#131 (permalink) | Windows Vista™ Ultimate x64 | Re: Security Team

Wow thanks Norm. I didn't think any security software would be as bad as to quarantine the explorer...
#132 (permalink) | Windows Vista™ Home Premium | Re: Security Team

I second A-Squared being a "low performance" program. Don't like it and won't use it or recommend it.
#133 (permalink) | Vista Ultimate 64bit | Re: Security Team

Quote: Wow thanks Norm. I didn't think any security software would be as bad as to quarantine the explorer...

I've seen poorly written scanners corrupt the entire kernel, many times. Before XP & Vista, especially Vista, most AV and security programs had to use kernel patching to interact with the lower system functions and this was always a big problem and a HUGE security risk in itself. Vista originally did not allow ANY kernel patching and that's why the security companies were so slow to release Vista compatible products. Many of them lobbied MS to allow kernel patching again since it was the only way they knew how (at the time I guess) to integrate and update the scanners, but MS stood firm on the side of OS security. In the end MS had to find a way to allow a certain level of patching while still maintaining the kernel integrity. But I digress... I have seen scanners delete the WINDOWS folder as "infected"... the entire folder and not just a possibly infected file within it. I've seen scanners delete every executable file on the system due to a single infected exe... I've seen some that couldn't catch a virus if one fell in the developer's lap and screamed "I'M A VIRUS!!!". I've seen some really poor scanner coding in my day and I'm sure we'll see lots more in the future.

Quote: How do you write the program to scan the files?

The scanner is a complex piece of coding and that's why so many are not very well done and why it's hard to do it right the first time. That's well out of my league. But the files I decompiled personally were all sent to me by AV companies to test for unwanted behaviors. Back in the late '90s and early '00s, many AV companies used independent testers because they still weren't big enough to employ full-time testers yet. When a new unknown variant was picked up by their scanners and sent in for analysis, they would farm these out to us for decompiling and testing.

Basically I had a sandboxed system, triple boot (95, 98, W2K, later early XP) and I would monitor what system changes these files made to the OS upon execution. I had specifically built programs for this, mostly supplied by the AV company but other tools as well, many Linux-based but with Windows GUIs. After finding out what the file did to the system I would sandbox it on my main system and decompile the file to see what function calls and other things it did, like port opening, listeners, dialers, keyloggers, SMTP server... etc. Then I would compile a report about the file and its functions and if possible I would recommend the type of signature base I would use against it. Back then AVs used sig files to combat malware since that was about all there was, but some companies like ESET were working on their heuristics engines, which really work well on unknown malware behaviors. All the AV companies stopped using independents by around 2004 and I quit in late '02. I found it hard to keep up with the complexity (and sheer volume) of new variants as they started using professional software engineers to write malware and it left the realm of the simple hacker types and script kiddies. I tell you... much of the malware is better written than most legal programs out there lately and it takes real professional engineers to do that work now. It was fun while it lasted though and I met a lot of cool and very smart people and learned a lot of what went on behind the doors.
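The post above describes the core of the sandbox workflow: take a baseline of the OS, execute the sample, and record what it changed. The script below is an added example written for this page (it is not code from the poster or from any AV company's tooling) of the filesystem half of that comparison: it hashes every file under a tree before and after, then reports added, removed and modified paths. The directory layout, file contents and the `run_sample_stub` function that stands in for executing a sample are all constructed for the demo; a real sandbox would also snapshot registry keys, services and listening ports, which the post mentions but which are not shown here.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = sha256_of(p)
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """What changed between two snapshots: the raw material of a behaviour report."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def run_sample_stub(root: Path) -> None:
    """Stand-in for executing the sample inside the sandbox (constructed for this
    demo). It makes three harmless changes so the diff has something to report:
    a new file, an edited file and a deleted file."""
    (root / "Windows" / "dropped_file.exe").write_bytes(b"MZ constructed dropped file")
    with (root / "Windows" / "hosts").open("a") as f:
        f.write("127.0.0.1 update.example\n")
    (root / "Temp" / "setup.log").unlink()


def demo() -> Dict[str, List[str]]:
    """Build a constructed baseline, 'run' the stub and return the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Temp").mkdir()
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ constructed original binary")
        (root / "Temp" / "setup.log").write_text("install ok\n")

        before = snapshot(root)
        run_sample_stub(root)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Hashing rather than comparing timestamps is deliberate: a sample that rewrites a file and restores its modification time still shows up as modified, and the digests in the "added" list are exactly what would go into a report recommending a signature.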
#134 (permalink) | Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86 | Re: Security Team

Quote: Wow thanks Norm. I didn't think any security software would be as bad as to quarantine the explorer...

I've seen poorly written scanners corrupt the entire kernel, many times. Before XP & Vista, especially Vista, most AV and security programs had to use kernel patching to interact with the lower system functions and this was always a big problem and a HUGE security risk in itself. Vista originally did not allow ANY kernel patching and that's why the security companies were so slow to release Vista compatible products. Many of them lobbied MS to allow kernel patching again since it was the only way they knew how (at the time I guess) to integrate and update the scanners, but MS stood firm on the side of OS security. In the end MS had to find a way to allow a certain level of patching while still maintaining the kernel integrity. But I digress... I have seen scanners delete the WINDOWS folder as "infected"... the entire folder and not just a possibly infected file within it. I've seen scanners delete every executable file on the system due to a single infected exe... I've seen some that couldn't catch a virus if one fell in the developer's lap and screamed "I'M A VIRUS!!!". I've seen some really poor scanner coding in my day and I'm sure we'll see lots more in the future.

Quote: How do you write the program to scan the files?

The scanner is a complex piece of coding and that's why so many are not very well done and why it's hard to do it right the first time. That's well out of my league. But the files I decompiled personally were all sent to me by AV companies to test for unwanted behaviors. Back in the late '90s and early '00s, many AV companies used independent testers because they still weren't big enough to employ full-time testers yet. When a new unknown variant was picked up by their scanners and sent in for analysis, they would farm these out to us for decompiling and testing.

Basically I had a sandboxed system, triple boot (95, 98, W2K, later early XP) and I would monitor what system changes these files made to the OS upon execution. I had specifically built programs for this, mostly supplied by the AV company but other tools as well, many Linux-based but with Windows GUIs. After finding out what the file did to the system I would sandbox it on my main system and decompile the file to see what function calls and other things it did, like port opening, listeners, dialers, keyloggers, SMTP server... etc. Then I would compile a report about the file and its functions and if possible I would recommend the type of signature base I would use against it. Back then AVs used sig files to combat malware since that was about all there was, but some companies like ESET were working on their heuristics engines, which really work well on unknown malware behaviors. All the AV companies stopped using independents by around 2004 and I quit in late '02. I found it hard to keep up with the complexity (and sheer volume) of new variants as they started using professional software engineers to write malware and it left the realm of the simple hacker types and script kiddies. I tell you... much of the malware is better written than most legal programs out there lately and it takes real professional engineers to do that work now. It was fun while it lasted though and I met a lot of cool and very smart people and learned a lot of what went on behind the doors.

Norm
#135 (permalink) | Windows Vista™ Ultimate | Re: Security Team

Quote: How do you write the program to scan the files? The scanner is a complex piece of coding and that's why so many are not very well done and why it's hard to do it right the first time. That's well out of my league.

Hey Chappy,

Scanning files is easy

Code:

```csharp
{
    // Walk the whole system directory tree and hand every file to the checker
    foreach (Files.FIND_DATA file in Files.GetFilesEx(SysPath + "\\", FileIO.SearchAllSubDirectories)) {
        FileSigCheck(file); // signature and heuristic checks decide the colour shown for this file
    }
}
```

It's the way they pass file parameters and check file signatures that's the huge problem with nearly all AV scanners...

To give you a better picture of my code in action, I used the system directory (DarkGreen entries are files protected by Windows built-in System File Check). Each file is passed into FileSigCheck(), then it checks a predetermined set of heuristics and signature checks to specify colour depending on the files identified (currently 3000 different results).

I have been working on a huge update to my System File Check Utility found in the Tutorial Section if anyone is interested in giving this new scanning engine a try? (pictured above)

Steven
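The loop above hides everything interesting inside FileSigCheck(): exact signature lookups that map a file to a known result, and heuristics that catch what the signatures miss. The Python below is an added example for this page, not dmex's code or any part of the System File Check Utility; it is a stand-in for that C# loop in which `file_sig_check` checks a block list and an allow list of SHA-256 digests first (the allow list plays the role of the SFC-protected "DarkGreen" entries) and falls back to two constructed heuristics: a PE ("MZ") header behind a non-executable extension, and byte entropy high enough to suggest packing. The sample directory, the signature sets and all file contents are constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Extensions where a PE ("MZ") header is expected; anywhere else it is a red flag.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx"}
Verdict = Tuple[str, str]  # (category, reason)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_sig_check(path: Path, known_good: Dict[str, str], known_bad: Dict[str, str]) -> Verdict:
    """Exact signature checks first (cheap and unambiguous), heuristics second.

    Categories mirror the colour buckets a scanner UI would show:
    malicious / protected / suspicious / unknown."""
    digest = sha256_of(path)
    if digest in known_bad:
        return "malicious", known_bad[digest]
    if digest in known_good:
        return "protected", known_good[digest]

    data = path.read_bytes()
    is_pe = data[:2] == b"MZ"
    reasons = []
    if is_pe and path.suffix.lower() not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header behind a non-executable extension")
    if is_pe and shannon_entropy(data) > 7.0:
        reasons.append("high entropy, consistent with packing or encryption")
    if reasons:
        return "suspicious", "; ".join(reasons)
    return "unknown", "no signature or heuristic match"


def scan_tree(root: Path, known_good: Dict[str, str], known_bad: Dict[str, str]) -> Dict[str, Verdict]:
    """The loop from the post: every file in every subdirectory goes through the checker."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            results[p.relative_to(root).as_posix()] = file_sig_check(p, known_good, known_bad)
    return results


def build_sample_tree(root: Path) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed stand-ins for a system directory plus the two signature sets."""
    (root / "System32").mkdir()
    (root / "Temp").mkdir()
    protected = root / "System32" / "kernel32.dll"
    protected.write_bytes(b"MZ constructed protected system file")
    (root / "System32" / "readme.txt").write_text("plain text, nothing to see\n")
    (root / "Temp" / "invoice.pdf").write_bytes(b"MZ constructed executable with a .pdf name")
    # Deterministic pseudo-random bytes (chained SHA-256 digests) stand in for a packed body.
    high_entropy = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (root / "Temp" / "packed.exe").write_bytes(b"MZ" + high_entropy)
    bad = root / "Temp" / "dropper.exe"
    bad.write_bytes(b"MZ constructed sample on the block list")
    known_good = {sha256_of(protected): "SFC-protected system file (constructed)"}
    known_bad = {sha256_of(bad): "Constructed.Sample.A (constructed)"}
    return known_good, known_bad


def demo() -> Dict[str, Verdict]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known_good, known_bad = build_sample_tree(root)
        return scan_tree(root, known_good, known_bad)


if __name__ == "__main__":
    for rel, (category, reason) in sorted(demo().items()):
        print(f"{category:10s} {rel:25s} {reason}")
```

The ordering inside `file_sig_check` is the point the post is making about parameter passing and signature checks: the file itself is passed in, the exact-match lookups run before any fuzzy logic, and a heuristic only ever produces "suspicious", never "malicious", so a badly tuned rule cannot by itself trigger the kind of mass quarantine described earlier in the thread.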
#136 (permalink) | Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86 | Re: Security Team

Quote (dmex): Scanning files is easy

Code:

```csharp
{
    // Walk the whole system directory tree and hand every file to the checker
    foreach (Files.FIND_DATA file in Files.GetFilesEx(SysPath + "\\", FileIO.SearchAllSubDirectories)) {
        FileSigCheck(file); // signature and heuristic checks decide the colour shown for this file
    }
}
```

I have been working on a huge update to my System File Check Utility found in the Tutorial Section if anyone is interested in giving this new scanning engine a try? (pictured above)

Steven

Hi Steven,

Of course it's easy. I could do that, piece of cake. Of course I'd have a wee problem understanding it. Not that... I have, however, used your System File Check Utility, a magic little utility and one I thoroughly recommend to all. An upgrade would be the icing on the cake for what is already a great tool.

Norm
#137 (permalink) | Vista Ultimate 64bit | Re: Security Team

Hi dmex,

Well done my friend! Did you develop the heuristics engine yourself? If so, how did you incorporate the thousands of behaviors that current malware can exploit, or did you use access calls to system files or stacks as a main read on malware behavior? I'd be very interested to know a bit more... my coding is rusty to the point of being seized up solid, so I'm not much help that way, but I can test things if you need. I'll download your utility tonight and have a look-see. Of course I would not think of trying to decompile your work but if you have a code sample I can look at I would appreciate that.

Thanks Norm, it's good to be back!

Edit - After a re-read on your utility dmex, is it strictly a system file check utility, or does it have the capability to recognize other parameters? I would love to know more if that's cool by you.
#138 (permalink) | Windows 7 RTM 64-bit | Re: Security Team

Hey everyone, here are the current members: Neverhavemoney, Brink, mansrm81, barman58, .Joe, NormCameron.

If you wish to post paid-for security tools, you may, but you need to include a price for a single license. Also I am asking everyone to post FREE security tools and I will include them in the nightly post of members. If you are using these, let me know and I will put your name beside the program. Here is the current list:
#139 (permalink) | VISTA HOME PREMIUM X64/ 7 x64 / 7x86 | Re: Security Team

Hi Norm,

That's strange, I have scanned my PC with A-Squared Free many times without a problem. Maybe they have improved it since that review.

SIW2
#140 (permalink) | Windows Vista™ Home Premium | Re: Security Team

Hey everyone, it's been a while! I had a rockin' Christmas (got the new BlackBerry Storm) and was off to driver's ed the next day. I don't even have time to breathe anymore haha. So I was catching up on the posts here.

SIW2, I think it misses some things though. More than a scanner should. If it works for you though, you should definitely. That was just my personal opinion.

Norm + Chappy, great posts as always. Such an honor to have you two on the team here. Huge helps and great info.

And dmex, amazing stuff man. I wouldn't know how to do that at all! Care to shine in a little on how you did that?

Thanks y'all and I'm glad to finally be back,

B-E-N (haha new way to put my name, haha, I know I'm four haha)