BBStyle

a-squared Anti-Malware low self-protection


So I know a-squared asks to allow or block if an application wants to suspend a process (inject code) into another application!

If you allow it and save the rule, then the application you allowed can also suspend a-squared Anti-Malware processes!

I was making a task manager in AutoIt v3 and found this out while testing!

If you first suspend a2guard.exe and then a2service.exe, a-squared is disabled!

I tested it with a sample: a-squared stops the sample from starting, it says: Application tries to modify autostart...

Rule was not saved.

I suspended a2guard.exe, then a2service.exe, and see there, I could start the sample without any alerts.

Resumed the a-squared processes again, started the sample: a-squared alerted!

I think this is not really fine; a-squared should block the application from suspending a-squared!

AutoIt v3 code for suspend:

; Suspends all threads of the named process through the undocumented
; ntdll!NtSuspendProcess. Returns 1 on success, 0 with @error set otherwise.
_ProcessSuspend("a2guard.exe")

Func _ProcessSuspend($sProcess)
    Local $processid = ProcessExists($sProcess)
    If Not $processid Then Return SetError(2, 0, 0) ; process not running

    ; 0x1F0FFF = PROCESS_ALL_ACCESS; PROCESS_SUSPEND_RESUME (0x0800) would be enough
    Local $ai_Handle = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x1F0FFF, "bool", False, "dword", $processid)
    If @error Or Not $ai_Handle[0] Then Return SetError(3, 0, 0) ; OpenProcess failed or was denied

    ; NtSuspendProcess returns an NTSTATUS; 0 is STATUS_SUCCESS
    Local $ai_Status = DllCall("ntdll.dll", "long", "NtSuspendProcess", "handle", $ai_Handle[0])
    Local $bOk = (Not @error) And ($ai_Status[0] = 0)

    ; close the handle itself ($ai_Handle[0]), not the DllCall result array
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $ai_Handle[0])

    If $bOk Then Return 1
    Return SetError(1, 0, 0)
EndFunc


Hi BBStyle.

You are talking about stronger "self-protection" in a-squared.

At the same time, all you described is correct behaviour. You allowed the action.

You can change the rule and allow some actions but block others.

a2 is alerting you again (about itself). What else can you do except answer accordingly?

Basically there is no way that you cannot write code (place it deliberately or get it from somewhere...) that can kill anything, despite whatever more or less strong "self-protection" is implemented.

Probably you meant that you want to have a more distinguished set of rules, say allowing the "murderer" to kill a victim (application) "A", but disabling the same "murderer" from killing other processes "B", "C", etc.

In this case, next time the same process tries to suspend "B" & "C" (a2guard and/or a2service) you will not be alerted, but the actions will be silently denied.

Is that the request, or did I get it wrong?

I hope the developers will add to that

and answer the question about not saving the rule about the auto-start modification that you allowed, as far as I understand.

My regards


A2 self-protection is really strong enough. I can give you an example.

XueTr is a kernel-level anti-rootkit tool; it loads a driver in order to seize OS-level privilege. Be careful testing in a VM. It may cause a bluescreen on Windows 7. You may get it via the URL below.

http://xuetr.com/download/XueTr.zip

Kaspersky blocks it successfully but A2 does not. I once talked to a developer who thinks self-protection is not required. What I have to say is that Kaspersky's is really solid. I never trust the user.


Ray,

Let's get the response from BBStyle first ... and from the developers.

Unfortunately I don't have time at the moment to dive deep, research, and test what you are saying,

but your statement is quite controversial, at least the way it was written.

My regards

P.S. Which user do you never trust? :unsure:


Ok, I have to say just one thing:

Run(@ComSpec & " /c " & 'net stop "a2AntiMalware"', "", @SW_HIDE)

This command in AutoIt will stop a-squared!

I got no alerts at all!

Kaspersky and other AV vendors block that action!

Shouldn't a-squared disable the ability to stop the service?


Starting, stopping, pausing, resuming, or restarting services are legitimate actions/commands.

Why NET STOP [service] should be alerted I really don't know.

I do that quite often; moreover, I would be very annoyed by alerts about that.

It is enough that a captcha fires up when one tries to close the Guard from the SysTray,

but I understand that you want alerts when disabling the service and/or startups deliberately using commands (>Net Stop "Mamutu Service") or manually (unchecking or disabling in Services).

Let's wait for the reply from the developers.

My regards


It wouldn't be annoying if it alerted that an application wants to disable the a-squared service!

It is the easiest thing for malware to kill a-squared!

Of course a-squared processes may be well protected from terminating, but what is the point of making such a self-defense protection if you can disable it with simple service stop commands? :D

PS: You don't get any captcha entry box if you kill the service!

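
The posts above want an alert when something stops the a2AntiMalware service or kills a2guard.exe. Even where the product stays silent, the host's own logs record the tampering, and a detection can be written against them. The script below is an added example (my code, not from the thread and not Emsi's): a few rules run over constructed Windows event log records. The event IDs are the real ones: System 7036 and 7040 from the Service Control Manager, Security 4688 process creation (command line present only with command-line auditing enabled), and Sysmon event 10 ProcessAccess, which is what catches the OP's handle-open-and-NtSuspendProcess route, since a suspension leaves no trace in the built-in System or Security logs. The service and process names come from the thread; the file paths and the flattened message layout are constructed.

```python
"""Flag service-stop, process-kill and suspend attempts against a-squared in
Windows event log records.

Added example: not code from the thread or from Emsi. Records are constructed;
real messages put each field on its own line, here they are flattened with
two spaces between fields.
"""
import re
from dataclasses import dataclass

PROTECTED_SERVICES = {"a2antimalware"}                   # service name from the thread
PROTECTED_PROCESSES = {"a2guard.exe", "a2service.exe"}   # process names from the thread
# Command-line front ends for the Service Control Manager and for killing processes.
SCM_CLIENTS = {"net.exe", "net1.exe", "sc.exe", "powershell.exe", "taskkill.exe"}

PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800   # the right NtSuspendProcess needs on the handle


@dataclass
class Event:
    log: str        # "System", "Security" or "Sysmon"
    event_id: int
    message: str


SAMPLE_EVENTS = [  # constructed sample records
    Event("System", 7036, "The Windows Update service entered the running state."),
    Event("Security", 4688, "New Process Name: C:\\Windows\\System32\\net.exe  "
          "Creator Process Name: C:\\Users\\bob\\tm.exe  "
          'Process Command Line: net stop "a2AntiMalware"'),
    Event("System", 7036, "The a2AntiMalware service entered the stopped state."),
    Event("System", 7040, "The start type of the a2AntiMalware service was changed "
          "from auto start to disabled."),
    Event("Security", 4688, "New Process Name: C:\\Windows\\System32\\taskkill.exe  "
          "Creator Process Name: C:\\Windows\\explorer.exe  "
          "Process Command Line: taskkill /F /IM a2guard.exe"),
    Event("Security", 4688, "New Process Name: C:\\Windows\\System32\\notepad.exe  "
          "Creator Process Name: C:\\Windows\\explorer.exe  "
          "Process Command Line: notepad.exe"),
    # Sysmon ProcessAccess: tm.exe opened a2guard.exe with PROCESS_ALL_ACCESS (0x1F0FFF)
    Event("Sysmon", 10, "SourceImage: C:\\Users\\bob\\tm.exe  "
          "TargetImage: C:\\Program Files\\a-squared\\a2guard.exe  "
          "GrantedAccess: 0x1F0FFF"),
]

_STATE_RE = re.compile(r"The (.+?) service entered the (\w+) state\.")
_START_TYPE_RE = re.compile(r"The start type of the (.+?) service was changed from (.+?) to (.+?)\.")
_PROC_RE = re.compile(r"New Process Name: (.+?)\s{2,}.*?Process Command Line: (.*)$")
_ACCESS_RE = re.compile(r"SourceImage: (.+?)\s{2,}TargetImage: (.+?)\s{2,}GrantedAccess: (0x[0-9A-Fa-f]+)")
_SCM_VERBS = re.compile(r"\b(stop|config|delete|pause)\b")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) findings, in event order."""
    findings = []
    for ev in events:
        if ev.log == "System" and ev.event_id == 7036:
            m = _STATE_RE.match(ev.message)
            if m and m.group(1).lower() in PROTECTED_SERVICES and m.group(2) == "stopped":
                findings.append(("protected_service_stopped", m.group(1)))
        elif ev.log == "System" and ev.event_id == 7040:
            m = _START_TYPE_RE.match(ev.message)
            if m and m.group(1).lower() in PROTECTED_SERVICES and m.group(3) == "disabled":
                findings.append(("protected_service_disabled", m.group(1)))
        elif ev.log == "Security" and ev.event_id == 4688:
            m = _PROC_RE.search(ev.message)
            if not m:
                continue
            exe, cmdline = _basename(m.group(1)), m.group(2)
            low = cmdline.lower()
            if exe not in SCM_CLIENTS:
                continue
            if any(s in low for s in PROTECTED_SERVICES) and _SCM_VERBS.search(low):
                findings.append(("scm_tamper_cmdline", cmdline))
            elif any(p in low for p in PROTECTED_PROCESSES):
                findings.append(("process_kill_cmdline", cmdline))
        elif ev.log == "Sysmon" and ev.event_id == 10:
            m = _ACCESS_RE.search(ev.message)
            if not m:
                continue
            source, target, granted = m.group(1), _basename(m.group(2)), int(m.group(3), 16)
            if target in PROTECTED_PROCESSES and granted & (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME):
                findings.append(("process_handle_suspend_or_kill", f"{source} -> {target} ({m.group(3)})"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

A `net start` of the same service, or a handle opened with only query rights, produces no finding; the rules key on the verb and on the access bits rather than on the service name alone, which keeps the developer's legitimate `net stop` from a console distinguishable only by who ran it, not by the command.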

On the other hand, you can't stop the service unless you have permission to do so from your system's administrator. This is a purely administrative issue. If you run an unknown application as an administrator, no self-protection on earth could protect you, since your protection will ultimately run with the same privileges as the attacking code. We certainly could block service stop requests, but that way we would prevent the user from stopping the service if he wants to do so. Additionally, that won't protect from an almost infinite number of other attacks that could be used given administrator rights.

We added self-protection in the past for attacks that were used by malware against our application (mimicking user interaction, simple TerminateProcess calls, file replacement or deletion), and we will add additional protection if we see any real need for it (= if actual ITW malware attacks our application using a method not covered yet). Until then we focus on actually improving our detection capabilities, because detection is the best kill protection that can be done. Malware that is blocked from being started can't kill anything.

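
The developer's point rests on the service's own access control: `net stop` succeeds only for a principal the service's DACL grants SERVICE_STOP, and anyone holding WRITE_DAC can simply grant it back to themselves, so a deny entry is no defence against code already running as an administrator. The script below is an added example (my code, not from the thread and not Emsi's) that parses the DACL part of an SDDL string of the kind `sc.exe sdshow <service>` prints and reports who may stop the service. DEFAULT_SDDL is constructed here to match the stock Windows service descriptor; HARDENED_SDDL is a hypothetical variant for the a2AntiMalware service name used in the thread, of the kind one would install with `sc.exe sdset`. The well-known SID aliases and right mnemonics are the standard SDDL ones.

```python
"""Who is allowed to stop a Windows service, according to its DACL?

Added example: not code from this thread or from Emsi. DEFAULT_SDDL is
constructed to match the stock service security descriptor; HARDENED_SDDL is
a hypothetical variant for the a2AntiMalware service from the thread.
"""
import re

# SDDL right mnemonics and the service-specific rights they map to (winsvc.h).
SDDL_RIGHTS = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
}
SERVICE_STOP = SDDL_RIGHTS["WP"]
REWRITE_DACL = SDDL_RIGHTS["WD"] | SDDL_RIGHTS["WO"]
GENERIC_ALL = SDDL_RIGHTS["GA"]

# Well-known SID abbreviations that show up in service descriptors.
WELL_KNOWN = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
              "SU": "Service", "BU": "Users", "AU": "Authenticated Users",
              "WD": "Everyone"}

# Stock service security descriptor (constructed to match the Windows default):
# LocalSystem and Administrators may stop; interactive and service logons may only query.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)"
                "(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Hypothetical hardening for a2AntiMalware: an explicit deny of SERVICE_STOP for
# Administrators in front of the default entries, e.g.
#   sc.exe sdset a2AntiMalware "<this string>"
HARDENED_SDDL = "D:(D;;WP;;;BA)" + DEFAULT_SDDL[len("D:"):]

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights_mask(rights):
    """'CCLCSWRP' or '0x1fd' -> integer access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("odd-length rights string: " + rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, access_mask, sid_or_alias)] from the D: section.
    ACE fields: type;flags;rights;object_guid;inherit_guid;account_sid."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        aces.append((fields[0], _rights_mask(fields[2]), fields[5]))
    return aces


def who_can_stop(sddl):
    """Principals granted SERVICE_STOP, minus those with an explicit deny.
    Group membership is not expanded: 'BA' is the Administrators group itself."""
    allowed, denied = set(), set()
    for ace_type, mask, sid in parse_dacl(sddl):
        if not mask & (SERVICE_STOP | GENERIC_ALL):
            continue
        if ace_type == "A":
            allowed.add(sid)
        elif ace_type == "D":
            denied.add(sid)
    return allowed - denied


def who_can_rewrite_dacl(sddl):
    """Principals holding WRITE_DAC or WRITE_OWNER: a deny ACE does not bind
    them, they can rewrite the descriptor and grant SERVICE_STOP back."""
    return {sid for ace_type, mask, sid in parse_dacl(sddl)
            if ace_type == "A" and mask & (REWRITE_DACL | GENERIC_ALL)}


def describe(sddl):
    def names(sids):
        return sorted(WELL_KNOWN.get(s, s) for s in sids)
    return {"can_stop": names(who_can_stop(sddl)),
            "can_rewrite_dacl": names(who_can_rewrite_dacl(sddl))}


if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, describe(sddl))
```

On the default descriptor only LocalSystem and Administrators can stop the service, which is why a standard user's `net stop` fails with access denied; on the hardened one the deny entry removes Administrators from the stop list, but they keep WRITE_DAC and WRITE_OWNER and can undo it in one `sc.exe sdset`, which is exactly the limit the developer describes.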

I understand what you mean.

But most users are still using Windows XP as Administrator.

Of course detection is the best protection, but let's say a newbie user gets new malware today.

a-squared didn't alert, and it is disabled by the malware now!

Next day Emsi Software updates its database and the malware is detected, but a-squared doesn't start anymore!

So what do you think this newbie user will do? If a-squared were running, then it might still detect the malware and/or block its actions.

I mean, c'mon, under self-protection I understand full protection, including service close protection, registry item protection (you can change a-squared registry entries while a-squared is active...), suspend protection and of course protection from terminating.

I'm just saying what I saw from products like Kaspersky, Norton and others!

Norton still runs on 96% of computers after an infection!

I can't say this for a-squared; if a-squared gets better known, how many malware writers do you think will include a simple service stop command for a-squared?

Self-protection is today one of the most needed functions in an anti-malware application.

PS:

A few days ago when I was testing a-squared on VMware vs. some malware links, I saw that one of these malware samples was actually not detected, a-squared was closed, and Windows didn't even start anymore!

This was just my opinion ;)

I like a-squared Anti-Malware anyway, I just want to help improve it!


> Of course detection is the best protection, but let's say a newbie user gets new malware today.
> a-squared didn't alert, and it is disabled by the malware now!
> Next day Emsi Software updates its database and the malware is detected, but a-squared doesn't start anymore!

Your argument is flawed on many different levels. Besides the fact that no self-protection available in other products today can actually assure that the product is able to start correctly once the system is infected, you forget that once malware was able to execute, the system is potentially compromised. Getting a TDL3 dropper to run once is enough to infect a system without any of the current public anti-malware products being able to detect and remove it.

So instead of giving an argument for self-protection, you gave an argument for not letting malware execute in the first place.

> I mean, c'mon, under self-protection I understand full protection, including service close protection, registry item protection (you can change a-squared registry entries while a-squared is active...), suspend protection and of course protection from terminating.

As I said, the user may want to stop the a-squared service. In fact quite a few a-squared Free users prefer that method. If we actually find malware that tries to stop our service we may include the protection. But until then we won't.

You can access the a-squared registry keys with the exception of the auto run entry. The keys themselves, though, only store encrypted data. So essentially the only thing you can do as malicious software would be deleting settings and thereby resetting a-squared to its defaults.

Suspending or terminating any a-squared process on the process level shouldn't be possible unless you allow it or exclude an application from being monitored.

> I'm just saying what I saw from products like Kaspersky, Norton and others!
> Norton still runs on 96% of computers after an infection!

And in the case of TDL3, for example, finds exactly zero infections once the dropper got executed, because the software is bypassed.

> I can't say this for a-squared; if a-squared gets better known, how many malware writers do you think will include a simple service stop command for a-squared?

We will adapt. The last time (malware overwriting and renaming our program files) we had an update out in less than 24 hours.

> A few days ago when I was testing a-squared on VMware vs. some malware links, I saw that one of these malware samples was actually not detected, a-squared was closed, and Windows didn't even start anymore!

I haven't found any submissions from you. Since I assume you are actually interested in improving a-squared, I would ask you to provide the URL or the sample used for your testing.

> I like a-squared Anti-Malware anyway, I just want to help improve it!

The first way would be by providing the sample you mentioned above.


I will look for the malware which I tested.

It was some link from Malware Domain List!

As I said, it blocked Windows from starting, gave a bluescreen, and safe mode also ended with a BSOD!

I just restored it back to clean from VMware; it won't be easy to find that malware, the links are for sure already dead and I don't remember which link it was!

I didn't look for the name of the malware because a-squared blocked all the others successfully and I thought it would block that one too, so I just downloaded and ran that executable.

Edit: It was 4 or 5 days ago, I will check the links from those days tomorrow!


It's a common strategy of rootkits to bluescreen virtual machines. It would be interesting though how the rootkit was loaded since there were no alerts according to your description. I will do some additional tests with ITW rootkits collected in the last 2 weeks. Maybe I stumble over it.


Sorry that I have not described it fully!

So I tried to find it today, but most links are dead and it takes a lot of time to test them all; my computer is just too slow!

It was some sort of Fake AV; I got a popup from the tray that Windows Firewall was disabled and of course that Windows is infected! I saw a-squared's tray icon turn into the one with the small red sign, the way it does when you start Windows! And it was gone as fast as I saw the red icon.

I tried to run a-squared but I got an error that it is not a valid Win32 application..

I had no time to search and look at what it was and what it did, so I just pressed the red Stop button in VMware and started from new, but it did not start, bluescreens...

No idea why it did not start anymore; there is no point in a FakeAV disabling your security and just killing Windows, because a FakeAV tries to get money from you!

The only reason would be if it wants to modify your computer but knows HIPS/IPS may detect it.

Again sorry, I searched for 2 hours but I could not find it, but I have to say that almost all of the links I tested today were detected and blocked by a-squared!

