Monday, March 12, 2007

suggestions

Thanks to MaB69 for his suggestions; here are answers which may help other people learn about NG.

Maintenance task to delete rules related to non-existent executables

Non-existent executables stay in the database but are not shown for configuration; this way the application's permissions remain available if the same executable is executed again.

Self-protection for the service, and in case of attack the service could relaunch the UI process
In the new NG, the UI is shown by the client (executed at user login) and is protected against termination.

Hidden files/process detection
This is something rootkits do after they load into the kernel. Although it is possible to detect hidden files/processes in some cases, it is not possible to control a kernel-mode driver, as it already has the highest possible access to the system.

More registry key monitoring (like IE settings or system settings (regedit enabled/disabled))
It is easy to add more keys, but currently the work is just too much for me. Thanks, it will be in future versions.
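As an added illustration of the kind of registry monitoring asked for above (this is example code, not part of NG): a polling baseline check over a few sensitive user-hive values. The watched keys and the baseline file location are assumptions chosen for the example; a HIPS intercepts the write in the kernel instead, this script only reports a change after the fact.

```powershell
# Added example, not NG's own code. Values watched here are an assumed list:
# the policy values that disable regedit/Task Manager, and the IE start page.
$WatchList = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' }
)

function Get-WatchedValues {
    # Returns a hashtable "path|name" -> current value, or '<absent>' when the
    # key or value does not exist (absence is itself worth tracking).
    $state = @{}
    foreach ($w in $WatchList) {
        $key  = "$($w.Path)|$($w.Name)"
        $item = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $state[$key] = '<absent>' }
        else { $state[$key] = [string]$item.($w.Name) }
    }
    return $state
}

function Compare-WatchedValues {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Emits one object per value that differs from the recorded baseline.
    foreach ($key in $Current.Keys) {
        if ($Baseline[$key] -ne $Current[$key]) {
            [pscustomobject]@{ Value = $key; Was = $Baseline[$key]; Now = $Current[$key] }
        }
    }
}

# Assumed baseline location; first run records, later runs compare.
$BaselineFile = Join-Path $env:TEMP 'registry-baseline.xml'
if (-not (Test-Path $BaselineFile)) {
    Get-WatchedValues | Export-Clixml -Path $BaselineFile
    Write-Host "Baseline written to $BaselineFile"
} else {
    $baseline = Import-Clixml -Path $BaselineFile
    $changes  = Compare-WatchedValues -Baseline $baseline -Current (Get-WatchedValues)
    if ($changes) { $changes | Format-Table -AutoSize } else { Write-Host 'No changes since baseline' }
}
```

Run it once to record the baseline, then schedule it (or run it after a suspicious event) to see which of the watched values was changed and from what.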

Keylogging detection (GetKeyState, GetAsyncKeyState and DirectX request interception)
New NG protects against all kinds of keylogging except DirectX, for which I have so far been unable to find a way to filter. If anyone knows any technical details about the inner workings of this function, contact me.

7 comments:

MaB69 said...

Hi Arman,

Thank you for answering me

"Maintenance task to delete rules related to non existant executables
the non-existent executables will stay in database but now shown for configuration, this way the application permissions will be available if the same executable executed again." I think you mean "not shown for configuration"

Waiting for the other tabs' screenshots before the next release

Keep up the good job

Regards,

MaB

Arman Nayyeri said...

corrected, thanks

Anonymous said...

Hey does that mean you can't customize registry keys to protect like in Regdefend or SSM?

Arman Nayyeri said...

There is no custom registry protection option in NG; as I said before, since the work is too much for me, I've tried to exclude rarely-used options like this. But it is at the top of the next version's to-do list.

MaB69 said...

"New NG protects against all kind of keylogging except DirectX, which till now I was unable to find a way to filter it. If anyone knows any technical details about inner work of this function contact me"

Hi Arman,

Didn't see this, sorry.

What about a global hook targeting dinput.dll?

Regards,

MaB

Arman Nayyeri said...

Hey MaB,

A global hook is possible, but it is very resource-consuming and not very efficient. I'm looking to find out how this function actually reads pressed keys from the keyboard; it either uses a call to the kernel or uses RPC/some other communication to receive pressed keys.

MaB69 said...

Hi Arman,

Sorry that didn't help you.

Bon courage, as we say in France

MaB