OSSURANCE DESKTOP

Published by Kareldjag aka Michel

"OSsurance Desktop Technology involves Executable Authentication Management which authenticates system calls against a trusted list of files and executables".

OSsurance Desktop, from the Canadian security firm OSSecurity, is first and foremost an application firewall with real-time integrity/authentication control.

During installation, OSsurance Desktop records all files and programs and builds an integrity database: any file that is changed afterwards is supposed to be detected.

All installed programs/files are added to a trusted whitelist (APL).

The protection is based on four intrusion prevention features:

-malicious/suspect program (such as self-modifying code) detection,
-buffer overflow detection/prevention,
-application firewall (.exe filtering/control),
-unauthorized module (DLL) detection and prevention.

OSsurance Desktop therefore provides a defense against attacks such as buffer overflows and code modification, which are used by worms, as well as protection against unknown executables or additional modules.
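As an added illustration (example code written for this review, not OSsurance Desktop's or OSSecurity's own code), the following Python script models the mechanism described above: the install-time scan that builds the integrity database, the on-demand authentication scan, the authorization decision taken before an executable runs or a module is loaded (the "unauthorized module" feature in the list), and a maintenance-mode update for a legitimate upgrade. The file names, the choice of SHA-256 and the attack scenario are assumptions made for the demo. Two caveats a practitioner should keep in mind: a check of this kind only sees files on disk, so a rootkit that hooks system calls without touching any Win32 file is invisible to it, and the baseline itself has to be protected from tampering.

```python
"""Toy file-authentication whitelist (APL-style) backed by an integrity baseline.

Example code for this review; it is not part of OSsurance Desktop. File names,
hash algorithm and the demo scenario are assumptions.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Install-time scan: map every file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """On-demand authentication scan: report modified, added and removed files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def authorize(root: Path, path: Path, baseline: dict[str, str]) -> tuple[bool, str]:
    """Decision taken before an .exe runs or a module is loaded:
    only a file whose current hash matches the baseline is authenticated."""
    key = str(path.relative_to(root))
    expected = baseline.get(key)
    if expected is None:
        return False, "not on the whitelist"
    if not path.is_file():
        return False, "file missing"
    if sha256_of(path) != expected:
        return False, "hash mismatch (file modified since baseline)"
    return True, "authenticated"


def maintenance_update(root: Path, path: Path, baseline: dict[str, str]) -> None:
    """Maintenance mode: re-record a file after a legitimate update so it is trusted again."""
    baseline[str(path.relative_to(root))] = sha256_of(path)


def demo() -> dict:
    """Constructed scenario: a DLL patched in place and an implant dropped after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ original program")
        (root / "helper.dll").write_bytes(b"MZ original helper")
        baseline = build_baseline(root)

        (root / "helper.dll").write_bytes(b"MZ patched helper")   # in-place modification
        (root / "implant.dll").write_bytes(b"MZ injected module")  # unauthorized new module

        report = verify(root, baseline)
        decisions = {
            name: authorize(root, root / name, baseline)[0]
            for name in ("app.exe", "helper.dll", "implant.dll")
        }
        # The operator accepts the new helper.dll as a legitimate update.
        maintenance_update(root, root / "helper.dll", baseline)
        after_update = authorize(root, root / "helper.dll", baseline)[0]
        return {"report": report, "decisions": decisions, "after_maintenance": after_update}


if __name__ == "__main__":
    print(demo())
```

In the demo, app.exe is still authorized, the patched helper.dll and the dropped implant.dll are refused, and helper.dll is trusted again only after the maintenance-mode update re-records its hash; the modified and added files also show up in the on-demand scan.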


As confirmed in an e-mail from Christopher D. (OSsecurity):


"OSsurance filters the integrity of data run by the processor.

The result is that inbound code may not be run when the program rejects it and the intended outbound code associated with worms and spying software will not be sent because the process to send it will be stopped when filtered by OSsurance Desktop".

OSsurance Desktop is a paid product costing 19.99 dollars.

The version which is tested here is the latest one (4.0).

NB. A trial version is available from Tucows or Download.com.

TEST

Configuration: except for Kapimon, none of the test files are on the whitelist, so they run as unauthorized executables.

***Execution Control with Leaktests:

OSsurance Desktop (OSD) detects the execution of the leaktests and can block them from running.

OSD is the winner of the execution control test.

***Process termination:
OSsurance Monitor can easily be terminated, but the execution protection remains in effect.

OSD is the winner of the process termination test.
***DLL injection/implant:
OSD failed against Zapass.
***Process Hijacking:
OSsurance Desktop can't be hijacked: OSD is the winner (but the warning alert is imprecise: the DLL injection is reported as a buffer overflow).
***API Manipulation test:
-with APISpy32: another instance of OSD can't be run: OSD is the winner.
-with ExecuteHook: OSD failed (it does not detect the execution of notepad even with the rule set to "block").
-with Kapimon: OSD failed.

OSsurance Desktop failed against the API manipulation test.
***Finjan Tests:
-F.Demo: OSD failed.
-F.VBS: OSD failed.
-F.JPG: OSD only detects the packager execution, not the creation of the folder: OSsurance Desktop failed.

OSsurance Desktop failed against the Finjan tests.
***Registry test:
-with Regtest 1: OSD failed.
-with Regtest 2: OSD failed.
-with Scoundrel Simulator: OSD failed.

Other registry tests are not needed.

OSsurance Desktop failed against the registry test.
***Simulate a trojan with Trojan Simulator:
OSD failed against Trojan Simulator.
***Memory manipulation test:
-with UH: OSD failed.
-access to physical device memory with Physmem: OSD failed.

OSsurance Desktop failed against the memory manipulation test.
***Data theft with Trojan Demo:
OSD detects nothing (not even the execution of calc.exe): OSD failed.
***Service/driver manipulation:
-service installation: OSD failed (it detected the execution, but unfortunately too late).
-termination: not possible (OSD does not run as a service).
-driver modification: not possible.
-unloading a driver: OSD failed.

The result of this test can't be taken into account.
***CDRom autorun:
OSsurance Desktop failed.
***Fake/Jokes test:
-open/close the CD-ROM drive: OSD failed.
-launching several applications at the same time: OSD failed.

OSsurance Desktop failed against the jokes test.
***Buffer/Heap Overflow test:
OSsurance Desktop detects the shellcode.

OSD is the winner of the buffer overflow test.
***Deactivation Methods:
-trashcan: OSD failed.
-blacklisting: OSD failed.

OSsurance Desktop failed against the deactivation methods test.
CONCLUSION:
***The Pros:
-execution filtering with authentication control,
-protects the system's integrity against damage, modification and infection and keeps the system as safe as possible: any code that is not certified can be blocked,
-effective at detecting basic buffer overflows,
-an authentication scan can be run on demand,
-includes an option for "P2P" users (files on network share drives),
-maintenance mode for new installations or program updates,
-advanced rules for experienced users (rights set file by file, module by module),
-ease of use (simple configuration, uncomplicated features),
-cheap (which does not necessarily mean good value for money),
-"clean package" (easy setup, PDF manual, online info),
-does not consume many resources,
-starts very early at boot (OSPopup.exe, the warning application, is located in Windows\System32, which is why warning alerts also work in DOS mode),
-60-day trial,
-a special version is available for Windows 98 (without the buffer overflow protection).
***The Cons:
-does not cover important system areas used in the majority of infections (the registry),
-does not protect against advanced malware and attacks,
-limited features/options,
-the file database can be difficult to manage for beginners/ordinary users,
-granting a run permission takes time: the user must click three times,
-colourless graphical interface,
-many buffer overflow false-positive alerts,
-only available in English.
COMMENTS:
Integrity protection by file authentication is an excellent way to detect signs of a compromised system and to stop changed or infected applications from running.

On the other hand, file-based protection is limited against API hooks, memory/registry access, some infection vectors (e.g. scripts, trojan e-mail attachments) and rootkit techniques that do not modify Win32 files but only hook system calls.

Malware evolves every day and uses ever more advanced methods: OSsurance Desktop (like many others) unfortunately cannot prevent some of them and should be improved.

In any case, this product, like Abtrusion Protector and SoftClan Integrity 2005, should be evaluated in a risky browsing environment (warez/porn/Brazilian and Russian/CoolWebSearch web sites with no firewall or antivirus protection).

If OSsurance has weaknesses, as other products do, it also has strong features: it is the only product on the list able to detect buffer overflows.

Proactive protection for old versions of Windows is rare, so OSsurance Desktop 98 can be of interest to Windows 98 users.

It remains a good product for preventing classic infections and can be really useful on public/family computers to keep the system as clean and safe as possible.
COMMENTS (translated from the French):
OSsurance Desktop aims to preserve the integrity of the system against modifications, alterations and any other change.

During installation, OSsurance Desktop performs a scan that records every file and takes a fingerprint of each, whose integrity it is designed to protect.

OSsurance Desktop also offers effective protection against the unauthorized addition of DLLs (preventing injection attacks) and, above all, stands out from this panel as the only program able to detect a basic shellcode/buffer overflow.

It also allows activity to be controlled, but its alerts quickly become tiresome (3 clicks to authorize an execution) and are often imprecise (false buffer overflow alerts).

While the whole is certainly of interest thanks to its system integrity protection (the database), against the new generation of malware OSsurance Desktop appears unarmed and somewhat outdated.

However, cybercafé managers and Windows 98 users (OSD98) may find its file-authentication protection of some interest: by rejecting any unauthenticated code, OSsurance Desktop preserves the system's integrity and keeps the PC as clean and stable as possible.
RATING: 7/10
NB. The rating mainly takes into account how the product behaves in a real usage environment: logically, much of the malware that uses Win32 files as its vector will be unable to infect the system.
