Monday, July 31, 2006

program execution filter done

phew,

Well, after a lot of where-is-the-bug stuff, I've finished the program execution filter, and I have to say that it looks great, not only for its main purpose (which is preventing malware from running) but also because the user can use it to easily add new executables to Trusted Executables, as it will prompt the user whenever a new, untrusted executable is about to be executed.
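As an added example (not Neoava Guard's code, whose internals this post does not show), here is a small user-mode model in C of the decision such a filter makes before an executable runs: allow when the path and image hash match a Trusted Executables entry, auto-trust in a wizard/learning mode like the one planned for Beta 2 further down the page, and otherwise prompt. The path-plus-hash key, the FNV-1a hash and all names are my assumptions; a real HIPS does this from its kernel driver and would use a cryptographic hash.

```c
/* Added example, not Neoava Guard's code: a user-mode model of the "prompt when an
 * untrusted executable is about to run" decision. Trust is keyed on path AND content
 * hash (my design choice, not NG's), so a replaced binary at a trusted path prompts again. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_TRUSTED 64
typedef enum { EXEC_ALLOW, EXEC_PROMPT } exec_decision;
typedef struct { char path[128]; uint64_t hash; } trusted_entry;  /* hash = FNV-1a of image */
typedef struct {
    trusted_entry entries[MAX_TRUSTED];
    int count;
    int learning;   /* 1 = wizard mode from the Beta 2 post: auto-trust everything seen */
} exec_filter;

/* 64-bit FNV-1a over the executable image bytes (placeholder for a cryptographic hash). */
uint64_t fnv1a64(const unsigned char *data, size_t len) {
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 1099511628211ULL; }
    return h;
}

static trusted_entry *find_by_path(exec_filter *f, const char *path) {
    for (int i = 0; i < f->count; i++)
        if (strcmp(f->entries[i].path, path) == 0) return &f->entries[i];
    return NULL;
}

/* The user's "allow and add to Trusted Executables" answer; returns 0 if the table is full. */
int filter_trust(exec_filter *f, const char *path, const unsigned char *image, size_t len) {
    trusted_entry *e = find_by_path(f, path);
    if (!e) {
        if (f->count >= MAX_TRUSTED) return 0;
        e = &f->entries[f->count++];
        strncpy(e->path, path, sizeof e->path - 1);
        e->path[sizeof e->path - 1] = '\0';
    }
    e->hash = fnv1a64(image, len);  /* re-trusting a changed binary refreshes its hash */
    return 1;
}

/* Called before an image runs: allow a known (path, hash) pair, learn in wizard mode, else prompt. */
exec_decision filter_decide(exec_filter *f, const char *path, const unsigned char *image, size_t len) {
    trusted_entry *e = find_by_path(f, path);
    if (e && e->hash == fnv1a64(image, len)) return EXEC_ALLOW;
    if (f->learning && filter_trust(f, path, image, len)) return EXEC_ALLOW;
    return EXEC_PROMPT;
}
```

The fourth check in the scenario is the one worth noticing: the same trusted path with different image bytes is prompted for again instead of being allowed on the strength of its name.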


I should mention this method of adding programs to the trusted list somewhere in the help and in the new GUI's Graphical User Guide.

And yes, that's another new feature which can make using NG easier for end users, by showing them how to do things with NG.

Saturday, July 29, 2006

old suggestion

There is an old and cool suggestion I received through the website's feedback form.

Kevin suggested:

Neoava should also have a filter that prompts the user for launching executables. This can prevent malicious programs from starting.


Actually, I was thinking about this one when I began working on the NG project, but for some reason (that I can't remember now) I ignored it. This should be a part of every HIPS software.
I'll work on this one from tomorrow, after finishing the "driver & services" tests.

I'll report back when it is finished.
Thanks Kevin.

busy

I've been really busy working on separating Drivers & Services in NG's configuration, settings, alerts and prompts.

And it's almost done, but I still have to test it; I think that will take a couple of hours.

Right now I have that nice headache I get when programming for 11+ hours in one day.
So I've decided to leave the rest of the work for tomorrow.

Regarding another of Navin's suggestions:

If possible perhaps you can make NG's driver load as a boot driver, this way it protects the system from the start.


I have to say that a system driver protects everything, and there is no need for a boot driver, as a driver can do anything from there; for example, a driver can bypass NG's protection. I think this applies to all HIPS software.

Friday, July 28, 2006

Monitoring Low-level disk access

Also, thanks Krazaf for reminding me about low-level access monitoring.

I've researched this kind of access a little bit but still can't find the information necessary for protection. If anyone (including Krazaf) has a Trojan, virus (or any malware) file which uses low-level access to do damage, please contact me.

If you know exactly how these kinds of malware access and modify the MBR (or anything else that needs low-level access) in the Windows NT family, please leave a comment here.

My busy days are just starting; hoping for better.

suggestions

There are a dozen suggestions from Navin. I'll leave the purely GUI-related ones for the first release version, as I plan to make big changes to the GUI for the first non-beta release.

- It might be a conflict but often the "Executable options" can't load, I get the following error: "error ReadRegString failed". And then Neoavaguard.exe will crash. This is quite a serious bug.

This was debugged before.

- I see that there isn't a way to delete an entry from the "Executable options" window? This should be changed. I mean if a process is not trusted or does not have any special permissions (or violations) it should not be on the list constantly.
- About "My Protected Files", isn't it a good idea to make this work like Hide Folders XP? I'm not sure if it's working correctly at the moment and it can even be dangerous, because if not correctly used, the OS will not start anymore.

They will be fixed by changing the GUI. The first one is actually something which can be done easily, as it is already supported by the lower layers. Actually, there will be a clean-up option, which will also automatically ask the user to remove these executable entries.
The second one needs some filters so it does not allow critical files to become inaccessible to system processes.

- You should have the ability to password protect Neoava Guard's GUI, with that I mean that as a non-admin you should be able to see the settings but you shouldn't be able to change anything and can't allow (only deny) certain behavior when prompted by an alert, unless you have a password.

This is also a very good feature, which will be implemented in the new GUI.

- I think you should make a difference between "Services" and "Drivers" in the "Custom security" settings. If I'm correct drivers (.sys files) are used to install rootkits and can be more dangerous than Services (.exe files).

That's right. I will try to implement this today; I'll report back.

thank you Navin!

Wednesday, July 26, 2006

Currently working on...

I'm working on the Beta 2 version. The GUI is the same as Beta 1 but debugged, and it contains a new feature which the user can choose during the Wizard so that NG adds all programs on the computer to trusted applications; after a reboot there will be very few alerts (if any).

Tomorrow I'm going to start the GUI part of this feature.

BTW, those of you who are interested in beta-testing NG, please send me an email at arman@neoava.com and also write a little bit about yourself.

I'll write about some bugs which are now corrected. I will also write about other HIPS software here ASAP.

I'm very positive about NG; it has very nice performance considering its very detailed filtering.

Tuesday, July 25, 2006

Creating this weblog

Hi,

My name is Arman Nayyeri, I'm the author of Neoava Guard.

I decided to create this weblog to stay in touch with everyone and to publish news, updates, bugs and debugging information here for those who are interested in Neoava Guard (or HIPS software).

For more info visit official Neoava Guard website:
http://www.neoava.com

For more info about myself:
http://www.4rman.com

I'll be back