It was better in the old days..

Back in the days of the Amiga, we had lots of viruses too. We had memory-resident programs (like TSRs for DOS) that protected the system, antivirus code in boot sectors, and programs that warned you if there were virus-like programs running.

There was even antivirus software that could decode and analyse executable code on the fly and tell you what the code could do, like "changes reset vectors, may survive a boot" (etc.).

Now when I look back upon this era, I feel that we have moved backwards in time. Not many are doing anything proactive; most antivirus software is just fixing the problem using reactive measures. Sure, it makes them money, so why bother fixing it?

But some of us are trying to fix it.

"Procwall" (my own toy) has protected me and some of my friends for quite some time against malicious code by preventing PUPs from running, "DropMyRights" from Microsoft is quite useful for locking down rights for programs (How about IE? :o), "Antihook" from InfoProcess can isolate a program's actions at API level (cool stuff), and of course you can run programs in VMware's virtual machines to protect your own system from compromise.

I would like to see more of these kinds of protection and less of the traditional file signature scanning. That is sooo 1980's.

In Windows Vista Beta, you get some sort of application protection against malware. Unfortunately, it looks like one line of Visual Basic code (SendKeys) could bypass it. I would like to see a profiling mode where the client is protected, and then a separate user mode where applications are blocked and you are not asked any questions at all.

EDIT: Looks like SendKeys() is blocked in Vista, but there are alternatives to that as well as more techniques around it. And even if it manages to block an app, it is only blocking server software from binding to a port (like a Trojan/RAT); it appears that it doesn't block an unknown program from connecting somewhere.

Great!

Are you distributing your tool? Do you have any technical information about it?

Yes, it has been in distribution for a few years.
http://www.geocities.com/Ichinin/procwall.htm

There is a manual and a zip file on the page, and it's freeware - knock yourself out.

The program is a basic process interceptor. Whenever a new proc is spawned, it is halted and the file signature is scanned; if the signature is in the db the process is unsuspended, if not the process gets its feet cemented and is thrown into a river.

I have suspended development on that particular version and am working on something more interesting right now.
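As an added illustration of the allowlisting logic described in the reply above (this is example code, not Procwall's own), a Python simulation that holds a newly spawned process, hashes its image file and resumes it only when the digest is in the allowlist db. It assumes the "file signature" is a content hash (SHA-256 here); the `ProcessGuard` class, the file names and the sample bytes are constructed for the example, and suspend/resume/kill are modelled as a verdict string.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path):
    """Hash the process image file in chunks (the 'file signature' check)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class ProcessGuard:
    """Simulated allowlist interceptor: a new process is held while its
    image is hashed; it is resumed only if the digest is in the db."""

    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)
        self.log = []  # (image name, verdict) for later review

    def on_spawn(self, image_path):
        # The process stays suspended until we reach a verdict.
        try:
            digest = sha256_of_file(image_path)
        except OSError:
            verdict = "terminate"  # unreadable image: fail closed
        else:
            verdict = "resume" if digest in self.allowed else "terminate"
        self.log.append((os.path.basename(image_path), verdict))
        return verdict

def demo():
    """Constructed sample 'executables' run through the guard."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "editor.exe")
    with open(trusted, "wb") as f:
        f.write(b"MZ constructed trusted program bytes")
    guard = ProcessGuard([sha256_of_file(trusted)])
    renamed = os.path.join(d, "renamed.exe")
    os.rename(trusted, renamed)  # same bytes, new name: still allowed
    tampered = os.path.join(d, "editor.exe")
    with open(tampered, "wb") as f:
        f.write(b"MZ constructed trusted program bytes" + b"+patched")
    return {
        "renamed": guard.on_spawn(renamed),     # "resume"
        "tampered": guard.on_spawn(tampered),   # "terminate"
        "missing": guard.on_spawn(os.path.join(d, "ghost.exe")),  # "terminate"
    }
```

The renamed copy is still resumed because the verdict depends on the image contents, not its name, while a trusted name with altered contents is stopped.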