can't protect efficiently against network, web application and buffer overflow attacks.

Even in a small business environment (for example a cybercasino), specialised IPS/IDS are more recommended.


(9): "0Days: How hacking really works" by Dave Aitel: the pdf is here.

(10):" Electronic Attack" by Thomas Chen: the pdf can be found here.



Suggested programs by malware typology and other parameters:



-against worms:

1: Viguard,

2: Parador File Protection,

3: PrevX/OSsurance Desktop.

-against keyloggers:

1: ProcessGuard,

2: System Safety Monitor,

3: AntiHook.

-against rootkits:

1: ProcessGuard,

2: SecuriTask2005,

3: System Safety Monitor/Viguard/AntiHook.

-to protect data and file access (database workers/lawyers/notaries/writers/scientists):

1: SoftClan Integrity 2005,

2: Parador File Protection/Viguard,

3: Safe'n'Sec.

-to control activity (application firewall):

1: Safe'n'Sec,

2: System Safety Monitor/AntiHook,

3: ProcessGuard/Viguard/SCI/OSD/SafePC/SecuriTask2005.

-to protect system's integrity:

1: Viguard,

2: SoftClan Integrity 2005,

3: OSsurance Desktop.

-for beginners/classical users:

1: SecuriTask2005,

2: SafePC,

3: OSsurance Desktop.

-in a SOHO environment:

1: Viguard Pro,

2: ProcessGuard/SoftClan Integrity 2005/System Safety Monitor,

3: Parador File Protection.

-in a public computers environment(public libraries, cybercafes):

1: SoftClan Integrity 2005,

2: OSsurance Desktop,

3: SSM/ProcessGuard/AntiHook/SecuriTask2005/AbtrusionProtector.

-for Internet Explorer users/addicts:

1: Viguard,

 2: SecuriTask2005,

3: AntiHook/System Safety Monitor/PrevX Pro.

-best budget:

1: Abtrusion Protector/SSM (until Dec. 2005)/AntiHook and PrevX free versions,

2: SoftClan Integrity 2005 (Euro zone),

3: OSsurance Desktop/PrevX Pro/Safe'n'Sec.

-easy management (the ones which require less users intervention):

1: Abtrusion Protector,

2: SoftClan Integrity 2005,

3: OSsurance Desktop.

-Compatibility: no incompatibility (except Viguard with resident AVs) with scanners (anti-virus/trojan/spyware) or between them:

the user just needs to avoid two products with similar features (Safe'n'Sec and AntiHook, which work as application firewalls, seem to be the most compatible and easiest to combine with any other product).


NB. A special mention for Jetico Firewall, which detected the majority of the tests.




Mantra for Intrusion Prevention (11):


"That which can not be detected should be prevented;


that which can't be prevented should be detected."


(11): "Tutorial session" by Ellen Mitchell: the pdf is here (p.77).


Mantra for intrusion prevention (French version):


"That which cannot be detected must be anticipated;


that which cannot be anticipated must be detected."




Acknowledgements:



A big thanks to my angel Melinda, for her presence and help with screenshots; thanks to some friends for their encouragement and criticism.

Also thanks to the publishers for their feedback, especially some teams who were very attentive to the results: OSsurance Desktop, Abtrusion Security, PrevX and Viguard Pro.


Final words:


-as usual, it's easier to test and review software than to code effective security programs like these.

-I can't know all the products available on the market, and I've left out many of them for inefficiency: so the list is only composed of very good products.

-It was quite difficult to choose the methodology.

Generally, the same methodology is applied to all products ("crash tests" for cars, the same malware database for antivirus etc).

Therefore, comparisons are possible for the consumer.

For these tests, I've tried to choose various scenarios which cover the general features of all products: so even if a product does not have registry or buffer overflow protection, the test is applied: it's necessary for comparisons, information and the rating.

A different methodology for each product is not serious.

And although I've tried to be as objective as possible, there is always a very minor (5%) part of subjectivity.

But ratings are always related to objective factors (behaviour against test files, quality of the package, languages etc): the higher the rating, the more exhaustive the product.

In any case, the rating should never be the first criterion for the choice.

However, these tests are not and could not be perfect.

- Some products have more prevention than detection features and should be evaluated in a risky-usage, unprotected environment (surfing warez/porn/hack/P2P sites with NO protection); after an hour, the PC can be analyzed to determine the infection level.

This is particularly true for products like Abtrusion Protector (that which is not recorded is not allowed to run), OSsurance Desktop and SCI2005.

Consequently, the rating for these products is a minimum rating compared with the other products' results.

-a rating just above average (6 or 7/10) does not necessarily mean an inefficient product; and a place on the podium does not necessarily mean a recommended product (just one that passed the test effectively).

On the other hand, 10/10 does not exist in my philosophy: there's no perfect solution.

-I don't specifically recommend one of them: the best way to get a neutral opinion is to try the product yourself.

-some products were tested for only 10 or 15 days: that's not really sufficient for analysing "the pros and the cons": for more information, it could be helpful to take advantage of users' experience on forums.

-Security software tests often demonstrate products' abilities more than their effectiveness: the ultimate judge is the user's satisfaction after one year of use.

-there are too many security software publishers who are more interested in making our wallets lighter than in taking care of our computers' security.

That's not the case for these products: choosing one of them will never be a wrong choice.


(TO BE CONTINUED)

