VIGUARD

Published by Kareldjag aka Michel


Like its forefather Invircible, Viguard is best thought of as an antivirus without signatures.

It is a French product, well known in government and corporate environments in France and in the USA (the general public is more familiar with AV scanners).


Tegam, the company that was Viguard's legal publisher, ceased to exist at the end of May.

The new rights holder is SOFTED, a small company that has been the technical developer for 7 years.



Viguard is available in different versions (corporate and home):



-the Home version (currently about 69 dollars),


-the Pro version (currently about 99 dollars).


The Network version is intended for enterprises (workstations).




The current version is Viguard Pro V 11.0620, released on June 22.



A trial English version can be downloaded from this page.






Viguard is certainly one of the most comprehensive and sophisticated security programs that a home user can install on their system.

It provides multi-layered protection through its principal features:




*HighGuard:


-ViStartup (registry, services, IE extensions),






-FileWall (file/folder access rules),




-ViRepair (can restore an original clean file if it was infected),




-PcPass (file integrity certification).








*NetTrap (internet control: online programs, email attachments, downloaded files),









-ViWatch (active processes and services).






PcPass is an interesting feature: during installation, Viguard records every file with strong hashing algorithms and can then certify them with the PcPass module.









Viguard is based on DVP (Dynamic Virus Protection) technology, a proactive, behaviour-based approach to detecting all kinds of malware (viruses/worms/trojans).







TEST





Configuration:



-files from floppy disks and CD-ROM are allowed to run,

-Viguard files are protected from access/modification/creation,

-critical Windows files are protected from creation/modification/access,

-everything else uses the default rules.




***Execution protection with Leaktests:




-With the default rules, Viguard does not detect the execution of the 3 leaktests (it does not act as an .exe filter/application firewall by default).


-With specific rules, it is possible to filter any file.


Viguard failed against execution tests with the default configuration.





***Process termination:



Viguard is the winner against ProcX but can be terminated by APT ("all" method).






But even if the GUI can be terminated, Viguard is still running (Service.exe) and the system remains protected.


Viguard is the winner against process termination.





***Dll injection/implant:



Viguard is the winner against Zapass (not included in the Zapass list) and Copycat.








***Process Hijacking:



Viguard is the winner (it cannot be listed by Hijack.exe).





***API Manipulation test:




-with APISpy32: another instance can't be launched: Viguard is the winner.



-with ExecuteHook demo: Viguard failed (detects none of them).



-with Kapimon: Viguard failed.








Viguard failed against API manipulation tests (1/3).





***Finjan Tests:




-F.Demo:







Viguard can detect the creation of the folder and can also block it.

Viguard is the winner.



-F.VBS: Viguard is the winner (has default rules for scripts).






-F.JPG: with the default rules, Viguard can only block the creation of the folder by killing the test file (stopping the action): Viguard failed.



Viguard is the winner against Finjan tests.





***Registry Tests:



-with Regtest 1: Viguard is the winner.






-with Regtest 2: the registry access is detected and an alert is raised, but the shutdown is too "brutal" for the action to be denied: Viguard failed.



-with Scoundrel Simulator: Viguard is the winner (it can detect and deny all actions except the "startup entry" in the user group).








-with RegTick Pro: Viguard is the winner: it detects the deactivation of the Task Manager and lets the user deny it.







-with RegHide: Viguard failed.





Viguard is the winner against registry tests.





***Simulating a trojan with Trojan Simulator:



Viguard is the winner.










***Memory Manipulation test:




-with UH: Viguard is the winner.







NB. By default, Viguard protects the memory of its own files and also of system processes.


-with PhysMem (physical device memory access): Viguard failed.



I consider that Viguard is the winner against the memory manipulation test.






***Data Theft with Trojan Demo:



Viguard is the winner (detects and can deny TaskManager/Telnet/FTP access).









***Service/driver Manipulation:




-service/driver installation: Viguard is the winner.







-service termination: Viguard is the winner (against ProcX, APT and EkinX).








-service/driver modification: Viguard is the winner (Viguard's drivers can't be modified or reconfigured).




-loading a driver: Viguard is the winner.








Viguard is the winner against driver/service manipulation test.





***CDRom autorun:




Viguard is the winner (has the ability to deny access to external drives/.exe).





***Fake/Jokes test:




-open/close the CDRom drive: Viguard failed.



-launching several Windows applications at the same time: Viguard failed.



Viguard failed against Jokes test.






***Buffer/Heap overflow:



Viguard failed against SDTester and OverflowGuard.



Viguard failed against Buffer/Heap overflow test.






***Deactivation Methods:



-trashcan: Viguard is the winner.



-blacklisting: Viguard is the winner.







Viguard is the winner against deactivation test.







CONCLUSION:















***The Pros:





-very comprehensive and elaborate (registry, file and internet protection),



-effective protection by default,



-strong integrity protection with PcPass: whatever is not recognized and certified can be prevented from running,







-effective protection of the registry,



-effective self-protection (sdload32.exe and service.exe; it can reinstall itself if the program is corrupted/infected),



-impressive features, rules and configuration possibilities,







-covers execution filtering from external drives,



-covers all kinds of scripts,




-integrates an integrity checker (which can be scheduled to run automatically or run on demand),










-antivirus-like features: quarantine, rescue disk, boot sector/CMOS protection,










-runs as a service, backed by a boot-start file system driver (VirBlock) and a system-start device driver (VIGHLPR) for greater efficacy,








-macro protection,





-nice graphical interface,



-antispyware features: a full SpySweeper license (one year of free updates) is integrated in the "Home" and "Pro" versions; monitoring of BHOs, ActiveX and other IE extensions, anti-web-spoofing/phishing abilities (untrusted servers), etc.,








-"pro and clean package": the Viguard package often integrates a virus cleaner (1) based on ClamAV (necessary for a totally clean installation), a Flash demo (quick start guide) and an exhaustive PDF manual,







NB. (1): I don't trust the VDetect database: I suggest using Sysclean (TrendMicro), Panda ActiveScan, Spybot Search & Destroy, Ad-Aware, CWShredder (against CWS trojans) to clean any virus/worm/trojan/spyware/adware, and UnHackMe to detect common rootkits (trial).




-an exhaustive online process database that ViWatch can use if the online info option is enabled (for Windows processes),






-recognized by Windows Security Center as an antivirus,








-compatible with old Windows versions (95/98).








***The Cons:




-consumes too much RAM,




-only advanced and experienced users can take advantage of all features and possible rules,



-no install mode: Viguard must be disabled while installing new software (the WinTrust option, which can certify software publishers, does not help here), so an infection remains possible during this phase,






-very expensive (the Home version is cheaper), though this is understandable given its complexity and the "very pro" package (according to its publisher and reseller, it will become less expensive in the foreseeable future: wait and see),




-incompatible with some classic resident antiviruses (NOD32, KAV, etc.),




-the forum is only available in French (even though Viguard exists in English) and is not very busy (members have no names, just a number).












COMMENTS:





Viguard is a comprehensive and sophisticated product which provides a high degree of protection by default and has some rare features:



-has an integrity checker (automatically or on demand),


-can reinstall itself,


-acts as an antivirus (can repair files by restoring the original ones),


-can filter e-mail attachments, downloaded files (images)...








-monitors connected applications/packets.



The options, rules and configurations are really impressive; but unfortunately, only advanced users well informed about malware behaviour can take full advantage of all the possibilities.

The Home version, less expensive and less complicated, is surely the better recommendation for ordinary users.

Registry and file access monitoring, memory protection, outgoing connections, antispyware features and, most importantly, file certification/authentication: Viguard's programmers thought of everything... except API hooks and buffer overflows.

Consequently, Viguard is not well armed against keyloggers (stealthy or not) and cannot really be recommended for public computers (internet cafes, schools).



By covering the critical areas of the system that serve as infection vectors, Viguard acts as a sophisticated system alarm for detection and prevention: viruses, trojans, worms, rootkits, spyware... the majority of malware can be detected.





Viguard Pro requires time to become familiar with all its features, and unfortunately consumes too many resources.


It is an impressive, very comprehensive and effective product, but one intended more for experienced users.




NB. A big thanks to Eyal D. (Head of R&D) for the copy of Viguard before its official release on the market.






COMMENTS (French version):




Viguard is a very elaborate program used by companies and government agencies as well as by private individuals.

TEGAM, the original publishing company, filed for bankruptcy at the end of May 2005 (1).

SOFTED therefore inherits the rights and continues development (in which it has participated for 7 years).



The main strength of Viguard Pro (the version tested here) lies in protecting the system through file certification (PcPass module).


Indeed, during installation, Viguard records all the files present (assumed to be clean) via hashing algorithms and then adds them to its database.

Thereafter, anything that is not strictly recognized and certified may be revoked, barred from execution, or else repaired (ViRepair module).
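The certification cycle described here and under PcPass in the feature list above, as an added example that is not Viguard's own code: a baseline of file digests with a pristine copy of each file, a verify pass that separates modified, uncertified (new) and missing files, and a repair step that restores a modified file from its copy, the ViRepair idea. SHA-256, the directory layout and the file names are this example's own choices (the page does not say which algorithms PcPass uses), and the sample tree is constructed in a temporary directory.

```python
# Added example, not Viguard's code: a PcPass-style certification cycle.
# build_baseline digests each file and keeps a pristine copy; verify flags
# modified, uncertified (new) and missing files; repair restores a file from
# its copy (the ViRepair idea). SHA-256 is this example's own choice.
import hashlib
import tempfile
from pathlib import Path

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path, store: Path) -> dict:
    """Map relative path -> digest; store a content-addressed copy of each file."""
    store.mkdir(parents=True, exist_ok=True)
    db = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            db[rel] = digest(p)
            (store / db[rel]).write_bytes(p.read_bytes())
    return db

def verify(root: Path, db: dict) -> dict:
    """Not in db -> uncertified; digest mismatch -> modified; gone -> missing."""
    res = {"modified": [], "uncertified": [], "missing": []}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in db:
                res["uncertified"].append(rel)
            elif digest(p) != db[rel]:
                res["modified"].append(rel)
    res["missing"] = sorted(r for r in db if not (root / r).is_file())
    return res

def repair(root: Path, store: Path, db: dict, rel: str) -> bool:
    """Overwrite a modified file with its certified copy; True if it now matches."""
    (root / rel).write_bytes((store / db[rel]).read_bytes())
    return digest(root / rel) == db[rel]

def demo() -> dict:
    """Constructed scenario: certify two files, then modify, add and delete."""
    base = Path(tempfile.mkdtemp())
    root, store = base / "sys", base / "pcpass_store"
    root.mkdir()
    (root / "notepad.exe").write_bytes(b"MZ original notepad")
    (root / "hosts").write_text("127.0.0.1 localhost\n")
    db = build_baseline(root, store)
    (root / "hosts").write_text("127.0.0.1 localhost\n# unexpected edit\n")
    (root / "dropper.exe").write_bytes(b"MZ not in the baseline")
    (root / "notepad.exe").unlink()
    before = verify(root, db)
    return {"before": before, "repaired": repair(root, store, db, "hosts"),
            "after": verify(root, db)}
```

A real product would also protect the store and database from the processes it monitors; here they are ordinary files so the mechanism stays visible.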


Alongside PcPass, Viguard's other important modules are:



-HighGuard (FileWall for file protection, ViStartup for monitoring the various startup items and ViRepair for file repair),


-NetTrap: filtering of programs that want to connect to the internet (note: it can in no way replace the firewall), filtering of e-mail attachments and of browser downloads.


Also worth noting are the new additions WinTrust (certification of publishers' packages) and ViWatch, which displays running processes (with online information as an option).



By default, Viguard Pro offers excellent protection against all types of parasites.

However, its weakness against API hooks makes it vulnerable to keyloggers, and it is consequently rather inadvisable on public workstations (internet cafes, hotels, universities, etc.).

One of the software's main qualities is that it provides multi-level protection: critical files (Windows\Systeme32, hosts, DRV, INI, etc.), registry, process memory, etc.


Viguard Pro allows advanced rules to be edited, particularly with the FileWall module, which can assign access permissions and rights to any file (modification, creation, access, etc.).



But while it offers a vast range of options and configurations, Viguard only proves beneficial to users who know their system well and, above all, are fully aware of the behavioural patterns of the various kinds of malware.


A novice or ordinary user may thus end up infecting their computer unintentionally by authorizing an activity they do not imagine to be suspicious.

The "Home" version of Viguard, well configured by default, is therefore much better suited to the ordinary user.



While the price may seem high (69 Euros for the personal version and 99 Euros for the "pro" version), it is worth noting the inclusion of a full version of SpySweeper, the reference anti-spyware, and the stated ambition of SOFTED and its distributor DODATA to lower prices (2) in order to reach a wider public.



Viguard Pro appears to be one of the most advanced and effective programs that can be deployed on a personal computer.

It is a pity, however, that it can only be truly beneficial to a knowledgeable audience.



NB. THANKS to Eyal D. for providing me with a copy of Viguard before its official release.




(1): See the Vnunet article here;


(2): See the other article here.

(3): On the distributor's site, an evaluation version of Viguard is available (below, the MD4, MD5 and SHA-1 checksums), as well as various PDFs (manual, brochure) and a Flash presentation.



 



NB. The TEGAM vs. Guillermito controversy is off-topic here.

And while I side with neither party, my opinion is clear:

testing a product, whatever it is, requires a minimum of professional ethics: methodology, objectivity, neutrality and honesty are necessary for any credibility.

By using a "warez" or pirated version, Guillermito strayed to the very antipodes of this ethics.

What would the giants of the car industry say if crash tests were carried out with stolen and tampered-with vehicles?

Everything else is just literature.












RATING: 9/10 

