Friday 5 October 2007, 21:30


SystemBodyguard is quite recent on the market (spring of 2006).
It is security software based on behavioral blocking (HIPS): its main features are the ability to control execution and to detect spying activities (keyboard hooks).


SystemBodyguard is freeware based on the adware principle: the program displays advertisements, especially for other (already integrated) products such as Pokerbodyguard or CustomXML, and for the activities and partners of Advanced Interactive Marketing (AIM), the vendor of this software:

[Image: systembody2.jpg]

SystemBodyguard is classified as adware by Softpedia: it installs a BHO that is currently detected as adware by only two scanner engines on Virus Total (Kaspersky and Ikarus):

[Image: phpdNtPZuAM.jpg]

The system is not really guarded by this adware HIPS, but fully invaded by AIM's marketing:
each time the user opens a folder, he is drawn into the Advanced Interactive Marketing world:

[Image: systembody1.jpg]

If we consider its security abilities, a user even slightly familiar with HIPS could be disappointed.
Execution control and keyboard hook detection are minimum features of most classical HIPS.
And it would be naive to trust the press announcement, which claims how marvellous and ultimate SystemBodyguard is.

[Image: systembody3.jpg]

SystemBodyguard vs. two leaktests:

[Image: systembody4.jpg]

[Image: systembody6.jpg]

[Image: systembody5.jpg]


We do not consider that this software requires more advanced tests:

-we really doubt that its efficiency could be compared with that of serious HIPS,

-there are already free, effective HIPS without marketing and advertising invasion, advanced or not.

We just hope that this commercial concept (imposed advertising as a kind of payment) remains isolated, and that some vendor (Comodo for instance) will not adopt it as another way to boost their NASDAQ value...




By SSTA - Published in: MARKETING ANATOMY

Monday 11 June 2007, 22:46




The main goals of this test are:


-to introduce the SSTA testing approach, motivation and philosophy,

-to show the protection limits of personal antivirus and HIPS software,

-to circumscribe the real value of Kaspersky antivirus for the potential consumer,

-to help security software vendors improve their products.


Many weaknesses pointed out by this test also concern most antivirus and HIPS vendors.
Comparison tests will be published in the future to test vendors' reactivity.

This page is the map for browsing the test: it is best to follow the order step by step.
And this is the official test link page (please do not link directly to another test page).



TEST MAP:



Introduction pages:


Presentation


How we proceed


Configuration


Part 1


Part 2


Part 3


Copyright and disclaimer


A brief history



Test pages


Kaspersky test pages



Overall pages


General Pros and Cons


Trojans, backdoors, bots and Rats


Viruses, worms and scripts


Spywares and adwares


Stealth threats


Client/server side and other attacks



Keyloggers and spy methods


Antivirus: the antimarketing test




By SSTA - Published in: TEST AND TESTING

Monday 11 June 2007, 19:26

Introduction


A Kaspersky products reseller has published PDF papers about the efficiency of KAV 6 in general and rootkit removal in particular [1].
In these papers, malware and demos are used to demonstrate the effectiveness of the proactive module.
Naturally, the results are maximal: 100%!
Naturally... because we can't expect any security software vendor or reseller to show the weaknesses of its products.
Maybe it is aware of its weaknesses...

The rule of marketing and advertising is mainly to show the bride as more beautiful than she really is.
This is a legitimate policy: we live in a business world, don't we?



However, under KAV protection, we were able to:


-spy in various ways (keyloggers, sniffing, webcam),

-run scripts, copy files and folders,

-create new accounts and play with privileges,

-evade the scanner engine,

-silently dump all the content of a USB stick to the desktop, and root and damage the system from external drives (USB, CD-ROM),

-compromise security by running backdoors,

-achieve remote code execution (Outlook etc.),

-crash browsers and computers (...),

-download malicious files...



We have thereby shown the limits of marketing.
And what concerns Kaspersky antivirus concerns any other antivirus, HIPS and firewall vendor.
Like any other security software, Kaspersky antivirus 6.0 is not the perfect product presented by the usual marketing speech.



Softwares as Security, Softwares as a Religion


By this test we have shown some limits of antivirus and HIPS software: internet threats are too varied, numerous and sophisticated to be fully covered by just one product.
Unfortunately, security forums are full of endless discussions about super products which provide ultimate security.
This is the impact of the IT industry's massive marketing investment: even system administrators and IT managers are influenced by the sirens of marketing...

Antivirus, firewall, HIPS, HIDS, NIPS, NIDS, IPS, IDS, anti-0-day, anti-keylogger... the ultimate [2] software does not exist.
Or only in IT managers' wishes and developers' dreams...


Handling security with software is a lost battle: the protection provided by security software is both driven and limited by its own component: code.

Software is composed of lines of code,
but any line of code can theoretically be broken [3],
so any software can be bypassed and defeated.

As simple as this sophism is, there is an intangible law: the Grail of security does not exist, any more than the Grail of products.

The second house of a programmer is the drawing board, and this house should be the school of modesty: however talented security software developers are, it is difficult to believe in the unknown genius...
The line of code designed today can be defeated tomorrow: the destiny of a programmer's work is like Sisyphus's destiny.


Things are not as simple as the equation: disease=medicine, crime=police, virus=antivirus, computer threat=security software.

Security is a complex process [4], not only a variable of products.
The higher the level of control over this process, the higher the level of security.

Unfortunately, the police can't control every street or every airport, and the system administrator can't have absolute control of what happens on a network perimeter:
does he, in the first place, check whether the installed security products are securely coded...




The Computer's world: a grey world.


Windows is not perfect, but it can be enhanced to mitigate the impact of malware, if the user gets used to applying the principle of least privilege and takes the time to harden the system [5].
And the AV industry has legitimately never promoted the principle of least privilege:
"Windows is not secure, buy our products and you'll be secure" is the marketing blah-blah used for years.

Fortunately, with the release of Vista, Microsoft has made up for lost time: what requires effort and knowledge with XP comes already hardened in Vista.
And the "intrusion" of Microsoft into the security industry has generated grumbles and loaded Uzis from most AV vendors.
In fact Microsoft legitimately wants its part of the market, and AV vendors do not wish to lose theirs.
This is a business battle: who could seriously doubt that?

But what about the end user?
Should he remain a cash machine?


"Do we really need a Security Industry" [6], Bruce Schneier recently wrote.
And if it's difficult to agree totally, we need to consider that the computer security business is like any other business: money is its only religion.

In the land of this world, we have:

-On the first side of the river, product providers (software, hardware): the web is dangerous; buy our products and you'll be secure.

-On the second side of the river, vulnerability assessment companies and ethical hackers: your line of defense can be compromised; see the demonstration and the PoC, subscribe to our services (audit, web protection, secure transactions etc.) and we'll help you make it much more secure.

-In the middle of the river, all computer users (home, corporate, institutions, administrations), who cross the river and meet here and there spammers, crackers, DDoSers, cybercriminals...

Each group needs the others: security product providers need cybercriminals for a marketing exploitation of fear; ethical hackers and vulnerability assessment companies need security product providers for their research or to sell their services (and the tools used by pen-testers and cybercriminals are sometimes the same)...


There's no white side and black side: like human beings, things are often grey.



Greatness and decadence of the black list protection concept


All that being said, we need to be as objective and neutral as possible,
and to consider and admit some facts.
Ever since AV has existed, the black list concept has been a dead end.
For years and years, antivirus software has provided colander-like protection: more than any firewall or HIPS, an antivirus is the kind of software that is easiest to bypass.

For years and years, the AV industry has sold ineffective products, designed by "virus experts" and defeated by 12-year-old kids...
From the system administrator to the international security guru, who can utterly trust them?

Moreover, some institutions like Virus Bulletin used to play the AV industry's marketing game: by publishing tests with 100% detection rate results, they gave the home user the feeling that antivirus software is able to stop 100% of malware.
The VB100 logo is not only designed to point out reactive vendors, but also to help these vendors sell more and more software...

The black list concept can't stop 100% of malware: this fact is integrated in the EULAs of most antivirus vendors (chapter 5.3 of the Kaspersky EULA for instance).

Last year, an organization [7] released tests with created malware as test files, and naturally the AV industry contested this testing methodology.
As far as we know, new malware emerges each day: this is a reality.
And contesting this testing approach is contesting reality.

Business or not, there's a limit to bad faith...




With the available technology (virtualization [8] for instance), the different security models (white list [9], behavioural analysis [10], sandboxing [11]) and the different classes of software (HIPS [12], rollback/instant backup), black-list-based antivirus is technically not absolutely necessary.
And it would not be difficult to demonstrate that a white-list-based HIPS is much more effective and reliable than any antivirus based on signature file detection.

That which is not checked as safe (white list) is automatically blocked: this is a wall.
Only that which is checked as malicious is automatically blocked (black list): this is a colander.
This obvious fact does not require any kind of testing demonstration.
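
The wall/colander contrast above, as an added Python example that is not part of the original article: exact SHA-256 matching stands in for signature detection (a simplification), and every sample file, name and policy class is constructed for illustration. It also shows the price of the wall: a legitimate update stays blocked until someone approves it.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Identify a file by the SHA-256 digest of its content."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; none of these bytes is real
# software or real malware.
EDITOR_V1 = b"constructed sample: text editor 1.0"
BROWSER_V1 = b"constructed sample: web browser 1.0"
EDITOR_V2 = b"constructed sample: text editor 1.1"   # benign update
KNOWN_BAD = b"constructed sample: catalogued malware"
REPACKED_BAD = KNOWN_BAD + b"\x00"                    # same sample, one byte appended
NEW_BAD = b"constructed sample: malware released today"

# (name, content, is_malicious) - the ground truth the policies cannot see.
SAMPLES = [
    ("editor-1.0", EDITOR_V1, False),
    ("browser-1.0", BROWSER_V1, False),
    ("editor-1.1", EDITOR_V2, False),
    ("catalogued-malware", KNOWN_BAD, True),
    ("repacked-malware", REPACKED_BAD, True),
    ("new-malware", NEW_BAD, True),
]


class BlackListPolicy:
    """Default allow: block only what is already known to be malicious."""

    def __init__(self, known_bad):
        self.signatures = {sha256_hex(d) for d in known_bad}

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) not in self.signatures


class WhiteListPolicy:
    """Default deny: run only what has been checked as safe."""

    def __init__(self, approved):
        self.approved = {sha256_hex(d) for d in approved}

    def approve(self, data: bytes) -> None:
        # The manual decision someone has to make for every new program.
        self.approved.add(sha256_hex(data))

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) in self.approved


def evaluate(policy, samples):
    """Return (malicious files that ran, benign files that were blocked)."""
    malicious_ran = [n for n, d, bad in samples if bad and policy.allows(d)]
    benign_blocked = [n for n, d, bad in samples if not bad and not policy.allows(d)]
    return malicious_ran, benign_blocked


if __name__ == "__main__":
    black = BlackListPolicy([KNOWN_BAD])
    white = WhiteListPolicy([EDITOR_V1, BROWSER_V1])
    print("black list:", evaluate(black, SAMPLES))
    print("white list:", evaluate(white, SAMPLES))
    white.approve(EDITOR_V2)
    print("white list after approving the update:", evaluate(white, SAMPLES))
```
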

In addition, there will in the future be a hardware [14] alternative to antivirus software: it is also legitimate for the hardware chipset industry to take its part of the market...

But the majority of users are not familiar with HIPS, and do not have the knowledge to determine whether a file is malicious or not.
The presence of AV boxes at Wal Mart, Carrefour, Al Campo, Tesco, Ahold, Metro and in any other supermarket is not endangered.


Antivirus are dead [13], viva antimalware: Kaspersky 6 or the evolution from antivirus to antimalware


"If God does not exist, then everything is permitted", said Dostoevsky.
And in a world driven by money, cybercriminals [15] are not the last to show how ingenious human beings can be at doing bad things.
There are more and more computer users in the world, and at the same time internet threats in general and malware in particular become more and more sophisticated.

Most antivirus vendors have not followed this wave of sophistication.
Perhaps they are afraid to disturb their consumers' habits (the sacrosanct scan button) and, in the same way, to lose their part of the AV market.
A typical example is the rootkit phenomenon: Windows rootkits have officially existed since 2000, and the AV industry has only taken care of them since 2006/2007 [16].
Strange definition of reactivity, isn't it?


Fortunately, some vendors are convinced of the need for a real technical evolution.
Kaspersky is one of them.
While big companies invest more in marketing, small and medium-sized companies invest more in research and development.
This is the most reliable policy in the long run.
Moreover, isn't it the rule for vendors to provide the most reliable and effective security software, to give the best they can for their potential consumers?


Our test has clearly demonstrated that the integration of an HIPS or proactive module is very helpful to offset the limits of signature file detection.
Many tests have shown the need for another approach to fight unknown malware.
In the case of Kaspersky, the behavioural analyzer caught malware which was not recognized as malicious by the black list protection.
If behavioural analysis isn't a brand-new security concept, the integration of a proactive module in a classical antivirus is a kind of revolution for common users.


Using a computer nowadays becomes more and more risky without reliable protection.
With the integration of this proactive module, Kaspersky antivirus is currently and without any doubt the "antivirus" which provides the most exhaustive protection for end users.









1. PDMVsRootkits: direct download here.

Proactive defense/PDM paper here.

2. The ultimate security software (fun)

Dark Reading: "Top 10 Reasons Security Products Don't Work"

HIPS/IPS products are becoming more and more popular, but it seems this is not a panacea if we also take into consideration that many of them are vulnerable to attack evasion techniques...

3. Exploiting software: how to break code.

4. From product to process, Bruce Schneier.

5. An exhaustive guide for home users here.

6. "Do we really need a Security Industry" from Bruce Schneier's blog.

A summary here.

7. Techworld article.

8. Wikipedia

Virtualization info

Kernelthread: An introduction to virtualization

9. Wikipedia

"Black list versus White list software solutions" by Faronics: Anti-Executable is an example of a white list HIPS.

"Whitelisting Repairs Broken Anti-Malware Model"

Dark Reading: A-Listing Your Apps.

"Antivirus 2.0: the bouncer approach" (as a PDF here)

Securewave, one of the leaders of the white list security approach with Sanctuary, provides links to interesting articles on its web site.

- BBC News: Staying safe without antivirus

- NZ fights viruses in two fronts

10. Securityfocus: "Behaviour blocking: The Next Step in Antivirus Protection".

11. Wikipedia

Kernelthread

12. Wikipedia

An overview of personal/desktop HIPS here and an HIPS list updated recently for the purpose of this article.

The list of our Castlecops friends (the list of anti-phishing HIPS is empty: update required :) )

Dark Reading review of corporate H/IPS: "Host intrusion prevention products"

An example of an innovative HIPS approach with Nexthink.

13. "The slow death of AV technology".

"Has The End arrived for Desktop Antivirus?"

14. "A chip counters the viruses"

15. Crime-research: Computer crime: top threat in 2007.

2006 FBI/CSI Computer Crime and Security Survey: PDF here.

An interesting blog here.

16. Only a few vendors like Kaspersky, Nod32, BitDefender or AVZ integrate a fully functional anti-rootkit module.
Currently most anti-rootkit tools from AV vendors are simple beta tools.






[Image: chita2.jpg]


By SSTA - Published in: TEST AND TESTING

Wednesday 30 May 2007, 21:33

PART 2


The goal here was to test the product’s protection against real malware that users are likely to encounter.

KAV 6.0 is classified as an antivirus product but testing it only with viruses is an out-of-date and obsolete approach. The malware circulating today cuts across the old classifications of viruses, trojans, adware and spyware and typically includes features of multiple malware products in a single bundle.

To meet this threat, modern security products need to provide broad spectrum protection against all kinds of malware regardless of whether the security product is itself classified as an anti-virus, anti-trojan or anti-spyware product. Since all these security products employ some form of signature based detection this approach can be employed effectively against virtually all malware products.

Given this fact we have rejected the idea of testing KAV against a standard set of the most prevalent "in-the-wild" viruses. Instead we've used a broad set of malware that included old and recent versions of viruses, worms, trojans, backdoors, rootkits, RATs, keyloggers, spyware, adware etc.
Also included were commercial spy and keylogging programs.

And to further replicate the real-life situation, some of these samples were disguised as codecs, text files, PGP keys, images, self-extracting archives or screensavers. Additionally, some tests were performed live via instant messaging (Yahoo, MSN) or by email.

This way, we take a real-life approach by covering many scenarios.
This includes various aspects of computer spying, and especially cases which require physical access to the machine (keyloggers for instance).


Most antivirus vendors provide an annual report about the most important threats (mostly malware).
We can mention:


-Microsoft Security Intelligence Report (1 and 2)

-Kaspersky

And here an excellent technical study of the keylogger threat.

-McAfee Virtual Criminology Report 2007 (direct download here)

-WebsenseSecurityLabs 2006 (pdf here)

-Symantec Threat report


For those who wish to be kept regularly aware of recent threats, with illustrations:

-McAfee Avert Labs (excellent),

-Sunbelt blog,



In most cases, the malware used as test files is named using:

-the Kaspersky Lab classification,

-another antivirus classification (when not detected by Kaspersky antivirus),

-its original name,

-a "fake name": in this case, the file is renamed (R) for ethical or other reasons (some files are provided by people who do not wish to see this malware caught by antivirus).

For more details and descriptions of the malware test files, we highly suggest using an online search tool which queries several antivirus vendors' databases at the same time:

-Online Security Malware Research Tool



By SSTA - Published in: TEST AND TESTING

Tuesday 29 May 2007, 22:32

Part 1


This first part is designed to test the proactive module against some classes of behaviour used by malware, such as:

-dll injection (trojans),

-message hooks (trojan spy, password stealers, keyloggers),

-service/driver installation (rootkits, advanced trojans like "trojan pakes"),

-physical memory access (rootkits).


In addition, various aspects of system protection, such as the file system and registry, are also tested.

The majority of test files used for this first part are demonstration tools (only the task manager disabler can be considered malicious).
This methodology is not a standard one, but it is already used by some personal HIPS vendors to demonstrate the efficiency of their products (example here with GesWall): an HIPS with results < 60% can't seriously be taken into consideration.
In addition, this is a way for ordinary users to test their own HIPS without causing damage to their system.


By SSTA - Published in: TEST AND TESTING

Tuesday 29 May 2007, 21:38

Part 3


Testing any security software only with malware is a restricted methodology, and an "out of the reality" approach.
Insecurity is not only a question of malware.

It's necessary to consider:

-various aspects of attacks which are used for an intrusion:

*buffer overflow,

*privilege escalation,

*exploits (which can also be used for malware distribution [1])


-some methods used for important threats like phishing [2]:

*link manipulation (URL obfuscation),

*man-in-the-middle attack (certificate spoofing);


-the new generation of attacks: web application attacks, XSS for instance.

Web pages are more and more used as an attack and infection vector [3].

Also included in this third part are endpoint threats (data theft via thumbsucking [4] for instance) and various spying methods.

Excluded from this methodology are network attacks, which concern more firewalls, NIPS, NIDS, HIDS and IDS.

In addition, our test focuses only on security software for a home environment: it is not necessary to use an attack platform such as Metasploit or Canvas.

For those interested in attack statistics, we can mention:

-Arbor Networks Atlas

-Websense Map

-DShield (most attacked ports)



1. Bots via a flaw, for instance (Securityfocus).

2. Interesting PDF papers about phishing here and there.

3. Many illustrated examples are available at the Websense blog.

4. Thumbsucking, or the way to steal data via a USB key.



By SSTA - Published in: TEST AND TESTING

Tuesday 29 May 2007, 19:45

DISCLAIMER


*Limitations of testing over a long period

This test began in the summer of 2006 and was finished in 2007-05.
During this period, the operating system (Windows XP), applications (mostly browsers) and the tested product (Kaspersky) have been updated.
Some browser and exploit tests are therefore obsolete: testing a product against exploits should be done only with unpublished exploits... in a few words: with our own exploits...


*Kaspersky program updates and ethical conflict

-Kaspersky Lab is aware of the tests published on the over-blog platform since 2005 (KAV forums, end posts),

-Kaspersky Lab has been aware of this methodology for one year (that's why the methodology has been "unloaded" from the blog),

-the results were submitted to Kaspersky Lab on 2007-04-14.


A typical example is the PC Flank test: "fail" in the summer of 2006 and "pass" after the latest version (2006-12).

Kaspersky team members do not drink adulterated vodka while playing online poker games at the drawing board: this is one of the most reactive and productive teams in the AV industry.
We're convinced that the database has been updated (stealth keylogger for instance), and that the weaknesses will be fixed in version 7.

For more information, it is worth taking a look at this PowerPoint presentation by Nicolay Grebennikov:

"Kav 7.0 : overview of technologies": here for a direct download.

Many weaknesses that we have noticed and pointed out are already fixed (hidden ADS detection, rootkit scanner engine, enhanced keylogger detection etc.).

If sharing results before publication is honest, it is not interesting from a testing point of view.
A few days are enough to improve and update the product: between the test submission and the official publication, some results may have changed (F1/F2 becomes F1/P2 or P1/P2).

As we wish for a real-life approach, future tests will not be shared at all with vendors: when an attacker wishes to root a system, he does not contact the administrator a few weeks before, and he does not send him the "how to" and manual of the future intrusion.
Fortunately, we have not shared the files used for this methodology: either these files are submitted to all AV vendors, or they are submitted to none of them.

None of them (to each his own job).


*No software recommendation

Our goal is not to recommend the products that we test.
We focus on the effectiveness of any product, list advantages and drawbacks, and distinguish true efficiency from pure marketing, but it is not our role to encourage the purchase of a particular product.

We recommend a multi-layered defense strategy for ordinary users:

-a firewall and an antivirus (with a forum and support available in your language),

-an HIPS: the choice should be based on the language (some of them are only available in English) and mostly on the level of knowledge (white-list-based HIPS, virtualization or sandboxing for beginners and normal users, for instance) and convenience (with or without pop-ups).





                     *****Copyright and Disclaimer*****


     This publication, and information provided by the SSTA team on this blog, and other blogs where articles are stored, is copyright © . Except as specifically permitted, no portion of this publication may be distributed or reproduced by any means, or in any form, in whole or in part, without SSTA's prior written permission, notwithstanding that this information is provided electronically.

     However, users are hereby granted the right to distribute links to this publication.

     Any information provided by SSTA staff on these blogs is offered 'AS IS', with no express or implied warranties, claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained therein.
     Any material contained herein is believed to be complete, and the SSTA team takes care to ensure the correctness of any information provided. However, the authors do not warrant that the information is in every respect accurate or complete, and thus are not responsible for any errors or omissions, or for the results caused by any use of such information. SSTA and its testers cannot be held liable for any damage or loss which might occur, howsoever such loss or damage may arise, as a result of, or related to, the use of the information provided on these blogs.




By SSTA - Published in: TEST AND TESTING

Sunday 27 May 2007, 19:22



SPYING: not sufficient


The pros:

-good detection of usual keylogger behaviour (keyboard hooks),

-excellent prevention feature (invader alerts, often in relation with dll injection),

-one of the most reliable keylogger database (with Fortinet, BitDefender, Sunbelt and F-Secure)


The cons:

-does not cover a wide range of keylogger behaviours,

-ineffective against stealth keyloggers,

-no task with trusted programs, which makes the job of an ill-intentioned person easier (on a public computer for instance).


And we have been very nice, not vicious at all.
We have not included tests about:

-hardware keyloggers (example here or here),

-jitter bugs (general info in this PCWorld article and more technical in this usenix article),

-sound of keyboard,

-Tempest,

-RFID (some info here and here on privacy invasion),

-Smart Dust (nanotechnology): this technology and its privacy implications are not new (sites and articles have warned about it for years).
For those interested in this subject, we can recommend this article and these two PDF papers (summarized here).
More technology, more possibilities for spying: the fight for privacy rights is eternal (EFF, Protia and many more).



It's technically impossible for security software to cover every possibility of spying: the key here again is not a product (antivirus, anti-keylogger, HIPS), but rather a security approach: white list (biometric authentication, applications, protocols etc.) and encrypted communications (Tor, free or paid SSL VPN, or recent technology) should be enough to mitigate the risk of spying.

The next generation of computers will include touch-sensitive smart screens, for instance, virtual devices (here another example), or "the finger as a mouse" (here and here)...

But we hope that future generations of computers will include self-defense against spying.

Ladies and gentlemen, after Bruce Lee, the son of Bruce Lee, the cow of Bruce Lee, here comes the computer of Bruce Lee!







 

 

By SSTA - Published in: TEST AND TESTING

Sunday 27 May 2007, 18:15

EVALUATION METHODOLOGY


Testing environment:

-OS: Most tests were conducted using Windows XP2 Home Edition. A few tests were conducted using Windows XP Pro and verified on XP Home.

-Version of KAV: tests done since the summer of 2006 used the trial version available from the Kaspersky web site.
Since the beginning of 2007, tests were done with a licensed version of KAV.
As the tests spanned the period from July 2006 to May 2007, there were some changes in version during that period. All tests in part 1 and a few in part 2 were done using KAV version 6.0. However, all test results were later verified with the latest KAV version (6.0.2.621).

-PC environment: All tests were done on a standard non-hardened machine typical of home users' systems. To approximate a real-life situation more closely, all tests were run in a native XP environment using a standard user account with Admin privileges rather than using VMware. Tests were done on several machines, some of them integrated in a LAN, with 256 MB to 1024 MB of memory.

Apart from a firewall, the test PC was not protected by other security products that might interfere with Kaspersky antivirus.
However, all software including Windows, KAV 6.0, Adobe Acrobat etc. was updated to the latest version, including any security patches.

Prior to the commencement of the tests, the system was checked for any kind of infection (virus, trojan, rootkit etc.) to verify that it was totally clean.
This clean system state was then imaged to another hard drive partition which was itself protected. The system was restored using this image after any test that might have an impact on the system, such as the creation of run keys, hooks into the SSDT etc.
This approach, though time consuming, provided a clean environment that was consistent between tests.

-Testing tools: In order to measure the impact of our tests we used a full suite of security tools such as the Sysinternals utilities, anti-rootkits such as IceSword and various file and registry monitors.


By SSTA - Published in: TEST AND TESTING

Sunday 27 May 2007, 17:50

Trojans, bots, backdoors and RATs: Very good.

As long as the malware tries to install itself on the system, it can be prevented (registry guard, trojan generic etc).
The weakness concerns "pure malware servers": the PDM does not integrate a detection module for servers (applications which accept connections).
In this case the computer can easily be compromised during the session.
But on the other hand, we can mention a "rootshell" behaviour detection which mitigates this little weakness.
This feature is unique for a behavioural analyzer designed for home users (as far as we know, rootshell detection is not present in any other personal HIPS).
By SSTA - Published in: TEST AND TESTING